This article describes an overview of the O365 audit log and its features to track user and administrative activity within a Microsoft 365 tenant, such as changes made to their Exchange Online and SharePoint Online tenant configuration settings and changes made by users to documents and other items. Administrators can use the audit information available in Microsoft 365 to fulfill compliance obligations.
Mailbox auditing
Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization.
Here are some benefits of mailbox auditing being on by default:
- Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.
- You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).
- When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor and add new actions to mailboxes.
- You have a consistent mailbox auditing policy across your organization (because you are auditing the same actions for all mailboxes).
Verify mailbox auditing on by default is turned on
To verify that mailbox auditing is turned on by default for your organization, run the following command in Exchange Online PowerShell:
Get-OrganizationConfig | FL AuditDisabled
The value False indicates that mailbox auditing is enabled by default for the organization. By default, this organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the AuditEnabled property is False on the mailbox), the default mailbox actions will still be audited for the mailbox because mailbox auditing is enabled by default for the organization.
To keep mailbox auditing disabled for specific mailboxes, you configure mailbox audit bypass for the mailbox owner and other users who have been delegated access to the mailbox.
Mailbox actions for Microsoft 365 Group mailboxes
By default, mailbox auditing brings mailbox audit logging to Microsoft 365 Group mailboxes, but you can’t customize what’s being logged (you can’t add or remove mailbox actions that are logged for any logon type). Remember, an admin with full access permission to a Microsoft 365 Group mailbox is considered a delegate.
Turn off mailbox auditing by default
You can turn off mailbox auditing by default for your entire organization by running the following command in Exchange Online PowerShell:
Set-OrganizationConfig -AuditDisabled $true
Turning off mailbox auditing by default has the following results:
- Mailbox auditing is disabled for your organization.
- From the time you disable mailbox auditing by default, no mailbox actions are audited, even if auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).
- Mailbox auditing is not enabled for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True will be ignored.
- Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.
- Existing mailbox audit records are retained until the audit log age limit for the record expires.
Audit log
For compliance in Microsoft 365, the audit log is probably the most important tool of all. It tracks every user and account action across all the Microsoft 365 services. You can run reports on deletions, shares, downloads, edits, reads, etc., for all users and all products. You can also set up custom alerts to receive notifications whenever specific activities occur.
For all of its usefulness, the most amazing thing about it is that it’s not turned on by default.
It can be frustrating when you come across a query or problem that could easily be resolved if you had access to the logs, only to find out they were never enabled in the first place. Here’s how to get it set up in your own organization:
Run the following command to enable the unified audit log:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Enable mailbox auditing
To enable auditing for a single mailbox, use the PowerShell command:
Set-Mailbox -Identity “Display Name” -AuditEnabled $true
To enable auditing for all mailboxes in your organization, use the PowerShell command:
Get-Mailbox -ResultSize Unlimited -Filter{RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled$true
To confirm whether you have successfully enabled the audit or not, you have to run the “Get-Mailbox” command in Exchange Online. AuditEnabled property’s “True” value confirms that you have successfully enabled mailbox audit logging.
Disable mailbox auditing for specific mailboxes
Currently, you can’t disable mailbox auditing for specific mailboxes when mailbox auditing is turned on by default in your organization. For example, setting the AuditEnabled mailbox property to False is ignored.
However, you can still use the Set-MailboxAuditBypassAssociation cmdlet in Exchange Online PowerShell to prevent any and all mailbox actions by the specified users from being logged, regardless of where the actions occur. For example:
- Mailbox owner actions performed by the bypassed users aren’t logged.
- Delegate actions performed by the bypassed users on other users’ mailboxes (including shared mailboxes) aren’t logged.
- Admin actions performed by the bypassed users aren’t logged.
To bypass mailbox audit logging for a specific user:
Set-MailboxAuditBypassAssociation -Identity “Mailbox Name” -AuditByPassEnabled $true
To verify that auditing is bypassed for the specified user, run the following command:
Get-MailboxAuditBypassAssociation “Mailbox Name” | fl auditb*
The value True indicates that mailbox audit logging is bypassed for the user.
Exchange Online Audit Reports
Exchange Online audit reports include details on mailbox access and changes made by administrators to an organization’s Exchange Online tenant.
- Run a non-owner mailbox access report: This displays the list of mailboxes that have been accessed by someone other than the owner of the mailbox. The report contains information about who accessed the mailbox, the actions they took in the mailbox, and whether or not the actions were successful.
- Export mailbox audit logs: Mailbox audit logs contain information on access and actions in a mailbox taken by a user other than the mailbox owner. Administrators can specify mailboxes along with a date range to generate reports. The logs are exported in XML, attached to a message and sent to specific users as determined by the administrator.
- Run an administrator role group report: The administrator role group is used to assign administrative privileges to users. These privileges allow users to perform administrative tasks such as reset passwords, create or modify mailboxes, and assign admin privileges to other users. The admin role group report shows changes to role groups, including the addition or removal of members.
- View the admin audit log: The admin audit log report lists all create, update and delete functions performed by administrators in Exchange Online. Log entries provide information on which cmdlet was run, what parameters were used, who ran the cmdlet, and what objects were affected.
- Export the admin audit log: The admin audit log records specific administrative actions such as create, update and delete in Exchange Online. The results from the log are exported to XML and administrators can choose to send this log to a set of users.
- View and export the external admin audit log: Contains details of actions performed by external administrators. The entries provide information on which cmdlet was run, what parameters were used, and any actions that create, modify or delete objects in Exchange Online.
O365 audit logs powershell
To search a mailbox for auditing:
Search-MailboxAuditLog admin@techieberry.com -ShowDetails -StartDate 01/01/2023 -EndDate 01/31/2023
To export results into a CSV file:
Search-MailboxAuditLog admin@techieberry.com -ShowDetails -StartDate 01/01/2023 -EndDate 01/31/2023 | Export-Csv C:\users\AuditLogs.csv -NoTypeInformation
To view and export logs based on operations:
Search-MailboxAuditLog -Identity admin@techieberry.com -ResultSize 250000 -Operations HardDelete,Move,MoveToDeletedItems,SoftDelete -LogonTypes Admin,Delegate,Owner -StartDate 01/01/2023 -EndDate 01/31/2023 -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation
To view and export logs based on logon types:
Search-MailboxAuditLog admin@techieberry.com -ResultSize 250000 -StartDate 01/01/2023 -EndDate 01/31/2023 -LogonTypes Owner,Delegate,Admin -ShowDetails | Export-Csv C:\AuditLogs.csv -NoTypeInformation
To search the unified audit log:
Search-UnifiedAuditLog -StartDate 01/01/2023 -EndDate 01/31/2023 -RecordType SharePointFileOperation
To export certain properties of the unified auditing log to a CSV file:
$auditlog | Select-Object -Property CreationDate,UserIds,RecordType,AuditData | Export-Csv -Append -Path c:\AuditLogs\PowerShellAuditlog.csv -NoTypeInformation
To view transport rule changes:
Search-AdminAuditLog -Cmdlets Set-TransportRule -StartDate 01/01/2023 -EndDate 01/31/2023
Search-UnifiedAuditLog -Operations Set-TransportRule -StartDate 01/01/2023 -EndDate 01/31/2023
To view spam filter changes:
Search-AdminAuditLog -Cmdlets Set-HostedContentFilterPolicy -StartDate 01/01/2023 -EndDate 01/31/2023
Search-UnifiedAuditLog -Operations Set-HostedContentFilterPolicy -StartDate 01/01/2023 -EndDate 01/31/2023
To check connection filter changes:
Search-AdminAuditLog -Cmdlets Set-HostedConnectionFilterPolicy -StartDate 01/01/2023 -EndDate 01/31/2023
Search-UnifiedAuditLog -Operations Set-HostedConnectionFilterPolicy -StartDate 01/01/2023 -EndDate 01/31/2023
Auditing your SharePoint Online environment helps you stay secure and meet the requirements of regulatory compliance. To view the auditing reports that your SharePoint Online native tool provides:
- Login to SharePoint Online.
- Click the Settings icon, and then click Site settings.
- Click Audit log reports in the Site Collection Administration section.
- Select the report (such as deletion) that you want from the View Auditing Reports page.
- Type a URL or browse to the library where you want to save the report and then click OK.
- On the Operation Completed Successfully page, select Click here to view this report.
SharePoint audit log reports let you analyze all activities in your SharePoint environment.
O365 audit logs API
Microsoft provides reporting services that enable administrators to obtain aggregated transactional information about their Microsoft 365 tenant. The Microsoft 365 Management Activity API uses an industry-standard RESTful design and OAuth v2 for authentication, which makes it easy to start experimenting with retrieving data and ingesting it into visualization tools and applications.
The API provides a data feed that includes information about users, administrators, operations, and security activity in Microsoft 365. The data can be kept for regulatory purposes or combined with log data procured from an on-premises infrastructure or other sources to build a monitoring solution for operations, security, and compliance across the enterprise.
The Management Activity API currently provides a comprehensive view of over 150 transaction types from SharePoint Online, OneDrive for Business, Exchange Online and Azure AD. The API provides a consistent audit schema with over 10 fields that are common across all the services.
This allows organizations to make easy connections between events, and it enables new ways to reason over the data. Dozens of independent software vendors (ISVs) have partnered with Microsoft and built solutions based on the API. Some solutions are focused solely on Microsoft 365 data, while others provide the ability to ingest data from multiple cloud providers and on-premises systems to create a unified view of all operations, security, and compliance-related activity. For more information, see the Microsoft 365 Management Activity API reference.
Also read: Microsoft Cloud App Security: The Definitive Guide
Summary
O365 audit logs include several features in the Security Center and programmatic methods for retrieving and analyzing log data using remote PowerShell and a web services REST API. Admins can use the auditing features in Microsoft 365 to track changes made to key tenant and service configuration items, to documents, and to other items.
