What is Microsoft 365 audit logging, and how can it be accessed?

Compliance, security, productivity—your audit logs hold the keys. We show you how to access, understand, and act on them.
For many organizations, Microsoft 365 is the engine behind their operations, with everything from Exchange Online to SharePoint and Outlook fueling collaboration and decision-making across teams. That environment comes with a big responsibility for IT admins: maintaining a secure tenant that empowers compliance and user productivity.
Audit logs are your window into that world, tracking everything from admin actions and file usage to license changes and mailbox access.
But Microsoft 365 audit logs are not always easy to interpret, especially if you’re managing multiple workspaces, permissions, users, and admin roles.
This article breaks down why logging matters, what audit logs can (and can’t) tell you, and how IT teams can reduce complex PowerShell scripts to gain actionable insights and control over a secure, compliant, and well-run environment.
Why is Microsoft 365 logging important?
Let's say something happens within your Microsoft 365 tenant without explanation. Your IT team can use audit logs to check for answers.
Available in the Microsoft Purview compliance portal—or via PowerShell for advanced scenarios—audit logs let your organization track user and admin activity across Microsoft 365:
- User sign-ins and authentication attempts
- File, folder, and account activity in SharePoint Online and OneDrive
- Teams channel activity and chat edits or deletions
- Exchange Online mailbox access by admins or delegates
- Role assignments and permission changes
Audit logs give IT teams critical visibility and traceability to investigate security events, monitor risk and compliance, detect suspicious or unauthorized user activity in your tenant, and maintain documentation for regulatory audits.
But their importance goes beyond incident response. With Microsoft 365 audit logs, IT teams can tackle persistent governance challenges that risk your operations: ownerless Teams or SharePoint sites, guest access, user permissions for sensitive content, and proving compliance to leadership.
If you're not sure how to interpret the data, tools like ShareGate turn audit logs into clear, actionable insights. No manual digging or PowerShell required! You get the automation and context to clean up, monitor, and stay compliant.
Eager to start using your audit logs? Audit logging is typically on by default for most enterprise subscriptions. (You can check in your Microsoft Purview compliance portal!) Audit records are retained and searchable via the Purview audit log.
How do I perform an audit log search in Microsoft 365?
To investigate and secure your Microsoft 365 tenant, you’ll first need to know how to search your audit logs in Microsoft Purview:
Step 1: Enable audit logging (if not already enabled)
You can use PowerShell, but it's also as easy as going to the Microsoft 365 compliance center and checking whether audit logging is turned on for your tenant. If not, select “Start recording user and admin activity.” Heads up, it may take up to 60 minutes before data from your audit logs becomes available. And make sure your Entra ID roles and license level (such as E5) support audit logging.
Step 2: Go to the Microsoft Purview Portal
From the Microsoft Purview portal, navigate to Audit → Search. Make sure you’re assigned one of the required roles—Audit Logs or View-Only Audit Logs—before attempting to run searches.
Step 3: Use Audit Search
Set your date range, then filter your audit logs by:
- Activity (using friendly names or exact operation names)
- Users or record types
- Workloads such as Exchange Online, SharePoint Online, OneDrive, or Teams
- Specific files and SharePoint sites
Use the search box to get quick info from your audit logs, and name your search to save it for later. For advanced queries, you can also use Exchange Online PowerShell.
Step 4: Export or review results
Export your audit log results directly from the portal, or use Microsoft’s recommended method for automation: the Office 365 Management Activity API, which lets you pull audit data programmatically into other tools and services.
Best practices for working with Microsoft 365 audit logs
Getting meaningful observations about your users from your audit logs takes a structured approach:
- Understand the schema and event names in Microsoft’s audit log system: This helps you target the right activities and avoid missing critical user data.
- Export results to a CSV file to simplify filtering and sharing across teams: Quickly surface relevant M365 user activity and share the findings from your audit logs with stakeholders.
- Use third-party dashboards or visualization tools: Goodbye, PowerShell! With advanced data analysis features, you can easily detect anomalies and user trends in your audit logs.
- Ensure your team has the necessary roles and licensing in place: Best to check early if you have the appropriate E5 license so you’re not stuck waiting to investigate your tenant’s audit logs.
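To make the schema and CSV-export practices above concrete, here is an added example (not ShareGate's or Microsoft's code) that parses an exported audit CSV, merges events from several workloads into one timeline per user, and flags sharing and permission changes. The column layout (`CreationDate`, `UserId`, `Operation`, `AuditData`), the watch-list, and every sample value are assumptions constructed for illustration.

```python
import csv, io, json
from collections import defaultdict

# Illustrative watch-list (an assumption); extend it from Microsoft's audited-activities list.
WATCHED = {"AnonymousLinkCreated", "SharingSet", "Add-MailboxPermission", "MemberAdded"}

def build_sample_export():  # constructed sample export; users and URLs are made up
    rows = [  # (CreationTime in UTC, UserId, Workload, Operation, ObjectId), deliberately unsorted
        ("2024-05-01T09:14:40", "alex@contoso.example", "SharePoint", "AnonymousLinkCreated", "https://contoso.example/sites/hr/pay.xlsx"),
        ("2024-05-01T09:02:11", "Alex@contoso.example", "SharePoint", "FileAccessed", "https://contoso.example/sites/hr/pay.xlsx"),
        ("2024-05-01T10:30:05", "alex@contoso.example", "MicrosoftTeams", "MemberAdded", "HR Leadership"),
        ("2024-05-01T08:55:00", "admin@contoso.example", "Exchange", "Add-MailboxPermission", "ceo-mailbox")]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["CreationDate", "UserId", "Operation", "AuditData"])
    for ts, user, workload, op, obj in rows:
        detail = {"CreationTime": ts, "UserId": user, "Workload": workload, "Operation": op, "ObjectId": obj}
        out.writerow([ts, user, op, json.dumps(detail)])
    out.writerow(["2024-05-01T11:00:00", "alex@contoso.example", "FileDeleted", '{"CreationTime": "2024'])  # truncated cell
    return buf.getvalue()

def load_events(csv_text):
    """Parse the AuditData JSON of each row; return (events, number of unparseable rows)."""
    events, skipped = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            events.append(json.loads(row["AuditData"]))
        except (KeyError, TypeError, json.JSONDecodeError):
            skipped += 1  # count damaged rows so gaps in the evidence stay visible
    return events, skipped

def user_timelines(events):
    """Group events from every workload per user (case-insensitive), oldest first."""
    timelines = defaultdict(list)
    for event in events:
        timelines[event.get("UserId", "unknown").lower()].append(event)
    for timeline in timelines.values():
        timeline.sort(key=lambda e: e.get("CreationTime", ""))
    return dict(timelines)

def flag_sensitive(timeline):
    """Return (time, workload, operation, object) for watched operations only."""
    return [(e.get("CreationTime"), e.get("Workload"), e.get("Operation"), e.get("ObjectId"))
            for e in timeline if e.get("Operation") in WATCHED]

if __name__ == "__main__":
    events, skipped = load_events(build_sample_export())
    for user, timeline in user_timelines(events).items():
        print(user, flag_sensitive(timeline), "| unparseable rows:", skipped)
```

Check the header row of your own export before reusing this, since the column names here are assumed.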
Microsoft 365 logging and monitoring: Key activities tracked by audit logs
Microsoft 365 captures thousands of different audit events across services like SharePoint, OneDrive, Teams, Exchange, and Entra ID, with each workload generating its own set of detailed operation names. So understanding the specific activity types available in the Purview audit log is essential for accurate monitoring and investigation.
Tracing user actions from your audit logs and maintaining accountability starts with knowing what Microsoft 365 tracks in Purview.
SharePoint, Teams, and Exchange Online each generate detailed audit logs to monitor access, changes, and communication:
SharePoint audit reports
With SharePoint Online and OneDrive audit logs, you can catch permission changes, group updates, or external file sharing across site collections before any exposure or disruption to these Microsoft services.
Microsoft Teams activity logs
Your IT team wants to keep control over internal and external users. Using audit logs in Microsoft Teams helps you do that, clarifying events like membership changes, shared channel invites, external file sharing, meeting joins, and chat activity.
Exchange Online audit reports
These audit logs show who’s accessing accounts, user mailboxes, deleting emails, or changing permissions, making it easier to secure your email environment.
Remember, tools like ShareGate add more value to these audit logs by pulling your M365 events into centralized reports. IT teams can get clear insights about your Microsoft services without digging through raw data or complex PowerShell commands, which means better visibility for stakeholders and easier policy enforcement with users.
Four challenges of using Microsoft 365 audit logs
When investigating tenant changes, risks, or compliance issues, turning audit logs into something useful isn’t always straightforward. Without the right tools or specialized PowerShell expertise, admins spend more time wrangling user data than acting on insights. Here are a few common roadblocks:
- Complex user interface and search syntax: You need to format searches correctly in Microsoft Purview. Otherwise, even simple queries take time-consuming trial and error.
- Limited retention without premium licensing: Audit log retention varies by Microsoft 365 license. With Standard licensing, many events are only kept for a limited time, while Premium (E5/Audit Premium) tiers offer extended retention. Without the right license in place, older audit data may no longer be available when you need to investigate.
- Data spread across services (Microsoft Teams, SharePoint Online, OneDrive, Exchange Online, etc.): Tracking a user’s activity means jumping between tools and manually piecing together timelines with either PowerShell scripts or Excel formulas.
- Lack of contextual visibility into changes: Audit logs don’t explain how events fit into broader user activity trends in your tenant.
ShareGate helps you cut through these limitations through clear, actionable reports that pull together audit logs from SharePoint and Teams. Rather than being forced to jump between portals and admin centers, dive into PowerShell, or parse raw CSV exports, IT admins have one centralized place to quickly spot changes in your M365 environment, investigate access issues, fix them on the spot, and share findings with stakeholders.
Make M365 reporting easy with ShareGate
Audit logs tell you more than just which user did what. This foundational tool often provides your first clue that something’s off, giving you critical information for enforcing compliance, protecting data, and understanding your Microsoft 365 tenant. But without properly managing your audit logs or the expertise to manage PowerShell-driven workflows, you may miss critical security events or fall short of regulatory requirements.
You probably know ShareGate as one of the world's leading Microsoft 365 migration tools, but it's so much more than that. Built for the day-to-day reality of IT teams and your users, you can get visibility, automation, and answers from your audit logs without PowerShell scripts or digging through a CSV file or multiple admin centers. It’s the kind of reporting that helps your organization improve continuously, not just reactively.
These reporting capabilities also give you a deeper look at your environment—like full inventories, permission matrices, and shareable insights that make it easier to understand what exists today and how it’s being used:
- Get full inventory reports of your sites, lists, libraries, and workflows
- View a comprehensive permissions matrix for deeper access visibility
- Build and schedule reports that actually reflect what’s happening
- Export shareable reports
- Spot issues earlier with clear, shareable insights you can act on
Want to learn more about optimizing your audit logs and Microsoft license more broadly? Check out ShareGate’s technical documentation and explore the reports that make your job easier and your environment safer.
For ongoing governance, ShareGate Protect builds on that visibility by bringing oversharing, guest access, and workspace activity into one clear, unified view across Teams, SharePoint, Groups, and OneDrive. Protect highlights where risks live, groups issues by oversharing and sprawl, and provides in-context remediation so you can fix problems quickly and keep your environment organized and secure over time.
