When an organization has a large user base or a geographically distributed presence, its IT department usually grows as well in order to administer the organization's IT infrastructure. A common requirement when more people have access to a system is the ability to track the changes or actions these users perform on it. An administrator going rogue and a regular user deleting a business-critical document are equally harmful to an organization. While there are many ways to restrict and control access to Office 365, it is still important to have an audit log that captures this information.
This is where Audit log search in the Office 365 Security & Compliance Center comes into the picture. Audit log search can search the following activities performed in your Office 365 tenant.
| User Activities in | Admin Activities in |
|---|---|
| SharePoint Online and OneDrive for Business | SharePoint Online |
| Exchange Online (Exchange mailbox audit logging) | Exchange Online (Exchange admin audit logging) |
| Sway | Azure Active Directory (the directory service for Office 365) |
Start Recording User and Admin Activities
To use Audit log search, you first need to start recording activity from the Office 365 Security & Compliance Center. Follow the steps below to enable activity recording.
- Access the Security & Compliance Center by using the app launcher (figure 1) or the Office 365 Admin Center (figure 2).
- Click Start recording now under Recommended for you (figure 3).
- Click Turn On to confirm the action (figure 4).
- If you were able to perform the above 3 steps successfully, you will see a screen similar to the screenshot below (figure 5).
Performing Audit log search
Follow the steps below to perform an Audit log search.
- Visit the Security & Compliance Center (figure 1 or figure 2).
- Access Search & investigation -> Audit log search (figure 6).
- Enter the search criteria and search. The results of the search will appear on the screen (figure 7).
Within the first 24 hours, the search results might not contain some activities. However, one thing I noticed is that the Audit log search is pretty quick at tracking activities, as it showed my activities in a matter of a few seconds in the above screenshot.
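The same two procedures can be scripted, which helps when the check has to be repeated or the results exported; the following is an added example, not part of the original article. It assumes the ExchangeOnlineManagement PowerShell module, an account with audit log permissions, and a placeholder sign-in name (`admin@contoso.example`); the seven-day window and the `FileDeleted` filter are illustrative choices.

```powershell
# Added example (not from the original article).
# Assumptions: ExchangeOnlineManagement module is installed; the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Part 1: equivalent of "Start recording now" -> "Turn On" in the portal.
# Read the flag from Exchange Online PowerShell; Security & Compliance
# PowerShell does not report it reliably.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Recording was off and has now been enabled; earlier activity is not in the log.'
}

# Part 2: equivalent of Search & investigation -> Audit log search.
# Illustrative criteria: file deletions in SharePoint Online / OneDrive, last 7 days.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = [guid]::NewGuid().ToString()   # ties the paged calls together
$records   = @()

do {
    # ReturnLargeSet pages through results; repeat until a call returns nothing.
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations FileDeleted `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Each record carries its detail as a JSON string in AuditData.
$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Workload  = $d.Workload
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# ReturnLargeSet results are unsorted, so order them before review or export.
$report | Sort-Object Time | Format-Table -AutoSize
$report | Sort-Object Time | Export-Csv -Path .\audit-file-deletions.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

An empty result right after enabling recording does not prove that nothing happened, since activities can be missing from search results during the first 24 hours.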