November 8, 2022
min read
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.
Two developers working on a computer

The Office 365 audit log should be your go-to tool for tracking user and administrative activity in your tenant. Use it to check user log-in patterns, communication, file view, edit, and share actions. Ultimately, it’s one of the best tools available for governing your Microsoft 365 and seeing what’s happening in your environment.

In this article:

  1. How to set up and enable audit logs in Office 365
  2. Creating audit log retention policies
  3. Recommendations for security events to audit
  4. Use cases for Microsoft 365 audit logs
  5. An alternative to Office 365 audit logs

Set up and enable audit logs in Office 365

Enabling audit logs within your organization requires distinct admin privileges. For example, the Audit Logs role is required to enable audit logs in Exchange Online. These privileges are assigned to global administrators by default. You can read more about the specific permissions levels required here.

Before you turn on audit logs in your M365 tenant, you’ll first need to confirm whether audit logging is currently enabled. To do so, you can run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled  

A response of “True” to the above command indicates that audit logging is currently enabled. Conversely, a response of “False” indicates that logging is currently disabled for your M365 environment.

It is worth noting that SharePoint logging needs to be turned on separately for each site collection. This can be accomplished in an automated fashion with PowerShell; however, there are limitations to this approach. You cannot, for example, connect to an exposed endpoint to collect specific logs for custom reports. Additionally, when retrieving logs from SharePoint, logs from all other services will be ignored, and thus won’t be included in the search results.

You will be able to see audit logs in M365 audit log search results for specific services as soon as 30 minutes after setup, but it can take up to 24 hours for all services to begin storing logs.

Checking audit logs in Microsoft 365

Go to the Microsoft 365 Admin Center and select the security tab in the left pane. Click on the audit button to open the audit log page. You can search the audit log based on time, activities, and users. 

Enter and select the suspected user's name in the user field, choose a date range, and specify an activity to filter for. In this case, you should enter "deleted file," or "file download" as the activity you want to check for.

Alternatively, you can access aggregated logs from these M365 services via the Microsoft Purview compliance portal or use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell to search this centralized collection of logs.

Your search results can be exported to a CSV file for additional processing as needed; however, log data retrieved in this format can be unwieldy as it will contain all manner of metadata that you will more than likely not need, and that will likely mask the data that you do need.

In addition to the above methods of accessing audit logs, you can also retrieve them programmatically via the available REST APIs.

For more insights on pulling log-on reports from Azure Active Directory, read this blog.

Creating audit log retention policies in Office 365

You can only create an audit log retention policy from the compliance portal. Visit and log in with a user account enabled to configure your organization's policy. 

Once logged in, find the audit tab in the left side pane. Click on the tab to access the audit log retention setup page. 

To create a policy, you need to fill in the policy name, description, duration, priority, users, and record type fields. Every field is required except the users and record type fields, which are interdependent. You can skip filling in the user field if you specify the record type for the policy.  

Did you know? According to research, 50% of Microsoft 365 users are not managed by default security policies. Read more here.

Rules for setting up Microsoft 365 audit log retention policies

Policy creation limits

Your organization can have a maximum of 50 audit log retention policies.

Special licenses for longer log retention periods

Logs are retained for 90 days/365 days, depending on your license. The E3/E1 license saves audit data for 90 days (per user). 

You need an E5 license to retain an audit log for more than 90 days from the time the log was generated. If you want to retain an audit log for the maximum duration of 10 years, you will need a 10-year audit log retention add-on license in addition to an E5 license.

Depending on the industry, your company may need to keep data longer than 90 days or 365 days. This makes the 10-year audit log retention license important. If you cannot justify the cost, consider downloading and storing audit logs outside Office 365. 

Your audit data will be deleted after your audit trail retention period expires. You can use the add-on 10-year storage license to keep your audit data for up to 10 years. Again, your industry determines how long you should keep your data. 

Custom policy prioritization

Office 365 will honor your custom retention policy over the default retention policies in your environment. If you create a retention policy for Exchange mailbox activity that is longer than the default settings, the custom settings will override the default setting.

Audit download limit

Admins cannot download more than 50,000 event entries per download. So if your company creates between 50,000 – 100,000 events per day, you have to download the audit twice.

Use cases for Microsoft 365 audit logs

Audit logs can help you better govern your Microsoft 365 environment for your organization. Here are use cases for using them to implement and maintain compliance rules within the organization—ultimately helping you prevent data breaches, check fraud, and monitor performance. 

Meet compliance requirements:

Office 365 audit log makes it easy for your company to file data handling reports to meet regulatory requirements. As an admin, you are responsible for ensuring compliance requirements are met in your department or across the board. 

Govern your Microsoft 365 environment: 

Audit logs provide a comprehensive view of activities within your Microsoft 365 environment, enabling you to identify patterns, detect anomalies, and see when certain policies are not being followed.

Watch my recent webinar on-demand for insights on how to create an action plan for governance in Microsoft 365.  

Provide evidence for investigators or litigation:

Audit log reports make it easy to prosecute erring team members who leak or misuse sensitive company data. You can pull records of the employee's activity in the 365 environment and answer what, when, where, and how of the event. 

Also, when investigators request specific user activity data during an investigation, you can provide an accurate report. In the EU, companies are required to provide the information requested by a reliable institution for an ongoing investigation.

Investigate a compromised account:

Using Audit log eliminates guesswork when investigating a compromised account. 

Admins are responsible for filling in reports when a breach occurs, and these reports need to be as clear as day. You can rely on audit logs for information to create a detailed report for investigation. 

Understand product adoption and ROI on investment:

Audit logs product usage insights allows you to review a product's adoption level and determine the ROI. 

Purchasing an Office 365 service is a significant investment that must be justified in business use. You can use the Office 365 audit log to determine how your team is getting value from a service. 

Ensure data sovereignty:

You can use Office 365 audit log to get detailed information about access to company data from an unauthorized location.

If your company operates in a country with data sovereignty laws, you must monitor where users access company data. An employee on holiday outside the country shouldn't access geo-restricted data.  

Recommended security events to monitor and audit in Microsoft 365

From my 16 years of experience in Microsoft and IT, these are the top security events I recommend you to monitor. Auditing these events regularly will help your organization ensure better governance, compliance and security for Microsoft 365.  

See how to automate governance to monitor and enforce policies with CoreView.

1. Changes to important roles

APT29, also known as Cozy Bear, has been actively pursuing M365 deployments since 2022. In order to access Microsoft 365 resources covertly, the gang is disabling Microsoft Purview in order to gain admin rights and attack from within.

That is why it is important that administrators need to know when changes are made to important roles. To find this information, they can visit the Azure portal, and perform a search on the Core Directory service and RoleManagement categories, which will return a list of all changes to roles within their environment.

Alternatively, they can search the Unified Audit Log via the Office 365 Security & Compliance Center, which will also include the logs of all Microsoft 365 applications.

2. Changes to Groups

The main method for granting access to Active Directory resources is through groups. Additional group kinds are supported by Azure AD. 

Users can make their own groups and add other users to them while using programs like Teams and Outlook, for instance. Users occasionally form groups to facilitate more effective communication with customers, suppliers, and business partners, which raises the risk of unintentional disclosure of sensitive information. 

Go to the Azure portal and choose either the Directory service or GroupManagement categories under the Audit logs section to identify group changes in Azure AD.

PULL BOX:  “Coreview gives the subsidiaries of large groups autonomy in the administration of M365 subscriptions, while reducing risk.” Read the rest of the review here.

3. Changes to applications

Multiple bridges between apps and services, including those hosted on-premises, are maintained by Azure AD. This introduces failure spots while also being a tool for collaboration and communication.

Any improperly configured applications could end up being highly disruptive, especially if customers can't access the business' website or make payments, or if staff can't use the apps they need to do their jobs. As a result, it is necessary to be able to recognize and react to changes in applications in order to avoid potential downtime and lost income.

In the Azure portal, you can view the audit logs for each application you have installed. Most audit events come from either the ApplicationManagement or UserManagement categories, although you may need to drill through numerous events in order to find the ones that are relevant to you.

4. Resource creation

When a user creates a Teams site, a number of additional resources are also created, such as Outlook calendars and group inboxes, a OneNote notebook, a SharePoint site, and more.

As one might anticipate, the fact that resources are being created automatically "under the hood" can pose a security risk if administrators are unaware of them or don't keep a close eye on them.

You can find the audit logs relating to the creation of resources in the Azure portal, by searching the UserManagement and GroupManagement categories under the Azure Active Directory section. Alternatively, you can search the Unified Audit Log in the Office 365 Security & Compliance Center, which will list all resources that are created and modified.

5. Sharing important files and anonymous links

The open sharing capabilities of both SharePoint Online and OneDrive for Business introduce a number of security risks, as it makes it a lot easier to accidentally share sensitive data with the wrong recipients. 

To make matters worse, users are sometimes allowed to share a link to a document containing sensitive data, which external users can access anonymously.  

Check out these tips for managing external users in your Microsoft 365 tenant. Download now.  

In addition to monitoring the audit logs for anomalous sharing practices, it is generally a good idea to restrict the sharing capabilities of both platforms. 

To find events relating to file sharing and access request activities in SharePoint and OneDrive you will need to search the Unified Audit Logs in the Office 365 Security & Compliance Center.

6. Guest access in Teams

As above, the ability for users to grant “Guest access” in Teams is another area that needs close attention.

In the wake of the pandemic, many organizations were scrambling to switch to a remote working model, and thus many chose to use Teams for remote collaboration and communication.

With that shift came a plethora of security challenges. Few organizations had spent the time to carefully review the sharing settings, and thus prevent users from inviting guests – some of whom may be granted full access to Team’s files, chats, meetings, and so on.

To find a list of all Guest users (or user creation events), search the Unified Audit Log in the Office 365 Security & Compliance Center. You can also limit the search by date range. Alternatively, in the Azure portal you can perform a search using the following filters:

  • Service — Core Directory
  • Category — UserManagement
  • Activity — Add user

7. Teams being created or deleted

In addition to monitoring Guest access in Teams, you will also want to keep a close eye on which Teams are being created and deleted. By default, users are granted the ability to create and delete Teams, as and when they choose.

While it is possible to disable this functionality, doing so will hinder collaboration. Not only that, but administrators may also want to create and delete Teams themselves, and those actions will also need to be monitored. Unfortunately, there’s no distinction between Microsoft 365 groups created by Teams, and other groups in Azure AD.

However, in the Azure portal you can narrow down the results by setting the Service to Core Directory and the Category to GroupManagement. As always, you can also search the Unified Audit Log in the Office 365 Security & Compliance Center, although this will take longer, and you will still need to filter the Microsoft 365 groups to find out which teams were created/deleted.

Looking for an alternative way to manage and secure Microsoft Teams? See how CoreView helps organizations with Teams governance and compliance.

8. Forwarding inbound email messages

Forwarding inbound email messages is a perfectly sound practice. 

That said, it is generally a good idea for administrators to keep track of changes to email forwarding, as malicious actors will sometimes set up auto-forwarding on email accounts that they have compromised.

The problem, however, is that neither Azure AD nor Microsoft 365 allow administrators to monitor these changes in the audit logs. Instead, they must export the full Exchange Online audit logs as a CSV file, and search for {“name”:”DeliverToMailboxAndForward”,”value”:”True”}.

9. Non-owner mailbox activity

It is not uncommon for a member of the technical support team to access mailbox accounts that are not theirs, and in some cases, employees use shared mailbox accounts. 

Likewise, administrators could easily grant themselves access to an executive’s account and snoop around.

Whatever the scenario, it’s generally not a good idea to allow users to access mailbox accounts that don’t belong to them, and if you do, be sure to monitor them for suspicious activity. 

Mailbox events can only be found in the Unified Audit Log, which allows you to view the following events;

  • Sent message using Send On Behalf permission
  • Added or removed user with delegate access to calendar/folder
  • Sent message using Send As permission
  • Added delegate mailbox permission
  • Removed delegate mailbox permission
“Coreview is an easy to use Microsoft 365 license and governance management tool.” Read the full review on G2.

10. Failed sign-in attempts

It is crucially important that you monitor all failed sign-in attempts, as attackers will frequently try to brute-force account passwords. 

To see a list of failed sign-in attempts, go to the Sign-ins screen under Monitoring, and select Failure from the Status drop-down menu. Then, you will need to scrutinize each of the listed sign-in events for malicious activity

What are audit logs?

Audit logs are an internal record of events that take place in your M365 environment. They show administrators what, who, where, when, and how of any event (user action) in their environment.

These events can be all sorts of things, such as administrative actions like changes in tenant configuration settings in Exchange and SharePoint and user actions like page and file views throughout the system.

They are collected from services within your M365 environment independently from each other, and so they contain distinct information according to their source. For example, audit logs collected from SharePoint sites include the following information:

  • Items that have been edited
  • Items that have been checked in and checked out
  • Items that have been moved or copied to other locations in the site collection
  • Items that have been deleted or restored
  • Changes to content types and columns
  • Search queries
  • Changes to user accounts and permissions
  • Changed audit settings and deleted audit log events
  • Workflow events
  • Custom events

By default, audit logging is turned on for Office 365 and Microsoft 365 enterprise organizations. That means you can review past user actions in your tenant if you've never done so. Since it can be turned off by a global administrator, only trusted senior managers should have global admin access. 

When audit logs are enabled, user and admin activity within your M365 environment is collected and stored for 90 days, and potentially longer depending on your license type.

Microsoft 365 audit log features

Office 365 audit trail offers an array of functions compared to the SharePoint audit logs. It collates the audit logs of all the apps in your environment in one unified, searchable log.  

As an admin, you can view the logs for SharePoint, One Drive, Azure AD, Teams, etc. You will find the audit logs for your organization in Office 365 security & compliance center.  

Over 999 event types recorded: Microsoft 365 audit log captures about 1000 event types in an environment, including edit, share, create a folder, file download, etc.  

100s of metadata stored: Office 365 shares what, when, where, how, and who for every event in your environment. It also shares granular information such as the IP, location, username, time zone, and browser of the user who performed an action under review.

An alternative solution to audit and govern Microsoft 365

Microsoft has an array of tools to help you govern and secure Microsoft 365. But, that still means you must be proactive when monitoring and managing your environment with the tools available.

Adopting CoreSuite is a simpler and resource-efficient approach to using Office 365 service optimally. With CoreSuite, you can:

  • Monitor and alert IT admins if something unusual occurs with advanced auditing & incident response
  • Ensure ongoing compliance with both internal and external policies and regulations with continuous monitoring and alerting
  • Prevent future security threats with automated resolution

Learn how CoreView helps organizations govern Microsoft 365 with automation or explore the benefits of our advanced auditing and incident response. Or, if you’d like to see for yourself how it works, take a self-guided tour of the product today.​

Get a personalized demo today

Created by M365 experts, for M365 experts.