Want to know if a user viewed a specific document or deleted an item from their mailbox? If so, you can use the audit log search tool in the Microsoft Purview compliance portal to search the unified audit log for user and administrator activity across your organization. Thousands of user and administrator operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Users in your organization can use the audit log search tool to search for, view, and export (to a CSV file) the audit records for these operations.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Microsoft 365 services that support auditing
Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services, apps, and features that are supported by the unified audit log.
Microsoft 365 service or feature | Record type
---|---
Azure Active Directory | AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon
Azure Information Protection | AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat
Communication compliance | ComplianceSupervisionExchange
Content explorer | LabelContentExplorer
Data connectors | ComplianceConnector
Data loss prevention (DLP) | ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint
Dynamics 365 | CRM
eDiscovery (Standard + Premium) | Discovery, AeD
Encrypted message portal | OMEPortal
Exact Data Match | MipExactDataMatch
Exchange Online | ExchangeAdmin, ExchangeItem, ExchangeItemAggregated
Forms | MicrosoftForms
Information barriers | InformationBarrierPolicyApplication
Microsoft 365 Defender | AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection
Microsoft Defender Experts | DefenderExpertsforXDRAdmin
Microsoft Defender for Identity (MDI) | MicrosoftDefenderForIdentityAudit
Microsoft Planner | PlannerCopyPlan, PlannerPlan, PlannerPlanList, PlannerRoster, PlannerRosterSensitivityLabel, PlannerTask, PlannerTaskList, PlannerTenantSettings
Microsoft Project for the web | ProjectAccessed, ProjectCreated, ProjectDeleted, ProjectTenantSettingsUpdated, ProjectUpdated, RoadmapAccessed, RoadmapCreated, RoadmapDeleted, RoadmapItemAccessed, RoadmapItemCreated, RoadmapItemDeleted, RoadmapItemUpdated, RoadmapTenantSettingsUpdated, RoadmapUpdated, TaskAccessed, TaskCreated, TaskDeleted, TaskUpdated
Microsoft Purview Information Protection (MIP) labels | MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation
Microsoft Teams | MicrosoftTeams
Microsoft To Do | MicrosoftToDo, MicrosoftToDoAudit
MyAnalytics | MyAnalyticsSettings
OneDrive for Business | OneDrive
Power Apps | PowerAppsApp, PowerAppsPlan
Power Automate | MicrosoftFlow
Power BI | PowerBIAudit
Quarantine | Quarantine
Sensitive information types | DlpSensitiveInformationType
Sensitivity labels | MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch
SharePoint Online | SharePoint, SharePointFileOperation, SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation
Stream | MicrosoftStream
SystemSync | DataShareCreated, DataShareDeleted, GenerateCopyOfLakeData, DownloadCopyOfLakeData
Threat Intelligence | ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent
Viva Goals | VivaGoals
Workplace Analytics | WorkplaceAnalytics
Yammer | Yammer
For more information about the operations that are audited in each of the services listed in the previous table, see the Audited activities article.
The previous table also identifies the record type values to use with the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or with a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of audit record types, see the Office 365 Management Activity API schema.
For more information about using PowerShell to search the audit log, see:
- Search-UnifiedAuditLog
- Use a PowerShell script to search the audit log
Before searching the audit log
Before you begin searching audit logs, review the following items.
Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, run the following command in Exchange Online PowerShell:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
A value of True for the UnifiedAuditLogIngestionEnabled property indicates that audit log search is turned on. For more information, see Turn audit log search on or off.
Important
Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property there is always False, even when audit log search is turned on.
You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global admins in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.
If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the compliance portal, they won't be able to search the audit log. You have to assign the permissions in Exchange Online, because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
When users or admins perform an audited activity, an audit record is generated and stored in the audit log for your organization. How long an audit record is retained (and searchable in the audit log) depends on your Office 365 or Microsoft 365 Enterprise subscription, and specifically on the type of license assigned to a specific user.
For users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license), audit records for Azure Active Directory, Exchange, and SharePoint activity are retained for one year by default. Organizations can also create audit log retention policies to retain audit records for activities in other services for up to one year. For more information, see Manage audit log retention policies.
Note
If your organization participated in the private preview program for one-year retention of audit records, the retention period for audit records generated before the global rollout date won't be reset.
For users assigned any other (non-E5) Office 365 or Microsoft 365 license, audit records are retained for 90 days. For a list of Office 365 and Microsoft 365 subscriptions that support unified audit logging, see the Security & Compliance Center service description.
Note
Even though mailbox auditing on by default is enabled, you might notice that mailbox audit events for some users aren't found in audit log searches in the compliance portal or via the Office 365 Management Activity API. For more information, see More information about mailbox audit logging.
To turn off audit log search for your organization, run the following command in Exchange Online PowerShell:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
To turn audit log search back on, run the following command in Exchange Online PowerShell:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
For more information, see Turn off audit log search.
The underlying cmdlet used to search the audit log is the Exchange Online cmdlet Search-UnifiedAuditLog. That means you can use this cmdlet to search the audit log instead of using the Audit page in the compliance portal. You have to run this cmdlet in Exchange Online PowerShell. For more information, see Search-UnifiedAuditLog.
For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.
If you want to programmatically download data from the audit log, we recommend that you use the Office 365 Management Activity API instead of using a PowerShell script. The Office 365 Management Activity API is a REST web service that you can use to develop operations, security, and compliance monitoring solutions for your organization. For more information, see Office 365 Management Activity API reference.
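The following script, added here as an example and not part of the original article, shows how Search-UnifiedAuditLog is typically used from Exchange Online PowerShell: it checks that audit log search is turned on, pages through every result for one record type with a SessionId (the cmdlet returns at most 5,000 records per call), and writes the same four columns that the portal's Download all results export produces. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the View-Only Audit Logs or Audit Logs role in Exchange Online.

```powershell
# Added example (not from the original article): search the unified audit log from
# Exchange Online PowerShell and export the results to a CSV file.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# View-Only Audit Logs or Audit Logs role in Exchange Online.
Connect-ExchangeOnline

# Run this check in Exchange Online PowerShell: in Security & Compliance PowerShell the
# same cmdlet always reports UnifiedAuditLogIngestionEnabled as False.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Audit log search is not turned on for this organization (UnifiedAuditLogIngestionEnabled is False).'
}

# Search criteria. Dates are interpreted as UTC; a range wider than 90 days is rejected.
$startDate  = (Get-Date).ToUniversalTime().AddDays(-7)
$endDate    = (Get-Date).ToUniversalTime()
$recordType = 'SharePointFileOperation'          # one record type from the table above
$operations = @('FileDeleted', 'FileDownloaded') # operation names as they appear in AuditData
$outFile    = Join-Path $HOME 'AuditLogSearch.csv'

# The cmdlet returns at most 5,000 records per call. Calling it repeatedly with the same
# SessionId and -SessionCommand ReturnLargeSet pages through up to 50,000 matching records.
$sessionId = 'AuditExport-{0}' -f (Get-Date -Format 'yyyyMMddHHmmss')
$records   = New-Object System.Collections.Generic.List[object]

do {
    $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -RecordType $recordType -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000

    if ($page) {
        $records.AddRange([object[]]$page)
        # ResultCount on each record is the total number of matches for this session
        Write-Host ('Retrieved {0} of {1} records' -f $records.Count, $page[0].ResultCount)
    }
} while ($page -and $page.Count -gt 0)

# Paging can occasionally return the same record twice; Identity is unique per record.
$unique = @($records | Sort-Object -Property Identity -Unique)

if ($unique.Count -ge 50000) {
    Write-Warning 'The 50,000-record search limit was reached; narrow the date range and search again.'
}

# Same columns as the portal's "Download all results" export. AuditData holds the
# JSON object with the service-specific details of each event.
$unique |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

Write-Host ('Wrote {0} audit records to {1}' -f $unique.Count, $outFile)
Disconnect-ExchangeOnline -Confirm:$false
```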
Azure Active Directory (Azure AD) is the directory service for Microsoft 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory audit report events.
Microsoft doesn't guarantee that the corresponding audit records are returned in audit log search results within a specific time after an event occurs. For core services such as Exchange, SharePoint, OneDrive, and Teams, audit records are typically available within 60 to 90 minutes after an event occurs. For other services, audit records might take longer to become available. However, unavoidable issues outside the audit service (such as a server outage) can further delay the availability of audit records. For this reason, Microsoft doesn't commit to a specific time.
To search the audit log for Power BI activity, you have to turn on auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in Power BI admin portal.
Search audit logs
Here's the process for searching the audit log in Microsoft 365.
- Step 1: Run an audit log search
- Step 2: View the search results
- Step 3: Export the search results to a file
Step 1: Perform an audit log search
Go to https://compliance.microsoft.com and sign in.
Tip
Use a private browsing session (not a regular session) to access the compliance portal, because this prevents the credentials you're currently logged on with from being used. Press CTRL+SHIFT+N to open an InPrivate Browsing session in Microsoft Edge or a private browsing session (called an incognito window) in Google Chrome.
In the left pane of the compliance portal, select Audit.
The Audit page is displayed.
Note
If a Start recording user and admin activity link is displayed, select it to turn on auditing. If you don't see this link, auditing is already turned on for your organization.
On the Search tab, configure the following search criteria:
Start date and End date: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. Date and time are presented in Coordinated Universal Time (UTC). The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
Tip
If you're using the maximum date range of 90 days, select the current time for Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
Activities: Select the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities, or you can select the activity group name to select all activities in the group. You can also select a selected activity to cancel the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities displays results for all activities performed by the selected user or group of users.
More than 100 user and admin activities are logged in the audit log. Select the Audited activities tab in this article for descriptions of every activity in each of the different services.
Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
File, folder, or site: Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify the URL of a file or folder. If you use a URL, be sure to type the full URL path or, if you only type a portion of the URL, don't include any special characters or spaces (the wildcard character (*) is supported, however).
Leave this box blank to return entries for all files and folders in your organization.
Tip
If you're looking for all activities related to a site, add the wildcard character (*) after the URL to return all entries for that site; for example, "https://contoso-my.sharepoint.com/personal*". If you're looking for all activities related to a document, add the wildcard character (*) before the file name to return all entries for that file; for example, "*Customer_Profitability_Sample.csv".
Select Search to run the search using your search criteria.
The search results are loaded, and after a few moments they're displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events are displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events that were returned are displayed.
Tips for searching audit logs
You can select a specific activity to search for by selecting the activity name. Or you can search for all activities in a group (such as File and folder activities) by selecting the group name. If an activity is selected, you can select it to cancel the selection. You can also use the search box to display the activities that contain the keyword you type.
You have to select Show results for all activities in the Activities list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, Set-Mailbox) in the Activity column in the results. For more information, select the Audited activities tab in this article and then select Exchange admin activities.
Similarly, some audited activities don't have a corresponding item in the Activities list. If you know the name of the operation for these activities, you can search for all activities and then filter the operations after you export the search results to a CSV file.
Select Clear to clear the current search criteria. The date range returns to the default of the last seven days. You can also select Clear all to show results for all activities to cancel all selected activities.
If 50,000 results are found, you can probably assume that more than 50,000 events met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export all 50,000 search results by selecting Export results > Download all results.
Step two: View search results
The results of an audit log search are displayed under Results on the Audit log search page. As previously stated, a maximum of 50,000 (most recent) events are displayed in increments of 150 events. Use the scroll bar or press Shift + End to display the next 150 events.
The results contain the following information about each event returned by the search:
Date: The date and time (in UTC) when the event occurred.
IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 address format.
Note
For some services, the value displayed in this field might be the IP address of a trusted application (for example, Office on the web apps) calling into the service on behalf of a user, and not the IP address of the device used by the person who performed the activity. Also, for admin activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged and the value displayed in this field is null.
User: The user (or service account) who performed the action that triggered the event.
Activity: The activity performed by the user. This value corresponds to the activities that you selected in the Activities drop-down list. For an event from the Exchange admin audit log, the value in this column is an Exchange cmdlet.
Item: The object that was created or modified as a result of the corresponding activity. For example, the file that was viewed or modified, or the user account that was updated. Not all activities have a value in this column.
Detail: Additional detail about an activity. Again, not all activities have a value.
Tip
Select a column header under Results to sort the results. You can sort the results from A to Z or Z to A. Select the Date header to sort the results from oldest to newest or newest to oldest.
View details for a specific event
You can view more details about an event by selecting the event record from the search results list. A pop-up page appears with detailed properties of the event record. The properties displayed depend on the service on which the event occurred.
Step 3: Export search results to a file
You can export the results of an audit log search to a comma-separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multiple properties) into multiple columns.
Run an audit log search, and then revise the search criteria until you have the results you want.
On the search results page, select Export > Download all results.
All entries from the audit log that meet the search criteria are exported to a CSV file. The raw data from the audit log is saved to the CSV file. Additional information from the audit log entry is included in a column named AuditData in the CSV file.
Important
You can download a maximum of 50,000 entries to a CSV file from a single audit log search. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria. To export more than this limit, try using a date range to reduce the number of audit log entries. You might have to run multiple searches with smaller date ranges to export more than 50,000 entries.
When the export process is complete, a message is displayed at the top of the window that prompts you to open the CSV file and save it to your local computer. You can also access the CSV file in the Downloads folder.
Learn more about exporting and viewing audit log search results
When you download all search results, the CSV file contains the columns CreationDate, UserIds, Operations, and AuditData. The AuditData column contains additional information about each event (similar to the detailed information displayed on the flyout page when you view search results in the compliance portal). The data in this column consists of a JSON object that contains multiple properties from the audit log record. Each property:value pair in the JSON object is separated by a comma. You can use the JSON transform tool in the Power Query Editor in Excel to split the AuditData column into multiple columns so that each property in the JSON object has its own column. This lets you sort and filter on one or more of these properties. For step-by-step instructions on using the Power Query Editor to transform the JSON object, see Export, configure, and view audit log records.
After you split the AuditData column, you can filter on the Operations column to display the detailed properties for a specific type of activity.
When you download all results from a search that includes events from different services, the AuditData column in the CSV file contains different properties depending on which service the action was performed in. For example, entries from the Exchange and Azure AD audit logs include a property named ResultStatus that indicates whether the action was successful. Events in SharePoint don't include this property. Similarly, SharePoint events have a property that identifies the site URL for file- and folder-related activities. To mitigate this behavior, consider using different searches to export the results for activities from a single service.
For a description of many of the properties listed in the AuditData column in the CSV file when you download all results, and the service each one applies to, see Detailed properties in the audit log.
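As an added example, not part of the original article, here is how the AuditData column can be split into one column per JSON property with PowerShell instead of the Power Query Editor: each AuditData value is parsed with ConvertFrom-Json, the union of property names across all records becomes the column set (so ResultStatus and SiteUrl each get a column even though no single service supplies both), and the expanded rows are written to a new CSV. The three input rows are constructed sample data in the export's format, not records from a real tenant; the Azure AD admin row deliberately has no ClientIP, matching the note above that the IP address isn't logged for such events.

```powershell
# Added example (not from the original article): expand the AuditData JSON column of an
# audit log CSV export into one column per property. The rows below are constructed sample
# data in the export's format (CreationDate, UserIds, Operations, AuditData); replace
# $sampleCsv | ConvertFrom-Csv with Import-Csv -Path .\AuditLogSearch.csv for a real export.
$sampleCsv = @'
CreationDate,UserIds,Operations,AuditData
2024-01-15T09:12:44,alice@contoso.com,FileDeleted,"{""CreationTime"":""2024-01-15T09:12:44"",""Operation"":""FileDeleted"",""RecordType"":6,""UserId"":""alice@contoso.com"",""ClientIP"":""203.0.113.5"",""Workload"":""SharePoint"",""SiteUrl"":""https://contoso.sharepoint.com/sites/finance/"",""SourceFileName"":""Customer_Profitability_Sample.csv""}"
2024-01-15T10:03:01,bob@contoso.com,Set-Mailbox,"{""CreationTime"":""2024-01-15T10:03:01"",""Operation"":""Set-Mailbox"",""RecordType"":1,""UserId"":""bob@contoso.com"",""ClientIP"":""198.51.100.7"",""Workload"":""Exchange"",""ResultStatus"":""True""}"
2024-01-15T11:45:19,admin@contoso.com,Add member to role.,"{""CreationTime"":""2024-01-15T11:45:19"",""Operation"":""Add member to role."",""RecordType"":8,""UserId"":""admin@contoso.com"",""Workload"":""AzureActiveDirectory"",""ResultStatus"":""Success""}"
'@

function Expand-AuditData {
    # Turns rows with an AuditData JSON string into flat objects with one property per JSON key.
    param([Parameter(Mandatory)][object[]]$Rows)

    # Parse every AuditData value once; a row with malformed JSON is reported and skipped.
    $parsed = foreach ($row in $Rows) {
        try {
            [pscustomobject]@{ Row = $row; Data = ($row.AuditData | ConvertFrom-Json) }
        } catch {
            Write-Warning ('Skipping row with unparsable AuditData for {0}: {1}' -f $row.UserIds, $_)
        }
    }

    # Column set = union of JSON property names across all records, because records from
    # different services carry different properties (ResultStatus vs. SiteUrl, for example).
    $columns = $parsed | ForEach-Object { $_.Data.PSObject.Properties.Name } | Select-Object -Unique

    foreach ($p in $parsed) {
        $out = [ordered]@{
            CreationDate = $p.Row.CreationDate
            UserIds      = $p.Row.UserIds
            Operations   = $p.Row.Operations
        }
        foreach ($column in $columns) {
            # Properties the record doesn't have become empty cells rather than errors.
            $out[$column] = if ($p.Data.PSObject.Properties[$column]) { $p.Data.$column } else { $null }
        }
        [pscustomobject]$out
    }
}

$expanded = Expand-AuditData -Rows ($sampleCsv | ConvertFrom-Csv)

# With one column per property you can filter on Operations or on any service-specific
# field: SharePoint file activity with its site URL, or Exchange/Azure AD ResultStatus.
$expanded | Where-Object { $_.Workload -eq 'SharePoint' } |
    Format-Table Operations, UserIds, SiteUrl, SourceFileName, ClientIP -AutoSize
$expanded | Where-Object { $_.ResultStatus } |
    Format-Table Operations, UserIds, Workload, ResultStatus, ClientIP -AutoSize

$expanded | Export-Csv -Path (Join-Path $HOME 'AuditLogSearch-expanded.csv') -NoTypeInformation -Encoding UTF8
```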
Frequently Asked Questions
What are the current Microsoft 365 services that are audited?
The most commonly used services such as Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Dynamics 365, Defender for Office 365, and Power BI are audited. See the beginning of this article for a list of the services that are audited.
What activities are audited by the auditing service in Microsoft 365?
See the Audited activities article for a list and description of the activities that are audited.
How long does it take to get audit data after an incident?
Most audit data is available within 60 to 90 minutes, but it can take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. See the Before searching the audit log section of this article for how long it takes for events in the different services to become available.
How long are audit records kept?
As previously explained, audit records for activities performed by users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 add-on license) are retained for one year. For all other plans that support unified audit logging, audit records are retained for 90 days.
Can I programmatically access audit data?
Yes. The Office 365 Management Activity API is used to retrieve audit logs programmatically. To get started, see Get started with the Office 365 Management APIs.
Is there another way to get audit logs other than using the Security & Compliance Center or the Office 365 Management Activity API?
Yes, you can retrieve audit logs by using:
- The Office 365 Management Activity API.
- The audit log search tool in the Microsoft Purview compliance portal.
- The Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.
Do I need to turn on auditing separately in each service that I want to capture audit logs for?
Auditing is turned on by default in most services after you turn on auditing for your organization (see the Before searching the audit log section of this article).
Does the audit service support document deduplication?
No. The audit service pipeline is near real-time and therefore does not support deduplication.
Where is audit data stored?
We currently have audit pipeline deployments in the NA (North America), EMEA (Europe, Middle East, and Africa), and APAC (Asia Pacific) regions. Tenants homed in these regions have their audit data stored in the region. For multi-geo tenants, the audit data collected from all regions of the tenant is stored only in the tenant's home region. However, we might flow data across these regions for load balancing, and only during live-site issues. When we perform these activities, the data in transit is encrypted.
Is audit data encrypted?
Audit data is stored in Exchange mailboxes (data at rest) in the same region where the unified audit pipeline is deployed. Mailbox data at rest isn't encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted with BitLocker. For more information, see Microsoft 365 encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online.
Mail data in transit is always encrypted.
FAQs
What is the audit log in Microsoft Purview?
Audit search tool in the Microsoft Purview compliance portal. Use the audit log search tool in the compliance portal to search for audit records. You can search for specific activities, for activities performed by specific users, and for activities that occurred within a date range. The Search-UnifiedAuditLog cmdlet can also be used.
What kind of information do you find when searching the audit log?
- Edited items.
- Checked-out and checked-in items.
- Items that have been moved and copied to other locations in the site collection.
- Deleted and restored items.
- Changes to content types and columns.
- Search queries.
- Changes to user accounts and permissions.
To run an audit log search:
Start a new search. In the Security & Compliance Center, click Search > Audit log search. The main criteria to specify are Activities: there are over 100 of these, so they've been grouped into related activities.
How do I view AD audit logs?
Active Directory event logging tool
You can open the Event Viewer by clicking Start → System security → Administrative tools → Event viewer.
To view a SQL Server audit log
In Object Explorer, expand the Security folder. Expand the Audits folder. Right-click the audit log that you want to view and select View Audit Logs.
What should be logged in an audit log?
What should be logged? Auditing records should, at a minimum, detail the unique user ID, unique data subject ID, function performed, type of event, the date and time of an event, the possible identity of the subject of the event, and the information that may have been affected by the event.
What is the best way to track the audit log for authentication?
- Make sure to log everything from all authentication flows.
- Write logs that include all the information you may need.
- Make sure your logs use a standardized, easily parsable format.
What are audit log settings?
The Auditing service creates an audit trail of security-related events. These events include all security-related settings changes and user login and logout operations. You can configure which audit events to log and how much information to include based on your auditing requirements.
Why do we need to clear the audit log?
If you clear the audit trail, you'll have fewer transactions and therefore less data for the software to manage, which helps improve performance. Clear audit trail removes transactions that meet specific criteria from the nominal activities.
How do I check my audit logs in Intune?
- Sign in to the Microsoft Intune admin center.
- Select Tenant administration > Audit logs.
- To filter the results, select Filter and refine the results using the following options. ...
- Select Apply.
- Select an item in the list to see the activity details.
How to check audit logs in Office 365: Go to the Microsoft 365 admin center and select the Security tab in the left pane. Click the Audit button to open the audit log page. You can search the audit log based on time, activities, and users.
What is the difference between an audit log and an activity log?
The audit log displays a timeline of changes made to fields on a record; the historical summary shows activities like calls and meetings that are related to a record; and the record's activity stream shows changes, linked records, and user comments.
How do I query audit logs in Azure?
Sign in to the Azure portal, go to Azure AD, and select Audit logs from the Monitoring section. The audit activity report is available in all editions of Azure AD.
How do I enable audit in Microsoft Purview?
Use the compliance portal to turn on auditing
In the Microsoft Purview compliance portal at https://compliance.microsoft.com, go to Solutions > Audit.
The Dynamics 365 Customer Engagement (on-premises) auditing feature logs changes that are made to customer records and user access so you can review the activity later. The auditing feature is designed to meet the auditing, compliance, security, and governance policies of many regulated enterprises.
How do I enable audit in Purview?
Go to Microsoft Purview. Under the Solutions category, select Audit. If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity. You can click the banner to enable audit.
What are the two types of audit logs?
There are typically two kinds of audit records, (1) an event-oriented log and (2) a record of every keystroke, often called keystroke monitoring. Event-based logs usually contain records describing system events, application events, or user events.
What does an audit log contain?
It includes records of system accesses and operations performed in a given period. A record providing documentary evidence of specific events. A chronological record of system activities, including records of system accesses and operations performed in a given period.