Tuesday 9 February 2021

Microsoft 365: the basics of audit logs

At the moment the audit logs can be found at Audit log search - Security & Compliance (office.com) (09/02/2021). The user needs, at a minimum, the View-Only Audit Logs role, and this has to be assigned via Exchange Online because the underlying commands are Exchange related.

This is the old way to see them; it is moving over to Audit - Microsoft 365 compliance, which will have more powerful tools rolled out to it, as this is where Microsoft will be putting in the dev work.

Audit logs are a great place to start when you need to track a user's activity or a file / email. If you are looking for a breach and you believe it's recent, though, the Azure User AD | Sign in logs and activity will give you a quicker overview of what's been happening with the users, which you can then use in the audit logs to get more information.

Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs
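
The workflow above, sketched in PowerShell as an added example (not code from the original post): once the sign-in logs point at a user, pull that user's records from the audit log through Exchange Online PowerShell and flatten the `AuditData` JSON into a sortable timeline. It assumes the ExchangeOnlineManagement module is installed and the account holds the View-Only Audit Logs role; the account names and the seven-day window are constructed placeholders.

```powershell
# Added example. The UPNs and the time window are constructed placeholders.
$AdminUpn   = 'admin@contoso.example'
$SuspectUpn = 'user@contoso.example'
$Start      = (Get-Date).AddDays(-7)
$End        = Get-Date

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Reusing one session id lets the service hand back a large result set
# in pages of up to 5000 records per call.
$SessionId = 'audit-' + [guid]::NewGuid().ToString()
$Records   = New-Object 'System.Collections.Generic.List[object]'

do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -UserIds $SuspectUpn -SessionId $SessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($Record in $Page) { $Records.Add($Record) }
} while ($Page)   # an empty page means the session is exhausted

# AuditData is a JSON string; expand the fields common to every workload.
# ReturnLargeSet returns records unsorted, so sort by time afterwards.
$Events = $Records | ForEach-Object {
    $Data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $Data.CreationTime
        Workload  = $Data.Workload
        Operation = $Data.Operation
        ClientIP  = $Data.ClientIP
        ObjectId  = $Data.ObjectId
    }
} | Sort-Object TimeUtc

# Quick overview: which operations, in which workloads, and how often.
$Events | Group-Object Workload, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep the full timeline for the investigation record.
$Events | Export-Csv -Path ".\audit-$SuspectUpn.csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Comparing the `ClientIP` values in the timeline against the addresses seen in the sign-in logs is a quick way to separate the user's normal activity from the sessions under investigation.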

Log Retention
Log retention is a mixed bag. By default most logs are only retained for 90 days, but some are kept for 1 year, such as records with AzureActiveDirectory, Exchange, or SharePoint for the Workload property. You can change this with a custom retention policy, which can be set under the Audit section of Audit - Microsoft 365 compliance.

You will need the Organization Configuration role to carry this out. As a side note, you can go lower than the default, but if you wish to go longer then each user will need the correct Microsoft 365 license: either an Office 365 E5 or Microsoft 365 E5 license, or a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. These licenses need to be assigned to each user where you require over 90 days of audit logs.

Manage audit log retention policies - Microsoft 365 Compliance | Microsoft Docs
