SharePoint Online: Enable Auditing using PowerShell
Requirement: Enable Auditing in SharePoint Online using PowerShell.
Auditing in SharePoint Online helps to track user actions in a site collection. We generally use auditing to track how sites, content types, lists, libraries, and list items are used and as part of information management policy – security regularity and legal compliance. Knowing who has done what with which information is critical in many business scenarios. When the auditing feature is enabled, any combination of the following events can be audited:
- Editing items
- Checking out or checking in items
- Moving or copying items to another location on the site
- Deleting or restoring items
- Editing Content types and columns
- Searching site content
- editing users and permissions
Compared with SharePoint On-premises, in SharePoint Online – viewing items in lists, and viewing item properties, opening or downloading documents are not available because of storage and performance concerns.
How to Enable Auditing in SharePoint Online?
Auditing is not enabled by default. Auditing settings are configured at the site collection level in SharePoint Online. To enable auditing in SharePoint Online,
- Go to your SharePoint Online Top-level site collection.
- Click on the settings gear and then Site Settings.
- In Site Settings page, Click on “Site collection audit settings” under Site Collection Administration.
- Specify audit events for “Documents and list items” and “List, libraries, and sites” by enabling check box to audit events such as “Editing items”, “Deleting or restoring items”, etc.
- Click “OK” to save your changes. This enables auditing for the SharePoint Online site collection.
SharePoint Online Auditing Reports
Once auditing is enabled, You can get auditing reports through the “Audit log reports”link in the Site collection settings page.
SharePoint Online: Enable Auditing using PowerShell
Here is the PowerShell to enable auditing in SharePoint Online:
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Site collection URL
$SiteURL = "https://crescent.sharepoint.com/"
#Get Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
Try {
#Setup the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Context.Credentials = $credentials
#Get the Site Collection and Audit Objects
$Site = $Context.Site
$Context.Load($Site)
$Audit = $Site.Audit
$Context.Load($Audit)
$Context.ExecuteQuery()
#Define Audit Flag
$AuditFlag = [Microsoft.SharePoint.Client.AuditMaskType]::None
#Set Audit Settings for the Site collection
$Audit.AuditFlags = $AuditFlag
$Audit.Update()
#Set Autdit Log Trimming Options
$Site.TrimAuditLog = $True
$Site.AuditLogTrimmingRetention = 90
$Audit.Update()
#Set Audit Log location
$Site.RootWeb.AllProperties["_auditlogreportstoragelocation"] = $SiteURL+"AuditDocuments"
$Site.RootWeb.Update()
$Context.ExecuteQuery()
Write-host "Audit Settings Configured for the Site Collection!" -ForegroundColor Green
}
catch {
write-host "Error Enabling Audit for Site Collection $($_.Exception.Message)" -Foregroundcolor Red
}
Here is the list of all available audit masks as per https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.client.auditmasktype.aspx
- All
- None
- CheckOut
- CheckIn
- View
- ObjectDelete
- Update
- ProfileChange
- ChildDelete
- SchemaChange
- SecurityChange
- Undelete
- Workflow
- Copy
- Move
- Search
SharePoint Online: Set Audit Settings using PowerShell for All Site Collections
Auditing is configured at the site collection level. When you have a large number of site collections, enabling auditing through web UI by going to each site collection would be a tedious job. So, let’s use PowerShell to enable auditing in SharePoint Online for all site collections.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
Function Set-SPOSiteAudit($SiteURL, $AuditFlags)
{
#Setup Credentials to connect
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminCred.Username, $AdminCred.Password)
Try {
#Setup the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Context.Credentials = $credentials
#Get the Site Collection and Audit Objects
$Site = $Context.Site
$Context.Load($Site)
$Audit = $Site.Audit
$Context.Load($Audit)
$Context.ExecuteQuery()
#sharepoint online audit settings powershell
$Audit.AuditFlags = $AuditFlags
$Audit.Update()
$Context.ExecuteQuery()
Write-host -ForegroundColor Green "Audit Settings Configured for the Site Collection:" $SiteURL
}
catch {
write-host -Foregroundcolor Red "Error Enabling Audit for Site Collection $($_.Exception.Message)"
}
}
#Set parameter values
$AdminSiteURL = "https://crescent-Admin.sharepoint.com/"
$AuditFlags="ChildDelete, ObjectDelete, Undelete, Update, Move, SecurityChange"
#Get Credentials to Connect
$AdminCred = Get-Credential
#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL -Credential $AdminCred
#Get all Site Collections
$SitesCollection = Get-SPOSite -Limit ALL
#Iterate through each site collection
ForEach($Site in $SitesCollection)
{
Write-host -f Yellow "Applying Audit Settings for Site Collection:"$Site.URL
#Call the function to set auditing for site collection
Set-SPOSiteAudit -SiteURL $Site.URL -AuditFlags $AuditFlags
}