Thousands of user and admin operations, performed in dozens of Microsoft 365 services and solutions, are captured, recorded, and retained in a unified audit log, available in Microsoft Purview. Using the audit log search tool, you can search for, view, and export the audit records for any of these operations. Typical document management activities that you can search for in the logs are:
- Accessed or previewed documents
- Modified documents
- Uploaded documents
- Deleted or restored documents
- Downloaded or synchronized documents
- Checked in or checked out documents
- Copied or moved documents
Microsoft 365 provides two auditing solutions:
- Basic Audit
  - For Microsoft 365 licenses (non-E5)
  - 90-day audit record retention
  - Access via GUI, PowerShell, and API
- Advanced Audit
  - For Microsoft 365 E5 licenses
  - 1-year audit record retention (can be extended to 10 years, with additional licenses)
  - Custom audit retention policies
  - High-value crucial events
  - Higher bandwidth access to API
Basic Audit is enabled by default for all organizations with the appropriate subscription (for a list of subscription and licensing requirements, see Auditing solutions in Microsoft 365). The only setup required before you and others in your organization can search the audit log is to assign the necessary permissions to access the audit log search tool.
Assign permissions to search the audit log
Global Administrators can always search the audit log. To allow searching with minimum privileges, admins and members of investigation teams can be assigned the “Security Reader” role. See Assign admin roles in the Microsoft 365 admin center.
Search the audit log
To search in the audit log, do the following:
- Sign in to Microsoft Purview using an account that has been assigned the appropriate audit permissions.
- In the left navigation pane, click “Audit”.
On the Audit page, configure the search using the following conditions:
- Date and time range – select a date and time range to display the events that occurred within that period. The date and time are presented in local time.
- Activities – select the activities to search for. Use the search box to search for activities to add to the list. For a partial list of audited activities, see Audited activities. Leave this box blank to return entries for all audited activities.
- Users – click in this box and start typing the name of users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users in your organization.
- File, folder, or site – type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify the URL of a file or folder. If you use a URL, be sure to type the full URL path; if you type only a portion of the URL, don’t include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.
- Click the “Search” button. The page now shows that the audit log search is running. When the search is completed, the audit records are displayed on the page. Click a record to display a flyout page with detailed properties.
- The search results can now be exported to a CSV file by clicking “Export” at the top of the audit report.
- The audit report also gets a unique URL, so this can be shared with users that have access to the audit log.
For more detailed information about the audit logs, see Auditing solutions in Microsoft Purview.
Extending the audit record retention period
If you only have the basic 90-day audit record retention, you can run audit log searches on a regular basis using PowerShell or the APIs, and save the audit reports in an external repository. There are also third-party tools that deliver these capabilities, e.g.:
- Lepide Auditor for SharePoint
- ManageEngine SharePoint Manager Plus
- SolarWinds SharePoint Online Audit Log Tool
- Netwrix Auditor for SharePoint and Teams
- Splunk Add-on for Microsoft Office 365
- SysKit SPDocKit
- Intelex Audit Management Software
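One way to run the regular PowerShell export described above, as an added example that is not from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module (which provides `Search-UnifiedAuditLog`) and an account with audit search permissions; the archive path, file naming and choice of operations are illustrative.

```powershell
# Added example: archive one UTC day of SharePoint/OneDrive file events to CSV.
# Assumes the ExchangeOnlineManagement module; $ArchiveDir is a hypothetical path.
param(
    [string]$ArchiveDir = 'D:\AuditArchive',
    [datetime]$Day = (Get-Date).ToUniversalTime().Date.AddDays(-1)
)

# Audit operation names for the document activities this article lists.
$operations = 'FileAccessed', 'FilePreviewed', 'FileModified', 'FileUploaded',
    'FileDeleted', 'FileRestored', 'FileDownloaded', 'FileSyncDownloadedFull',
    'FileCheckedIn', 'FileCheckedOut', 'FileCopied', 'FileMoved'

Connect-ExchangeOnline -ShowBanner:$false
try {
    # A fresh session id per run; ReturnLargeSet pages 5,000 records per call,
    # up to 50,000 per session, and returns them unsorted.
    $sessionId = "archive-{0:yyyyMMdd}-{1}" -f $Day, [guid]::NewGuid()
    $records = [System.Collections.Generic.List[object]]::new()
    while ($true) {
        $page = @(Search-UnifiedAuditLog -StartDate $Day -EndDate $Day.AddDays(1) `
                -Operations $operations -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($page.Count -eq 0) { break }
        $records.AddRange($page)
    }
    if ($records.Count -ge 50000) {
        Write-Warning "Session limit reached for $Day; split the day into smaller windows."
    }

    # De-duplicate on the record Identity, then restore chronological order.
    $rows = $records | Sort-Object Identity -Unique | Sort-Object CreationDate |
        Select-Object CreationDate, UserIds, Operations, RecordType, Identity, AuditData

    $null = New-Item -ItemType Directory -Path $ArchiveDir -Force
    $csv = Join-Path $ArchiveDir ("audit-{0:yyyyMMdd}.csv" -f $Day)
    $rows | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    # Record a SHA-256 of the export; keep a copy of the hash outside the archive.
    (Get-FileHash -Path $csv -Algorithm SHA256).Hash | Set-Content "$csv.sha256"
    Write-Output ("{0} records written to {1}" -f @($rows).Count, $csv)
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run daily from a scheduled task, this keeps each day's records well inside the 90-day window; the `AuditData` column holds the full JSON record for later analysis.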
Secure your documents with MetaShare
Security incidents can happen to everyone. Having a good structure and easy-to-use tools will, however, significantly reduce the risks. With MetaShare, your workspaces are automatically configured according to best practices, so that it is easy for your colleagues to collaborate in a secure way.