Gravity Union

View Original

Understanding Microsoft 365 Audit Logs

Microsoft has come a long way in providing a consolidated and detailed audit log of nearly everything and anything that happens in Microsoft 365.

Gone are the days worrying if turning on the view audit in SharePoint would slow things down too much. Organizations are now automatically offered up one of the largest and most in-depth audit trails imaginable. The Audit trail captures more than just SharePoint activities as it audits all events across all workloads from Azure Active Directory to Stream and everything in between.

The audit trail captures hundreds of event types and dozens of metadata points for each audit log entry:

Some of the hundreds of Audit Trail Property Details available in the Microsoft 365 audit trail

What kind of information can we gather from the audit trails?

The type and kinds of information that we can get from the audit trail is only limited by your imagination!

Need a list of items that were deleted to find a missing file? No problem.

Want to see how well your recent fancy SharePoint site is being adopted? Easy.

Need to verify that an updated policy or procedure has been referenced? Simple.

Curious if your Head Researcher downloaded a bunch of proprietary intellectual property before taking a job at your competitor so that your company lawyer can send some emails? It will only take a couple of minutes.

Want to check the IP address of your user to make sure that they (perhaps a Canadian politician) stayed home over holidays during lock down? Or did you want to make sure that your documents covered by the Nuclear Non-proliferation agreement aren’t being viewed outside of your country? Microsoft has you covered.

Looking at data in aggregate

We can glean even more information when we start to look at the data in aggregate. We built reports on the audit trail recently to provide more detail. One example is looking for bulk deletions. After running it for the first time, we noticed that one of our employees deleted a bunch of project artifacts the week prior. As it turns out, they were decluttering their computer’s desktop by removing any files and folders. One of those folders the removed was a synchronized folder pointed to SharePoint. Unbeknownst to them, they had missed a crucial step in un-mapping their synced folder. All is good, we had a good laugh about it, restored the files from the Recycle Bin and educated ourselves on the proper process of deleting synced SharePoint folders.

In another real-world example, I was working with a client to determine if some policies or procedures were being referenced. There were some accidents in the field that the policies and procedures were designed to address, but field workers had confirmed that they were following the procedures to a T. However, after digging around, it appeared that the policies and procedures in SharePoint hadn’t been referenced in over a year. After a little digging and a couple of conversations, it turns out that the original policies and procedures were printed off and kept in a binder for easy access, but were of course out of date.

Or perhaps, like banking software, that doesn’t store your account balance as such (which poses a security risk), but rather shows you the result of all of your deposits and withdrawals, we can calculate information by looking at the summary of activities for a given document. For example, we can look for documents that we would expect to be classified against our file plan and declared as a record, but remain unclassified and undeclared. This could expose a lack of governance, misconfiguration or perhaps something more concerning.


Want to learn more about audit trails? View the recording from a recent webinar: Understanding Microsoft 365 Audit Trails


Audit trails and Compliance

Audit trails do not simply provide us interesting and useful information. We are often obliged to keep it around to meet our needs around compliance.  You may be called upon to prove that an individual had seen a policy or procedure or prove when a contract was signed. Various regulatory authorities may dictate to you for how long the audit trail is kept or may dictate that the audit trail is kept for the life of the document.

Accessing the Audit Trail

The audit trail can be accessed from the Compliance Admin center in Office 365:

The Audit section of the Microsoft 365 Compliance Center

End-users can search for audit entries based on activity, workload, location, and user. They can also export the results to a CSV file for further processing and consumption.

Gaps in the audit trail

I do sincerely apologize if I lulled you into a false sense of security around the audit trail. As cool as it is, there are a couple of issues you want to consider addressing, especially if you’re focused on compliance.

1) It disappears

Let’s start with the biggest issue. Microsoft 365’s audit trail disappears rather quickly. With an E3 license, it hangs out for around 3 months, then never to be seen again.

E5 is a little better by keeping it around for 1 year before pulling the ol’ David Copperfield on us.

Most recently, Microsoft added the ability to create audit trail retention policies as an optional add-on for Microsoft 365 that allows for up to 10 years for audit trail retention. This must be configured against a record type or user, so it’s not automatic.

To a degree, this design pattern makes sense. It is after all a lot of data and not all companies will be concerned about it. They do, after all, let you download the audit logs.

Audit Retention Policy in Microsoft 365

2) You can’t place them on hold

Microsoft does not offer the ability to place audit trail entries on-hold. This means that even though your organization has gone to great lengths to roll out a records management program, the audit trail entries may disappear on you at the most critical moment.

 3) They don’t get deleted when a record is destroyed

The audit trail entries in the Microsoft 365 audit trial do not get destroyed. This can be problematic if a document has reached the end of its life according to your file plan, and been successfully expunged, but you still may be on the hook to produce the corresponding audit trail during legal discovery.

 4) 50,000 download limit

If you do plan on downloading the audit trail to investigate something, note that you are limited to 50,000 items per download. Many organizations will produce more than 50,000 audit trail entries per day or month, so you’ll need a plan on how you’ll slice and dice the audit trail to download the information in a reliable fashion.


These issues, as well as rethinking how we truly manage our audit trail from a compliance perspective inspired us to create Gravity MOAT – a compliance focused audit trail management solution. Interested in learning more? Watch the webinar: A deep dive into Microsoft 365 audit trails