Audit Log Search in Office 365 Security & Compliance Center

When an organization has a large user base or has a geographically spanned presence, it is normal to have grow the IT department as well in order to administer the organization’s IT infrastructure. A common requirement when the number of people that have access to a system is greater is that the ability to track changes or actions performed on the system by these users. Be it an administrator going rogue or a regular user deleting a business critical document is equally harmful to an organization. While there are many ways to restrict and control access to Office 365, it is still important that there’s an audit log available with this required information.

This is when Audit log search in Office 365 Security & Compliance Center comes to the picture. Audit log search can search following actions that was performed in your Office 365 tenant.

User Activities in Admin Activities in
SharePoint Online and OneDrive for Business SharePoint Online
Exchange Online (Exchange mailbox audit logging) Exchange Online (Exchange admin audit logging)
Sway Azure Active Directory (the directory service for Office 365)
Sway

Start Recording User and Admin Activities

In order to use Audit log search you first need to start recording activity from the Office 365 Security & Compliance Center. Follow below steps to enable activity recording.

  1. Access Security & Compliance center by using the app launcher (figure 1) or by using the Office 365 Admin Center (figure 2).
    Access Security and Compliance Center from Launcher

    Figure 1: Access Security and Compliance Center from Launcher

    Access Security and Compliance Center from Admin Center

    Figure 2: Access Security and Compliance Center from Admin Center

  2. Click Start recording now under Recommended for you (figure 3)

    Start recording now

    Figure 3: Start recording now

  3. Click Turn On to confirm the action (figure 4).

    Start recording user and admin activities

    Figure 4: Start recording user and admin activities

  4. If you were able to perform above 3 steps successfully, you will see a screen similar to below screenshot (figure 5).

    Activity recording is started

    Figure 5: Activity recording is started

Performing Audit log search

Follow below steps to perform an Audit log search.

  1. Visit Security & Compliance center (figure 1 or figure 2).
  2. Access Search & investigation -> Audit log search (figure 6)

    Access Audit log search

    Figure 6: Access Audit log search

  3. Enter the search criteria and search. Results of the search will appear on the screen (figure 7).

    Audit log search

    Figure 7: Audit log search

Within the first 24 hours, the search results might not contain some activities. However, one thing I noticed is that the Audit log search is pretty quick at tracking activities as it showed my activities in a matter of few seconds in above screenshot.

Leave a Reply