Investigate incidents with Microsoft 365 Audit Log

Thousands of user and admin operations, performed in dozens of Microsoft 365 services and solutions, are captured, recorded, and retained in a unified audit log, available in Microsoft Purview. Using the audit log search tool, you can search for, view, and export the audit records for any of these operations. Typical document management activities that you can search for in the logs are:

  • Accessed or previewed documents
  • Modified documents
  • Uploaded documents
  • Deleted or restored documents
  • Downloaded or synchronized documents
  • Checked in or checked out documents
  • Copied or moved documents

Microsoft 365 provides two auditing solutions:

  1. Basic Audit
    • For Microsoft 365 licenses (non-E5)
    • 90-day audit record retention
    • Access via GUI, PowerShell, and API
  2. Advanced Audit
    • For Microsoft 365 E5 licenses
    • 1-year audit record retention (can be extended to 10 years, with additional licenses)
    • Custom audit retention policies
    • High-value crucial events
    • Higher bandwidth access to API

Basic Audit is enabled by default for all organizations with the appropriate subscription (for a list of subscription and licensing requirements, see Auditing solutions in Microsoft 365). The only setup required before you and others in your organization can search the audit log is to assign the necessary permissions to access the audit log search tool.

Assign permissions to search the audit log

Global Administrators can always search the audit log. To allow searching with minimum privileges, admins and members of investigation teams can be assigned the “Security Reader” role. See Assign admin roles in the Microsoft 365 admin center.

The Security Reader role as seen in the Microsoft 365 Admin Center

Search the audit log

To search in the audit log, do the following:

  1. Sign in to Microsoft Purview using an account that has been assigned the appropriate audit permissions.
  2. In the left navigation pane, click on “Audit”:

    On the Audit page, configure the search using the following conditions:
    • Date and time range – select a date and time range to display the events that occurred within that period. The date and time are presented in local time.
    • Activities – select the activities to search for. Use the search box to search for activities to add to the list. For a partial list of audited activities, see Audited activities. Leave this box blank to return entries for all audited activities.
    • Users – click in this box and start typing the name of users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users in your organization.
    • File, folder, or site – type some or all of a file or folder name to search for activity related to the file or folder whose name contains the specified keyword. You can also specify the URL of a file or folder. If you use a URL, type the full URL path; if you type only a portion of the URL, don’t include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.
  3. Click on the “Search” button. The page now shows that the audit log search is running. When the search is completed, the audit records are displayed on the page. Click a record to display a flyout page with its detailed properties:
  4. The search results can now be exported to a CSV file by clicking the “Export” function at the top of the audit report:
  5. The audit report also gets a unique URL, so it can be shared with other users who have access to the audit log.

For more detailed information about the audit logs, see Auditing solutions in Microsoft Purview.

Extending the audit record retention period

If you only have the basic 90-day audit record retention, you can run audit log searches on a regular basis using PowerShell or the APIs and save the audit reports in an external repository. There are also third-party tools that deliver these capabilities, e.g.:
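As an added example (not code from the original article, and not one of the third-party tools it refers to), the following PowerShell script runs the same document-activity search described above with the Exchange Online `Search-UnifiedAuditLog` cmdlet and appends the flattened records to a CSV archive, so that they outlive the 90-day Basic Audit retention when scheduled daily. It assumes the ExchangeOnlineManagement module is installed, that `Connect-ExchangeOnline` has already been run with an account holding audit-read permission, and that the archive path and one-day window are placeholders to adjust.

```powershell
# Added example: archive SharePoint/OneDrive file activity from the unified audit log.
# Assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline
# has already been run. Window, archive path and session name are example values.
param(
    [datetime]$StartDate   = (Get-Date).Date.AddDays(-1),          # yesterday 00:00, local time
    [datetime]$EndDate     = (Get-Date).Date,                      # today 00:00, local time
    [string]  $ArchivePath = 'C:\AuditArchive\FileActivity.csv'    # placeholder path
)

# Operations that correspond to the document activities listed in the article.
$operations = @(
    'FileAccessed', 'FilePreviewed', 'FileModified', 'FileUploaded',
    'FileDeleted', 'FileRestored', 'FileDownloaded', 'FileSyncDownloadedFull',
    'FileCheckedIn', 'FileCheckedOut', 'FileCopied', 'FileMoved'
)

# One call returns at most 5000 records; reusing a SessionId with ReturnLargeSet
# pages through the full result set (up to 50,000 records per session).
$sessionId = "FileActivity-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType SharePointFileOperation -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON blob; keep the fields an investigator needs first.
$rows = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        UserId       = $d.UserId
        Operation    = $d.Operation
        ObjectId     = $d.ObjectId     # full URL of the file or folder
        SiteUrl      = $d.SiteUrl
        ClientIP     = $d.ClientIP
        UserAgent    = $d.UserAgent
    }
}

New-Item -ItemType Directory -Path (Split-Path $ArchivePath) -Force | Out-Null
# ReturnLargeSet results are unsorted; sort before appending to the growing archive.
$rows | Sort-Object CreationDate |
    Export-Csv -Path $ArchivePath -NoTypeInformation -Append
"Archived $($rows.Count) records for $StartDate to $EndDate"
```

Run it from a daily scheduled task (or an Azure Automation runbook) so each day's records are written before they age out of the 90-day window.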

Secure your documents with MetaShare

Security incidents can happen to everyone. Having a good structure and easy-to-use tools will, however, significantly reduce the risks. With MetaShare your workspaces are automatically configured according to best practices, so that it is easy for your colleagues to collaborate in a secure way.