How to set up auditing and reporting in Microsoft Office 365

Wondering how to set up auditing and reporting in Microsoft Office 365? It’s a little-known and rarely discussed feature of Office 365 that is part of the Security and Compliance centre. With audit logs, you can see almost anything that has been done in Office 365. This can include logging in, opening a file, printing a file, running a search query, changing permissions, etc.

Here is a high level list of what you can report on and audit:

  • User and Admin activity in SharePoint Online and OneDrive for Business
  • User and Admin activity in Exchange Online (Exchange mailbox audit logging)
  • Admin activity in Azure Active Directory (the directory service for Office 365)
  • eDiscovery activities in the Security and Compliance centre
  • User and admin activity in Power BI
  • User and admin activity in Microsoft Teams
  • User and admin activity in Dynamics 365
  • User and admin activity in Yammer
  • User and admin activity in Microsoft Power Automate
  • User and admin activity in Microsoft Stream
  • Analyst and admin activity in Microsoft Workplace Analytics
  • User and admin activity in Microsoft Power Apps
  • User and admin activity in Microsoft Forms
  • User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams

What else can Office 365 audit and report on?

People often think of auditing as tracking what people are doing, but it is much more. You can use auditing in Office 365 to report on things like SharePoint and Teams. With auditing you can discover the number of views of a page, search queries and more. So it really is a powerful analytics tool as well as a security and compliance tool.

There are times when you do want to monitor what is being accessed. External users could be a great case for this. We have seen time and again that content has been shared with the ‘everyone’ group, when that should have excluded external users. By reviewing the audit logs you can see what your external users are doing in your environment. This is because everything is tied together with Azure Active Directory.

Turning on Auditing in Office 365

1. Open the Office 365 Admin centre.

2. From the Security and Compliance Admin centre, click on Search or go directly to Audit Log Search.

3. If audit logging isn’t enabled, you will see the highlighted menu bar at the top of the page. Simply click on Turn on Auditing. In our experience, this can take a little time.

Once it is set up the alert bar will disappear. It is worth noting reports will only show events that occurred after you turned on audit logging.

Try out a search query:

  1. Under Activities, select the query box, type in ‘Log’ and select ‘User logged in’.
  2. Leave the dates to the default settings. This is the last 7 days by default.
  3. From the users box, type in your own account name and click Search.

You will get the results of your logins from the last seven days, including IP Address. Opening the line item, you will be able to see some additional information. This includes user agent, keep logged in flag, etc. When you create a query, you can easily select multiple actions – logged in and logged off, as an example.

You can also access the audit logs via PowerShell and the Office 365 Management API. The Management API opens up a world of automation, such as creating monthly reports using Power Automate Flows.
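The same seven-day login search run from PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account may search the audit log; both account names and the output file name are placeholders.

```powershell
# Added example: the portal search above, scripted. Account names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Equivalent of checking for the "Turn on Auditing" banner.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is off; only events after it is enabled are recorded.'
}

$end   = Get-Date
$query = @{
    StartDate      = $end.AddDays(-7)          # same window as the portal default
    EndDate        = $end
    UserIds        = 'user@example.com'        # placeholder: account to report on
    Operations     = 'UserLoggedIn'
    SessionId      = [guid]::NewGuid().ToString()
    SessionCommand = 'ReturnLargeSet'          # paged, unsorted; up to 50,000 per session
    ResultSize     = 5000
}

# Repeat the call with the same SessionId until a page comes back empty.
$records = @()
do {
    $page = Search-UnifiedAuditLog @query
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string; expand it to reach the IP address and user agent.
$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        # Login records carry the user agent as a Name/Value pair.
        UserAgent = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
    }
}

$report | Sort-Object TimeUtc | Export-Csv -Path .\logins-last7days.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Passing several values to `Operations` mirrors selecting multiple activities in the portal query box.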

Browsing through the queries you will see the power of audit logs. Any query you create can also be set up as an alert policy, so if someone performs an action you want to monitor, you get an email alert when that action is performed. For example, you might have a SharePoint Site or Team with some very sensitive information in it. However, you need to give the owners owner access so they can customise the site and make it usable for the business. To ensure the content remains secured, you could put an alert on the permissions on the site. If the site owner changes the permissions, you will get an alert.