Wondering how to set up auditing and reporting in Microsoft Office 365? It’s a little known or discussed feature of Office 365 which is part of the Security and Compliance centre. With audit logs, you can see almost anything that has been done in Office 365. This can include logging in, opening a file, printing a file, running a search query, changing permissions, etc.
Here is a high level list of what you can report on and audit:
People often think of auditing as tracking what people are doing, but it is much more. You can use auditing in Office 365 to do reporting on things like SharePoint and Teams. With auditing you can discover the number of views of a page, search queries and more. So it really is a power analytics tool as well as security and compliance.
There are times when you do want to monitor what is being accessed. External users could be a great case for this. We have seen time and again that content has been shared with the ‘everyone’ group, when that should have excluded external users. By reviewing the audit logs you can see what your external users are doing in your environment. This is because everything is tied together with Azure Active Directory.
1. Open the Office 365 Admin Central.
2. From Security and Compliance Admin centre, click on Search or go directly to Audit Log Search.
3. If Audit logging isn’t enabled you will see the highlighted menu bar at the top of the page. Simply click on Turn on Auditing. This can take a little time, based on your experience.
Once it is set up the alert bar will disappear. It is worth noting reports will only show events that occurred after you turned on audit logging.
Try out a search query:
You will get the results of your logins from the last seven days, including IP Address. Opening the line item, you will be able to see some additional information. This includes user agent, keep logged in flag, etc. When you create a query, you can easily select multiple actions – logged in and logged off, as an example.
You can also access the audit logs via Powershell and the Office 365 Management API. And with the Management API you open a world of automation, being able to create monthly reports using Power Automate Flows.
Browsing through the queries you will see the power of audit logs. Any queries you create can be created as an alert policy. So if someone performs an action you want to monitor, you can get an email alert when this action is performed. For example, you might have a SharePoint Site or Teams with some very sensitive information in it. However, you need to provide owner access so they can customise the site and make it usable for the business. To ensure the content remains secured, you could put an alert on the permissions on the site. If the site owner changes the permissions, you will get an alert.
