Search the audit log in the Security & Compliance Center

6/20/2019

Introduction

Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization.

Note: We're in the process of turning on auditing by default. Until then, you can turn it on as previously described.

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log.
By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Note that global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online.
To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see.

Important: If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to search the Office 365 audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the Office 365 audit log for your organization. The length of time that an audit record is retained (and searchable in the audit log) depends on your Office 365 subscription, and specifically the type of the license that is assigned to a specific user.

Office 365 E3 - Audit records are retained for 90 days. That means you can search the audit log for activities that were performed within the last 90 days.

Office 365 E5 - Audit records are also retained for 90 days. Retaining audit records for one year may eventually be available for E5 users and users with an E3 license and an Office 365 Advanced Compliance add-on license.

Note: The private preview program for the one-year retention period for audit records for E5 organizations (or for users in E3 organizations that have Advanced Compliance add-on licenses) is closed to new enrollment.

Tip: Use a private browsing session (not a regular session) to access the Security & Compliance Center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.

Sign in to Office 365 using your work or school account.

In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.

The Audit log search page is displayed.

Note: You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.

Configure the following search criteria:

a. Activities: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities will display results for all activities performed by the selected user or group of users.

Over 100 user and admin activities are logged in the Office 365 audit log. Click the Audited activities tab at the top of this article to see the descriptions of every activity in each of the different Office 365 services.

b. Start date and End date: The last seven days are selected by default.
Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days.
An error is displayed if the selected date range is greater than 90 days.

Tip: If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.

c. Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.

d. File, folder, or site: Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify a URL of a file or folder.

Tip: Click a column header under Results to sort the results. You can sort the results from A to Z or Z to A. Click the Date header to sort the results from oldest to newest or newest to oldest.

View the details for a specific event

You can view more details about an event by clicking the event record in the list of search results.
A Details page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the Office 365 service in which the event occurs. To display these details, click More information. For descriptions, see.

Step 3: Filter the search results

In addition to sorting, you can also filter the results of an audit log search. This is a great feature that can help you quickly filter the results for a specific user or activity. You can initially create a wide search and then quickly filter the results to see specific events. Then you can narrow the search criteria and re-run the search to return a smaller, more concise set of results.

To filter the results:

Run an audit log search.

When the results are displayed, click Filter results.

Keyword boxes are displayed under each column header.

Click one of the boxes under a column header and type a word or phrase, depending on the column you're filtering on. The results will dynamically readjust to display the events that match your filter.

To clear a filter, click the X in the filter box or just click Hide filtering.

Tip: To display events from the Exchange admin audit log, type a - (dash) in the Activity filter box. This will display cmdlet names, which are displayed in the Activity column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order.

Step 4: Export the search results to a file

You can export the results of an audit log search to a comma separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multi-value cells) into multiple columns.

Run an audit log search, and then revise the search criteria until you have the desired results.

Click Export results and select one of the following options:

Save loaded results – Choose this option to export only the entries that are displayed under Results on the Audit log search page. The CSV file that is downloaded contains the same columns (and data) displayed on the page (Date, User, Activity, Item, and Details). An additional column (named More) is included in the CSV file that contains more information from the audit log entry.
Because you're exporting the same results that are loaded (and viewable) on the Audit log search page, a maximum of 5,000 entries are exported.

Download all results – Choose this option to export all entries from the Office 365 audit log that meet the search criteria. For a large set of search results, choose this option to download all entries from the audit log in addition to the 5,000 results that can be displayed on the Audit log search page. This option will download the raw data from the audit log to a CSV file, and contains additional information from the audit log entry in a column named AuditData. It may take longer to download the file if you choose this export option because the file may be much larger than the one that's downloaded if you choose the other option.

Important: You can download a maximum of 50,000 entries to a CSV file from a single audit log search. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria. To export more than this limit, try using a date range to reduce the number of audit log entries. You might have to run multiple searches with smaller date ranges to export more than 50,000 entries.

After you select an export option, a message is displayed at the bottom of the window that prompts you to open the CSV file, save it to the Downloads folder, or save it to a specific folder.

More information about exporting audit log search results

The Download all results option downloads the raw data from the Office 365 audit log to a CSV file. This file contains different column names (CreationDate, UserIds, Operation, AuditData) than the file that's downloaded if you select the Save loaded results option. The values in the two different CSV files for the same activity may also be different. For example, the activity in the Action column in the CSV file may have a different value than the 'user-friendly' version that's displayed in the Activity column on the Audit log search page; for example, MailboxLogin vs. User signed in to mailbox.

If you download all results, the CSV file contains a column named AuditData, which contains additional information about each event. As previously stated, this column contains a multi-value property for multiple properties from the audit log record. Each of the property:value pairs in this multi-value property are separated by a comma. You can use the Power Query in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. To learn how to do this, see the 'Split a column by delimiter' section in.

After you split the AuditData column, you can filter on the Operations column to display the detailed properties for a specific type of activity.

There's a 3,060-character limit for the data that's displayed in the AuditData field for an audit record. If the 3,060-character limit is exceeded, the data in this field is truncated.

When you download all results from a search query that contains events from different Office 365 services, the AuditData column in the CSV file contains different properties depending on which service the action was performed in.
For example, entries from Exchange and Azure AD audit logs include a property named ResultStatus that indicates if the action was successful or not. This property isn't included for events in SharePoint. Similarly, SharePoint events have a property that identifies the site URL for file and folder related activities. To mitigate this behavior, consider using different searches to export the results for activities from a single service.

For a description of the properties that are listed in the AuditData column in the CSV file when you download all results, and the service each one applies to, see.

Audited activities

The tables in this section describe the activities that are audited in Office 365. You can search for these events by searching the audit log in the security and compliance center.

These tables group related activities or the activities from a specific Office 365 service. The tables include the friendly name that's displayed in the Activities drop-down list and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.
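The "Download all results" file described above can also be processed with a script instead of Power Query. The following is an added example, not part of the original article: it splits the AuditData column, flags rows cut off at the 3,060-character limit, and shows which properties each service emits. It assumes AuditData holds a JSON object and that Workload and SiteUrl are property names; the sample rows are constructed.

```python
import csv
import io
import json
from collections import defaultdict

AUDITDATA_LIMIT = 3060  # character limit for the AuditData field, per the article


def build_sample_export():
    """Return a constructed 'Download all results' CSV as text (not real data)."""
    rows = [
        ("2019-06-18T09:12:44", "alice@contoso.example", "FileDownloaded",
         {"Workload": "SharePoint", "Operation": "FileDownloaded",
          "SiteUrl": "https://contoso.example/sites/finance/"}),
        ("2019-06-18T09:15:02", "bob@contoso.example", "MailboxLogin",
         {"Workload": "Exchange", "Operation": "MailboxLogin",
          "ResultStatus": "Succeeded"}),
        ("2019-06-18T09:20:31", "carol@contoso.example", "Set-Mailbox",
         {"Workload": "Exchange", "Operation": "Set-Mailbox",
          "ResultStatus": "Succeeded", "Parameters": "x" * 4000}),
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operation", "AuditData"])
    for created, user, operation, props in rows:
        # Emulate the export cutting AuditData off at the character limit.
        writer.writerow([created, user, operation,
                         json.dumps(props)[:AUDITDATA_LIMIT]])
    return out.getvalue()


def parse_export(text):
    """Split AuditData into per-record properties and flag unusable rows."""
    parsed, unparsed = [], []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["AuditData"]
        try:
            props = json.loads(raw)  # assumption: AuditData is a JSON object
        except json.JSONDecodeError:
            # A value cut at the limit is no longer valid JSON. Keep the intact
            # columns so the event can be looked up again in a narrower search.
            reason = "truncated" if len(raw) >= AUDITDATA_LIMIT else "malformed"
            unparsed.append((row["CreationDate"], row["UserIds"],
                             row["Operation"], reason))
            continue
        parsed.append({"CreationDate": row["CreationDate"],
                       "UserIds": row["UserIds"],
                       "Operation": row["Operation"], **props})
    return parsed, unparsed


def properties_by_workload(records):
    """Map each service (Workload) to the set of property names it emitted."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec.get("Workload", "unknown")].update(rec)
    return dict(seen)


if __name__ == "__main__":
    records, skipped = parse_export(build_sample_export())
    for workload, names in sorted(properties_by_workload(records).items()):
        print(workload, sorted(names))
    for item in skipped:
        print("needs follow-up:", item)
```

Rows reported as truncated still carry CreationDate, UserIds and Operation, which is enough to find the full record on the Audit log search page.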
For descriptions of the detailed information, see.

File and page activities

The following table describes the file and page activities in SharePoint Online and OneDrive for Business.

Friendly name | Operation | Description
Accessed file | FileAccessed | User or system account accesses a file.
(none) | FileAccessedExtended | This is related to the 'Accessed file' (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period of time (up to 3 hours). The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileAccessed event.
Changed compliance policy label | ComplianceSettingChanged | A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
Changed record status to locked | LockRecord | The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked | UnlockRecord | The record status of a retention label that classifies a document as a record was unlocked. This means the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Checked in file | FileCheckedIn | User checks in a document that they checked out from a document library.
Checked out file | FileCheckedOut | User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file | FileCopied | User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file | FileDeleted | User deletes a document from a site.
Deleted file from recycle bin | FileDeletedFirstStageRecycleBin | User deletes a file from the recycle bin of a site.
Deleted file from second-stage recycle bin | FileDeletedSecondStageRecycleBin | User deletes a file from the second-stage recycle bin of a site.
Deleted record compliance policy label | ComplianceRecordDelete | A document that was classified as a record was deleted. A document is considered a record when a retention label that classifies content as a record is applied to the document.
Detected document sensitivity mismatch | DocumentSensitivityMismatchDetected | User uploads a document classified with a sensitivity label that has a higher priority than the sensitivity label that's applied to the site the document is uploaded to. Note this event isn't triggered if the sensitivity label applied to a site has a higher priority than the sensitivity label applied to a document that's uploaded to the site. For more information about sensitivity label priority, see the 'Label priority' section in.
Detected malware in file | FileMalwareDetected | SharePoint anti-virus engine detects malware in a file.
Discarded file checkout | FileCheckOutDiscarded | User discards (or undoes) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file | FileDownloaded | User downloads a document from a site.
Modified file | FileModified | User or system account modifies the content or the properties of a document located on a site.
(none) | FileModifiedExtended | This is related to the 'Modified file' (FileModified) activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period of time (up to 3 hours). The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified. This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileModified event.
Moved file | FileMoved | User moves a document from its current location on a site to a new location.
Recycled all minor versions of file | FileVersionsAllMinorsRecycled | User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled all versions of file | FileVersionsAllRecycled | User deletes all versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled version of file | FileVersionRecycled | User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin.
Renamed file | FileRenamed | User renames a document on a site.
Restored file | FileRestored | User restores a document from the recycle bin of a site.
Uploaded file | FileUploaded | User uploads a document to a folder on a site.
Viewed page | PageViewed | User views a page on a site. This doesn't include using a Web browser to view files located in a document library.
(none) | PageViewedExtended | This is related to the 'Viewed page' (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period of time (up to 3 hours). The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.
View signaled by client | ClientViewSignaled | A user’s client (such as website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user’s identity is validated by the token used to create the signal, the user’s identity listed in the corresponding audit record is accurate.
(none) | PagePrefetched | A user’s client (such as website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate the page content has been served to the user’s client; this event isn't a definitive indication that the user actually navigated to the page. When the page content is rendered by the client (as per the user’s request) a ClientViewSignaled event should be generated. Note that not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.

Folder activities

The following table describes the folder activities in SharePoint Online and OneDrive for Business.

Friendly name | Operation | Description
Copied folder | FolderCopied | User copies a folder from a site to another location in SharePoint or OneDrive for Business.
Created folder | FolderCreated | User creates a folder on a site.
Deleted folder | FolderDeleted | User deletes a folder from a site.
Deleted folder from recycle bin | FolderDeletedFirstStageRecycleBin | User deletes a folder from the recycle bin on a site.
Deleted folder from second-stage recycle bin | FolderDeletedSecondStageRecycleBin | User deletes a folder from the second-stage recycle bin on a site.
Modified folder | FolderModified | User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.
Moved folder | FolderMoved | User moves a folder to a different location on a site.
Renamed folder | FolderRenamed | User renames a folder on a site.
Restored folder | FolderRestored | User restores a deleted folder from the recycle bin on a site.

SharePoint list activities

The following table describes activities related to when users interact with lists and list items in SharePoint Online.
Friendly name | Operation | Description
Created list | ListCreated | A user created a new SharePoint list.
Created list column | ListColumnCreated | A user created a new SharePoint list column. A list column is a column that's attached to one or more SharePoint lists.
Created list content type | ListContentTypeCreated | A user created a new list content type. A list content type is a content type that's attached to one or more SharePoint lists.
Created list item | ListItemCreated | A user created a new item in an existing SharePoint list.
Created site column | SiteColumnCreated | A user created a new SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web.
Created site content type | Site ContentType Created | A user created a new site content type.

Note: Users can be either members or guests based on the UserType property of the user object. A member is usually an employee, and a guest is usually a collaborator outside of your organization. When a user accepts a sharing invitation (and isn't already part of your organization), a guest account is created for them in your organization's directory. Once the guest user has an account in your directory, resources may be shared directly with them (without requiring an invitation).

Friendly name | Operation | Description
Added permission level to site collection | PermissionLevelAdded | A permission level was added to a site collection.
Accepted access request | AccessRequestAccepted | An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation | SharingInvitationAccepted | User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Blocked sharing invitation | SharingInvitationBlocked | A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because: the target user's domain isn't included in the list of allowed domains, or the target user's domain is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see.
Created access request | AccessRequestCreated | User requests access to a site, folder, or document they don't have permissions to access.
Created a company shareable link | CompanyLinkCreated | User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can't be used by guests.
Created an anonymous link | AnonymousLinkCreated | User created an anonymous link to a resource.
Note: It takes up to 30 minutes for events that result from the activities listed under eDiscovery activities in the Activities drop-down list to be displayed in the search results. Conversely, it takes up to 24 hours for the corresponding events from eDiscovery cmdlet activities to appear in the search results.

Advanced eDiscovery activities

The following table lists activities that result from IT and legal professionals performing tasks in Advanced eDiscovery in Microsoft 365. For more information, see.

Note: As previously explained, the private preview program for the one-year retention period for audit records for E5 organizations (or E3 organizations that have Advanced Compliance add-on licenses) is closed to new enrollment. This article will be updated when the one-year retention period is available in public preview or released for general availability.

Also note that the duration of the retention period for audit records is based on per-user licensing. For example, if a user in your organization is assigned an Office 365 E3 or E5 license, then the audit records for activities performed by that user are retained for 90 days.

Can I access the auditing data programmatically?

Yes. The Office 365 Management Activity API is used to fetch the audit logs programmatically. To get started, see.

Are there other ways to get auditing logs other than using the security and compliance center or the Office 365 Management Activity API?

No. These are the only two ways to get data from the Office 365 auditing service.

Do I need to individually enable auditing in each service that I want to capture audit logs for?

In most Office 365 services, auditing is enabled by default after you initially turn on auditing for your Office 365 organization (as described in the section in this article). However, you have to enable mailbox auditing in Exchange Online for each mailbox that you want to audit. We are working on enabling mailbox auditing by default for all mailboxes in an Office 365 organization. For more information, see 'Exchange mailbox auditing will be enabled by default' in the.

Does the Office 365 auditing service support de-duplication of records?

No. The auditing service pipeline is near real time, and therefore can't support de-duplication.

Does Office 365 auditing data flow across geographies?

No. We currently have auditing pipeline deployments in the NA (North America), EMEA (Europe, Middle East and Africa) and APAC (Asia Pacific) regions. However, we may flow the data across these regions for load-balancing and only during live-site issues. When we do perform these activities, the data in transit is encrypted.

Is auditing data encrypted?

Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the auditing pipeline is deployed. This data is not encrypted.
However, data in transit is always encrypted.
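
Returning to the 50,000-entry export limit in Step 4: the advice to run multiple searches with smaller date ranges can be planned mechanically. The following is an added example, not part of the original article. It halves any date range whose export comes back at the limit until every range fits. The run_search callable is a hypothetical stand-in for running one search and counting the exported entries, and the event times are constructed.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

EXPORT_CAP = 50_000             # per-search export limit stated in the article
MAX_RANGE = timedelta(days=90)  # maximum searchable date range stated in the article


def build_sample_timestamps():
    """Constructed event times: steady activity plus a two-hour burst."""
    base = datetime(2019, 6, 1)
    steady = [base + timedelta(minutes=k) for k in range(30 * 24 * 60)]
    burst_start = base + timedelta(days=10)
    burst = [burst_start + timedelta(seconds=i * 7200 / 70_000)
             for i in range(70_000)]
    return sorted(steady + burst)


def make_simulated_search(timestamps, cap=EXPORT_CAP):
    """Hypothetical stand-in for one audit log search plus export.

    Returns how many entries the export would contain for [start, end),
    which is never more than the cap, however many events really matched.
    """
    def run_search(start, end):
        matched = bisect_left(timestamps, end) - bisect_left(timestamps, start)
        return min(matched, cap)
    return run_search


def plan_windows(start, end, run_search, cap=EXPORT_CAP,
                 min_window=timedelta(minutes=1)):
    """Halve any date range whose export hits the cap until each one fits.

    Returns (complete, saturated). Each item is (start, end, entries).
    A saturated window is still at the cap at the smallest width and needs
    a narrower user or activity filter instead of a narrower date range.
    """
    if end <= start:
        raise ValueError("end must be later than start")
    if end - start > MAX_RANGE:
        raise ValueError("date range is greater than 90 days")
    complete, saturated = [], []
    pending = [(start, end)]
    while pending:
        lo, hi = pending.pop()
        returned = run_search(lo, hi)
        if returned < cap:
            # Below the cap, so the export for this window is complete.
            complete.append((lo, hi, returned))
        elif hi - lo <= min_window:
            saturated.append((lo, hi, returned))
        else:
            # At the cap: assume more events matched and split the range.
            mid = lo + (hi - lo) / 2
            pending += [(mid, hi), (lo, mid)]
    return sorted(complete), saturated


if __name__ == "__main__":
    search = make_simulated_search(build_sample_timestamps())
    windows, stuck = plan_windows(datetime(2019, 6, 1), datetime(2019, 7, 1), search)
    for lo, hi, n in windows:
        print(lo.isoformat(), hi.isoformat(), n)
    print("saturated windows:", len(stuck))
```

The simulated search treats each range as half-open, so no event is counted twice; how the real search treats an event that falls exactly on a boundary is not stated in the article, so check adjacent exports for duplicates before merging them.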