Enable Office 365 auditing for admin and user

Introduction

Office 365 Security and Compliance center gives you the capabilities to perform a unified audit log search to track user and admin activities in Office 365. Office 365 Security and Compliance center enables auditing for admin and users to monitor their activities in Office 365. Sometime its required to monitor and track the activities of users and admins for compliance reasons. Large organizations who have multiple admins setup in Office 365 are always looking for a method to track admin activities to ensure data security and track Office 365 changes. Organization with Office 365 infrastructure deployed or planning to move on to Office 365 should consider enabling Office 365 auditing in Security and Compliance to track activities.

Office 365 Security and Compliance center will track the following activities of admin and users.

  • User activities audit by Office 365 includes activity in Power BI, Sway, Exchange online (Mailbox auditing), Yammer, SharePoint online and OneDrive for Business.
  • Admin activities audit by Office 365 includes activity in Power BI, Exchange online, SharePoint online and OneDrive for Business, Azure AD and Yammer.

How to enable Office 365 auditing for admin and user

  • To configure users and admin activity auditing, login to the Office 365 “Security and Compliance” center using the admin credentials.

You can either login to protection.office.com or portal.office.com and navigate to Admin > Security and Compliance

Enable Office 365 auditing for admin and user

  • Once you are logged in, Click on “Start recording now” under Search for Activity

Enable Office 365 auditing for admin and user

  • When you click on the “start recording now” link, it will open a following pop up message asking you to confirm if you would like to Start recording user and admin activities. Click on “Turn on

Enable Office 365 auditing for admin and user

  • Click Yes to confirm these changes, this will start the process of updating the organization settings in Office 365 for Security and Compliance

Enable Office 365 auditing for admin and user

  • Once the organization settings are updated in Office 365, you will see the following screen and a check mark under “Search for Activity” that confirms the feature has been enabled in Office 365

Enable Office 365 auditing for admin and user

  • To run audit reports for user or admin activities in Office 365, Navigate to “Search & Investigate” and click on “Audit log Search

Enable Office 365 auditing for admin and user

  • As we have enabled the auditing a moment ago, it will show the warning message as shown in the below screen. It’s recommended that you recommend the audit search log after 24 hours when you enable the auditing in Office 365.

Enable Office 365 auditing for admin and user

It can take up to 24 Hrs to turn this feature on in Office 365 as per the SLA. I have seen this to be activated within minute and you can still perform the search

Office 365 user and admin audit logging helps  you to view user specific information whether user viewed a specific document or purged an item from their mailbox? Office 365 Security & Compliance Center help you to search the unified audit log to view user and administrator activity in your Office 365 organization and i would highly recommend to activate this feature in your office 365 tenant. More information on this can be found on “Office Security and Compliance” site.