SharePoint Online: How to View Audit Log Reports in Security & Compliance Center?
Requirement: View audit log reports in SharePoint Online.
How to view SharePoint Online Audit Logs?
The audit log reports in SharePoint Online provide detailed information about specific actions taken in your tenant, such as when a user creates, updates, or deletes an item, or when a user views a document. Audit log reports missing in SharePoint Online? Well, the SharePoint audit log features have moved to unified audit logging in the Microsoft 365 Security & Compliance Center! We can’t trim or restrict audit log events in SharePoint Online anymore! If you go to “Audit Log Settings” in the site collection administration section of the site settings page, you’ll get the following:
So, to view audit logs, you should use Office 365 Security & Compliance Center site! In this tutorial, we will show you how to view audit logs for SharePoint Online in the Office 365 Security & Compliance Center. This will include steps for narrowing down the results to a specific date range, user, or action and also exporting the results to a CSV file if needed.
Enable Audit Settings in Office 365
How to enable audit log reports in SharePoint Online? You must turn ON the audit log feature in the Compliance Center before you can access the audit logs for SharePoint Online.
- Log in to the Microsoft Office 365 admin center with Global Administrator permissions: https://admin.microsoft.com
- Click on the “Show All” link and then “Compliance” under Admin centers in the left navigation.
- In the Compliance center, click on the “Audit” link in the left navigation >> Click on the “Start recording user and admin activity” button and give it a minute to complete. If you don’t see this link or button, auditing is already turned ON.
You can also enable Audit Logs for SharePoint Online – Office 365 using PowerShell:
#Connect to Exchange Online
Connect-ExchangeOnline -Credential (Get-Credential) -ShowBanner:$False
#Enable Audit Log
If( (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)
{
    Write-host "Auditing is already Enabled!" -f Yellow
}
Else
{
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
    Write-host "Enabled the Auditing Successfully!" -f Green
}
#Disconnect Exchange Online
Disconnect-ExchangeOnline
How to View SharePoint Online Audit Logs?
Once auditing is enabled, it takes some time (30 min to 24 hours!) to collect data and prepare reports. You can perform an Office 365 security audit or a SharePoint audit log search as follows:
- Log in to the Security and Compliance Center: https://compliance.microsoft.com/auditlogsearch or https://protection.office.com
- Click on “Search” >> “Audit Log Search” from the left navigation.
- In the search panel, you can apply search criteria such as:
- Pick relevant activities and other parameters in the search panel. Once set, click on the “Search” button at the bottom to start searching audit logs from SharePoint Online.
From the results panel, you can filter the search results, and you can also export the result data in CSV format.
Search and Export Office 365 Audit Log using PowerShell
With PowerShell, you can query the Audit log and produce reports. E.g., You may want to generate a report on a scheduled basis on a specific event such as “External User Invited”, “Deleted Items”, etc. Here is an example of searching and exporting a unified audit log.
#Connect to Exchange Online
Connect-ExchangeOnline -ShowBanner:$False
#Set Dates and the CSV file path for the export
$StartDate = (Get-Date).AddDays(-7)
$EndDate = (Get-Date)
$CSVPath = "C:\Temp\AuditLog.csv"
#Search Unified Log
$AuditLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000
$AuditLogResults = $AuditLog.AuditData | ConvertFrom-Json | select CreationTime, UserID, Operation, ClientIP, ObjectID
#Display the results and export them to CSV
$AuditLogResults
$AuditLogResults | Export-csv -Path $CSVPath -NoTypeInformation
#Disconnect Exchange Online
Disconnect-ExchangeOnline
This returns audit records from all Office 365 applications for the date range, up to the 5000 records set by -ResultSize. Refer to this documentation for all available parameters: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
Get SharePoint Online Audit Logs using PowerShell:
Let’s filter SharePoint Online audit logs on files and generate a report with PowerShell.
#Connect to Exchange Online
Connect-ExchangeOnline -ShowBanner:$False
#Set Date Filters - past 24 hours!
$StartDate = (Get-Date).AddDays(-1)
$EndDate = Get-Date
#Search Unified Log - without -ResultSize, only the default 100 records are returned
$SharePointLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation -ResultSize 5000
$AuditLogResults = $SharePointLog.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation, ObjectID,SiteUrl,SourceFileName,ClientIP
#Display the results and export them to CSV
$AuditLogResults
$AuditLogResults | Export-csv -Path "C:\Temp\AuditLog.csv" -NoTypeInformation
#Disconnect Exchange Online
Disconnect-ExchangeOnline
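A single call to Search-UnifiedAuditLog returns at most 5000 records. The following added example (not part of the original script) pages through a larger result set with the cmdlet's -SessionId and -SessionCommand ReturnLargeSet parameters and checks the retrieved count against the total the service reports; the session name and CSV path are assumptions.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date
$CSVPath   = "C:\Temp\AuditLog-Paged.csv"                    # assumed output path
$SessionId = "SPOFileAudit-" + [Guid]::NewGuid().ToString()  # any unique string
$AllRecords = [System.Collections.Generic.List[object]]::new()

do {
    # Repeating the call with the same SessionId returns the next batch
    $Batch = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -RecordType SharePointFileOperation -SessionId $SessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000)
    if ($Batch.Count -gt 0) {
        $AllRecords.AddRange($Batch)
        Write-Host ("Fetched {0} of {1} records" -f $AllRecords.Count, $Batch[0].ResultCount)
    }
} while ($Batch.Count -gt 0)

# Drop any repeated records, then compare with the total reported by the service
$Unique   = @($AllRecords | Sort-Object Identity -Unique)
$Expected = if ($AllRecords.Count -gt 0) { $AllRecords[0].ResultCount } else { 0 }
if ($Unique.Count -lt $Expected) {
    # A session pages through at most 50,000 records; use smaller date windows beyond that
    Write-Warning "Retrieved $($Unique.Count) of $Expected records. Narrow the date range and run again."
}

# ReturnLargeSet returns unsorted data, so sort before exporting
$Unique | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId, SiteUrl, SourceFileName, ClientIP |
    Sort-Object CreationTime |
    Export-Csv -Path $CSVPath -NoTypeInformation
```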
To filter all events of a particular user, use this script:
$AuditLogs = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds "salaudeen@crescent.com"
$AuditLogResults = $AuditLogs.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation,Workload, ObjectID
$AuditLogResults
Similarly, we can filter specific events as:
#Filter Audit log to Find specific operations
$SiteURLs = @("https://Crescent.sharepoint.com/*")
$CSVFile = "C:\Temp\AuditLog.csv"
$FileAccessOperations = @('PageViewed', 'PageViewedExtended','FileAccessed', 'FileAccessedExtended','FileDeleted')
$FileAccessLog = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $FileAccessOperations -ResultSize 5000 -ObjectIds $SiteURLs
$FileAccessLog.AuditData | ConvertFrom-Json | Select CreationTime,UserId,Operation, ObjectID,SiteUrl,SourceFileName,ClientIP | Export-csv $CSVFile -NoTypeInformation -Force
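Once the FileDeleted events are retrieved, a quick review step is to summarize them per user and hour so that bulk deletions stand out. This is an added example, not part of the original scripts: the function name Get-BulkDeletionSummary, the threshold of 3, and the sample records are constructed for illustration.

```powershell
# Constructed sample: AuditData JSON strings in the shape Search-UnifiedAuditLog returns
$SampleAuditData = @(
    '{"CreationTime":"2024-05-01T09:00:05","UserId":"alice@example.com","Operation":"FileDeleted","SiteUrl":"https://example.sharepoint.com/sites/hr/","SourceFileName":"a.docx","ClientIP":"203.0.113.10"}'
    '{"CreationTime":"2024-05-01T09:02:41","UserId":"alice@example.com","Operation":"FileDeleted","SiteUrl":"https://example.sharepoint.com/sites/hr/","SourceFileName":"b.docx","ClientIP":"203.0.113.10"}'
    '{"CreationTime":"2024-05-01T09:03:17","UserId":"alice@example.com","Operation":"FileDeleted","SiteUrl":"https://example.sharepoint.com/sites/finance/","SourceFileName":"c.xlsx","ClientIP":"198.51.100.7"}'
    '{"CreationTime":"2024-05-01T09:10:00","UserId":"alice@example.com","Operation":"FileAccessed","SiteUrl":"https://example.sharepoint.com/sites/hr/","SourceFileName":"d.docx","ClientIP":"203.0.113.10"}'
    '{"CreationTime":"2024-05-01T11:30:00","UserId":"bob@example.com","Operation":"FileDeleted","SiteUrl":"https://example.sharepoint.com/sites/hr/","SourceFileName":"e.docx","ClientIP":"192.0.2.44"}'
)

function Get-BulkDeletionSummary {
    param(
        [Parameter(Mandatory)] [string[]] $AuditData,
        [int] $Threshold = 3    # assumed: deletions per user per hour worth a look
    )
    $AuditData | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'FileDeleted' } |
        # Bucket each event into its hour (audit CreationTime values are in UTC)
        Select-Object UserId, ClientIP, SiteUrl, SourceFileName,
            @{ Name = 'Hour'; Expression = { ([datetime]$_.CreationTime).ToString('yyyy-MM-dd HH:00') } } |
        Group-Object UserId, Hour |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                UserId    = $_.Group[0].UserId
                Hour      = $_.Group[0].Hour
                Deletions = $_.Count
                ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join '; '
                Sites     = ($_.Group.SiteUrl  | Sort-Object -Unique) -join '; '
            }
        }
}

# With the sample data only alice@example.com is listed (3 deletions in the 09:00 hour)
Get-BulkDeletionSummary -AuditData $SampleAuditData | Format-Table -AutoSize
```

To run it on real data, pass $FileAccessLog.AuditData from the script above instead of the sample records.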
Conclusion:
In conclusion, viewing audit logs for SharePoint Online in the Office 365 Security & Compliance Center is a useful way to monitor user activity, troubleshoot issues, and identify potential security breaches. The steps outlined in this tutorial show you how to view audit logs in the Security & Compliance Center and narrow down the results to a specific date range, user, or action. Additionally, you can also use PowerShell to view and export audit logs, which can be useful if you need to automate the process or view large amounts of data. Having access to audit logs and being able to review them regularly is an important aspect of maintaining the security and compliance of your SharePoint Online environment.
Hi Salaudeen,
Thanks for sharing the script to download SharePoint logs. The issue I have when using it is that the .csv file only has 100 lines and most of the logs are not exported. Do you know how I can resolve this?
The second issue is that when I try to use the filter part I get the following error:
s#Filter : The term ‘s#Filter’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:13 char:1
+ s#Filter Audit log to Find specific operations
+ ~~~~~~~~
+ CategoryInfo : ObjectNotFound: (s#Filter:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Export-Csv : A parameter cannot be found that matches parameter name ‘Force#Filter’.
At line:18 char:167
+ … ientIP | Export-csv $CSVFile -NoTypeInformation -Force#Filter Audit l …
+ ~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Export-Csv], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ExportCsvCommand
I would appreciate it if you can help me with the resolution of both issues.
Regards
Mike
“S#” is a typo, that’s fixed now! If you are not getting data – Please check the filters like Start Date – End Date.
Can we use an Azure app to retrieve audit logs? My requirement is to use a certificate thumbprint to connect to Exchange Online and get the logs for a specific site. Once I connect with EXO and run the command Search-UnifiedAuditLog, I get the error that the cmdlet is not recognised. I have provided the ‘View-Only Audit Logs’ permissions through the custom role group to the app using the below solution on Stack Overflow
https://stackoverflow.com/questions/74038725/how-can-i-assign-an-exchange-online-role-group-to-a-registered-app
We have resolved this by using the service principal id i.e. (Enterprise app id) instead of regular app id (under App Registration)
Hi there,
Does anyone know the answers to these questions?:
(i) In the output reports is UserKey – eg :”i:0h.f|membership|1003xxxxxxxxxxxx@live.com” – does anyone know how to find the corresponding UserID on the Microsoft system, eg thru admin screens? Does anyone know what this UserKey is?
(ii) for deleted items – eg SharePoint list columns, for example – how can you find out the display name for the item? The audit report shows the ObjectId (xxxxxxxx-exxx-xxx7-bxxx-ab3fxxxfaxxx). Thanks!
Hello – What are the minimum roles required to run Search-UnifiedAuditLog? Possibly Compliance Administrator or Security Administrator, or is Global Administrator required? Thank you
Apart from minimum roles like “View-Only Audit Logs”, “Global Reader”, etc., you can use the Graph API to get the logs.
How can I fetch a large result set from the audit log? It throws the error: Starting a command on the remote server failed with the following error message : The
I/O operation has been aborted because of either a thread exit or an application
request. For more information, see the about_Remote_Troubleshooting Help topic.
And it re-establishes the connection, but in the meanwhile it doesn’t return records for the given time interval. I am trying to fetch records at 30-minute intervals for a given start and end date; a retry mechanism is also applied, but I am still getting a random result count.
I have to extract all events of a specific file.. Please help.
Use “ObjectIds” parameter with your file name. E.g:
$AuditLog = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(+1) -Operations FileModified, FileAccessed, FileUploaded -ObjectIds "<YourFileName>" -ResultSize 1000