
How to Monitor Office 365 Activity Logs for Improved Security

Looking to enhance the security of your Office 365? It’s crucial to monitor the activity logs of Office 365, and Microsoft’s unified Office 365 audit logging portal provides a single platform to do that.

In this article, we explore an overview of the Office 365 unified audit logging. 

Then, we learn the licensing and permission requirements to use the Microsoft 365 unified audit log. Moreover, this section includes steps to check if you meet these requirements and what to do if you don’t. 

Next, we examine how to check if unified audit logging is enabled for your organization. Then, we discuss the steps to enable it through the Microsoft compliance portal or Windows PowerShell.

Once audit logging is enabled, we cover how to search, view, and export Office 365 audit logs to CSV. Finally, we show how to monitor and analyse the 365 activity logs to improve your organization’s security.

Overview of the Office 365 Unified Audit Logging

Microsoft 365 (M365) is a set of cloud-based services. Some services included in M365 are Azure Active Directory, Exchange Online, and SharePoint Online.

The services included in M365 depend on your subscription.

With so many Office 365 services, admins face the considerable challenge of monitoring the activity logs of the various services to improve the organization's security. The good news is that the Microsoft Purview compliance portal offers Microsoft 365 admins a single location to enable unified auditing.

You may wonder which Microsoft 365 services support unified auditing. To view all the services you can monitor, see the list on the Microsoft 365 services that support auditing page.

Microsoft 365 Audit Log Licensing and Permissions

Microsoft offers two versions of the Microsoft Purview Audit, which allows you to enable, search for and monitor Microsoft 365 unified audit logs.

So, you get Microsoft Purview Audit (Standard) or (Premium), depending on your organization’s Microsoft 365 subscription and licensing.

Additionally, admins that need to run audit log reports must be granted the required permissions.

To configure the licensing and user permission requirements, complete these steps. 

Step 1: Confirm that Your Organization Meets Subscription / User Licensing Requirements

To access the Microsoft 365 unified audit log, your organization must have a minimum of Microsoft Business Basic/Standard subscriptions. It is the same as the Azure AD Premium P1 license.

By contrast, to access the Audit (Premium) feature, you require at least the Microsoft 365 Enterprise E5 subscription.

Follow the steps below to check your assigned subscription. 

1. Follow the steps in our article, How to Connect to Office 365 using PowerShell, to install the MSOnline PowerShell Module. Then, connect to Office 365.
2. Run the Get-MsolAccountSku command to list the Microsoft 365 licenses available in your tenant.

				
					Get-MsolAccountSku
				
			

3. Next, run the command below to return the license your admin has assigned to you.

				
					Get-MsolUser | Where-Object { ($_.Licenses[0].AccountSkuId -eq "License_AccountSkuId") -and ($_.UserPrincipalName -eq "name@domainname.com" ) } | Select-Object UserPrincipalName, DisplayName -ExpandProperty Licenses
				
			

Replace the License_AccountSkuId with the AccountSkuId (the license name) from the last command. Also, replace name@domainname.com with your Office 365 UPN. 

Check the value that the last command displays in the AccountSkuId property. Then, compare that with the Microsoft 365 licensing requirements.

Finally, if the license your admin assigned you is listed, check the Microsoft 365 permission requirements using the steps in the following subsection. 

Step 2: Confirm that Your Account Meets the Permission Requirements

To view and run Office 365 unified audit log searches, admins or users must be assigned the View Only Audit Logs or Audit Logs role in Exchange Online. The Compliance Management and Organization Management role groups have the required permissions by default. 

Furthermore, members of the Office 365 Global Administrators group are added to the Organization Management role group in Exchange Online by default.

Follow the steps below to check whether an account has the required permission to enable and search the audit logs. If you’re a Global Admin for your Office 365 tenant, ignore the steps below and proceed to the next section.

1. Open the Exchange Online admin center via admin.exchange.microsoft.com. Next, expand Roles and click “Admin Roles.” 
2. In the search box of the “Admin roles” page, enter “management” to return only roles that include that term. Then, click the Compliance Management role.

3. On the Compliance Management role flyout, click the “Assigned” tab. All users listed in this tab have permission to view and search audit logs.

To add a user to this role, click the “+ Add” button – see the second screenshot. 

4. Repeat step 3 for the Organization Management role.

Check the Current Status of Audit Logging for Your Organization

Before using the Microsoft compliance portal to monitor Office 365 activity logs for improved security of your organization’s services, you must enable audit monitoring. Audit logging is enabled by default in organizations with Microsoft 365 and Office 365 enterprise subscriptions.

However, Microsoft may not enable auditing by default in some Microsoft 365 subscriptions. So, it is a good idea to confirm that auditing is enabled in your O365 tenant before proceeding.

Follow the steps below to check the current auditing status. 

1. Use the steps in our Connect to Exchange Online using PowerShell article to connect to your Exchange Online tenant.
2. Once you’ve connected to Exchange Online, run the command below:

				
					Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
				
			

The screenshot below shows all the commands you need to install the Exchange Online PowerShell module, connect, and run Get-AdminAuditLogConfig to determine whether auditing is enabled for your organization.

If the Get-AdminAuditLogConfig command returns the UnifiedAuditLogIngestionEnabled property as True, unified auditing is turned on for your organization. If it returns a value of False, auditing is not turned on.

So, from the result of my Get-AdminAuditLogConfig command, auditing is NOT turned on, since the value is False. If this is your situation, proceed to the following section to enable auditing.

Enable Office 365 Unified Audit Logs

Microsoft offers 2 methods to enable Office 365 audit logs so that you can monitor user activity for improved organization security: the Compliance Portal or PowerShell.

Enable Auditing Using the Compliance Portal

1. Open compliance.microsoft.com.
2. Navigate to the Solutions section and click Audit. Alternatively, open the Audit section directly by clicking compliance.microsoft.com/auditlogsearch.

3. Finally, to enable the Microsoft 365 unified audit log, click “Start recording user and admin activity.”

Please note that it may take up to 60 minutes for the change to take effect.

Enable Auditing Using Windows PowerShell

If you still have the PowerShell console open where you connected to the Exchange Online PowerShell module, run the commands below to enable unified M365 auditing. You must run the first command before the second.

You may receive an error message if you run the Set-AdminAuditLogConfig command without running the Enable-OrganizationCustomization command first.

				
					Enable-OrganizationCustomization
				
			
				
					Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
				
			

Note that the Enable-OrganizationCustomization command takes a while to complete. Also, after enabling unified audit logging, it may take up to 60 minutes to take effect.

Then, re-run the Get-AdminAuditLogConfig command to confirm the audit logging status.

				
					Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
				
			

If you successfully enabled auditing via the Compliance Portal or Windows PowerShell, the last command should return the UnifiedAuditLogIngestionEnabled as True. See the screenshot below. 

Finally, you may turn off unified audit logging for your Microsoft 365 organization by running the command below.

				
					Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
				
			

Search and Monitor Office 365 Audit Activity Logs for Improved Security

With audit logging enabled, let’s explore how to search the unified audit log for relevant user and admin activities.

In this section, we show you how to run an audit log search and export the result to CSV. Additionally, we explain how you analyse the exported Office 365 Activity Logs for improved Security.

Step 1 (Option 1 of 2): Run an Office 365 Audit Log Search in the Compliance Portal

1. Open the Microsoft Compliance Audit page at compliance.microsoft.com/auditlogsearch. Then, set the search criteria following the numbering in the screenshot below:

(1) Date and time range (UTC): The audit search tool selects the last 7 days by default. 

However, you can select a date range of up to 90 days from the start date. Note that selecting more than 90 days returns an error message.

(2) Keyword Search: if you need the Office 365 unified audit tool to find logs about a word or phrase, enter it in this field. 

(3) Activities: a drop-down with a long list of checkboxes.

(4) Record Type: search for specific record types like Azure Active Directory.

(5) Workload: To filter the search criteria by workload, click the drop down and check the Office 365 service from which you wish to view audit logs. 

(6) Users: to filter the audit logs for specific users, use the search criterion to enter their names. If you leave the user field blank, the Compliance Portal search tool returns audit logs for all users across your Microsoft 365 services.

(7) Files, folders, or sites: search for activity related to a file or folder containing a specific keyword by typing some or all of its name. You can also specify a file’s or folder’s URL.

(8) Search name: give the search a name, then click Search. Finally, to view the status of the reports, click Refresh.

Step 1 (Option 2 of 2): Run an Office 365 Audit Log Search Using PowerShell

You can also use PowerShell to perform Office 365 audit log searches. You do not need to use PowerShell if you have already used the Compliance Portal.

1. Connect to Exchange Online using PowerShell by running the following commands in order:

				
					Install-Module -Name ExchangeOnlineManagement
					Import-Module -Name ExchangeOnlineManagement
					Connect-ExchangeOnline -UserPrincipalName username@DomainNAme.com #change "username@DomainNAme.com" to your M365 UPN

				
			

2. Once connected to Exchange Online, run the Search-UnifiedAuditLog cmdlet to search the Microsoft 365 unified audit log.

The StartDate and EndDate parameters are the only required parameters for this cmdlet. However, the cmdlet has other parameters. 

The commands below search for all audit logs in the past 30 days. 

				
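					$EndDate = Get-Date
					$StartDate = (Get-Date).AddDays(-30)
					# Without -ResultSize the cmdlet returns at most 100 records; 5000 is the maximum per call
					Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000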
				
			

The command returns audit log data for the date range you specify with the StartDate and EndDate parameters. Note that the Start date must be earlier than the end date.

Step 2: View and Export the Office 365 Audit Activity Logs

Export the report to CSV from the Compliance Portal or via PowerShell.

Click on a report to export it from the Compliance Portal. Then, click the Export button. 

The New Search audit report yielded no results when we wrote this article in May 2023. I suspect that there was a bug with it. 

So, we used the Classic Search instead. Finally, to download the audit logs, click “Export,” then select “Download all results.”

Alternatively, if you prefer to export the result of your Microsoft 365 unified audit log using PowerShell, use the script below.

The script includes some of the commands in the “Step 1 (Option 2 of 2): Run an Office 365 Audit Log Search Using PowerShell” section.

				
					Install-Module -Name ExchangeOnlineManagement
					Import-Module -Name ExchangeOnlineManagement
					Connect-ExchangeOnline -UserPrincipalName "username@DomainNAme.com" #change "username@DomainNAme.com" to your M365 UPN
					$StartDate = (Get-Date).AddDays(-30)
					$EndDate = Get-Date
					# Run the Search-UnifiedAuditLog cmdlet and store the results in a variable.
					# Without -ResultSize only the first 100 records are returned; 5000 is the maximum per call.
					$auditLogResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000

					# Convert the AuditData JSON string of each result into a PowerShell object and select the desired properties
					$table = $auditLogResults.AuditData | ForEach-Object {
					    $auditData = ConvertFrom-Json $_
					    [PSCustomObject] @{
					        CreationTime = $auditData.CreationTime
					        RecordType = $auditData.RecordType
					        "Op Performed By" = $auditData.UserDisplayName
					        "Op UserType" = $auditData.UserType
					        "Op UserKey" = $auditData.UserKey
					        "Op ClientIP" = $auditData.ClientIP
					        Operation = $auditData.Operation
					        ResultStatus = $auditData.ResultStatus
					        ModifiedProperties = ($auditData.ModifiedProperties | Out-String).Trim()
					    }
					}

					# Display the resulting table
					$table | Format-Table
					# Export the resulting table to a CSV file
					$table | Export-Csv -Path "D:\report\auditLogResults.csv" -NoTypeInformation

				
			

The script displays the results on the PowerShell console and exports them to a CSV file.

Step 3: Analyze the 365 Activity Logs and Use them for Improved Security

Some organizations monitor Office 365 activity logs for improved security, while others do so for compliance purposes.
After exporting M365 audit logs, the next step is to analyse them.

We included a sample report we exported using the above PowerShell script. 

When using the report to improve security, look for patterns and potential actions that may lead to security breaches. Conversely, if you require the audit logs for compliance purposes, search for instances of compliance breaches.
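One way to start the pattern review described above, as an added example that is not part of the original article: it flags sensitive admin operations (including the Set-AdminAuditLogConfig cmdlet shown earlier, which can turn auditing off) and groups failed sign-ins by client IP. The function name, threshold, operation watch list and sample rows are assumptions constructed for illustration; the column names are those written by the export script above.

```powershell
# Constructed sample rows; columns match the CSV produced by the export script above.
$sampleCsv = @'
"CreationTime","RecordType","Op Performed By","Op UserType","Op UserKey","Op ClientIP","Operation","ResultStatus","ModifiedProperties"
"2023-05-02T08:01:10","15","","0","alice@example.com","203.0.113.7","UserLoginFailed","Failed",""
"2023-05-02T08:01:25","15","","0","bob@example.com","203.0.113.7","UserLoginFailed","Failed",""
"2023-05-02T08:01:41","15","","0","carol@example.com","203.0.113.7","UserLoginFailed","Failed",""
"2023-05-02T09:12:00","15","","0","alice@example.com","198.51.100.20","UserLoggedIn","Success",""
"2023-05-03T14:30:05","8","","2","admin@example.com","198.51.100.20","Add member to role.","Success","Role.DisplayName"
"2023-05-03T14:42:19","1","","2","admin@example.com","198.51.100.20","Set-AdminAuditLogConfig","True",""
'@

function Find-AuditLogFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $FailedLoginThreshold = 3,   # assumed threshold; tune it for your tenant
        # Assumed watch list: changes to audit settings, role membership and inbox rules.
        [string[]] $SensitiveOperations = @('Set-AdminAuditLogConfig', 'Add member to role.', 'New-InboxRule')
    )

    # Finding 1: sensitive admin operations, reported one row per event.
    foreach ($row in ($Rows | Where-Object { $_.Operation -in $SensitiveOperations })) {
        [PSCustomObject]@{
            Finding = 'SensitiveOperation'
            Key     = $row.'Op UserKey'
            Detail  = "$($row.Operation) at $($row.CreationTime) from $($row.'Op ClientIP')"
            Count   = 1
        }
    }

    # Finding 2: many failed sign-ins from one client IP (possible password spraying).
    $Rows | Where-Object { $_.Operation -eq 'UserLoginFailed' } |
        Group-Object -Property 'Op ClientIP' |
        Where-Object { $_.Count -ge $FailedLoginThreshold } |
        ForEach-Object {
            [PSCustomObject]@{
                Finding = 'RepeatedFailedLogins'
                Key     = $_.Name
                Detail  = 'Accounts: ' + (($_.Group.'Op UserKey' | Sort-Object -Unique) -join ', ')
                Count   = $_.Count
            }
        }
}

$findings = Find-AuditLogFinding -Rows ($sampleCsv | ConvertFrom-Csv)
$findings | Format-Table -AutoSize
```

To run it against a real export, pass `Import-Csv -Path "D:\report\auditLogResults.csv"` as the -Rows argument instead of the sample.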

How to Monitor Office 365 Activity Logs for Improved Security Conclusion

In conclusion, by monitoring Office 365 activity logs, you enhance the security of your organization. Throughout this guide, we covered the following:

  • An overview of the Office 365 Unified Audit Logging, including the Microsoft 365 services it supports.
  • Microsoft 365 Audit Log licensing and permissions, which are necessary for monitoring Office 365 activity logs.
  • The steps to check the current status of audit logging for your organization.
  • The steps to enable Office 365 Unified Audit Logs via Compliance Portal and PowerShell.
  • How to search and monitor the Office 365 audit activity logs, allowing you to use them to improve your organization’s security.

By following these steps, you stay on top of potential security breaches and protect your organization’s sensitive information. 

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
