Office 365 Audit Log Search
Its Office 365 time again in the lab and this time we are going to take a look at auditing. Do you want to see which admin deleted that user account or which user accessed that file and where from? well you will find out how right now!
First you need to start recording user and admin activities using the link under
Security & Compliance -> Search & investigation -> Audit log search
Click Turn on to start recording information to the logs.
Once enabled you will see a message stating that the logs are being prepared and will be available in a couple of hours.
Once the logs are ready you can search the logs for almost any activity performed on the 365 system. See when files are checked in, see which files get deleted or restored see when files are downloaded to a computer and lots more.
This is a fantastic feature for us admins especially when dealing with user support requests or when trying to find the cause of an issue. Now its all in black and white showing who did what, when and where.
As a test I created a new user called Peter Pan, reset the password and deleted the user. The logs wont show activity straight away, it can take 5-20 minutes after the fact before you see entries in the logs. Once I waited a few minutes everything appeared in the logs as shown below. Brilliant!
You can also search the log to see what users have been accessing files, where they accessed them from and at what time. Here we can see a user accessed a network plan pdf file.
You can select any log entry and view more details including the exact location of the file.
You have now seen how to enable and access the Audit search logs. They are incredibly useful so its worth enabling the feature as soon as possible because you never know when you will need it. This will make your life so much easier especially when users report files have disappeared or if you suspect an employee is downloading files they shouldn’t be to their home computer.
Remember to subscribe to the blog so you don’t miss more of my walkthroughs.