SharePoint Online: Enable Auditing using PowerShell

Requirement: Enable Auditing in SharePoint Online using PowerShell.

Update: SharePoint Online Site Collection audit logs are disabled and can’t be accesssed from both Web UI and CSOM methods! Instead, you have to use the Unified Audit Logs from Compliance Center: How to View SharePoint Online Audit Log from Security & Compliance Center?

Auditing in SharePoint Online helps to track user actions in a site collection. We generally use auditing to track how sites, content types, lists, libraries, and list items are used and as part of information management policy – security regularity and legal compliance. Knowing who has done what with which information is critical in many business scenarios. When the auditing feature is enabled, any combination of the following events can be audited:

  • Editing items
  • Checking out or checking in items
  • Moving or copying items to another location on the site
  • Deleting or restoring items
  • Editing Content types and columns
  • Searching site content
  • editing users and permissions

Compared with SharePoint On-premises, in SharePoint Online – viewing items in lists, and viewing item properties, opening or downloading documents are not available because of storage and performance concerns.

How to Enable Auditing in SharePoint Online?

Auditing is not enabled by default. Auditing settings are configured at the site collection level in SharePoint Online. To enable auditing in SharePoint Online,

  1. Go to your SharePoint Online Top-level site collection.
  2. Click on the settings gear and then Site Settings.
  3. In Site Settings page, Click on “Site collection audit settings” under Site Collection Administration.
  4. Specify audit events for “Documents and list items” and “List, libraries, and sites” by enabling check box to audit events such as “Editing items”, “Deleting or restoring items”, etc. 
    sharepoint online audit settings powershell
  5. Click “OK” to save your changes. This enables auditing for the SharePoint Online site collection.

SharePoint Online Auditing Reports
Once auditing is enabled, You can get auditing reports through the “Audit log reports”link in the Site collection settings page.

SharePoint Online: Enable Auditing using PowerShell

Here is the PowerShell to enable auditing in SharePoint Online:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Site collection URL
$SiteURL = "https://crescent.sharepoint.com/"

#Get Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

Try {
    #Setup the context
    $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Context.Credentials = $credentials

    #Get the Site Collection and Audit Objects
    $Site = $Context.Site
    $Context.Load($Site)
    $Audit = $Site.Audit
    $Context.Load($Audit)
    $Context.ExecuteQuery()

    #Define Audit Flag
    $AuditFlag = [Microsoft.SharePoint.Client.AuditMaskType]::None

    #Set Audit Settings for the Site collection
    $Audit.AuditFlags = $AuditFlag
    $Audit.Update()

    #Set Autdit Log Trimming Options
    $Site.TrimAuditLog = $True
    $Site.AuditLogTrimmingRetention = 90
    $Audit.Update()

    #Set Audit Log location
    $Site.RootWeb.AllProperties["_auditlogreportstoragelocation"] = $SiteURL+"AuditDocuments"
    $Site.RootWeb.Update()

    $Context.ExecuteQuery()

   Write-host "Audit Settings Configured for the Site Collection!" -ForegroundColor Green
}
catch {
    write-host "Error Enabling Audit for Site Collection $($_.Exception.Message)" -Foregroundcolor Red
}

Here is the list of all available audit masks as per https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.client.auditmasktype.aspx

  1. All
  2. None
  3. CheckOut
  4. CheckIn
  5. View
  6. ObjectDelete
  7. Update
  8. ProfileChange
  9. ChildDelete
  10. SchemaChange
  11. SecurityChange
  12. Undelete
  13. Workflow
  14. Copy
  15. Move
  16. Search

SharePoint Online: Set Audit Settings using PowerShell for All Site Collections

Auditing is configured at the site collection level. When you have a large number of site collections, enabling auditing through web UI by going to each site collection would be a tedious job. So, let’s use PowerShell to enable auditing in SharePoint Online for all site collections. 

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Set-SPOSiteAudit($SiteURL, $AuditFlags)
{
    #Setup Credentials to connect
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminCred.Username, $AdminCred.Password)

    Try {
        #Setup the context
        $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Context.Credentials = $credentials

        #Get the Site Collection and Audit Objects
        $Site = $Context.Site
        $Context.Load($Site)
        $Audit = $Site.Audit
        $Context.Load($Audit)
        $Context.ExecuteQuery()

        #sharepoint online audit settings powershell
        $Audit.AuditFlags = $AuditFlags
        $Audit.Update()
        $Context.ExecuteQuery()

        Write-host -ForegroundColor Green "Audit Settings Configured for the Site Collection:" $SiteURL  
    }
    catch {
        write-host -Foregroundcolor Red "Error Enabling Audit for Site Collection $($_.Exception.Message)"
    }
}

#Set parameter values
$AdminSiteURL = "https://crescent-Admin.sharepoint.com/"
$AuditFlags="ChildDelete, ObjectDelete, Undelete, Update, Move, SecurityChange"

#Get Credentials to Connect
$AdminCred = Get-Credential

#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL -Credential $AdminCred

#Get all Site Collections
$SitesCollection = Get-SPOSite -Limit ALL

#Iterate through each site collection
ForEach($Site in $SitesCollection)
{
    Write-host -f Yellow "Applying Audit Settings for Site Collection:"$Site.URL

    #Call the function to set auditing for site collection
    Set-SPOSiteAudit -SiteURL $Site.URL -AuditFlags $AuditFlags
}

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

Leave a Reply

Your email address will not be published. Required fields are marked *