Core audit capabilities of Microsoft 365


In this tutorial, we will learn about the core audit capabilities of Microsoft 365.

The audit functionality in the Microsoft 365 compliance center allows organizations to view user and administrator activity through a unified audit log. For example, did an administrator reset a password? Did a user change a setting for a team in Microsoft Teams? The unified audit log supports searching for many user and admin activities across Microsoft 365 services, Dynamics 365, Microsoft Power Apps, Microsoft Power Automate, Power BI, Azure Active Directory, and more.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. However, the length of time that an audit record is retained depends on the Office 365 or Microsoft 365 Enterprise subscription, and specifically on the type of license that is assigned to specific users.

Searching the audit log requires the search capability to be turned on, and the user doing the search must be assigned the appropriate role. The search criteria can be configured based on:
  • Activities
  • Start date and end date
  • Users
  • File, folder, or site
The results of the audit log search, which can be filtered and exported to a CSV file, contain the following information about each event returned by the search:
  • Date: The date and time (in UTC format) when the event occurred.
  • IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 format.
  • User: The user (or service account) who completed the action that triggered the event.
  • Activity: The activity completed by the user. This is based on the activities configured.
  • Item: The object that was created or modified because of the corresponding activity.
  • Detail: Additional information about an activity. Again, not all activities have a value.
[Figure: A list of results from an audit search. Image source: Microsoft]

However, it can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.
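
As an added example (not part of the original tutorial or of Microsoft's documentation), the Python below applies the four search criteria to an exported result set and flags a search window that ends inside the 24-hour delay described above. The CSV rows are constructed, and the column names are assumed to mirror the result fields listed above; a real export may name them differently.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names mirror the result fields listed above (assumption).
SAMPLE_CSV = """Date,IP address,User,Activity,Item,Detail
2024-03-04T09:15:02Z,203.0.113.7,admin@contoso.example,Reset user password,user1@contoso.example,
2024-03-04T10:41:55Z,2001:db8::1f,user1@contoso.example,Changed team setting,Finance Team,
2024-03-05T22:03:10Z,198.51.100.23,user2@contoso.example,Accessed file,https://contoso.example/sites/hr/pay.xlsx,
2024-03-06T01:12:44Z,203.0.113.7,admin@contoso.example,Reset user password,user2@contoso.example,
"""

def load_records(text):
    """Parse the CSV into dicts with a timezone-aware UTC time and a parsed IP."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["ip"] = ipaddress.ip_address(row["IP address"])  # accepts IPv4 and IPv6
        records.append(row)
    return records

def search(records, start, end, activities=None, users=None, item=None):
    """Apply the four search criteria: activities, date range, users, file/folder/site."""
    wanted_users = {u.lower() for u in users or ()}
    hits = []
    for r in records:
        if not (start <= r["when"] <= end):
            continue
        if activities and r["Activity"] not in activities:
            continue
        if users and r["User"].lower() not in wanted_users:
            continue
        if item and item.lower() not in r["Item"].lower():
            continue
        hits.append(r)
    return hits

def window_may_be_incomplete(end, now, max_delay=timedelta(hours=24)):
    """True if the search window ends less than 24 hours before 'now'."""
    return now - end < max_delay

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for r in search(recs, utc(2024, 3, 4), utc(2024, 3, 7), activities={"Reset user password"}):
        print(r["Date"], r["User"], "->", r["Item"], f"(IPv{r['ip'].version})")
```

When `window_may_be_incomplete` returns True, rerun the same search after the delay has passed before concluding that an activity did not occur.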


Reference: Microsoft Documentation
