How to Monitor Office 365 Activity Logs for Improved Security
Victor Ashiedu
May 15, 2023
How to Monitor Office 365 Activity Logs for Improved Security. Looking to enhance the
of your
? It’s crucial to
the
of Office 365, and
provides a single platform to do that.
In this article, we explore an overview of the Office
unified
logging.
Then, we learn the licensing and permission requirements to use the Microsoft 365 unified audit log. Moreover, this section includes steps to check if you meet these requirements and what to do if you don’t.
Next, we examine how to check if unified audit logging is enabled for your organization. Then, we discuss the steps to enable it through the Microsoft
portal or
.
Once audit logging is enabled, we cover how to search, view, and export Office
audit logs to
. Finally, we show how to monitor and analyse the 365
to improve your organization’s security.
Overview of the Office 365 Unified Audit Logging
Microsoft(M365) is a set of
based services. Some services included in M365 are
,
, and
Online.
The services included in your
depends on your subscription.
Now, with so many
services, admins face the considerable challenge to monitor the activity logs of the various services for improved
of the organization. The good news is that the
offers Microsoft 365 admins a single location to enable unified audit.
Now, you must wonder which of the Microsoft 365 services supports unified
. To view all services you monitor, see the list in the
page.
Microsoft 365 Audit Log Licensing and Permissions
Microsoft offers two versions of thewhich allows you to enable, search for and monitor Microsoft 365 unified audit logs.
So, you get the
or
, depending on your organization’s
.
Additionally, admins that need to run audit
must be granted the required permissions.
To configure the licensing and user permission requirements, complete these steps.
Step 1: Confirm that Your Organization Meets Subscription / User Licensing Requirements
To access Microsoftunified audit log, your organization must have a minimum of Microsoft
Business Basic/Standard
subscriptions. It is the same as the
Premium P1 license.
In contrast, to access the Audit (Premium) feature, you require at least the Microsoft 365 Enterprise E5 subscription.
Follow the steps below to check your assigned subscription.
1. Follow the steps in our article –
365 using Powershell- to install the
Module. Then, connect to Office 365.
2. Run the Get-MsolAccountSku command to list the Microsoft 365 licenses available in your tenant.
Get-MsolAccountSku
3. Next, run the command below to return the license your admin has assigned to you.
# Look the user up by UPN, then match the SKU against every assigned license, not only the first one
Get-MsolUser -UserPrincipalName "name@domainname.com" | Where-Object { $_.Licenses.AccountSkuId -contains "License_AccountSkuId" } | Select-Object UserPrincipalName, DisplayName -ExpandProperty Licenses
Replace the License_AccountSkuId with the AccountSkuId (the license name) from the last command. Also, replace name@domainname.com with your Office 365 UPN.
Check the value of the last command displayed in the
AccountSkuId
property. Then, compare that with the
.
Finally, if the license your admin assigned you is listed, check the Microsoft
permission requirements using the steps in the following subsection.
Step 2: Confirm that Your Account Meets the Permission Requirements
To view and run Office 365 unifiedlog searches, admins or
must be assigned the
View Only Audit
Logs
or
Audit Logs
role in
. The
and
Organization Management
role groups have the required permissions by default.
Furthermore, members of the Office 365 Global Administrators group are added to the Organization Management role group in Exchange Online by default.
Follow the steps below to check if an account has the required permission to enable and search the audit logs. If you’re a Global Admin for your Office
tenant, ignore the steps below and proceed to the next section.
1. Open the Exchange Online admin center via
. Next, expand
Roles
and click “Admin Roles.”
2. In the search box of the “Admin roles” page, enter “management” to return only roles that include that term. Then, click the Compliance Management role.
3. On the
Management role flyout, click the “Assigned” tab. All
listed in this tab have permission to view search audit logs.
To add a user to this role, click the “+ Add” button – see the second screenshot.
4. Repeat step 3 for the Organization Management role.
Check the Current Status of Audit Logging for Your Organization
Before using the Microsoft compliance portal tofor improved
of your organization’s services, you must enable audit
. Enabled by default in organizations with
.
However, Microsoft may not enable auditing in some Microsoft 365 subscriptions by default. So, confirming if auditing is enabled in your O365 tenant before proceeding is a good idea.
Follow the steps below to check the current auditing status.
1. Use the steps in our
Online using PowerShell article- to connect to your Exchange Online tenant.
2. Once you’ve connected to Exchange Online, run the command below.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
The screenshot below shows all the commands you need to install the Exchange Online PowerShell module. Then, connect and run Get-AdminAuditLogConfig to determine if auditing is enabled for your organization.
If the Get-AdminAuditLogConfig command returns the UnifiedAuditLogIngestionEnabled property as True, it indicates that unified auditing is turned on for your organization. If it returns a value of False, it means that auditing is not turned on.
So, from the result of my Get-AdminAuditLogConfig command, auditing is NOT turned on, since the value is False. If this is your situation, proceed to the following section to enable auditing.
Enable Office 365 Unified Audit Logs
Microsoft offers 2 methods to enable Officeaudit logs to monitor
activity logs for improved organization
. Specifically, do this via the Compliance Portal or
.
Enable Auditing Using the Compliance Portal
1. Open-.
2. Navigate to the Solutions section and click Audit. Alternatively, open the Audit section directly by clicking.
3. Finally, to enable the Microsoft 365 unified audit log, click “Start recording user and admin activity.”
Please note that it may take up to 60 minutes for the change to take effect.
Enable Auditing Using Windows PowerShell
If you still have the PowerShellwhere you connected to the Exchange Online PowerShell module, run the command below to enable unified M365 auditing. You must run the first command before the second.
You may receive an error message if you run the Set-AdminAuditLogConfig command without running the Enable-OrganizationCustomization command first.
Enable-OrganizationCustomization
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Note that the Enable-OrganizationCustomization command takes a while to complete. Also, after you enable unified audit logging, it may take up to 60 minutes to take effect.
Then, re-run the Get-AdminAuditLogConfig command to confirm the audit logging status.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
If you successfully enabled auditing via the Compliance Portal or PowerShell, the last command should return the UnifiedAuditLogIngestionEnabled property as True. See the screenshot below.
Finally, you may turn off unified audit logging for your Microsoft 365 organization by running the command below.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
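The enable procedure from this section written as one repeatable function, as an added example that is not part of the original article. Enable-UnifiedAuditLogging is a hypothetical helper name, and the function assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run in the session.

```powershell
# Added example (not from the original article).
# Run this in Exchange Online PowerShell: in Security & Compliance PowerShell,
# Get-AdminAuditLogConfig always reports UnifiedAuditLogIngestionEnabled as False.
function Enable-UnifiedAuditLogging {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $config = Get-AdminAuditLogConfig
    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Verbose 'Unified audit log ingestion is already enabled.'
        return $true
    }

    # Enable-OrganizationCustomization is only needed while the organization
    # is still "dehydrated"; on an organization that is already customized
    # it is not needed and returns an error, so check before calling it.
    if ((Get-OrganizationConfig).IsDehydrated) {
        if ($PSCmdlet.ShouldProcess('organization', 'Enable-OrganizationCustomization')) {
            Enable-OrganizationCustomization -ErrorAction Stop
        }
    }

    if ($PSCmdlet.ShouldProcess('organization', 'Enable unified audit log ingestion')) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true -ErrorAction Stop
    }

    # The change can take up to 60 minutes to show, so this reports the
    # value as it is right now rather than waiting for it to flip.
    return [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

Enable-UnifiedAuditLogging -Verbose
```

Add -WhatIf to the call to see which of the two changes would be made without applying them.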
Search and Monitor Office 365 Audit Activity Logs for Improved Security
Let’s explore how to search it for relevantand admin activities.
In this section, we show you how to run an audit log search and export the result
. Additionally, we explain how you analyse the exported Office 365
for improved Security.
Step 1 (Option 1 of 2): Run an Office 365 Audit Log Search in the Compliance Portal
1. Open the Microsoft Compliance Audit page. Then, set the search criteria following the numbering in the screenshot below:
(1) Date and time range (UTC): The audit search tool selects the last 7 days by default. However, select your date range up to 90 days from the start date. Note that selecting more than 90 days returns an error message.
(2) Keyword Search: if you need the Office 365 unified audit tool to find logs about a word or phrase, enter it in this field.
(3) Activities: a drop-down with a long list of checkboxes.
(4) Record Type: search for specific record types likeDirectory.
(5) Workload: To filter the search criteria by workload, click the drop-down and check the Office 365 service from which you wish to view audit logs.
(6) Users: to filter thefor users, use the search criterion to enter their names. If you leave the user field blank, the Compliance Portal search tool returns audit logs for users across your Microsoft services.
(7) Files, folders, or sites: search for activity related to a file or folder containing a specific keyword by typing some or all of its name. You can also specify a file’s or folder’s URL.
(8) Search name: give the search a name, then click Search. Finally, to view the status of the reports, click Refresh.
Step 1 (Option 2 of 2): Run an Office 365 Audit Log Search Using PowerShell
Use...
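An added example (not from the original article) of a PowerShell audit search built from the same criteria as the portal form (date range, record type, activity), used here to flag changes to the unified audit setting itself. Get-AuditSettingChange and Search-AuditSettingChange are hypothetical helper names, and the example assumes such a change is recorded as an ExchangeAdmin record whose operation name is Set-AdminAuditLogConfig, with the cmdlet parameters in a Parameters array inside AuditData.

```powershell
# Added example; the two function names are hypothetical helpers,
# not cmdlets from any module.
function Get-AuditSettingChange {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData carries the full event as a JSON string.
        $data  = $Record.AuditData | ConvertFrom-Json
        $param = $data.Parameters |
            Where-Object { $_.Name -eq 'UnifiedAuditLogIngestionEnabled' }
        if ($param) {
            [pscustomobject]@{
                TimeUtc  = $Record.CreationDate
                User     = $Record.UserIds
                NewValue = "$($param.Value)"
                # Compare as text so "False" and $false are treated alike.
                Disabled = ("$($param.Value)" -eq 'False')
            }
        }
    }
}

function Search-AuditSettingChange {
    # Needs a Connect-ExchangeOnline session. 90 days mirrors the portal
    # limit described above; 5000 is the most a single call returns.
    param([ValidateRange(1, 90)][int] $Days = 90)
    $end = (Get-Date).ToUniversalTime()
    Search-UnifiedAuditLog -StartDate $end.AddDays(-$Days) -EndDate $end `
        -RecordType ExchangeAdmin -Operations 'Set-AdminAuditLogConfig' `
        -ResultSize 5000 | Get-AuditSettingChange
}

# Constructed sample record shaped like Search-UnifiedAuditLog output,
# so the parsing can be tried without a tenant.
$sample = [pscustomobject]@{
    CreationDate = [datetime]'2023-05-10T08:15:00Z'
    UserIds      = 'admin@example.com'
    AuditData    = '{"Operation":"Set-AdminAuditLogConfig","Parameters":' +
                   '[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"False"}]}'
}
$sample | Get-AuditSettingChange
```

With a live session, Search-AuditSettingChange returns one row per change, and rows with Disabled set to True are the ones to review first.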