
How to Configure the Office 365 Audit Log?

Microsoft Office 365 is a large and diverse ecosystem that includes Microsoft Teams, Exchange Online, Azure AD, SharePoint Online, and OneDrive for Business, among other services. It’s a lot to keep track of, and global admins are frequently responsible for numerous sub-admins and thousands of users.

Audit logs in Office 365 allow you to keep track of admin and user activities, such as who is accessing, viewing, or moving documents, and how resources are being used. These records are necessary for determining the cause of security issues as well as demonstrating compliance. However, because native logs have a number of limitations, additional services are frequently required to efficiently monitor activity, maintain system security, and assure regulatory compliance.

How to Set Up Audit Logging in Office 365?

Auditing of native logs is disabled by default. To enable native log auditing, follow these steps:

You may also use this PowerShell command to activate log auditing:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Audit logging for Power BI and other auxiliary programmes is likewise not enabled by default; to receive such audit records, you’ll have to enable it in the individual admin portals.

To find out how long your log data can be saved, check your licence regulations. For example, an Office 365 E3 licence has a 90-day limit, while an Office 365 E5 subscription has a one-year limit.

How to Search an Audit Log?

Prerequisites

An admin must assign your account either the “View-Only Audit Logs” or the “Audit Logs” role before you can run an audit log search.

It’s possible that you’ll have to wait several hours after enabling log auditing before running an audit log search.

It’s worth noting that a unified audit log search combines data from several Office 365 services into a single log report that can take anywhere from 30 minutes to 24 hours to complete.

Procedure

Follow these procedures to conduct an audit log search:

1. Log in to your account.

Go to https://protection.office.com and log in.

2. Begin a brand-new search.

On the left pane of the Security & Compliance Center, click “Search.” Then choose “Audit log search” from the drop-down menu.

3. Create a set of search criteria.

The following are the most important criteria to consider:

Activities – Microsoft’s list of audited activities may be found here. Because there are so many, Microsoft has grouped them into categories of similar activities. If you don’t select any activities, the report covers every activity carried out during the chosen time period.

Dates – The default range is the last seven days, but you can choose any period within the last 90 days.

Users – Choose the user or group of users whose activity you want to see in the report.

File, folder, or site – Enter a location or phrase to narrow the search to a specific file, folder, or site.

Other search criteria include the following:

Activities involving a site – Add an asterisk after the URL to return all items for that site, for example “https://contoso-my.sharepoint.com/personal/*”.

Activities pertaining to a specific file – Put an asterisk before the file name to return all entries for that file, for example “*Customer Profitability Sample.csv”.

4. Filter the results of your search.

The search criterion options are useful for getting a quick overview, but refining the search results can help you dig through the information more efficiently. You can enter keywords, dates, users, items, and other information.

Also, keep in mind that the search is limited to the most recent 5,000 events. If your search yields exactly 5,000 results, you’ve probably reached the limit of your search. Refine your search to make sure you see all relevant data within your date and time range without missing important details.

Alternatively, you can export the raw data that matches your search parameters to CSV. Instead of 5,000 events, the export can contain up to 50,000. To get more than 50,000 events, work in batches of narrower date ranges and merge the results manually.

5. Save your findings.

To save your results, go to “Export results” and select “Save loaded results” to create a CSV file. You can open the file in Microsoft Excel and share the results as a report.

A column called “AuditData” will appear, which is a JSON object containing several properties from the audit log record. Use the JSON convert tool in Excel’s Power Query Editor to separate the “AuditData” column and give each property its own column to enable sorting and filtering on those attributes.
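The export in step 4 and the AuditData expansion in step 5 can be scripted instead of being done by hand in Excel. The following PowerShell script is an added example and is not part of the original article. It uses the Search-UnifiedAuditLog cmdlet from the ExchangeOnlineManagement module, runs each date-range batch in a fresh search session (the 50,000-record limit mentioned above applies per session, so a batch that reaches it is flagged), and flattens every AuditData property into its own CSV column. The operation filter and the output file name are assumptions chosen for illustration.

```powershell
# Added example, not part of the original article. Exports unified audit log records in
# date-range batches, expands the AuditData JSON into columns, and writes one flat CSV.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account holds
# the Audit Logs or View-Only Audit Logs role.
param(
    [datetime]$Start      = (Get-Date).AddDays(-30),
    [datetime]$End        = (Get-Date),
    [int]     $BatchDays  = 1,
    # Constructed sample filter; change it, or drop -Operations below, to export everything
    [string[]]$Operations = @('FileAccessed', 'FileDownloaded', 'UserLoggedIn'),
    [string]  $OutFile    = ".\audit-export-$(Get-Date -Format yyyyMMdd).csv"   # assumed name
)

$PageSize   = 5000    # per-call maximum for Search-UnifiedAuditLog
$SessionCap = 50000   # per-session maximum with -SessionCommand ReturnLargeSet

Connect-ExchangeOnline -ShowBanner:$false

$rows       = [System.Collections.Generic.List[object]]::new()
$batchStart = $Start
while ($batchStart -lt $End) {
    $batchEnd = $batchStart.AddDays($BatchDays)
    if ($batchEnd -gt $End) { $batchEnd = $End }

    # One SessionId per batch; repeated calls with the same id page through the result set
    $sessionId  = [guid]::NewGuid().ToString()
    $batchCount = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $batchStart -EndDate $batchEnd `
            -Operations $Operations -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize $PageSize
        foreach ($rec in $page) {          # foreach over $null iterates zero times
            $row = [ordered]@{
                CreationDate = $rec.CreationDate
                RecordType   = $rec.RecordType
                Operations   = $rec.Operations
                UserIds      = $rec.UserIds
            }
            # Step 5 of the article without Excel: each AuditData property becomes a column.
            # Nested objects (e.g. ExtendedProperties) are kept as compact JSON strings.
            $data = $rec.AuditData | ConvertFrom-Json
            foreach ($p in $data.PSObject.Properties) {
                if ($row.Contains($p.Name)) { continue }   # envelope columns win on a name clash
                $row[$p.Name] = if ($null -eq $p.Value -or $p.Value -is [string] -or $p.Value -is [ValueType]) {
                    $p.Value
                } else {
                    ConvertTo-Json -InputObject $p.Value -Compress -Depth 5
                }
            }
            $rows.Add([pscustomobject]$row)
            $batchCount++
        }
    } while ($page)

    if ($batchCount -ge $SessionCap) {
        # Reaching the cap means records in this window were not returned: rerun with a smaller -BatchDays
        Write-Warning ("Batch {0:u} .. {1:u} hit the {2}-record session cap; shrink -BatchDays." -f $batchStart, $batchEnd, $SessionCap)
    }
    Write-Host ("{0:u} .. {1:u}: {2} records" -f $batchStart, $batchEnd, $batchCount)
    $batchStart = $batchEnd
}

if ($rows.Count -eq 0) {
    Write-Warning 'No records matched the search criteria.'
} else {
    # Export-Csv takes its column set from the first object; different record types carry
    # different AuditData properties, so build the union of all column names first.
    $columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
    $rows | Select-Object -Property $columns | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $($rows.Count) records to $OutFile"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as a script with the date range you need, for example `.\Export-AuditLog.ps1 -Start (Get-Date).AddDays(-7) -End (Get-Date) -BatchDays 1`. Because the column set is the union of every record’s properties, the resulting CSV can be sorted and filtered on any AuditData attribute directly, and the exported file should be stored with the same care as the sensitive data it describes.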

Turn auditing on or off

For Microsoft 365 and Office 365 enterprise organizations, audit logging is enabled by default. However, you should verify your organization’s auditing status when creating a new Microsoft 365 or Office 365 organization. See the section “Check your organization’s auditing status” below for details.

When auditing is enabled in the Microsoft 365 compliance centre, user and admin activity from your business is logged in the audit log and kept for 90 days, or up to a year, depending on the licence issued to users. However, there may be reasons why your company does not want to record and keep audit log data. In such instances, a global administrator may choose to disable auditing in Microsoft 365.

Before you turn auditing on or off, note the following requirements.

To turn auditing on or off in your Microsoft 365 organization, you must be assigned the Audit Logs role in Exchange Online. On the Permissions tab in the Exchange admin centre, this role is assigned by default to the Compliance Management and Organization Management role groups. Members of the Organization Management role group in Exchange Online are global admins in Microsoft 365.

See Search the audit log for step-by-step instructions on how to search the audit log. See Get started with Microsoft 365 Management APIs for more information on the Microsoft 365 Management Activity API.

Check your organization’s auditing status.

In Exchange Online PowerShell, run the following command to see if auditing is enabled for your organization:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

If the UnifiedAuditLogIngestionEnabled property is True, auditing is enabled. If it is False, auditing is disabled.

Activate auditing

If your organization’s auditing isn’t enabled, you can enable it in the Microsoft 365 compliance centre or by using Exchange Online PowerShell. When you turn on auditing, it may take many hours before you can search the audit log and get results.

Turn on auditing in the compliance center

  1. Sign in at https://compliance.microsoft.com.
  2. In the left navigation pane of the Microsoft 365 compliance center, click Audit.
  3. If auditing isn’t enabled for your organization, a banner on the Audit page prompts you to start recording user and admin activity.
  4. Click the Start recording user and admin activity banner.
  5. The change can take up to 60 minutes to take effect.

Turn on auditing with PowerShell

Connect to PowerShell for Exchange Online.

To enable auditing, run the PowerShell command below.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

A warning appears stating that the modification may take up to 60 minutes to take effect.
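The status check and the enable step above can be combined into one script, which is also useful as a scheduled check that nobody has turned ingestion off since the last run. The following PowerShell script is an added example and not part of the original article; it uses the Get-AdminAuditLogConfig and Set-AdminAuditLogConfig cmdlets described above and assumes the ExchangeOnlineManagement module is installed and the account holds the Audit Logs role. The evidence file name is an assumption.

```powershell
# Added example, not part of the original article. Reads the unified audit log ingestion
# state, enables it when it is off, re-reads the setting, and records the result.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# Audit Logs role (Organization Management or Compliance Management role group).
Connect-ExchangeOnline -ShowBanner:$false

$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is enabled.'
} else {
    # Auditing being off is itself a finding: on a scheduled run this is the line to alert on
    Write-Warning 'Unified audit log ingestion is DISABLED; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # The service warns that the change can take up to 60 minutes to take effect. Re-read the
    # setting so the script reports what the tenant now says rather than assuming success.
    $config = Get-AdminAuditLogConfig
    if (-not $config.UnifiedAuditLogIngestionEnabled) {
        Write-Error 'Setting did not read back as enabled; check permissions and re-run later.'
    }
}

# Keep a dated record of the setting for change control and compliance evidence (assumed file name)
$evidence = ".\audit-config-$(Get-Date -Format yyyyMMdd-HHmm).csv"
$config |
    Select-Object @{ Name = 'CheckedAt'; Expression = { (Get-Date).ToString('u') } },
                  UnifiedAuditLogIngestionEnabled, AdminAuditLogEnabled |
    Export-Csv -Path $evidence -NoTypeInformation
Write-Host "Recorded auditing state to $evidence"

Disconnect-ExchangeOnline -Confirm:$false
```

Running this on a schedule turns the one-time setup described above into a recurring control: a warning in the output means someone disabled ingestion between runs, and the dated CSV files show when the state changed.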

Turn off auditing

To turn off auditing, you must use Exchange Online PowerShell.

  1. Connect to PowerShell for Exchange Online.
  2. To disable auditing, run the PowerShell command below.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

After a while, verify that auditing is turned off. There are two ways to do this:

Run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

The UnifiedAuditLogIngestionEnabled property’s value of False indicates that auditing is disabled.

In the Microsoft 365 compliance centre, go to the Audit page.

If your organization’s auditing isn’t enabled, a banner will appear asking you to start logging user and admin activity.

Native Audit Log Searches in Office 365 Have Some Limitations

Manually sifting through the audit logs in Office 365 can be time-consuming and complex. While the search tools are useful, keep in mind the following disadvantages when deciding how to manage audits in your company:

Spotting anomalous activity needs a trained eye – interpreting the data requires skill, especially if you aren’t already aware of a problem with a particular user or file.

Keeping your audit data safe is difficult – detailed records of every event in your system are extremely sensitive. While the default export options are convenient, they expose that data to additional risk.

Creating human-readable reports is challenging – to get a report, you must first export the relevant audit data to a CSV file, then sort and analyse it before it can be used.

Filtering options are limited – the native audit log search lacks comprehensive filters, making it harder to gather insights and find what you’re looking for.

Predefined reports are few – if you need more, you have to build them manually. There is also no way to subscribe to reports, and no native tool for saving customised searches.

Most properties are combined into a single JSON – depending on the event, the AuditData JSON can carry many properties, adding noise between you and the information you need.

Retention is short – because Microsoft’s standard subscription retains audit logs for only 90 days, you have to download and preserve them regularly and then combine them to see activity over time. If you forget to preserve the logs, you will have gaps in your record.

Other Methods of Obtaining Audit Log Data

Management Activity API for Office 365

The Office 365 Management Activity API allows you to view data from Office 365 and Azure AD activity logs concerning admin system, user, and policy events. The program allows you to keep track of, analyze, and visualize audit data.
