When you manage Microsoft 365 tenants you need to audit what is happening in your environment.
Audit logs and usage reports allow to track Office 365 apps, users, admins and activities across data in Microsoft 365.
Learn how to use Office 365 audit log and track activities in a Microsoft 365 environment.
Why you should track Office 365 Audit Logs?
When you need to maintain and administer Office 365 tenant audit logs of all activities are required.
Nowadays more and more critical data is stored in Microsoft 365 services, like SharePoint or OneDrive. C-level users with their emails and data are already there.
And sooner or later you will be asked to audit what happened with critical organization data or who downloaded or stole the specific files about your customers. Thankfully Microsoft 365 gathers detailed logs of all activities across Office 365 apps.
Monitoring Office 365 using audit logs is essential for maintaining a secure, compliant, and efficiently functioning environment. Regular review the helps to recognize threats, offers insights for optimization, and provides a trail of evidence for both operational and legal purposes.
How to use Office 365 Audit Log?
Microsoft 365 Audit logs are available in the dedicated audit search portal in the Microsoft Purview portal. You will find there a section Audit that allows you to search through logs across all Office 365 apps
To open Office 365 Audit logs visit: https://compliance.microsoft.com/auditlogsearch
On the Audit Log search, you will get access to a useful search engine that could help you review gathered logs.
You can use multiple filters to find the precise results:
- Date and time – filter the time when specific activity happened
- Keywords – you add specific Keywords for your search request
- Activity – friendly name – you will find here hundreds of activities, like accessing file, signing to SharePoint, performing email search and more.
- Activity – operational name – you can search for the activities using their specific names, like FileAccessed, FileModified, or SensitivityLabelApplied
- Record types – you can filter specific group of operations
- Users – you can select specific users
- File, folder or site – you can look for the specific address of file or site
- Workloads – you can filter results to specific workloads, like Teams, SharePoint or Exchange
- Admin units – you can also limit search results to Administrative unites created across Microsoft 365 tenant
- Search name – name for your search request
After you set the search filters you can request the preparation of the requested log. It could take some time to deliver the results.
As a result, you receive an ultra-detailed log of all activities gathered in the Office 365 apps.
How long logs are retained in Office 365?
You need to remember that Office 365 logs gathered in Microsoft Purview are stored for 180 days. Previously it was limited to 90 days, but since 17th October 2023, this period has been extended.
You can extend the retention of your Microsoft 365 log for up to 10 years for audit purposes, but this requires additional add-on licenses.
What if data is not available in the Office 365 audit log?
The audit log in Microsoft Purview is turned on by default. If your audit log search does not contain any data it could mean that logging was turned off. To enable logging you will need to turn it on using PowerShell.
Can I export the audit log from Microsoft Purview?
Yes, you can export your filtered search results to a CSV file and use Excel to analyze the results more deeply.
You can also use filters in the generated search result to have more precise results from Office 365 audit logs.
Super! You learned how to audit Microsoft 365 using logs in the Compliance Center. Learn more about tools useful for administrators, like the PowerShell toolset, Rollouts of the new updates and self-service password reset service.
Do you want more?
Track and assess activities across Microsoft 365 using the Office 365 Audit Log service. Audit users, admins and activities using available logs.