Office 365 audit logs are records that provide detailed information about activities that occur within a Microsoft Office 365 environment. These activities can be performed by users, administrators, or the system itself. The logs capture a wide range of events and activities, such as file and folder accesses, downloads, edits, deletions, sharing activities, changes in settings, user sign-ins, and many more. This is important for two reasons:
- Security: Audit logs are an essential tool for security analysis and incident response. They allow security teams to track user behavior and investigate suspicious activities. For instance, if there's an unexpected spike in file downloads or deletions, it could indicate a potential security breach. By examining the audit logs, teams can identify the user who performed these actions and the exact time they occurred, which can be instrumental in understanding the scope and nature of the incident.
- Compliance: For organizations subject to regulations that require certain controls over data access and modifications, audit logs provide the necessary documentation. They can demonstrate that the organization has visibility into and control over its data. For example, regulations like GDPR, HIPAA, and SOX require businesses to have a clear understanding of who has access to sensitive data, when they access it, and what they do with it. Office 365 audit logs provide this information, helping organizations meet their compliance obligations.
However, if you don't know what to look for, navigating and interpreting the mess of information in the audit logs can be an endless hassle. Today, let's take a look at the different types of data collected and stored in these audit logs, understand how they are formatted, and learn how to interpret them properly for different use cases.
This article covers:
Understanding the Office 365 Admin Logs
Given the vast amount of information included within each entry, it's important to know how to read and interpret the audit logs for Microsoft 365. First, let's take a look at the different components that make up each entry:
- Date and Time: The exact date and time when the activity occurred.
- User: The user (or system component) that performed the action. This could be an end user, an administrator, or a service account.
- Activity: The specific action that was performed. This could be anything from viewing a document, editing a file, deleting an item, to administrative actions like changing user permissions or system settings.
- Item: The specific object that was affected by the activity. This could be a file, folder, user account, system setting, etc.
- Details: Additional information about the activity, such as the location from which the activity was performed, the client used (e.g., web browser, mobile app, desktop app), and other relevant data.
Audit logs play a crucial role in tracking user and admin activities. They help you address vulnerabilities in the system and ensure accountability across your organization's chain of command. Here are a few reasons why they're so important:
- Security Monitoring: Audit logs help identify unusual or suspicious activities that could indicate a security threat, such as a potential data breach or misuse of privileges.
- Incident Investigation: In the event of a security incident, audit logs provide detailed information that can help determine what happened, when it happened, who was involved, and what was affected.
- Compliance Monitoring: Many regulatory standards require organizations to maintain detailed logs of user and admin activities. Audit logs can provide the necessary documentation to demonstrate compliance with these regulations.
- Operational Oversight: Audit logs can help administrators understand how users are interacting with the Office 365 environment, which can inform decisions about resource allocation, training needs, policy updates, and more.
Activities Tracked by the Office 365 Logs
Office 365 Audit Logs track a wide variety of activities to provide comprehensive visibility into the actions taken within an organization's Office 365 environment. Here are some of the key types of activities tracked:
- File and Folder Activities: These include actions such as viewing, editing, downloading, moving, copying, or deleting files and folders. This also covers activities related to sharing files and folders, like creating and managing sharing invitations or accessing shared files.
- Email Activities: These involve actions taken in Outlook, such as sending, receiving, or deleting emails. It also includes activities like setting mailbox permissions, mailbox login events, and changes to mailbox settings.
- SharePoint and OneDrive Activities: These include actions like uploading, downloading, viewing, editing, moving, or deleting documents in SharePoint or OneDrive. It also tracks activities like sharing documents, adding or removing apps, and changes to site settings.
- Teams Activities: These involve actions taken in Microsoft Teams, such as creating or deleting teams, adding or removing members, creating or deleting channels, and posting or deleting messages.
- User Administration Activities: These include actions related to managing users in Office 365, such as creating or deleting users, changing user roles or permissions, resetting passwords, and managing user licenses.
- Group and Directory Activities: These involve actions related to managing groups and directories in Office 365, such as creating or deleting groups, adding or removing members from groups, and changes to group settings.
- Role Administration Activities: These include actions related to managing roles in Office 365, such as assigning or removing roles to users, and changes to role settings.
- Synchronization Activities: These involve actions related to synchronizing directories and files in Office 365, such as starting or stopping synchronization, and changes to synchronization settings.
- Exchange Mailbox Activities: These include actions taken in an Exchange mailbox, such as logging into a mailbox, sending or receiving mail, creating or deleting mailbox items, and changes to mailbox properties.
- Security and Compliance Activities: These involve actions related to managing security and compliance features in Office 365, such as managing security policies, conducting audit log searches, and managing data governance policies.
Each of these activities provides valuable insights into how users and administrators are interacting with the Office 365 environment, which can be crucial for security monitoring, incident response, operational oversight, and compliance reporting.
How to Enable or Disable the Microsoft 365 Audit Log?
Microsoft 365 audit logs are always turned on by default for every organization. To turn auditing on or off in your Microsoft 365 organization, you need to be assigned the Audit Logs role in Exchange Online. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Here's how it works:
Enabling the Microsoft 365 Audit Log
- Go to the Microsoft Purview compliance portal.
- Navigate to "Solutions > Audit".
- If auditing isn't turned on for your organization, a banner will be displayed prompting you to start recording user and admin activity.
- Click on the "Start recording user and admin activity" banner. It may take up to 60 minutes for the change to take effect.
You can also enable auditing using Exchange Online PowerShell:
- Connect to Exchange Online PowerShell.
- Run the following PowerShell command to turn on auditing: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- A message will be displayed saying that it may take up to 60 minutes for the change to take effect.
Disabling the Microsoft 365 Audit Log
Disabling the audit log can only be done using Exchange Online PowerShell:
- Connect to Exchange Online PowerShell.
- Run the following PowerShell command to turn off auditing: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
After a while, you can verify that auditing is turned off (disabled) in two ways:
- In Exchange Online PowerShell, run the following command: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled. The value of False for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.
- Go to the Audit page in the compliance portal. If auditing isn't turned on for your organization, a banner will be displayed prompting you to start recording user and admin activity.
How to Search the Logs When Auditing Office 365
When you're running an audit across your organization's cloud environment, knowing how to search and locate specific information within the audit logs is a crucial skill. Here's a step by step guide on searching the Office 365 audit logs for various activities and events:
Step 1: Run an audit log search
- Go to https://compliance.microsoft.com and sign in.
- In the left pane of the compliance portal, select "Audit".
- On the Search tab, configure the following search criteria:
- Start date and End date: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The maximum date range that you can specify is 90 days.
- Activities: Select the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can select the activity group name to select all activities in the group.
- Users: Select in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results.
- File, folder, or site: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder.
- Select "Search" to run the search using your search criteria.
Step 2: View the search results
The results of an audit log search are displayed under Results on the Audit log search page. A maximum of 50,000 (newest) events are displayed in increments of 150 events. Use the scroll bar or press Shift + End to display the next 150 events.
Step 3: Export the search results to a file
- Run an audit log search, and then revise the search criteria until you have the desired results.
- On the search results page, select "Export > Download all results". All entries from the audit log that meet the search criteria are exported to a CSV file. The raw data from the audit log is saved to a CSV file. Additional information from the audit log entry is included in a column named AuditData in the CSV.
- After the export process is complete, a message is displayed at the top of the window that prompts you to open the CSV file and save it to your local computer.
Please note that you can download a maximum of 50,000 entries to a CSV file from a single audit log search. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria. To export more than this limit, try using a date range to reduce the number of audit log entries. You might have to run multiple searches with smaller date ranges to export more than 50,000 entries.
What You Need to Know About Office 365 Audit Log Retention
Audit log retention in Office 365 is an important aspect of the platform's security and compliance features. By default, audit records are retained for 90 days. This means that any action or event that is audited and logged by Office 365 will be kept in the audit log for a period of 90 days from the date of the event.
After this period, the audit record is automatically deleted and is no longer available for audit log searches. This 90-day retention period applies to all user and admin activities across various services in Office 365, including Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory.
However, the retention period for audit logs can be affected by changes to user licensing or retention policies. For instance, users assigned an Office 365 E5 or Microsoft 365 E5 license, or users with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license, have their audit records for Azure Active Directory, Exchange, and SharePoint activity retained for one year by default. Organizations can also create audit log retention policies to retain audit records for activities in other services for up to one year.
If a user's license is changed, the retention period for their audit data will adjust according to the new license. For example, if a user is moved from an Office 365 E3 license (which has a 90-day retention period) to an Office 365 E5 license (which has a one-year retention period), their audit data will be retained for one year from the date of each event moving forward. However, the retention period for events that occurred before the license change will not be extended.
Similarly, changes to retention policies can also affect the expiration date of audit data. If an organization decides to extend the retention period for certain types of audit data, the new retention period will apply to all future events of that type. However, it will not retroactively extend the retention period for events that occurred before the policy change.
How to Simplify Office 365 Audit Log Management With CoreView
CoreView offers a premium end-to-end configuration management solution for enterprise organizations and managed service providers running Microsoft 365. It uses configuration-as-code technology to automate the setup and maintenance of Microsoft 365 services like Office 365, Intune, and Azure AD.
When it comes to managing Office 365 Audit Logs, CoreView offers several key features that simplify the process of navigating and interpreting them:
- Verification of Audit Log Status: With CoreView Configuration Manager, you can easily verify the status of the audit log feature for every tenant you currently manage. You can make sure that the Unified Audit Log is working for a particular tenant, and if not, you can switch it on directly through CoreView.
- Enhanced Audit Log Reports: CoreView Configuration Manager enhances and improves the cumbersome audit log provided by Microsoft by breaking it down into daily reports that update you on changes made to the default configurations of all your tenants. It offers a single-pane-of-glass view for implementing, reviewing, and managing changes to your multi-tenant ecosystem in Microsoft 365.
- Searchable Inventory of Changes: From the Sync tab in your Configuration Manager dashboard, you can access a searchable inventory of all the changes made to your tenant configurations. Here, you can review deviations from your baseline configuration and choose to approve, reject, or roll back configuration changes to your organization’s tenants.
- Simplified Rollback of Changes: CoreView Configuration Manager improves upon the existing documentation provided by Microsoft by making it more digestible and search-friendly, while also letting you roll back changes with a single click from within the same UI. That way, you can always rest assured knowing that your organization has proper access to detailed documentation on all your tenants in case of a security breach as well as the ability to revert those tenants back to a known good state should a disaster occur.
CoreView provides a powerful and user-friendly solution for managing Office 365 Audit Logs. It not only ensures that audit logging is enabled for all your tenants but also provides enhanced reporting, searchable inventory of changes, and simplified rollback capabilities. Want to learn more? Sign up for a free demo with our sales team, today!