Background image

Uncover user behavior with Office 365 activity logs

default post thumbnails default post thumbnails

Habit formation is the process by which our behaviors gradually become automatic. As we continue to repeat behavioral patterns, they become etched into our neural pathways. It’s the reason behind the phrase old habits are hard to break, and is equally why new habits can be hard to form.

The more we repeat these patterns, the more prominent they become in our neural pathways, regardless of whether it’s something healthy, like going for a run; or something harmful, like smoking cigarettes.

It’s not too far-fetched to consider Microsoft’s Office 365 platform as a brain, of sorts—a central location that’s responsible for getting work done, communicating with others, generating and sharing ideas, and much more. Within this technological brain, logging and reporting capabilities form the base on which technological neural pathways are etched. Unlike (and perhaps better than) the human brain, though, we’re able to look at these etchings and make sense of them.

For administrators, activity logs and reports are great methods for finding out the habits and tendencies of your users—how they navigate, where they spend the most time, and what they interact with most frequently. While this is a useful security measure, a better understanding of user activity also allows admins to prioritize and adhere to the more popular sites.

Office 365 Reporting For Duty Sir

The Reports page of the Office 365 Security & Compliance Center offers users a number of audit reports across both SharePoint Online, Exchange Online, and Azure Active Directory (AD). Users can view the following report types on the Report page:

Auditing reports consist of Azure AD reports, Exchange Audit reports and the Office 365 audit log report, the latter of which we’ll be going into more detail today.

Office 365 Audit Log

Originally the Office 365 Activity Report until April 2016, changes to the Office 365 Security & Compliance Center have made the audit log the primary source of viewing user and administrator activity across Office 365. The audit log is unified, meaning users can search for activity from the following locations:

  • SharePoint Online (user & admin activity)
  • OneDrive for Business (user activity)
  • Exchange Online (user activity)
  • Azure Active Directory (admin activity)
  • Sway (user & admin activity)

Audit logging isn’t an automatic feature in Office 365, so you must turn it on before you can begin searching the log. To do so, click start recording user and admin activity on the audit log search page in the Security & Compliance Center. You only have to do this once, and you can run a search just a couple of hours after turning audit logging on.

For a comprehensive guide on how to perform an audit log search, check out this Microsoft article.

PowerShell command for Office 365 Activity logs


For more flexibility over your analysis, you can use the Search-UnifiedAuditLog cmdlet within Exchange Online PowerShell. The unified audit log contains events from Exchange Online, SharePoint Online, OneDrive for Business and Azure AD.

By using the Search-UnifiedAuditLog, you can search for all events in a specified date range, or you can filter the results based on specific criteria. There’s also the ability to run scoped queries against the audit storage log and export those logs to a file. To run this cmdlet, you need to be assigned a certain set of permissions beforehand. You’ll find a full list of parameters, input types and return types, on TechNet.

Office 365 Management APIs

Office 365 Management Activity API

In 2015, Microsoft brought out the Office 365 Management Activity API to provide visibility of both user and administrator transactions encompassing the entirety of Office 365.

A RESTful API, Management Activity API grants users access to over 150 transaction types and activity logs from SharePoint and Exchange Online and Azure AD. For both of these capabilities, Microsoft plan to continue adding to the services over time.

Office 365 Service Communications API

Released in preview mode, this API replaces the old Service Communications API to provide service health information to tenant administrators and partners. Improving on the old version, the new Service Comms API also harnesses built-in REST APIs to deliver a consistent and complete platform experience in the cloud.

Get on the Right Path

Data collected in audit logs can paint a useful picture of what actions have (or haven’t) occurred in a Site or Site Collection, and can be stored for later review at any time. So, whether it’s determining changes to permissions, checking whether a document has been reviewed or items have been deleted or restored, Office 365 logs and reports can help you be the brains behind a healthy and organized site.

Recommended by our team

What did you think of this article?

Live Webinar Join us on February 22 for the unveiling of the new ShareGate experience.