Heftruckchauffeur

• How to Monitor Office 365 Activity Logs for Improved Security

Post By
Victor Ashiedu
May 15, 2023
How to Monitor Office 365 Activity Logs for Improved Security. Looking to enhance the
of your
? It’s crucial to
the
of Office 365, and
provides a single platform to do that.
In this article, we explore an overview of the Office
unified
logging. 
Then, we learn the licensing and permission requirements to use the Microsoft 365 unified audit log. Moreover, this section includes steps to check if you meet these requirements and what to do if you don’t. 

Next, we examine how to check if unified audit logging is enabled for your organization. Then, we discuss the steps to enable it through the Microsoft

portal or
.
Once audit logging is enabled, we cover how to search, view, and export Office
audit logs to
. Finally, we show how to monitor and analyse the 365
to improve your organization’s security.

Also Read 

Overview of the Office 365 Unified Audit Logging

Microsoft
(M365) is a set of
based services. Some services included in M365 are
,
, and
Online.
The services included in your
depends on your subscription. 
Now, with so many
services, admins face the considerable challenge to monitor the activity logs of the various services for improved
of the organization. The good news is that the
offers Microsoft 365 admins a single location to enable unified audit. 
Now, you must wonder which of the Microsoft 365 services supports unified
. To view all services you monitor, see the list in the
page. 

Also Read 

Microsoft 365 Audit Log Licensing and Permissions

Microsoft offers two versions of the
which allows you to enable, search for and monitor Microsoft 365 unified audit logs.
So, you get the
or
, depending on your organization’s
. 
Additionally, admins that need to run audit
must be granted the required permissions.
To configure the licensing and user permission requirements, complete these steps. 

Step 1: Confirm that Your Organization Meets Subscription / User Licensing Requirements

To access Microsoft
unified audit log, your organization must have a minimum of Microsoft
Business Basic/Standard
subscriptions. It is the same as the
Premium P1 license. 
On the contrary, to access the Audit (Premium) feature, you require at least the
Microsoft 365 Enterprise E5
subscription. 
Follow the steps below to check your assigned subscription. 
1. Follow the steps in our article –
365 using Powershell- to install the
Module. Then, connect to Office 365. 
2. Run the
MsolAccountSku command to list the Microsoft 365 license available in your tenant. 
Get-MsolAccountSku
2. Next, run the command below to return the license your admin has assigned to you. 
Get-MsolUser | Where-Object { ($_.Licenses[0].AccountSkuId -eq "License_AccountSkuId") -and ($_.UserPrincipalName -eq "name@domainname.com" ) } | Select-Object UserPrincipalName, DisplayName -ExpandProperty Licenses

Replace the License_AccountSkuId with the AccountSkuId (the license name) from the last command. Also, replace name@domainname.com with your Office 365 UPN. 

Check the value of the last command displayed in the
AccountSkuId
property. Then, compare that with the
. 
Finally, if the license your admin assigned you is listed, check the Microsoft
permission requirements using the steps in the following subsection. 

Also Read

Step 2: Confirm that Your Account Meets the Permission Requirements

To view and run Office 365 unified
log searches, admins or
must be assigned the
View Only Audit
Logs
or
Audit Logs
role in
. The
 and 
Organization Management
role groups have the required permissions by default. 
Furthermore, members of the Office 365
Global Administrators
group are added to
Organization Management 
role group in Exchange Online by default.
Follow the steps below to check, if an account has the required permission to enable and search the audit logs. If you’re a Global Admin for your Office

tenant, ignore the steps below and proceed to the next section. 
1. Open the Exchange Online admin center via
. Next, expand 
Roles 
and click “Admin Roles.” 
2. On the search box of the “Admin roles” page, enter “management” to return only roles that include that term. Then, click the

Compliance

Management

role.
3. On the
Management role flyout, click the “Assigned” tab. All
listed in this tab have permission to view search audit logs. 
To add a user to this role, click the “+ Add” button – see the second screenshot. 
4. Repeat step 3 for the
Organization Management
role.

Also Read 

Check the Current Status of Audit Logging for Your Organization

Before using the Microsoft compliance portal to
for improved
of your organization’s services, you must enable audit
. Enabled by default in organizations with
. 
However, Microsoft may not enable auditing in some Microsoft 365 subscriptions by default. So, confirming if auditing is enabled in your O365 tenant before proceeding is a good idea. 

Follow the steps below to check the current auditing status. 
1. Use the steps in our
Online using PowerShell article- to connect to your Exchange Online tenant. 
2. Once you’ve connected to Exchange Online, 
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
The screenshot below shows all the commands you need to install the Exchange Online PowerShell module. Then, connect and run the
AdminAuditLogConfig
to determine, if auditing is enabled for your organization.
If the
Get-AdminAuditLogConfig
command returns the
UnifiedAuditLogIngestionEnabled
property as 
True, 
it indicates that unified auditing is turned on for your organization. If it returns a value of
False
, it means that auditing is
not
turned on. 
So, from the result of my
Get-AdminAuditLogConfig
command, auditing is NOT turned, since the value is False. If this is your situation, proceed to the following section to enable auditing.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out
for
Free
. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Also Read 

Enable Office 365 Unified Audit Logs

Microsoft offers 2 methods to enable Office
audit logs to monitor
activity logs for improved organization
. Specifically, do this via the Compliance Portal or
. 

Enable Auditing Using the Compliance Portal

1. Open-
. 
2. Navigate to the

Solutions

section and click

Audit

. Alternatively, open the Audit section directly by clicking
.
3. Finally, enable Microsoft 365 unified audit log, click “Start recording user and admin activity.”
Please note that it may take up to 60 minutes for the change to take effect.

Also Read 

Enable Auditing Using Windows PowerShell

If you still have the PowerShell
where you connected to the Exchange Online PowerShell module, run the command below to enable unified M365 auditing. You must run the first command before the second. 

You may receive an error message, if you run the Set-AdminAuditLogConfig command without running the Enable-OrganizationCustomization command first.
Enable-OrganizationCustomization
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Note that the Enable-OrganizationCustomization command takes a while to complete. Also, after enabling unified audit logging, may take up 60 mins to take effect. 

Then, re-run the Get-AdminAuditLogConfig command to confirm the audit login status. 
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
If you successfully enabled auditing via the
Portal or
, the last command should return the UnifiedAuditLogIngestionEnabled as 
True.
See the screenshot below. 
Finally, you may turn off the unified audit login for your Microsoft 365 organization by running the command below. 
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

Also Read 

Search and Monitor Office 365 Audit Activity Logs for Improved Security

Let’s explore how to search it for relevant
and admin activities.
In this section, we show you how to run an audit log search and export the result
. Additionally, we explain how you analyse the exported Office 365
for improved Security.

Also Read 

Step 1 (Option 1 of 2):

Run an Office 365 Audit Log Search in the Compliance Portal

1. Open Microsoft Compliance Audit page

. Then, set the search criteria following the numbering in the screenshot below: 

(1) Date and time range (UTC)

: The audit search tool selects the last 7 days by default. 
However, select your data range up to 90 days from the start date. Note that selecting more than 90 days returns an error message. 

(2) Keyword Search

: if you need the Office 365 unified audit tool to find logs about a word or phrase, enter it in this field. 

(3) Activities

: a drop-down with a long list of checkboxes.

(4) Record Type

: search for specific record types like
Directory.

(5) Workload

: To filter the search criteria by workload, click the drop down and check the Office 365 service from which you wish to view audit logs. 

(6) Users

: to filter the
for
users, use the search criterion to enter their names. If you leave the user field blank, the Compliance Portal search tool returns audit logs for
users across your Microsoft
services.

(7) Files, folders, or sites

: search for activity related to a file or folder containing a specific keyword by typing some or all of its name. Also allows to specify a file’s or folder’s URL.

(8) Search name

: give the search a name, then click Search. Finally, to view the status of the reports, click

Refresh

.

Also Read 

Step 1 (Option 2 of 2):

Run an Office 365 Audit Log Search Using PowerShell

Use
meer...

Naar vacature

Meer vacatures van Muldertulips
Meer Heftruckchauffeur vacatures