GitBit
BlogFirst lesson
Sign Up

Auditing sign-ins and other actions in Microsoft 365

So now we have Microsoft 365 fairly secure. There's one more question you should be asking yourself. How do we audit/monitor the user's actions? Before we jump into the logs there's something you should know. There are a couple of places for auditing but we'll keep it simple and stick to the two most common. First, let's take a look at sign-in logs. Next, we'll jump into auditing the Active Directory account auditing. Finally, we'll jump into auditing all actions.

Sign-in logs

Sign-in logs are probably the most common logs used in Microsoft 365. From there you can see when a user logs in, what location they signed in from, and much more. Let's jump in and take a look.

How to view sign-in logs

1. Go to Azure Active Directory admin center > Azure Active Directory > Sign-in logs.

Sign-in logs

From here you can see all the sign-ins to your Microsoft 365 tenant. You can filter the log to see more particular information. Finally, you can view the same sign-in logs from Azure Active Directory admin center > Enterprise applications > Sign-in logs.

How to view sign-in logs for a user

Now, you can go to the sign-in logs, then add a filter for a particular user but that's a bit tedious. Since most of the time when you want to review sign-in logs, you are looking at a particular user let's look at the sign-in logs another way. By having it automatically filtered for a user.

1. Go to Azure Active Directory admin center > Users. Select the user you want to view.

Sign-in logs for user

2. Click Sign-in logs.

How to read the sign-in logs

Now that we are at the sign-in logs let's take a look at how to read them. Before we jump into reviewing one of the logs you should know one thing. The sign-in logs will show more than one sign-in for the user. For example, if you sign into the Microsoft 365 admin center and then navigate to the Azure AD admin center you'll see at least two "sign-ins". That's because every time you navigate to a different app in Microsoft 365 you are re-authenticating using the same token. Now, click one of the sign-ins to view the data.

Basic info

On the basic info tab, you can see, basic info on the sign-in. Surprised right? Anyway, from here you can see information like the user that the sign-in is related to, and what application they signed into.

activity details

Location

On the location tab, you'll find the information on where the user logged in from. For example, you'll see the IP address and the best guess on the actual location. For example, Philadelphia, PA, US.

Location tab

Device info

From the device info tab, you'll find information about the device. If the device is in Azure AD, you may see a device name. If the sign-in is from a browser, you'll notice the browser is located in the device info tab.

Device info tab

Authentication Details

The authentication details tab is where you'll find information about how the user signed in. For example, if it's the actual sign-in you may see "Password Hash Sync" or "Password in the cloud". If the user is already signed in and simply connecting to another service you'll see "Previously satisfied"

Authentication Details

Conditional access

The conditional access tab will show you what conditional access policies were applied and which were not. It will also show you the status of the conditional access policy. For example, if the policy failed (and blocked the sign-in) then it will show Failure. Lastly, you can click the policy name to see information about the conditions and access controls. That way you can see why a policy failed, succeeded or didn't apply.

conditional access policy sign-in logs

Report only

The report-only tab will show you conditional access policies that are in report-only mode. They won't block the sign-in but that way you can test your conditional access policies before applying them.

Additional details

This tab is typically empty.

Account auditing

What do I mean by account auditing? Well, every time you make a change to a user account it is logged in the Azure audit logs. For example, if you update the user display name or change the licenses assigned to a user, you'll see it in the account auditing logs.

How to view account logs for the tenant

Just like the sign-in logs except its one option lower (or up depending on where you are)

1. Go to Azure Active Directory admin center > Azure Active Directory > Audit logs.

View audit logs

You can also view an individual's account auditing logs by going to Azure Active Directory > Users > Click the user > Audit Logs.

Auditing actions

Now that you have an understanding of auditing sign-ins and Active Directory account activity let's look at how to audit all the actions in Microsoft 365. You can review almost all activities in Microsoft 365. For example, you can review when a file is accessed and by whom. You can also view changes and access mailboxes. For example, you can view when an item is sent, moved, or updated. Before we can audit activity let's enable auditing.

How to enable auditing in Microsoft 365

1. Go to Microsoft 365 Defender admin center > Audit. Click Start recording user and admin activity.

Start recording user and admin activity

How to enable auditing on mailboxes

Now that auditing is enabled for the Microsoft 365 tenant let's make sure auditing is enabled in Exchange Online. First, we'll enable auditing admin actions. This is good if you need to see who read and deleted items in a mailbox. Next, we'll enable auditing for each mailbox.

How to enable admin auditing

To enable Exchange auditing we'll need to use PowerShell.

1. Open PowerShell and connect to Exchange Online using Connect-ExchangeOnline.

2. Run the following command "Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *"

3. Then run the following command "Set-OrganizationConfig -AuditDisabled $false"

Note the stars in the log cmdlets and log parameters. These indicate we are auditing all cmdlets and all parameters. We can also limit the number of cmdlets audited by changing the cmdlets to *mailbox*. This will enable auditing for all PowerShell commands that use the mailbox word. For example, Set-Mailbox, Get-Mailbox, Set-MailboxFolder, Get-MailboxFolder, etc.

How to enable auditing per mailbox

Now that we've enabled auditing at the tenant level let's enable auditing on the mailbox level. Again, we'll be using Exchange Online PowerShell.

1. Open PowerShell and connect to Exchange Online using Connect-ExchangeOnline.

2. Run the following command "Get-Mailbox -ResultSize unlimited | Set-Mailbox -AuditEnabled $true -DefaultAuditSet Admin,Delegate,Owner"

Note you can also enable auditing for one mailbox using the following command 'Set-Maibox -Identity "User1" -AuditEnabled $true' and replace User1 with the display name or user principal name of the account you want to enable auditing for.

PreviousNext