Last week, a colleague asked me what auditing possibilities OneDrive has, but to be honest, no one likes being audited.
At the beginning, I was not sure what to answer, because I was sure that the Admin center has information about the tenant, but at the same time I was sure enough that the Admin center would not fulfil the requirements of the project.
I started digging into O365, and I realized that there is an amazing feature called the O365 audit log report inside the Compliance Center. It allows you to search the audit log to view user activity in the O365 organization, for example:
· User activity in SharePoint Online and OneDrive for Business
· User activity in Exchange Online (Exchange mailbox audit logging)
· Admin activity in SharePoint Online
· Admin activity in Azure Active Directory (the directory service for Office 365)
· Admin activity in Exchange Online (Exchange admin audit logging)
· User and admin activity in Sway
· User and admin activity in Power BI for Office 365
· User and admin activity in Yammer
If you want to know all the activities that you can select per category, visit: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US
Knowing how to audit your information is an important feature and skill. Therefore, I want to show you how to activate all this data:
Access your O365 tenant and, inside Admin, go to the Security section:
Then click on Office 365 audit report to access auditing and reports. Take into account that before you are able to create new reports, you will need to activate recording. So, let’s begin:
And select “Turn On”
Then, you will need to wait for some time… After this time, you will be able to create activity reports, with many other filters (like date range, folders, etc…)
Currently, the audit history is retained for 90 days. I suppose that it will be possible to ask MS to extend the audit log, but take into account that it is possible to export results to CSV.
Another wonderful feature is creating activity alerts to automate the process. Imagine that you need to keep an eye on specific events: you can execute a search and then click on add an alert. You will need to specify a recipient for the alert.
Therefore, when the audit detects a match between the alert and an event, it will trigger an email to the specified recipient.
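As an added example (not part of the original post), here is the same idea of matching events against a rule, applied offline to a CSV export of search results. The column layout (CreationDate, UserIds, Operations, and AuditData holding JSON detail), the sample rows and the function names are assumptions made for this illustration.

```python
import csv
import io
import json
from collections import Counter

# Assumed export layout: CreationDate, UserIds, Operations, AuditData (JSON text).
HEADER = ["CreationDate", "UserIds", "Operations", "AuditData"]

def make_sample_export():
    """Build a constructed export (not real tenant data) in the assumed layout."""
    rows = [("2017-03-01T09:00:00", "alice@example.com", "FileDownloaded", "OneDrive"),
            ("2017-03-01T09:00:05", "alice@example.com", "FileDownloaded", "OneDrive"),
            ("2017-03-01T09:00:09", "alice@example.com", "FileDownloaded", "OneDrive"),
            ("2017-03-01T10:15:00", "bob@example.com", "FileDownloaded", "OneDrive"),
            ("2017-03-01T10:16:00", "bob@example.com", "FileAccessed", "OneDrive"),
            ("2017-03-01T11:00:00", "carol@example.com", "FileDownloaded", "SharePoint")]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(HEADER)
    for when, user, op, workload in rows:
        out.writerow([when, user, op, json.dumps({"Workload": workload, "Operation": op})])
    # One row whose detail column was cut off, e.g. by a hand edit of the file.
    out.writerow(["2017-03-01T12:00:00", "dave@example.com", "FileDownloaded", '{"Workload": "One'])
    return buf.getvalue()

def parse_export(text):
    """Return one flat dict per CSV row, merging the JSON held in AuditData."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            detail = json.loads(row["AuditData"])
        except (json.JSONDecodeError, TypeError):
            detail = {"ParseError": True}  # keep the row so it can be reviewed
        events.append({"when": row["CreationDate"], "user": row["UserIds"],
                       "operation": row["Operations"], **detail})
    return events

def match_alert(events, operations, workload="OneDrive", threshold=1):
    """Users with at least `threshold` events of the given operations and workload."""
    hits = Counter(e["user"] for e in events
                   if e["operation"] in operations and e.get("Workload") == workload)
    return {user: n for user, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    events = parse_export(make_sample_export())
    print("alert:", match_alert(events, {"FileDownloaded"}, threshold=3))
    print("unparsed rows:", [e["user"] for e in events if e.get("ParseError")])
```

Rows whose AuditData cannot be parsed are kept and flagged rather than dropped, so a damaged export does not silently hide activity from the count.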
As you can imagine, there are other options to detect events from the compliance center, for example using the APIs of Office 365.
Hope it helps!!
2 thoughts on “Audit logs for OneDrive”
logs are kept for 90 days only
Correct, Chris. If you want to store the information for longer than that, my recommendation would be to create an Azure function that periodically extracts the information and stores it in a storage account.