Setup Auditing and Reporting in Microsoft Office 365

Audit logs are a little known or referenced feature of Office 365 as part of the Security and Compliance center. With audit logs you can see almost anything that has been done in Office 365. This can include logging in, opening a file, printing a file, running a search query, changing permissions. Here is a high level list of what you can report on and audit;

  • User and Admin activity in SharePoint Online and OneDrive for Business
  • User and Admin activity in Exchange Online (Exchange mailbox audit logging)
  • Admin activity in Azure Active Directory (the directory service for Office 365)
  • eDiscovery activities in the security and compliance center
  • User and admin activity in Power BI
  • User and admin activity in Microsoft Teams
  • User and admin activity in Dynamics 365
  • User and admin activity in Yammer
  • User and admin activity in Microsoft Power Automate
  • User and admin activity in Microsoft Stream
  • Analyst and admin activity in Microsoft Workplace Analytics
  • User and admin activity in Microsoft Power Apps
  • User and admin activity in Microsoft Forms
  • User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams

People often think of auditing as tracking what people are doing, but it is much more. You can use auditing in Office 365 to do reporting on things like SharePoint and Teams. With Auditing you can get number of views of a page, search queries and more. So it really is a power analytics tool as well and security and compliance. 

There are times when you do want to monitor what is being accessed, external users could be a great case for this. We have seen time and again content shared with the Everyone Group, that should have only been shared with Everyone except external users. By reviewing the audit logs you can easily see what your external users are doing in your environment as everything is tied together with Azure Active Directory.

Turning on Auditing in Office 365

1. Open the Office 365 Admin Central

2. From Security and Compliance Admin center and click on Search or go directly to Audit Log Search

3. If Audit logging isnt enabled you will see the highlighted menu bar at the top of the page. Simply click on Turn on Auditing

This can take a little time. Based on experience, it generally isnt hours but to be safe give it some time.

Once it is setup the alert bar will disappear. It is worth noting, reports will only show events that occurred after you turned on audit logging.

Try out a search query;
1. Under activities select the query box and type in ‘Log’ and select user logged in
2. Leave the dates to the default settings. This is the last 7 days by default
3. From the users box type in your own account name and click search.

You will get the results of you logins from the last 7 days including IP Address. Opening the line item, you will be able to see some additional information including user agent, keep logged in flag etc. When you create a query, you can easily select multiple actions, logged in and logged off as an example.

You can also access the audit logs via Powershell and the Office 365 Management API. And with the Management API you open a world of automation, being able to create monthly reports using Power Automate Flows.

Browsing through the queries you will see the power of audit logs. Any queries you create can be created as an alert policy. So if someone performs an action you want to monitor, you can get an email alert when this action is performed. An example, you might have a SharePoint Site or Teams with some very sensitive information in it. However you need to provide someone with owner access so they can customise the site and make it usable for the business. To ensure the content remains secured, you could put an alert on the permissions on the site. If the site owner changes the permissions you can get an alert, pretty cool.

Enjoy, use your powers for good. Audit logs are super powerful and can help create a great online workplace.