Office 365 auditing

Frane Borozan - June 19, 2019

Office 365 audit logs are your private detective. If you need to find out what was going on in your Office 365 tenant, or you need to perform Office 365 auditing, the Office 365 audit log is the place where you will find everything needed.

The good thing about the Office 365 audit log is that it does not cover only one specific Azure workload, and you do not need to enable it separately for every workload in your tenant: by default it covers everything. Auditing is enabled by default in all new tenants, but if it is not, navigate to https://protection.office.com/unifiedauditlog and click "Start recording user and admin activity".

What events can I audit with Office 365 auditing enabled?

When you enable audit logs in your Office 365 tenant, you can search for the following types of user and admin activity:

  • User activity in SharePoint Online and OneDrive
  • User activity in Exchange Online
  • Admin activity in SharePoint Online
  • Admin activity in Azure AD
  • Admin activity in Exchange Online
  • User and admin activity in Sway
  • eDiscovery activities in the security and compliance center
  • User and admin activity in Power BI
  • User and admin activity in Microsoft Teams
  • User and admin activity in Dynamics 365
  • User and admin activity in Yammer
  • User and admin activity in Microsoft Flow
  • User and admin activity in Microsoft Stream
  • Analyst and admin activity in Microsoft Workplace Analytics
  • User and admin activity in Microsoft PowerApps

What Office 365 license do I need for auditing?

Here is how long the logs are retained at the different licensing levels:

  • Office E3 license is able to retain logs for 90 days
  • Office E5 license is able to retain logs for 90 days (up to 365 days on request BUT Microsoft has finished testing of the new enrollment where up to 365 days should be available by default)
  • Office E3 with Advanced Compliance licenses (up to 365 days on request BUT Microsoft has finished testing of the new enrollment where up to 365 days should be available by default)

Query Office 365 Audit Logs with PowerShell

Search-UnifiedAuditLog is the cmdlet you are looking for if you want to use PowerShell to extract audit logs from the Office 365 tenant. Play with the switches below; I have explained in the comments what each switch means. If you have a specific use case where you want to iterate through all the users, or just some particular users, let me know and I will help you edit the script.

Use the PowerShell below to query the audit logs in Office 365:

# Prompt for an account that is allowed to search the audit log
$Credential = Get-Credential

# Open a remote Exchange Online session and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

$startInterval = "6/16/2019"
$endInterval   = "6/17/2019"

## StartDate - don't need to explain this
## EndDate - don't need to explain this
## Operations - For more information see here - https://docs.microsoft.com/en-gb/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#sharing-and-access-request-activities
## SessionCommand - Determines the size of the data returned
## ResultSize - Limit results to 5k
## The trailing backticks continue the command onto the next line
$data = Search-UnifiedAuditLog `
    -StartDate $startInterval `
    -EndDate $endInterval `
    -Operations FileAccessed, FilePreviewed, PageViewed, PageViewedExtended, SearchViewed, CompanyLinkUsed, SecureLinkUsed, FileDownloaded, FileModified, FileUploaded, FileDeleted, FolderModified, CompanyLinkCreated, SharingInheritanceBroken, ListUpdated, FileSyncDownloadedFull, FileSyncUploadedFull `
    -SessionCommand ReturnLargeSet `
    -ResultSize 5000

# Close the remote session when you are done
Remove-PSSession $Session

The script returns the data from the Security & Compliance search center, and in this way you can store the data for auditing purposes.
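A single call is capped by -ResultSize, so a busy day can be cut off at 5,000 records. The following is an added example, not part of the original script: it pages through the results by reusing one -SessionId and flattens the JSON in each record's AuditData property for export. The function names, the sample record and the output path are assumptions made for illustration.

```powershell
# Added example. Get-AuditLogPaged needs the imported Exchange Online session
# from the script above; ConvertFrom-AuditRecord runs offline.
function Get-AuditLogPaged {
    param([datetime]$StartDate, [datetime]$EndDate, [string[]]$Operations)
    # Reusing the same SessionId makes each call return the next page of results
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -Operations $Operations -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        $page   # emit the current page to the pipeline
    } while (@($page).Count -gt 0)   # an empty page means the session is exhausted
}

function ConvertFrom-AuditRecord {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        # AuditData is a JSON string; the fields below come from that payload
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationTime = $d.CreationTime
            UserId       = $d.UserId
            Operation    = $d.Operation
            Workload     = $d.Workload
            ClientIP     = $d.ClientIP
            ObjectId     = $d.ObjectId
        }
    }
}

# Constructed sample record (not real tenant data) to show the flattening offline
$sample = [pscustomobject]@{
    AuditData = '{"CreationTime":"2019-06-16T09:15:02","Operation":"FileDownloaded",' +
                '"UserId":"user@example.com","Workload":"SharePoint",' +
                '"ClientIP":"203.0.113.10",' +
                '"ObjectId":"https://example.sharepoint.com/sites/demo/report.docx"}'
}
$sample | ConvertFrom-AuditRecord

# Against a live tenant (hypothetical output path):
# Get-AuditLogPaged -StartDate "6/16/2019" -EndDate "6/17/2019" `
#     -Operations FileDownloaded, FileDeleted |
#     ConvertFrom-AuditRecord | Sort-Object CreationTime |
#     Export-Csv .\audit-2019-06-16.csv -NoTypeInformation
```

ReturnLargeSet returns records unsorted and a single session can page through at most 50,000 results, so sort after collection and split longer periods into smaller date windows.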

Why is Office 365 auditing required?

With more and more users working from home, companies want to keep control of the organization. People are connecting from various unsecure devices, and with the BYOD philosophy we have little control over how the end user will choose to connect to the company environment.

Organizations also need to create a comprehensive compliance plan to fulfill regulations like CCPA, GDPR, HIPAA, PCI DSS and others.

I have explained before how to perform auditing of the on-prem farm here: https://www.lemonbits.com/2018/09/27/sharepoint-audit-logs

The good people at SysKit wrote two similar articles on how to navigate through Office 365 admin audit logs, so please feel free to learn more about Office 365 auditing in general.

Let me know in the comments below if you would like me to cover Office 365 auditing in more detail.

Copyright © 2019 Frane Borozan. All rights reserved