kwizcom banner advertisement

SharePoint Online: Enable Auditing using PowerShell

Auditing in SharePoint Online helps to track user actions in a site collection. We generally use auditing to track how sites, content types, lists, libraries, and list items are used and as part of information management policy - security regularity and legal compliance. Knowing who has done what with which information is critical at many business scenarios. When the auditing feature is enabled, any combination of the following events can be audited:
  • Editing items
  • Checking out or checking in items
  • Moving or copying items to another location in the site
  • Deleting or restoring items
  • Editing Content types and columns
  • Searching site content
  • editing users and permissions
Compared with SharePoint On-premises, in SharePoint Online - viewing items in lists, and viewing item properties, opening or downloading documents are not available because of storage and performance concerns.

How to Enable Auditing in SharePoint Online? 
Auditing is not enabled by default. Auditing settings are configured at the site collection level in SharePoint Online. To enable auditing in SharePoint Online,
  • Go to your SharePoint Online Top level site collection
  • Click on Settings gear and then Site Settings
  • In Site Settings page, Click on "Site collection audit settings" under Site Collection Administration.
  • Specify audit events for "Documents and list items" and "List, libraries, and sites" by enabling check box to audit events such as "Editing items", "Deleting or restoring items", etc. 
    sharepoint online audit settings powershell
  • Click "OK" to save your changes. This enables auditing for the SharePoint Online site collection.

SharePoint Online Auditing Reports
Once auditing is enabled, You can get auditing reports through "Audit log reports"link in Site collection settings page.

SharePoint Online: Enable Auditing using PowerShell
Here is the PowerShell to enable auditing in SharePoint Online
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Site collection URL
$SiteURL = "https://crescent.sharepoint.com/"

#Get Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

Try {
    #Setup the context
    $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Context.Credentials = $credentials

    #Get the Site Collection and Audit Objects
    $Site = $Context.Site
    $Context.Load($Site)
    $Audit = $Site.Audit
    $Context.Load($Audit)
    $Context.ExecuteQuery()

    #Define Audit Flag
    $AuditFlag = [Microsoft.SharePoint.Client.AuditMaskType]::None

    #Set Audit Settings for the Site collection
    $Audit.AuditFlags = $AuditFlag
    $Audit.Update()

    #Set Autdit Log Trimming Options
    $Site.TrimAuditLog = $True
    $Site.AuditLogTrimmingRetention = 90
    $Audit.Update()

    #Set Audit Log location
    $Site.RootWeb.AllProperties["_auditlogreportstoragelocation"] = $SiteURL+"AuditDocuments"
    $Site.RootWeb.Update()

    $Context.ExecuteQuery()

   Write-host "Audit Settings Configured for the Site Collection!" -ForegroundColor Green
}
catch {
    write-host "Error Enabling Audit for Site Collection $($_.Exception.Message)" -Foregroundcolor Red
}

Here is the list of all available audit masks as per https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.client.auditmasktype.aspx
  1. All
  2. None
  3. CheckOut
  4. CheckIn
  5. View
  6. ObjectDelete
  7. Update
  8. ProfileChange
  9. ChildDelete
  10. SchemaChange
  11. SecurityChange
  12. Undelete
  13. Workflow
  14. Copy
  15. Move
  16. Search

SharePoint Online: Set Audit Settings using PowerShell for All Site Collections:
Auditing is configured at site collection level. When you have a large number of site collections, enabling auditing through web UI by going to each site collection would be a tedious job. So, lets use PowerShell to enable auditing in SharePoint Online for all site collections. 
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Set-SPOSiteAudit($SiteURL, $AuditFlags)
{
    #Setup Credentials to connect
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminCred.Username, $AdminCred.Password)

    Try {
        #Setup the context
        $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Context.Credentials = $credentials

        #Get the Site Collection and Audit Objects
        $Site = $Context.Site
        $Context.Load($Site)
        $Audit = $Site.Audit
        $Context.Load($Audit)
        $Context.ExecuteQuery()

        #Set Audit Settings for the Site collection
        $Audit.AuditFlags = $AuditFlags
        $Audit.Update()
        $Context.ExecuteQuery()

        Write-host -ForegroundColor Green "Audit Settings Configured for the Site Collection:" $SiteURL  
    }
    catch {
        write-host -Foregroundcolor Red "Error Enabling Audit for Site Collection $($_.Exception.Message)"
    }
}

#Set parameter values
$AdminSiteURL = "https://crescent-Admin.sharepoint.com/"
$AuditFlags="ChildDelete, ObjectDelete, Undelete, Update, Move, SecurityChange"

#Get Credentials to Connect
$AdminCred = Get-Credential

#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL -Credential $AdminCred

#Get all Site Collections
$SitesCollection = Get-SPOSite -Limit ALL

#Iterate through each site collection
ForEach($Site in $SitesCollection)
{
    Write-host -f Yellow "Applying Audit Settings for Site Collection:"$Site.URL

    #Call the function to set auditing for site collection
    Set-SPOSiteAudit -SiteURL $Site.URL -AuditFlags $AuditFlags
}
SharePoint Online: Enable Auditing using PowerShell SharePoint Online: Enable Auditing using PowerShell Reviewed by Salaudeen Rajack on July 25, 2017 Rating: 5

No comments:

Please Login and comment to get your questions answered!

Powered by Blogger.