If you need to manage security events, perform investigations and/or monitor compliance, the Microsoft 365 auditing solution could be your answer.

In this article we will explain how the ‘Audit’ capability works in Microsoft 365, and what applications you might want to apply ‘Audit’ too.

If you currently have a Microsoft licence and are not yet exploiting the Audit capability, then this article will help you to understand what it is and how you can utilise it within your company.

If you’d like to learn more about the audit and investigation capabilities of Microsoft 365, we have the prefect recommendation. Leadership Through Data offer a Microsoft 365 Audit & Investigation training course. The course is perfect for anyone associated with a type of role that provides an audit function for internal investigations at all levels, and especially for members of an Audit Team within the Police service. It provides hands on experience through the use of a virtual training environment. Find out more about the course here for UK, US or Australia.

How Microsoft 365 ‘Audit’ works

  1. User and admin tasks are captured, recorded, and retained in your organisation’s unified audit log. These tasks are performed across all Microsoft 365 services and solutions.
  2. Audit records for these events are searchable by roles such as: Security operations, IT admins, insider risk teams, compliance and legal investigators in your organisation.

Both these things provide visibility into the activities performed across your Microsoft 365 ecosystem.

To what content and services can Microsoft 365 ‘Audit’ be applied

The M365 Audit Log is a unified log capturing activities performed by users, automated processes and administrators across the following Microsoft Cloud services/features. 

Below are the Microsoft 365 services that ‘Audit’ may be applied to: 

  • Azure Active Directory
  • Microsoft Information Protection
  • Communication compliance
  • Content explorer
  • Data connectors
  • Data loss prevention (DLP)
  • Dynamics 365 CRM
  • eDiscovery
  • Exact Data Match
  • Exchange Online
  • Forms
  • Information barriers
  • Microsoft 365 Defender
  • Microsoft Teams
  • MyAnalytics, Workplace analytics /Viva Insights
  • OneDrive for Business
  • Power Apps
  • Power Automate
  • Power BI
  • Quarantine
  • Retention policies and retention labels
  • Sensitive information types
  • Sensitivity labels
  • Encrypted message portal
  • SharePoint Online
  • Stream
  • Threat Intelligence
  • Yammer 

How can I enable the Audit Log?

To use the Audit capabilities in Microsoft 365, you’ll need to enable the Audit Log. 

The Audit Log is enabled in current tenants by default. It can be disabled by a Global Administrator if required. 

In older Microsoft 365 tenants it may need to be manually enabled. Your Exchange Administrator will be able to run a PowerShell cmdlet to check the status of your Audit Log within your current Microsoft 365 tenant. 

Find out more about using PowerShell cmdlet.

What Audit Log activities can be searched in Microsoft 365?

There are thousands of searchable audit events, the following lists all activities.

If you want to learn more about each of these activities use this link.

  • Azure AD group administration activities
  • Application administration activities
  • Premium eDiscovery activities
  • Briefing email activities
  • Content explorer activities
  • Directory administration activities
  • Exchange admin activities
  • eDiscovery activities
  • Exchange mailbox activities
  • Folder activities
  • File and page activities
  • Information barriers activities
  • Microsoft Workplace Analytics
  • Microsoft Teams activities
  • Microsoft Teams Healthcare activities
  • Microsoft Teams Shifts activities
  • Microsoft Power Automate activities
  • Microsoft Power Apps activities
  • Microsoft Stream activities
  • Microsoft Forms activities
  • MyAnalytics activities
  • Power BI activities
  • Role administration activities
  • Microsoft Teams Shifts activities
  • Retention policy and retention label activities
  • SharePoint list activities
  • Sharing and access request activities
  • Synchronization activities
  • Sensitivity label activities
  • Site permissions activities
  • Site administration activities
  • Quarantine activities
  • User administration activities
  • Yammer activities

Learn more about Microsoft 365 Audit & Investigation

If you’d like to learn more about audit and investigation capabilities within Microsoft 365 please use the below links to find out more about Leadership Through Data’s Microsoft 365 Audit & Investigation training course. 

Here’s the main reasons why people choose to book onto this course: 

  • Audit for compliance to support company policy 
  • To check if people are doing malicious things 
  • Monitoring and looking for anything unusual 
  • To understand the art of the possible – define your policy using the tools available 

To see the full course overview, click on the country below that most closely matches your time zone: 

Australia – Microsoft 365 Audit & Investigation training course 

United Kingdom – Microsoft 365 Audit & Investigation training course 

United States – Microsoft 365 Audit & Investigation training course