Audit Logs in Microsoft 365

Why you should be using Office 365 Audit Logs

Office 365 Audit logs let you know who has access to your information and what they are doing with it.

The Audit logs capture activities in Exchange, SharePoint, Yammer, PowerBI, Sway, and Azure Active Directory. Once it’s turned on, it records almost every major action you can think of including Office 365 logins, viewing documents, downloading documents, sharing documents, setting changes, and password resets (a full list can be found here). 

In addition to recording actions, you can set alerts for certain activities. Some of the most common are alerts for log in attempts from other countries and too many failed log in attempts. Other common alerts, include alerts for downloading multiple files in a short period of time or mass deleting files from SharePoint, which may indicate an employer has pressed the wrong button, or worse.

So why is this information useful? It’s useful both from a security aspect (getting alerts for suspicious activity) and just keeping up with what’s going on in your environment. Audit logs can be key in figuring out the root cause of an ongoing issue or pre-empting an issue that may be about to occur.

With all this information and interaction, you need tighter controls on the security of your data, and you need to know who has access and where your information has gone.

For this – you need the Office 365 Audit logs.

How to Use Office 365 Audit Logs

Office 365 audit logs are not enabled by default, so to start using them, you’ll need to turn them on and set up a few configurations (please note, your Office 365 Admin will need to do this):

  1. Enable audit logs in the Office 365 Security and Compliance Center (an admin will need to do this step). On the Audit Log Search page, click “Start recording user and admin activity.”
  2. If you want to track activities in Exchange, you’ll need to set up additional configurations. Read full directions here
  3. Set up permissions for your users. In the Exchange admin center, change the permissions for any users who will need access to audit logs. They will need to be assigned the ‘View-Only Audit Logs’ or ‘Audit Logs’ role. Please note, only users who are assigned these roles can get alerts. 
  4. Set up your alerts. To do this, in the Security & Compliance Center, go to the Audit Log Search (under Search & investigation), then click the “+Create an Alert” button under the search area.

Logs are only kept for 90 days, so if you don’t set up alerts, it’s a good idea to periodically review them for suspicious activity. 


If you have any questions or wish to discuss your options, please feel free to contact us at any time.
We are always ready to help you to get the right outcome for your Business.
Send your enquiry to support@prettyclever.com.au or call us on 9629 7733 during business hours.

PrettyClever Consulting – Making I.T. Happen.