Office365 Security Audit: Assess & Improve Your Security

Could a single overlooked log be hiding the clue that changes your risk posture?

We frame a practical program that gives leaders clear visibility across Microsoft 365 services. Audit logs consolidate actions from Exchange, Teams, SharePoint, OneDrive, and Azure AD so we see who did what, when, and where.

Auditing is usually on by default, but we verify settings in the Microsoft Purview Compliance portal and start recording if needed. Event ingestion can take 30 minutes to 24 hours, so we plan monitoring cadence to avoid false gaps.

Exports arrive as CSV with JSON-rich AuditData, ideal for parsing into SIEM or SOAR pipelines. We use PowerShell and the Management Activity API to retrieve records and map them to business goals.

Our aim is measurable risk reduction: retention that matches compliance needs, coverage across workloads, and documented ownership of who reviews and escalates incidents.

• Audit logs give durable records to turn information into investigations and controls.
• Verify recording in Purview and expect ingestion delays when planning reports.
• Use structured CSV/JSON exports for reliable parsing and correlation pipelines.
• Align log retention and coverage to tenant compliance and business objectives.
• Document ownership, review cadence, and escalation paths for actionable results.

A unified activity log is the single source of truth for tracking user and admin behavior across cloud services. You can search by time, activities, and users in the Purview portal or pull records with PowerShell. CSV outputs are useful but often verbose and need parsing.

We connect log outcomes to executive priorities: reduce breach likelihood, harden controls across microsoft 365 and office 365, and sustain compliance in your tenant and environment.

The unified record supports investigations and governance. Clear trails of events and actions speed incident response, eDiscovery, and litigation evidence collection.

Typical use cases: meeting regulatory requirements, investigating compromised accounts, proving evidence for litigation, and tracking adoption to measure ROI.

• We validate and tune policies, then deliver concise reports to stakeholders.
• Audit-driven evidence lets us act with confidence and defend decisions.

Before you collect and analyze event records, confirm who can access them and how collection is enabled.

Required roles. Global Administrators have the Audit Logs role by default in Exchange Online. That role is required to enable and manage unified logging. We also assign Audit Logs or View-Only Audit Logs roles when full admin rights are unnecessary.

To confirm ingestion is active, connect to Exchange and run the check. Use Connect-ExchangeOnline, then:

• Run: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled — True means enabled.
• If scripts are blocked, use Set-ExecutionPolicy RemoteSigned first.
• End sessions with Disconnect-ExchangeOnline to keep accounts secure.

We document permissions and schedule re-checks after major changes. This ensures the tenant and environment keep continuous visibility for critical days and events.

Before relying on logs for investigations, we make sure recording is active and traceable across workloads.

We enable unified recording in the Microsoft Purview (compliance) portal by selecting Audit and clicking Start recording user and admin activity if shown. After enabling, we document the change and capture the record identifier for traceability.

SharePoint Online requires per-site collection configuration. It lacks a raw programmatic endpoint, so we generate Excel reports for each site and record the site scope and owners.

Ingestion can take from 30 minutes up to 24 days—sorry, up to 24 hours—depending on the workload. We set monitoring windows and SLAs to match this time lag and validate capture with targeted actions (file edits, group membership updates, etc.).

• Inventory services and rate criticality for each workload.
• Ensure automatic resource creation (Teams creation linking groups and sites) is covered.
• Schedule periodic health checks and document period and days parameters for reports.

Effective log retrieval balances quick portal searches with automated API collection.

Searching in the Microsoft Purview Compliance portal

In Purview we search by time, activities, and user. Filters let us pivot quickly and narrow results for investigations.

Exports are CSV with a 50,000-row download limit. We segment queries by time or workload to avoid partial exports.

Search-UnifiedAuditLog supports flexible filters and pagination. We connect with Connect-ExchangeOnline, run queries like Search-UnifiedAuditLog -StartDate -EndDate, then close sessions to protect accounts.

We subscribe to content types (Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All). An OAuth token and scoped app permissions are required.

The API delivers blobs (24-hour fetch windows max) and guarantees about seven days of retrievable content. Blobs reflect collection time, so we schedule frequent pulls to avoid gaps.

Export and normalize: parse JSON-in-CSV (AuditData) and map fields like Operation, UserIds, IP, and Target into our schema. We rotate service credentials, enforce least-privilege, and save searches tied to runbooks for incident response and scheduled reports.

Retention choices ensure events remain available for investigations, legal holds, and compliance reviews. We document the tenant’s current default retention period and align it to regulatory and business obligations.

Defaults vary by license. Historically many tenants saw ~90 days for E1/E3, while E5 offered extended retention. Today common windows include 180 or 365 days depending on entitlement and tenant configuration.

We build retention policy entries in Purview with clear name, description, duration, and priority. Note the portal limits: you can create up to 50 policies, so we group targets to avoid management sprawl.

For long-term evidence we evaluate E5 and the 10-year add-on. When cost or licensing isn’t feasible, we design secure off-platform storage and export workflows.

• We operationalize the 50,000-row export limit by segmenting and automating parallel pulls.
• We test that retention policies override default settings and keep logs searchable for the intended period.
• We maintain a retention calendar and renewal alerts to prevent accidental downgrades and data loss.

We track a concise set of events that give early warning of privilege escalation and data exposure.

Focus areas include role and group changes, application consent, automated resource creation, sharing activity, mailbox rules, and access failures. We monitor these to catch risky changes and abnormal actions in the tenant.

• Changes to privileged roles (RoleManagement, Core Directory) — alert and correlate to approval workflows.
• Group and 365 groups membership or ownership changes — track sprawl and external collaborators.
• Application configuration and consent changes — flag risky scopes and new enterprise apps.
• Automated creation of Teams-linked resources — verify downstream controls for sites and mailboxes.
• File sharing and anonymous links — prioritize sensitive libraries and revoke when needed.
• Guest lifecycle in Teams and membership changes — close exposure gaps for channels and files.
• Teams created/deleted and ownership updates — prevent orphaned workspaces and overexposure.
• Inbound email forwarding and suspicious rules (DeliverToMailboxAndForward=True) — detect covert exfiltration.
• Non-owner mailbox access (Send As, On Behalf, delegate changes) — enforce least-privilege.
• Failed sign-ins, risky sign-ins, and MFA/Conditional Access outcomes — correlate to detect brute force, impossible travel, or session takeover.

Operational note: we tune alerts to reduce noise and correlate multiple event types before escalation. Continuous review of these events gives clear coverage of high-risk actions and user behavior in the environment.

We concentrate monitoring on collaboration layers where most data movement happens: sites, libraries, and mailboxes. This gives us quick context for investigations and helps prioritize controls.

File and folder activities are the highest priority. SharePoint Online reports capture edits, check-ins/check-outs, moved or copied items, deletions and restores, content type and column changes, and search queries per site collection.

Because classic SPO reports omit opened/downloaded events, we rely on the unified audit to include page and file view events. SPO lacks a raw programmatic endpoint, so exports remain per site and must be inventoried.

Exchange logging highlights non-owner mailbox access, Send As and On Behalf actions, delegate permission changes, public folder operations, and admin activities. We map these events to users and groups to show who had access when controls changed.

• Capture sharing records (internal and anonymous links) and reconcile with site sensitivity.
• Catalog high-value sites and enforce inheritable retention and sharing baselines.
• Standardize storage of records for investigations to preserve chain-of-custody and reproducible queries.

Our workflows transform CSV and JSON records into concise reports and actionable alerts. We design pipelines that make event data useful for management and leadership. The goal is readable reports, timely alerts, and repeatable automation.

CSV exports include JSON-rich AuditData fields that must be parsed. We extract and normalize operation, actor, target, workload, IP, and time into a consistent schema.

Normalization reduces noise and ensures the same event mapped the same way across tools. This makes long-term reports and usage trends reliable.

The Management Activity API provides content blobs with a seven-day retrieval window. We schedule pulls every 15–60 minutes to avoid missing events and to respect the API window.

Purview downloads limit 50,000 entries, so we segment by workload, time, and user groups. For PowerShell, we use Search-UnifiedAuditLog paging (SessionId and ReturnNextPreviewPage) to handle large pulls.

We build alert rules for role elevation, mass file downloads, suspicious forwarding rules, and policy changes. Alerts include contextual enrichment (who, when, where) and a clear threshold for escalation.

Operational playbooks tie alerts to triage, enrichment, ticketing, and containment with time-bound SLAs. We feed normalized events into SIEM/SOAR for correlation with endpoint and network telemetry.

We align monthly reports to leadership needs: trend lines for events, management exceptions, incident MTTR, and usage patterns across microsoft 365 and office 365. Regular review keeps the program predictable and trusted.

When native logs reach their limits, we evaluate add-on platforms to fill visibility and analytics gaps. Advanced tools (for example, AdminDroid and CoreView) extend telemetry for deeper sign-in analytics, external user monitoring, and enhanced Teams governance.

Why augment? Native collection is reliable for baseline coverage, but third-party solutions deliver centralized dashboards, scheduled reporting, and richer context for rapid decisions.

• Deeper sign-in analysis: MFA method distribution, risky sign-ins (improbable travel, password spray), and geo anomalies.
• Teams usage and governance: file transfers, add-on activity, membership lifecycle in fast-growing collaboration spaces.
• Continuous compliance: near real-time DLP matches, policy drift alerts, and ATP/Defender policy change tracking.
• Mail flow visibility: transport rules, connectors, and anti-phish settings to spot covert exfiltration.

Operational guidance: evaluate API efficiency, retention options, and automation before purchase. Quantify benefits—lower mean time to detect/respond, fewer false positives, and clearer usage metrics—then ensure vendor alignment with internal policies, data residency, and IT management workflows.

Good telemetry is only valuable when it leads to timely action. The unified audit log delivers broad visibility across microsoft 365 and office 365 services, but you must verify enablement via Purview or PowerShell and plan for the 30-minute to 24-hour ingestion window.

Retention and export limits need explicit handling (50,000-row caps, common windows of 90/180/365 days, and an optional 10-year add-on). Use Purview, PowerShell, or the Management Activity API (programmatic blobs have a seven-day window) for reliable searches and collection.

Prioritize monitoring for role and group changes, app consent, Teams/SharePoint creation, file sharing and anonymous links, guest access, forwarding rules, non-owner mailbox access, and failed sign-ins.

Start now: confirm settings, enable parsing and exports, deploy priority alerts, and review quarterly to harden the tenant and improve compliance posture.