Knowing who’s taking what action on which content in your site collection can be critical in helping your SharePoint environment stay secure and organized. Learn about SharePoint audit log reports and how to use them effectively.
An unaudited cloud repository, like SharePoint, can pose a risk for your organization. At best, this could be a cluttered IT environment. At worst, it could leave your network vulnerable to a costly data breach.
Fortunately, auditing SharePoint is a fairly simple process. In this blog, we look at SharePoint’s audit mechanisms and how to enable auditing in SharePoint Online.
Table of contents:
Understanding your SharePoint environment with audits and logs
SharePoint has built-in mechanisms for carrying out audits across your environment.
SharePoint audit logs allow you to analyze the files, lists, and folders in your cloud ecosystem and see how employees are using them. They’re a great way to gain wide visibility over your SharePoint environment.
For example, if documents are going missing in the network, or being mislabeled, you can see which users are responsible.
Running an audit log in SharePoint establishes consistency (for example, in how documents are named and stored) and ensures that any mistakes made are addressed quickly. A mislabeled document containing sensitive information (e.g. stored in a public folder) could be costly to an organization in the event of a security breach.
With SharePoint Online, you can audit the following activities:
- File and page activities
- Sharing and access request activities
- Site administration activities
- Directory administration activities
- Power BI activities
- Microsoft Teams Healthcare activities
- Power Automate activities
- Synchronization activities
- SharePoint list activities
- Site permissions activities
For a complete list of audited activities in SharePoint Online, check out the official Microsoft documentation.
How to configure audit settings in a site collection
The audit experience is now powered by the Unified Audit pipeline, and no longer supports trimming as a feature in SharePoint Online. You can access files that have already been trimmed in the document library.
Microsoft also no longer supports choosing specific events to edit. Audit log reports are still available but powered by the Unified Audit pipeline. Microsoft also does not support list items as of now.
To run audit log reports in SharePoint:
- Using a private browsing session (not a regular session), go to https://compliance.microsoft.com and sign in
- In the left pane of the compliance portal, click Audit
If the Start recording user and admin activity link is displayed on the Audit page, click it to turn on auditing. If you don’t see this link, auditing is turned on for your organization.
On the Search tab, configure the following search criteria:
- Start date and End date: Select a date and time range to display the events that occurred within that period. The maximum date range that you can specify is 90 days.
- Activities: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group.
- Users: Select one or more users to display search results or leave this box blank to return entries for all users (and service accounts) in your organization.
- File, folder, or site: Type some or all of a file or folder name to search for related activity. You can also specify a URL of a file or folder. Or, leave this box blank to return entries for all files and folders in your organization.
Then, click Search to run the search using your search criteria.
To learn more about how to run an audit log search, check out the official Microsoft documentation.
Limitations of SharePoint audit logs
SharePoint audit logs can be useful as a basic tool for performing SharePoint audits. They are, however, limited to those organizations wanting to perform ongoing or extensive audits. Here are some limitations of SharePoint audit logs:
No regular reporting capabilities
SharePoint requires that you manually export audit logs. To do this, click Export > Download all results. This option adds the data from the audit log to a CSV. For a large search, it takes a while to prepare the file for download. You can save the CSV file to your computer or access it via the Downloads folder.
No security alerts
SharePoint audit logs provide no security alerts. Users must comb through the data to discover contentious issues or security risks, which can be tricky for organizations with large amounts of audit data. It could also mean potentially missing security risks that can make your organization vulnerable to a data breach.
SharePoint audit trail takes up space
In SharePoint, the audit trail takes up a lot of space. You will have to configure audit log trimming for site collections in SharePoint, which can take time to set up and involves manual effort. You can configure audit log trimming by navigating to site collection audit settings and then going to the audit log trimming section.
Make SharePoint reporting easy
At ShareGate, we specialize in making security and reporting easier for IT admins, and our SharePoint reporting is no exception.
With SharePoint reporting and permissions management, you can automate key metric reporting for more reliable management that doesn’t add to your task lists. Stay on track and in the know, with the power to resolve security issues before they arise.
- Choose from an extensive selection of pre-built reports
- Build your own custom reports
- Schedule recurring reports
- Automatically export results to a SharePoint library
- Validate permissions and external users