logo

How to Configure the Office 365 Audit Log

Microsoft Office 365 is a robust and diverse ecosystem that involves multiple services, such as Microsoft Teams, Exchange Online, Azure AD, SharePoint Online and OneDrive for Business. It’s a lot to keep tabs on, and global admins often need to oversee multiple sub-admins and sometimes thousands of users.

Office 365 audit logs help you track admin and user activity, including who’s accessing, viewing or moving specific documents and how resources are being used. These logs are essential for investigating security incidents and demonstrating compliance. However, the native logs have multiple limitations, so additional services are usually needed to effectively monitor activity, keep systems secure and ensure regulatory compliance.

How to Set up Office 365 Audit Logging

Native log auditing is not enabled by default. To enable native log auditing:

  1. Head to the Office 365 Security & Compliance Center.
  2. Go to “Search” and then “Audit log search.”
  3. Click “Turn on auditing.”

Alternatively, you can enable log auditing using this PowerShell command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Audit logging for Power BI and other auxiliary applications is also not enabled by default; you’ll have to enable it in the separate admin portals to get those audit records.

Check your licensing requirements to see how long your log data can be stored. For instance, the cap is currently 90 days for an Office 365 E3 license and one year for an Office 365 E5 license.

How to Run an Audit Log Search

Prerequisites

Before you can run an audit log search, an admin must assign permissions to your account, either “View-Only Audit Logs” or “Audit Logs”.

You may have to wait several hours from the time you enable log auditing before you can run an audit log search.

Note that a unified audit log search consolidates analytics from multiple Office 365 services into a single log report, which requires anywhere from 30 minutes to 24 hours to complete.

Procedure

To run an audit log search, take the following steps:

1. Log In.

Sign in at https://protection.office.com.

Tip: To prevent your current credentials from being used automatically, open a private browsing session:

  • In Internet Explorer or Edge, press CTRL+SHIFT+P.
  • For most other browsers, press CTRL+SHIFT+N.

2. Start a New Search.

In the Security & Compliance Center, click “Search” on the left pane. Then select “Audit log search.”

3. Configure Your Search Criteria.

The main criteria to specify are:

  • Activities — See Microsoft’s list of audited activities. There are over 100, so Microsoft has grouped them into related activities. If you don’t narrow this down, your audit report will include all activities performed during the time frame specified.
  • Dates — The default time frame is the last seven days, but you can configure your search for any period within the last 90 days.
  • Users — Specify which user or group of users you want to include in your report.
  • Location If you want to limit the search to a particular file, folder or site, enter a location or keyword.

Other search criteria include:

  • Activities related to a website — Add an asterisk after the URL to return all entries for that site. For example, “https://contoso-my.sharepoint.com/personal/*”.
  • Activities related to a given file — Add an asterisk before the file name to return all entries for that file. For example, “*Customer_Profitability_Sample.csv”.

4. Filter the Search Results.

The search criteria options are helpful for an overview, but filtering the search results will help you comb through the data more effectively. You can enter keywords, specific dates, users, items or other details.

In addition, note that the search is capped at the 5,000 most recent events. If your search returns exactly 5,000 items, you’ve likely maxed out the search results. Refine your search further to ensure that you see all relevant data within your date and time range without missing crucial information.

Alternatively, you can generate a report of raw data that meets your search criteria by pulling the data into csv. This lets you download up to 50,000 events instead of 5,000. To generate even more than 50,000 events, work in batches of smaller date ranges and combine the results manually.

5. Save your Results.

To save your results, click “Export results” and choose “Save loaded results” to generate a CSV file with your data. You can use Microsoft Excel to access the file or share the results as a report.

You will see a column called “AuditData”, which consists of a JSON object that contains multiple properties from the audit log record. To enable sorting and filtering on those properties, use the JSON transform tool in Excel’s Power Query Editor to split the “AuditData” column and give each property its own column.

See Export, configure, and view audit log records for more information.

Limitations of Native Audit Log Searches in Office 365

Manually digging into the audit logs in Office 365 is often difficult and time-consuming. The search tools are helpful, but consider the following drawbacks when deciding how to handle auditing in your organization:

  • It’s difficult to spot aberrant activity — It takes a trained eye to interpret data, especially if you’re not already aware of a problem with a specific user or file.
  • It’s hard to keep your audit data secure — Detailed data on every event within your system is highly sensitive information. While the default export options are convenient, they make your files more vulnerable.
  • Putting together human-readable reports is very difficult — To get a report, you need to export specific audit data into a CSV file, which then needs to be sorted and interpreted before it becomes actionable.
  • You have limited filtering options — The native audit log search does not provide comprehensive filtering options, making it harder to glean insights and find what you’re looking for.
  • There are only a few predefined log reports available — If you want other reports, you have to create them manually. Also, there’s no report subscription option or native feature to save customized searches.
  • Most properties are lumped into one JSON — The AuditData JSON can contain different properties depending on the auditing event. This produces a lot of unnecessary noise between you and the important details you’re trying to get from your audit data.
  • Audit data is stored for a limited time — Since Microsoft’s standard subscription allows only a 90-day data retention period for audit logs, you’ll have to download and save your audit logs on a regular basis, and then try to merge them together to see the longer term picture of activity. If you forget to save the logs, you’ll have gaps in your record.

Other Ways to Access Audit Log Data

Office 365 Management Activity API

The Office 365 Management Activity API allows you to view data about admin system, user and policy events from Office 365 and Azure AD activity logs. The tool helps you monitor, analyze and visualize audit data.

Netwrix Auditor

Netwrix Auditor dramatically simplifies the task of staying on top of activity in your IT environment, as well as enabling you to proactively prevent issues and keep data organized. The solution provides increased visibility into activity and configurations in your OneDrive for Business, SharePoint Online and Exchange Online environments, as well as Azure AD.

Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.