We’ll admit that while audits may not be altogether interesting or endearing, their design hinges on usefulness and practicality, rather than attractiveness. Then again, there may be some of you out there who live and breathe audit reports. If you fall into that category, we’ve got quite a blog post lined up for you!
Located in the ‘Reports’ section of the Office 365 Compliance Center, auditing reports allow users quick access to information regarding user and administrator activity across their Office 365 instance. Within the reports page, users can access auditing reports, device management reports, and data loss protection reports. Today, we’ll be focusing on the former.
With both Microsoft Azure and Exchange now part of the Office 365 platform, these reports are also available from the Compliance Center. It is these areas – along with the Office 365 Protection Center – that we will be discussing in this post. So, let’s get started!
The Office 365 Protection Center
If you need to find out whether a user viewed a specific document, or purged an item from a mailbox, this can be done in the Office 365 Protection Center. Users can search through the unified audit log to view both user and administrator activity in your Office 365 organization. The unified audit log contains the following types of activity:
User activity in SharePoint Online & OneDrive for Business.
Admin activity in SharePoint Online.
User activity in Exchange Online (Exchange mailbox audit logging).
Admin activity in Exchange Online (Exchange admin audit logging).
Admin activity in Azure Active Directory.
The latter three are the other areas we’ll be discussing in this post.
Let’s start with the basics. An admin must turn on audit logging before the audit log can be searched. After an event occurs in SharePoint Online or OneDrive for Business, it takes roughly 15 minutes for the corresponding log entry to become viewable. Users can search the audit log for activities that were performed within the previous 90 days.
Performing an Office 365 audit can be done by going to protection.office.com and signing in with your Office 365 account. From there, simply select your criteria – activities, start/end date, users, and files – and you’re good to go!
You can search for specific activities by clicking the activity name, or for all activities in a group (such as folder activities) by clicking the group name.
To display entries from the Exchange admin audit log, select ‘show results for all activities’ in the activities list.
The search results have a limit of 1000, so if you return this number of results you should consider refining your search criteria.
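The same search can be run from the shell, which helps when a query hits the result limit. The following is an added example, not part of the original post: it assumes a connected Exchange Online PowerShell session, and the user address, operation name and 7-day window are constructed sample values.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# The user, operation and 7-day window are constructed sample values.

# Audit logging must be turned on before the log can be searched.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$end       = Get-Date
$start     = $end.AddDays(-7)     # must fall inside the 90-day search window
$sessionId = [guid]::NewGuid().ToString()
$pageSize  = 1000
$records   = @()

# Reusing one SessionId with ReturnLargeSet makes each call return the next
# page of results instead of the same first page.
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds 'alice@contoso.example' -Operations 'FileAccessed' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize $pageSize)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; expand it to get the object and client address.
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Sort-Object CreationTime |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP |
    Export-Csv -Path .\file-access.csv -NoTypeInformation
```

Pages returned with ReturnLargeSet are not sorted, which is why the script sorts on CreationTime before exporting.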
Azure Active Directory (AD)
Azure audit reports can be used to identify any privileged actions that occur in your Azure AD, providing the event name, the individual who performed the action, the affected resource, and the date and time. Privileged actions include elevation changes (password reset), policy configurations (password policies), and directory configuration (domain settings changes). Reports are categorized into the following:
Anomaly Report - Sign-in events that were found to be irregular.
Integrated Application Report - Insight into how cloud applications are being used.
Error Report - Indicates errors that may occur when provisioning accounts to external applications.
User-specific Report - Displays device/sign-in activity data for a specific user.
Activity Logs - A record of all audited events within the last 24 hours, 7 days, or 30 days; as well as group activity changes, password reset, and registration activity.
In contrast to the 15 minutes it takes for activities to show up in Office 365 audit logs, it takes up to 12 hours for events to appear in Azure AD (and Exchange Online, as well).
For a full list of audit report events, and what each entails, see here. To retrieve your Azure AD audit log, sign into your Azure Management Portal.
Some advanced anomaly and resource usage reports are only available when Azure Active Directory Premium is enabled. Advanced reports help users respond to potential threats, and receive access to analytics on device access and application usage.
There are two types of audit logs in Microsoft Exchange, used mainly for troubleshooting configuration issues by tracking specific changes made by administrators.
Any changes made to your Exchange Online organization by a Microsoft data center administrator, or by a delegated administrator, are recorded in the administrator audit log. Users are able to use the Exchange Admin Center (EAC) or the Shell to search for and view any audit log entries. Admin audit logging is enabled by default.
Exchange Online also provides mailbox audit logging to let you track access to an individual mailbox. Mailbox audit logs record whenever a mailbox is accessed by an administrator, a delegated user, or the person who owns the mailbox, providing a comprehensive overview of everyone who has accessed the mailbox. Unlike admin audit logging, this has to be manually enabled: users must enable mailbox audit logging for each mailbox they wish to access a report for.
Both admin and mailbox audit logs are available to export via the EAC or Shell.
Admin audit log entries are, by default, kept for 90 days. For any on-premises Exchange organization, this can be changed by using the Set-AdminAuditLogConfig cmdlet.
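The Exchange steps above, from the shell. This is an added example, not part of the original post: it assumes a connected Exchange Online PowerShell session, and the mailbox address, 30-day window and 180-day retention value are constructed sample values.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# The mailbox address and date range are constructed sample values.

# Mailbox auditing is per mailbox: find mailboxes where it is off and enable it.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Non-owner access to one mailbox (administrators and delegated users).
Search-MailboxAuditLog -Identity 'cfo@contoso.example' `
    -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $start -EndDate $end |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, OperationResult

# Admin audit log: who changed mailbox audit settings in the same window.
# An entry that sets AuditEnabled to False on a mailbox deserves a closer look.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters AuditEnabled `
    -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, ObjectModified, CmdletName, CmdletParameters

# Current admin audit log settings, including the retention period.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit

# On-premises Exchange only: extend retention from the default 90 days.
# Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180.00:00:00
```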
So here they are: the audit reports available in the Office 365 Compliance Center. Now, if you want to dig deeper, you might want to look at a third-party tool like Sharegate and its reporting capabilities.
Tell me, what are the reports you'd want to be able to run in Office 365?