Introduction
SharePoint Online and OneDrive for Business audit logging as received an overhaul. For the longest time, there were the following challenges:
- View/down log events were not possible in SharePoint Online.
- To turn on user event logs, you had to go to each site collection and turn it on.
- Getting user event logs out of SharePoint Online was not easy, especially if you wanted to do it in an automate fashion.
These issues were a problem over and over again for enterprise customers who needed access to these logs for compliance scenarios.
I am happy to say, this gap is now gone. This has been on the public roadmap for some time and it is now rolling out. I am really impressed with the solution that been put in place.
Unified Audit Logging
We not have a Unified Audit Logging solution across Office 365. SharePoint Online and OneDrive for Business provide a rich logging experience and is no longer second class to something like Exchange Online (which always had mailbox audit logging and Exchange admin logs). With the new Unified Audit Logging solution in Office 365, you have both a user interface and APIs to go obtain user event logs from:
- Exchange Online
- SharePoint Online
- OneDrive for Business
- Azure AD
For SharePoint Online and OneDrive for Business logs, you now have access to event logs on view, create, edit, upload, download and delete; sharing actions like invitation and access requests; and synchronization activity. You now can see who has accessed or had had potential access to data which has been a big deal for enterprise organizations when they are performing compliance investigations. Cannot underscore how big of a deal this is. See reference below to a detailed listing of the events captured Unified Audit Logging.
Search Audit Log User Experience
Gaining access to these logs is super simple. You do not have to be a super technical person to gain access to these logs and you do not have to go to multiple places. All you need to do is go the Office 365 Compliance Center, and go to the audit log site.
Once you have the search results, you can filter them down to specific log events that you are looking for. You have an export button right there to dump out that set of logs. Having that easy to use export button makes life so easy if you have been asked to turn over user logs.
And remember this is Unified Audit Logs. This means you are getting user event logs across Exchange Online, SharePoint Online, OneDrive for Business and Azure AD all at one time. I am just happy to see this feature.
Other Things You Should Know
Here are some important facts that you should know:
- Exchange Online, SharePoint Online and OneDrive for Business audit logs are retained for 90 days. Azure AD audit logs are retained for 180 days.
- SharePoint Online / OneDrive for Business corresponding logs start to appear in 15 minutes after the event. Exchange Online and Azure AD logs appear after 12 hours.
- If you require longer term retention for audit logs, that are APIs and Web Services available (references below) which can be used to export that data and then retain that data for a longer period of time. Microsoft ISV partners are building rich solutions around these APIs.
- You have the ability to create your own more complex reporting and analysis solutions using these APIs as well.
References
Announcement - https://blogs.office.com/2016/02/17/auditing-reporting-and-storage-improvements-for-sharepoint-online-and-onedrive-for-business/
Announcement - https://blogs.office.com/2016/02/17/auditing-reporting-and-storage-improvements-for-sharepoint-online-and-onedrive-for-business/
Office 365 Management APIs - https://msdn.microsoft.com/en-us/library/office/dn707385.aspx
How to search the audit log - https://support.office.com/en-US/article/Search-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c
Detailed listing of all the available log events across Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD - https://support.office.com/en-US/article/Search-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#auditlogevents
Azure AD Audit Report Events - https://azure.microsoft.com/en-us/documentation/articles/active-directory-reporting-audit-events/
Azure AD Audit Reporting API - https://azure.microsoft.com/en-us/documentation/articles/active-directory-reporting-api-getting-started/