How to Configure the Microsoft 365 Audit Log
Microsoft Office 365 is a robust and diverse ecosystem that involves multiple services, such as Microsoft Teams, Exchange Online, Azure AD, SharePoint Online and OneDrive for Business. It’s a lot to keep tabs on, and global admins often need to oversee multiple sub-admins and sometimes thousands of users.
Office 365 audit logs help you track admin and user activity, including who’s accessing, viewing or moving specific documents and how resources are being used. These logs are essential for investigating security incidents and demonstrating compliance. However, the native logs have multiple limitations, so additional services are usually needed to effectively monitor activity, keep systems secure and ensure regulatory compliance.
Native log auditing is not enabled by default. To enable native log auditing:
Alternatively, you can enable log auditing using this PowerShell command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Audit logging for Power BI and other auxiliary applications is also not enabled by default; you’ll have to enable it in the separate admin portals to get those audit records.
Check your licensing requirements to see how long your log data can be stored. For instance, the cap is currently 90 days for an Office 365 E3 license and one year for an Office 365 E5 license.
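The following PowerShell is an added example, not code from the original article: it checks the current ingestion setting before running the Set-AdminAuditLogConfig command above, so the change is made only when it is actually needed and can be confirmed afterwards. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online admin role; the user principal name is a placeholder.

```powershell
# Added example (not from the original article). Checks whether unified audit log
# ingestion is on and enables it only if it is off.
# Assumptions: ExchangeOnlineManagement module installed; the account used has an
# Exchange Online admin role; the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement

# Interactive sign-in to Exchange Online PowerShell, where Get/Set-AdminAuditLogConfig live.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowBanner:$false

$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion is already enabled."
}
else {
    Write-Host "Enabling unified audit log ingestion..."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Re-read the setting to confirm the change was accepted. As the article notes,
    # it can still take several hours before an audit log search returns results.
    $after = Get-AdminAuditLogConfig
    Write-Host "UnifiedAuditLogIngestionEnabled is now: $($after.UnifiedAuditLogIngestionEnabled)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running the check first also gives you a record of the pre-change state, which is useful evidence if an investigation later needs to show when auditing was switched on.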
Prerequisites
Before you can run an audit log search, an admin must assign permissions to your account, either “View-Only Audit Logs” or “Audit Logs”.
You may have to wait several hours from the time you enable log auditing before you can run an audit log search.
Note that a unified audit log search consolidates analytics from multiple Office 365 services into a single log report, which requires anywhere from 30 minutes to 24 hours to complete.
Procedure
To run an audit log search, take the following steps:
Sign in at https://compliance.microsoft.com.
Tip: To prevent your current credentials from being used automatically, open a private browsing session:
In the Security & Compliance Center, click “Search” on the left pane. Then select “Audit log search.”
The main criteria to specify are:
Other search criteria include:
The search criteria options are helpful for an overview, but filtering the search results will help you comb through the data more effectively. You can enter keywords, specific dates, users, items or other details.
In addition, note that the search is capped at the 5,000 most recent events. If your search returns exactly 5,000 items, you’ve likely maxed out the search results. Refine your search further to ensure that you see all relevant data within your date and time range without missing crucial information.
Alternatively, you can generate a report of raw data that meets your search criteria by pulling the data into a CSV file. This lets you download up to 50,000 events instead of 5,000. To retrieve more than 50,000 events, work in batches of smaller date ranges and combine the results manually.
To save your results, click “Export results” and choose “Save loaded results” to generate a CSV file with your data. You can use Microsoft Excel to access the file or share the results as a report.
You will see a column called “AuditData”, which consists of a JSON object that contains multiple properties from the audit log record. To enable sorting and filtering on those properties, use the JSON transform tool in Excel’s Power Query Editor to split the “AuditData” column and give each property its own column.
See Export, configure, and view audit log records for more information.
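The script below is an added example and not part of the original article; it performs the same search-and-export procedure from PowerShell using the Search-UnifiedAuditLog cmdlet, which the article does not mention. It works around the 5,000-result cap by querying one day at a time and paging within each day, then splits the AuditData JSON into one column per property (the same result as the Power Query transform described above) before writing a CSV. It assumes an existing Exchange Online PowerShell session, the audit log permissions listed under Prerequisites, and a seven-day window of sign-in events; the output path and the chosen record type and operations are assumptions you would adjust.

```powershell
# Added example (not from the original article). Searches the unified audit log
# day by day, pages through each day, flattens AuditData and exports a CSV.
# Assumptions: an active Connect-ExchangeOnline session with audit log permissions;
# output path, date window, RecordType and Operations are placeholders to adjust.

$start   = (Get-Date).AddDays(-7).Date   # window start (assumed: last 7 days)
$end     = (Get-Date).Date               # exclusive window end
$outFile = "C:\Temp\m365-audit.csv"      # placeholder path
$records = New-Object System.Collections.Generic.List[object]

for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    # ReturnLargeSet with a fixed SessionId returns successive pages of up to 5,000
    # events (50,000 per session). An empty page means the day is exhausted.
    $sessionId = "audit-" + $day.ToString("yyyyMMdd")
    do {
        $page = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
            -RecordType AzureActiveDirectoryStsLogon `
            -Operations UserLoggedIn, UserLoginFailed `
            -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId $sessionId
        if ($page) { $records.AddRange([object[]]$page) }
    } while ($page -and $page.Count -gt 0)
    Write-Host ("{0}: {1} events so far" -f $day.ToString("yyyy-MM-dd"), $records.Count)
}

# Flatten each record: keep the cmdlet's own columns, then add one column per
# AuditData property, prefixed "AuditData." to avoid clashing with top-level names.
$rows = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    $row = [ordered]@{
        CreationDate = $r.CreationDate
        RecordType   = $r.RecordType
        Operations   = $r.Operations
        UserIds      = $r.UserIds
    }
    foreach ($p in $data.PSObject.Properties) {
        $value = $p.Value
        # Nested objects and arrays (e.g. ExtendedProperties) are kept as compact JSON text.
        if ($null -ne $value -and -not ($value -is [string] -or $value -is [ValueType])) {
            $value = $value | ConvertTo-Json -Compress -Depth 10
        }
        $row["AuditData.$($p.Name)"] = $value
    }
    [pscustomobject]$row
}

# Export-Csv takes its column set from the first object, so build the union of all
# property names first; records lacking a property get an empty cell.
$columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$rows | Select-Object $columns | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) rows to $outFile"
```

Paging by day keeps each session well under the 50,000-event session limit on most tenants; if a single day still overflows, shorten the step to hours. Prefixing the expanded columns matters because AuditData carries its own RecordType (as an integer) and CreationTime fields that would otherwise silently overwrite the cmdlet's columns.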
Manually digging into the audit logs in Office 365 is often difficult and time-consuming. The search tools are helpful, but consider the following drawbacks when deciding how to handle auditing in your organization:
The Office 365 Management Activity API allows you to view data about admin, system, user and policy events from Office 365 and Azure AD activity logs. The API helps you monitor, analyze and visualize audit data.
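As an added example (not code from the original article), the following PowerShell retrieves audit records through the Management Activity API rather than the portal: it obtains a token with the client-credentials flow, starts a content subscription if one is not already active, lists the content blobs for the last 24 hours and downloads them. It assumes an Azure AD app registration granted the ActivityFeed.Read application permission for the Office 365 Management APIs, with admin consent; the tenant ID, client ID and secret are placeholders, and the chosen content type and the final filter on failed sign-ins are illustrative choices.

```powershell
# Added example (not from the original article). Pulls audit content from the
# Office 365 Management Activity API using an app registration.
# Assumptions: app has ActivityFeed.Read (application) permission with admin consent;
# tenant ID, client ID and secret below are placeholders.
$tenantId     = "00000000-0000-0000-0000-000000000000"
$clientId     = "<app-client-id>"
$secureSecret = Read-Host -AsSecureString -Prompt "Client secret"
$plainSecret  = [System.Net.NetworkCredential]::new("", $secureSecret).Password

# 1. Token for the Management API (client-credentials flow).
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $plainSecret
        scope         = "https://manage.office.com/.default"
    }
$headers     = @{ Authorization = "Bearer $($token.access_token)" }
$base        = "https://manage.office.com/api/v1.0/$tenantId/activity/feed"
$contentType = "Audit.AzureActiveDirectory"   # others: Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All

# 2. Content is only produced for content types with an active subscription.
$subs = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/subscriptions/list"
if (-not ($subs | Where-Object { $_.contentType -eq $contentType -and $_.status -eq "enabled" })) {
    Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$base/subscriptions/start?contentType=$contentType" | Out-Null
    Write-Host "Started subscription for $contentType; content appears after a delay."
}

# 3. List content blobs for a window (at most 24 hours per request), then fetch each.
$fmt       = "yyyy-MM-ddTHH:mm:ss"
$endTime   = (Get-Date).ToUniversalTime()
$startTime = $endTime.AddHours(-24)
$blobs = Invoke-RestMethod -Method Get -Headers $headers -Uri (
    "$base/subscriptions/content?contentType=$contentType" +
    "&startTime=$($startTime.ToString($fmt))&endTime=$($endTime.ToString($fmt))")

# Each blob is a JSON array of audit records with the same schema as the AuditData column.
$events = foreach ($blob in $blobs) {
    Invoke-RestMethod -Method Get -Headers $headers -Uri $blob.contentUri
}

# Example triage view: failed sign-ins in the window.
$events |
    Where-Object { $_.Operation -eq "UserLoginFailed" } |
    Select-Object CreationTime, UserId, ClientIP, ResultStatus |
    Sort-Object CreationTime
```

Large listings are paged: when the content list response carries a NextPageUri header, request that URI with the same headers until it is absent. Store the client secret in a vault or managed identity rather than in the script when you move this into a scheduled collector.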