November 8, 2022
The CoreView Team

The Office 365 audit log is your go-to tool for tracking user and administrative activity in your tenant. You can check user log-in patterns, communication, file view, edit, and share actions. 

Office 365 audit logs show administrators the what, who, where, when, and how of any event (user action) in their environment. 

By default, audit logging is turned on for Office 365 and Microsoft 365 enterprise organizations. That means you can review past user actions in your tenant even if you've never done so before. 

Audit logging can be turned off by a global administrator. So only trusted senior managers should have global admin access. 

How to Check Audit Logs in Office 365

Go to the Microsoft 365 Admin Center and select the security tab in the left pane. Click on the audit button to open the audit log page. You can search the audit log based on time, activities, and users. 

For example, if you consider an employee or guest user a data leak risk, you can check their activities through audit logs. 

Enter and select the suspected user's name in the user field, choose a date range, and specify an activity to filter for. In this case, you should enter "deleted file" or "file download" as the activity you want to check for.

Office 365 Audit Log Features 

Office 365 audit trail offers an array of functions compared to the SharePoint audit logs. 

Central location for all logs: Office 365 collates the audit logs of all the apps in your environment in one unified, searchable log. 

As an admin, you can view the logs for SharePoint, OneDrive, Azure AD, Teams, etc. You will find the audit logs for your organization in the Office 365 Security & Compliance Center. 

Over 999 event types recorded: Microsoft 365 audit log captures about 1000 event types in an environment, including edit, share, create a folder, file download, etc. 

100s of metadata stored: Office 365 shares what, when, where, how, and who for every event in your environment. It also shares granular information such as the IP, location, username, time zone, and browser of the user who performed an action under review. 

How to Set Audit Log Retention Policy in Office 365

You can only create an audit log retention policy from the compliance portal. Visit the portal and log in with a user account enabled to configure your organization's policy. 

Once logged in, find the audit tab in the left side pane. Click on the tab to access the audit log retention setup page. 

To create a policy, you need to fill in the policy name, description, duration, priority, users, and record type fields. Every field is required except the users and record type fields, which are interdependent. You can skip filling in the user field if you specify the record type for the policy.  

Must-know Office 365 Audit Log Retention Policy Setup Rules

Policy creation limit: Your organization can have a maximum of 50 audit log retention policies.

Special License for longer log retention period: Logs are retained for 90 days/365 days, depending on your license. The E3/E1 license saves audit data for 90 days (per user). 

You need an E5 license to retain an audit log for more than 90 days from the time the log was generated. If you want to retain an audit log for the maximum duration of 10 years, you will need a 10-year audit log retention add-on license in addition to an E5 license.

Depending on the industry, your company may need to keep data longer than 90 days or 365 days. This makes the 10-year audit log retention license important. If you cannot justify the cost, consider downloading and storing audit logs outside Office 365. 

Your audit data will be deleted after your audit trail retention period expires. You can use the add-on 10-year storage license to keep your audit data for up to 10 years. Again, your industry determines how long you should keep your data. 

Custom policy prioritization: Office 365 will honor your custom retention policy over the default retention policies in your environment. If you create a retention policy for Exchange mailbox activity that is longer than the default settings, the custom settings will override the default setting.

Audit download limit: Admins cannot download more than 50,000 event entries per download. So if your company creates between 50,000 – 100,000 events per day, you have to download the audit twice.

Office 365 Audit Log Use Cases for an Admin

The audit log is an Office 365 admin's silent watchdog. You can use it to implement and maintain compliance rules within the organization. It can also help you prevent data breaches, check fraud, and monitor performance. 

Meet compliance requirements: Office 365 audit log makes it easy for your company to file data handling reports to meet regulatory requirements. As an admin, you are responsible for ensuring compliance requirements are met in your department or across the board. 

Provide evidence for investigators or litigation: Audit log reports make it easy to prosecute erring team members who leak or misuse sensitive company data. You can pull records of the employee's activity in the 365 environment and answer the what, when, where, and how of the event. 

Also, when investigators request specific user activity data during an investigation, you can provide an accurate report. In the EU, companies are required to provide the information requested by a reliable institution for an ongoing investigation.

Investigate a compromised account: Using the audit log eliminates guesswork when investigating a compromised account. 

Admins are responsible for filling in reports when a breach occurs, and these reports need to be as clear as day. You can rely on audit logs for information to create a detailed report for investigation. 

Gain insight into product adoption and ROI: The audit log's product usage insights allow you to review a product's adoption level and determine the ROI. 

Purchasing an Office 365 service is a significant investment that must be justified in business use. You can use the Office 365 audit log to determine how your team is getting value from a service. 

Ensure Data sovereignty: You can use Office 365 audit log to get detailed information about access to company data from an unauthorized location.

If your company operates in a country with data sovereignty laws, you must monitor where users access company data. An employee on holiday outside the country shouldn't access geo-restricted data.

Top 10 Security Events to Monitor in Microsoft 365

Below are the ten most important security events to monitor in order to keep your privileged accounts and sensitive data out of the wrong hands.

  1. Changes to important roles
  2. Changes to groups
  3. Changes to applications
  4. Resource Creation
  5. Sharing Important Files/Links
  6. Guest Access in Teams
  7. Teams being created or deleted
  8. Forwarding of emails
  9. Non-Owner Mailbox Activity
  10. Failed Sign-in Attempts

1. Changes to Important Roles

APT29, also known as Cozy Bear, has been actively pursuing M365 deployments in 2022. In order to access Microsoft 365 resources covertly, the gang is disabling Microsoft Purview in order to gain admin rights and attack from within.

That is why administrators need to know when changes are made to important roles. To find this information, they can visit the Azure portal and search on the Core Directory service and the RoleManagement category, which will return a list of all changes to roles within their environment.

Alternatively, they can search the Unified Audit Log via the Office 365 Security & Compliance Center, which will also include the logs of all Microsoft 365 applications.

2. Changes to Groups

The main method for granting access to Active Directory resources is through groups. Additional group kinds are supported by Azure AD. 

Users can make their own groups and add other users to them while using programs like Teams and Outlook, for instance. Users occasionally form groups to facilitate more effective communication with customers, suppliers, and business partners, which raises the risk of unintentional disclosure of sensitive information. 

Go to the Azure portal and choose either the Directory service or GroupManagement categories under the Audit logs section to identify group changes in Azure AD.

3. Changes to Applications

Azure AD maintains multiple bridges between apps and services, including those hosted on-premises. This is a tool for collaboration and communication, but it also introduces points of failure.

Any improperly configured applications could end up being highly disruptive, especially if customers can't access the business' website or make payments, or if staff can't use the apps they need to do their jobs. As a result, it is necessary to be able to recognize and react to changes in applications in order to avoid potential downtime and lost income.

In the Azure portal, you can view the audit logs for each application you have installed. Most audit events come from either the ApplicationManagement or UserManagement categories, although you may need to drill through numerous events in order to find the ones that are relevant to you.

4. Resource Creation

When a user creates a Teams site, a number of additional resources are also created, such as Outlook calendars and group inboxes, a OneNote notebook, a SharePoint site, and more.

As one might anticipate, the fact that resources are being created automatically "under the hood" can pose a security risk if administrators are unaware of them or don't keep a close eye on them.

You can find the audit logs relating to the creation of resources in the Azure portal, by searching the UserManagement and GroupManagement categories under the Azure Active Directory section. Alternatively, you can search the Unified Audit Log in the Office 365 Security & Compliance Center, which will list all resources that are created and modified.

5. Sharing of Important Files and Anonymous Links

The open sharing capabilities of both SharePoint Online and OneDrive for Business introduce a number of security risks, as it makes it a lot easier to accidentally share sensitive data with the wrong recipients. 

To make matters worse, users are sometimes allowed to share a link to a document containing sensitive data, which external users can access anonymously.

In addition to monitoring the audit logs for anomalous sharing practices, it is generally a good idea to restrict the sharing capabilities of both platforms. 

To find events relating to file sharing and access request activities in SharePoint and OneDrive you will need to search the Unified Audit Logs in the Office 365 Security & Compliance Center.

6. Guest Access in Teams

As above, the ability for users to grant “Guest access” in Teams is another area that needs close attention.

In the wake of the pandemic, many organizations were scrambling to switch to a remote working model, and thus many chose to use Teams for remote collaboration and communication.

With that shift came a plethora of security challenges. Few organizations had spent the time to carefully review the sharing settings and prevent users from inviting guests, some of whom may be granted full access to a Team's files, chats, meetings, and so on.

To find a list of all Guest users (or user creation events), search the Unified Audit Log in the Office 365 Security & Compliance Center. You can also limit the search by date range. Alternatively, in the Azure portal you can perform a search using the following filters:

  • Service — Core Directory
  • Category — UserManagement
  • Activity — Add user

7. Teams Being Created or Deleted

In addition to monitoring Guest access in Teams, you will also want to keep a close eye on which Teams are being created and deleted. By default, users are granted the ability to create and delete Teams, as and when they choose.

While it is possible to disable this functionality, doing so will hinder collaboration. Not only that, but administrators may also want to create and delete Teams themselves, and those actions will also need to be monitored. Unfortunately, there’s no distinction between Microsoft 365 groups created by Teams, and other groups in Azure AD.

However, in the Azure portal you can narrow down the results by setting the Service to Core Directory and the Category to GroupManagement. As always, you can also search the Unified Audit Log in the Office 365 Security & Compliance Center, although this will take longer, and you will still need to filter the Microsoft 365 groups to find out which teams were created/deleted.

8. Forwarding of Inbound Email Messages

Forwarding inbound email messages is a perfectly sound practice. 

That said, it is generally a good idea for administrators to keep track of changes to email forwarding, as malicious actors will sometimes set up auto-forwarding on email accounts that they have compromised.

The problem, however, is that neither Azure AD nor Microsoft 365 allows administrators to monitor these changes in the audit logs. Instead, they must export the full Exchange Online audit logs as a CSV file, and search for {"name":"DeliverToMailboxAndForward","value":"True"}.
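The search described above can be scripted once the CSV is exported. The following is an added example, not CoreView's or Microsoft's code; it assumes the export has CreationDate, UserIds, Operations and AuditData columns with AuditData holding JSON, and the sample rows are constructed.

```python
import csv
import io
import json

def build_sample_export():
    """Constructed sample shaped like an audit log CSV export (not real data)."""
    rows = [
        ("2022-11-01T09:14:02", "alice@example.com", "Set-Mailbox",
         {"ObjectId": "alice", "Parameters": [
             {"Name": "DeliverToMailboxAndForward", "Value": "True"},
             {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external.example"}]}),
        ("2022-11-01T10:02:45", "bob@example.com", "Set-Mailbox",
         {"ObjectId": "bob", "Parameters": [
             {"name": "DeliverToMailboxAndForward", "value": "False"}]}),
        ("2022-11-01T11:30:00", "carol@example.com", "FileDownloaded",
         {"ObjectId": "https://example.sharepoint.com/report.xlsx"}),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for created, user, operation, data in rows:
        writer.writerow([created, user, operation, json.dumps(data)])
    return buf.getvalue()

def find_forwarding_changes(csv_text):
    """Return rows whose AuditData sets DeliverToMailboxAndForward to True."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row.get("AuditData") or "{}")
        except json.JSONDecodeError:
            continue  # damaged row: skip rather than abort the whole search
        if not isinstance(data, dict):
            continue
        params = {}
        for item in data.get("Parameters") or []:
            if isinstance(item, dict):
                # The page quotes lowercase keys; accept either case.
                pair = {str(k).lower(): str(v) for k, v in item.items()}
                params[pair.get("name", "").lower()] = pair.get("value", "")
        if params.get("delivertomailboxandforward", "").lower() == "true":
            target = params.get("forwardingsmtpaddress") or params.get("forwardingaddress")
            hits.append({"when": row["CreationDate"], "user": row["UserIds"],
                         "mailbox": data.get("ObjectId"), "target": target})
    return hits

if __name__ == "__main__":
    for hit in find_forwarding_changes(build_sample_export()):
        print(hit)
```

Parsing the JSON instead of matching the literal string catches rows where key case or spacing differs, and it surfaces the forwarding destination alongside the account that made the change.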

9. Non-Owner Mailbox Activity

It is not uncommon for a member of the technical support team to access mailbox accounts that are not theirs, and in some cases, employees use shared mailbox accounts. 

Likewise, administrators could easily grant themselves access to an executive’s account and snoop around.

Whatever the scenario, it’s generally not a good idea to allow users to access mailbox accounts that don’t belong to them, and if you do, be sure to monitor them for suspicious activity. 

Mailbox events can only be found in the Unified Audit Log, which allows you to view the following events:

  • Sent message using Send On Behalf permission
  • Added or removed user with delegate access to calendar/folder
  • Sent message using Send As permission
  • Added delegate mailbox permission
  • Removed delegate mailbox permission

10. Failed Sign-in Attempts

It is crucially important that you monitor all failed sign-in attempts, as attackers will frequently try to brute-force account passwords. 

To see a list of failed sign-in attempts, go to the Sign-ins screen under Monitoring, and select Failure from the Status drop-down menu. Then, you will need to scrutinize each of the listed sign-in events for malicious activity.
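To prioritize which failures to scrutinize first, the filtered list can be grouped by source address. The following is an added example, not code from the original article; the row layout (timestamp, user, source IP), the sample data, and the thresholds of five failures in ten minutes are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in rows as (timestamp, user, source IP); not real data.
SAMPLE_FAILURES = (
    [(f"2022-11-02T08:0{i}:00", "alice@example.com", "203.0.113.7") for i in range(6)]
    + [(f"2022-11-02T09:0{i}:30", f"user{i}@example.com", "198.51.100.20") for i in range(5)]
    + [("2022-11-02T10:15:00", "bob@example.com", "192.0.2.10"),
       ("2022-11-02T13:40:00", "bob@example.com", "192.0.2.10")]
)

def flag_failure_bursts(events, window=timedelta(minutes=10), min_failures=5):
    """Flag source IPs with at least min_failures failed sign-ins inside any window."""
    by_ip = defaultdict(list)
    for stamp, user, ip in events:
        by_ip[ip].append((datetime.fromisoformat(stamp), user))

    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            if len(burst) < min_failures:
                continue
            # Keep the largest burst seen for this address.
            if ip not in flagged or len(burst) > flagged[ip]["failures"]:
                users = {user for _, user in burst}
                flagged[ip] = {
                    "failures": len(burst),
                    "users": len(users),
                    "pattern": ("one account targeted" if len(users) == 1
                                else "many accounts targeted"),
                }
    return flagged

if __name__ == "__main__":
    for ip, summary in flag_failure_bursts(SAMPLE_FAILURES).items():
        print(ip, summary)
```

Isolated failures such as the two from 192.0.2.10 hours apart stay below the threshold, so the review starts with the addresses producing bursts.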

Maximize Office 365 Services and Security 

Microsoft has an array of security tools to help you use Office 365 services securely. However, you play a significant role in keeping your tenant secure. You must adopt a proactive approach to monitoring and managing your environment with Office 365 security tools. 

Adopting the CoreSuite is a simpler and more resource-efficient approach to using Office 365 services optimally. The CoreSuite provides a single interface to manage your Office 365 tenant. You can create security alerts based on your audit data in CoreSuite. 

If you want to optimize license expenditure, tighten access control, automate repetitive tasks, and drive team productivity, try CoreView.
