Office 365 audit logs are your private detective, in case you need to find out what was going on in your Office 365 tenant our you need to perform office 365 auditing then Office 365 audit log is the place where you will find everything needed.
The good thing about the Office 365 logs is it will not cover only specific Azure workload, or that you need to enable every specific workload that you have in your tenant but by default it will cover everything. BTW by default in all the new tenants auditing is enabled by default but if it is not; navigate to https://protection.office.com/unifiedauditlog and click start recording user and admin activity.
What events I can audit with Office 365 auditing enabled?
When you enable audit logs in your office 365 tenant then you can search following events:
Because you can search for the following types of user and admin activity in Office 365:
- User activity in SharePoint Online and OneDrive
- User activity in Exchange Online
- Admin activity in SharePoint Online
- Admin activity in Azure AD
- Admin activity in Exchange Online
- User and admin activity in Sway
- eDiscovery activities in the security and compliance center
- User and admin activity in Power BI
- User and admin activity in Microsoft Teams
- User and admin activity in Dynamics 365
- User and admin activity in Yammer
- User and admin activity in Microsoft Flow
- User and admin activity in Microsoft Stream
- Analyst and admin activity in Microsoft Workplace Analytics
User and admin activity in Microsoft PowerApps
What Office 365 license I need for auditing?
Let me provide a bit of the info on how long the logs are retained for different licensing levels
- Office E3 license is able to retain logs for 90 days
- Office E5 license is able to retain logs for 90 days (up to 365 days on request BUT Microsoft has finished testing of the new enrollment where up to 365 days should be available by default)
- Office E3 with Advanced Compliance licenses (up to 365 days on request BUT Microsoft has finished testing of the new enrollment where up to 365 days should be available by default)
Query Office 365 Audit Logs with PowerShell
The Search-UnifiedAuditLog cmdlet you are looking for if you want to utilize PowerShell to extract audit logs from the Office 365 tenant. Play with the switches below, I have explained in the commented section what each switch means. If you have some specific use case where you want to iterate thru all the users, or just some particular users let me know I will help you edit the script.
Use the PowerShell below to query the audit logs on the Office 365:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection Import-PSSession $Session -AllowClobber $startInterval = "6/16/2019" $endInterval = "6/17/2019" $data = Search-UnifiedAuditLog -StartDate $startInterval -EndDate $endInterval -Operations FileAccessed, FilePreviewed, PageViewed, PageViewedExtended, SearchViewed, CompanyLinkUsed, SecureLinkUsed, FileDownloaded, FileModified,FileUploaded, FileDeleted, FolderModified, CompanyLinkCreated, SharingInheritanceBroken, ListUpdated, FileSyncDownloadedFull, FileSyncUploadedFull -SessionCommand ReturnLargeSet -ResultSize 5000 ## Start Date - don't need to explain this ## End Date - don't need to explain this ## Operations - For more information see here - https://docs.microsoft.com/en-gb/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#sharing-and-access-request-activities ## Session Command - Determines the size of the data returned ## ResultSize - Limit results to 5k So the script will return all the data from the Security & Compliance Search center and you have with using this way store the data for auditing purposes.
Why Office 365 Auditing is required?
With more and more users working from home, companies want to keep control of the organization, because people are connecting from various unsecure devices where with the BYOD philosophy we have little control over how the end user will choose to connect to the company environment.
I have explained before on how to perform auditing of the on-prem farm here https://www.lemonbits.com/2018/09/27/sharepoint-audit-logs
Let me know in the comments below if you would like me to cover Office 365 auditing in more details.