As IT professionals we get asked to fix things daily (which is fine because that’s our job), but every once in a while, we find ourselves fixing the same issue over and over again. Something like a file getting deleted typically isn’t a huge issue since it can be restored. If the same file has to be restored multiple times, there may be a deeper problem. For Office 365 users, this is where audit logs come in handy.
Office 365 audit logs capture activity in Exchange, SharePoint, Yammer, Power BI, Sway and Azure Active Directory. Once turned on, they record most user and admin actions, including Office 365 sign-ins, viewing, downloading and sharing documents, settings changes and password resets (a full list can be found here).
Beyond recording actions, you can set alerts for specific activities. The ones we most often set up for customers are alerts for login attempts from other countries and for too many failed login attempts. Other common ones are alerts for downloading many files in a short period or mass-deleting files from SharePoint.
So why is this information useful? It helps from a security standpoint (alerts on suspicious activity) and for simply keeping track of what is going on in your environment. Audit logs can also be the key to finding the root cause of a recurring issue. In the case of the deleted file, the log showed who had been deleting it; we spoke to the employee, it turned out to be a training issue, and it was easy to fix. We haven't had the problem since.
How to Use Office 365 Audit Logs
Office 365 audit logs are not enabled by default. To start using them, your Office 365 admin needs to turn them on and set up a few things:
- Enable audit logging in the Office 365 Security & Compliance Center: on the Audit log search page, click "Start recording user and admin activity."
- If you want to track activity in Exchange, mailbox auditing needs additional configuration. Read full directions here.
- Set up permissions for your users. In the Exchange admin center, assign the 'View-Only Audit Logs' role (search the log) or the 'Audit Logs' role (search the log and change audit settings) to anyone who will need access. Please note, only users assigned one of these roles can get alerts.
- Set up your alerts. In the Security & Compliance Center, go to Audit log search (under Search & investigation) and click the "+ Create an alert" button under the search area.
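The same four steps can be done from PowerShell, which is easier to repeat across tenants and to keep in version control. The following is an added example, not from the original post: it assumes the ExchangeOnlineManagement module is installed and that the account used has Exchange and compliance admin rights. The role-group name, addresses and thresholds are placeholders, and the alerts are created as alert policies with New-ProtectionAlert, which cover the same operations as the portal's "Create an alert" button.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an admin account; names, addresses and thresholds are placeholders.

# 1. Connect to Exchange Online and make sure unified audit logging is on.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Exchange: turn on mailbox auditing for every user mailbox that does not
#    already have it, so owner, delegate and admin mailbox actions are recorded.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# 3. Permissions: give the people who review the log the read-only role through
#    a dedicated role group, rather than a broader admin role.
New-RoleGroup -Name "Audit Log Readers" `
    -Roles "View-Only Audit Logs" `
    -Members "helpdesk.lead@contoso.example"

# 4. Alerts: alert policies are managed from the Security & Compliance endpoint.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# Too many failed sign-ins: 10 UserLoginFailed events within 60 minutes.
New-ProtectionAlert -Name "Repeated failed sign-ins" `
    -Category ThreatManagement -ThreatType Activity `
    -Operation UserLoginFailed `
    -AggregationType SimpleAggregation -Threshold 10 -TimeWindow 60 `
    -Severity Medium -NotifyUser "secops@contoso.example"

# Mass deletion from SharePoint/OneDrive: 100 FileDeleted events within 60 minutes.
New-ProtectionAlert -Name "Mass file deletion" `
    -Category DataGovernance -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser "secops@contoso.example"

# Bulk download in a short window: 200 FileDownloaded events within 30 minutes.
New-ProtectionAlert -Name "Bulk file download" `
    -Category DataGovernance -ThreatType Activity `
    -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 200 -TimeWindow 30 `
    -Severity High -NotifyUser "secops@contoso.example"
```

The thresholds are starting points to tune against your own baseline; too low and the alerts become noise, too high and a slow exfiltration stays under them. A "login from another country" rule is not expressible as a plain operation name, so it is left out of this script.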
Logs are only kept for 90 days, so if you don't set up alerts, it's a good idea to review them periodically for suspicious activity, and to export anything you may need for an investigation before it ages out.
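One such periodic review, matching the deleted-file case above, is to pull every SharePoint/OneDrive deletion from the last 90 days and list files that the same person has deleted more than once. This is an added example, not code from the original post: it assumes an open Exchange Online session for an account holding the View-Only Audit Logs role, and the function name, date range and threshold are choices of this example rather than anything the service defines.

```powershell
# Added example (not from the original post). Assumes an open Exchange Online
# session (Connect-ExchangeOnline) with the View-Only Audit Logs role.
function Get-RepeatedDeletions {
    param(
        [int]$Days = 90,      # the unified audit log keeps 90 days, so this is the maximum
        [int]$MinCount = 2    # report a (user, file) pair deleted this many times or more
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # A single call returns at most 5000 records, so page through the result set
    # by reusing one SessionId until the service returns nothing more.
    $sessionId = [guid]::NewGuid().ToString()
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType SharePointFileOperation -Operations FileDeleted `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $records += $page
    } while ($page)

    # The interesting fields (UserId, ObjectId, ClientIP, CreationTime) live in the
    # AuditData JSON string on each record, so expand it before grouping.
    $records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Group-Object -Property UserId, ObjectId |
        Where-Object { $_.Count -ge $MinCount } |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object CreationTime
            [pscustomobject]@{
                User      = $ordered[0].UserId
                File      = $ordered[0].ObjectId
                Deletions = $_.Count
                FirstSeen = $ordered[0].CreationTime
                LastSeen  = $ordered[-1].CreationTime
                ClientIPs = ($ordered.ClientIP | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object Deletions -Descending
}

Get-RepeatedDeletions -Days 90 -MinCount 2 | Format-Table -AutoSize
```

Grouping on the user and the file together is what separates a training problem (one person, one file, many times) from a mass-delete incident (one person, many files, once each); the ClientIPs column helps tell a user's own workstation from an unexpected address. Because retention is 90 days, run this on a schedule and keep the output, not just the raw log.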