Microsoft 365 Audit Logging
For whatever reason the default fresh setup of Microsoft 365 has no audit logging turned on. Audit logging is very useful for IT troubleshooting and auditors love logs.
Microsoft says that it is enabled by default for Microsoft 365 and Office 365 enterprise organizations. I suspect that means only if you have E1 or higher. The new tenants I’ve made recently are not E1 or higher, that could be why I didn’t see it already on.
Someone asked for clarification about this on GitHub however the replies all say that it is on by default for everything but that isn’t true based on my experience. You can read the GitHub issue here.
Microsoft’s documentation also says to double check that audit logging is enabled which you 100% should be doing as if it’s on or not seems inconcistant.
In this post I will detail how to check if audit logging is enabled and how to enable it via the Web UI or PowerShell.
Prerequisites
- Microsoft 365 Customizations needs to be enabled. If you don’t know how to do that my post Microsoft 365 Enable Organization Customization shows you how.
The Web UI Way
- Login to Microsoft 365 Admin center.
- Click on Security or Compliance (you can get to auditing from either one)
- From the Security or Compliance admin centers click on Audit
If audit logging isn’t enable the page will look something like this.
- Click on Start recording user and admin activity
Audit Logging is now enabled it may take a bit for it to actually start working.
The PowerShell Way
- Connect to Exchange Online with PowerShell
- Run the following command to check if Audit Logging is enabled
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
In my example the returned result is false so audit logging isn’t enabled and we want to turn that on.
- To enable audit logging run the following command
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
The process can take up to 60 minutes.
- After 60 minutes double check and confirm that audit logging is enabled by running the following command
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
In my example the returned result is now true so audit logging is now enabled.
Summary
That’s all it take to enable Audit Logging on Microsoft 365.
If you want to read more about the audit log you can do so by reading Microsoft’s documentation about it here.
Leave a comment