Office 365 Audit Log

  • Blog
  • Office 365 Audit Log

Interpreting the Office 365 MailItemsAccessed Audit Event

If you have Office 365 E5 licenses, your mailboxes generate MailItemsAccessed events. These events are stored in the Office 365 audit log and can be used for investigating potentially compromised mailboxes. Useful information is in the audit events, but some processing is needed to extract the full benefit. Here's how to do it with PowerShell.

Last Update: Aug 22, 2023

LATEST

Identifying Obsolete Guest User Accounts in an Office 365 Tenant

Last Update: Aug 22, 2023

Many Office 365 applications now create Azure Active Directory guest accounts. What’s the best way to discover if the accounts are active and in use? This PowerShell script uses the Office 365 audit log and message trace data to figure out what guest accounts are active and outputs a CSV file for your review and analysis. Like any other PowerShell script, it can be adapted to suit your purposes.

View Article

Managing OneDrive for Business File Upload Requests

Last Update: Apr 15, 2022

The new Request Files feature in OneDrive for Business is great for users but comes with no admin controls. You can block the feature completely with a kludge and use Office 365 audit records to know when people are requesting files. However, Microsoft could make the feature so much better by extending some existing controls to make requesting files work better and more securely.

View Article

Missing Audit Records for Retention Labels Applied to SharePoint Online Documents

Activity Explorer Highlights Label Activities In June 2020, I covered Microsoft’s “Know Your Data” initiative, essentially the introduction of a bunch of new features in the Data classification section of the Microsoft 365 compliance center. Requiring Office 365 E5 or Microsoft 365 E5 (or E5 compliance) licenses, Microsoft targets this functionality at large enterprises who…

View Article

No Way to Stop Gathering Data Used by Productivity Score

Microsoft Graph and Audit Log Too Important to Lose Thinking about the fuss and bother which erupted over Microsoft Productivity Score, I concluded that the people concerned about management oversight of user activity within Microsoft 365 had very little knowledge about the topic. They looked at the pretty graphs and tables of user data and…

View Article

Discover Who Creates Guest Accounts in Office 365 Applications

Office 365 applications now create many guest accounts in Azure Active Directory. You can see what accounts exist, but it’s more difficult to discover who created the accounts – or why they were created. Fortunately, the Office 365 audit log holds a lot of useful data that can be interrogated to find some answers and PowerShell is a great tool for slicing and dicing audit data. See what you think of the answers I’ve come up with.

View Article

Microsoft Finally Makes Mailbox Auditing Happen for Exchange Online

The news that Microsoft will make mailbox auditing the default in Exchange Online is very welcome, as is the new mechanism they plan to use. Microsoft won’t get the new feature rolled out across Office 365 until the end of 2018, so there’s still a gap to fill to make sure that audit records are gathered for mailbox activity.

View Article

Office 365 Snippets — October 20, 2016

Some interesting announcements during the last week informed us about Yammer getting better at compliance and a new Office 365 connector. I’m not so hot on the bots, though. In other news, MyAnalytics has an unexplained love for Internet Explorer and the topic of password trimming and the Office 365 maximum password length caused some confusion – at least for one administrator! And some news about an interesting Exchange 20th anniversary video and a VDI collaboration project between VMware and Microsoft for Skype for Business rounds out the week.

View Article

Office 365 at Ignite — SharePoint, Exchange, Auditing, and More

There’s lots to hear and learn about with regard to Office 365 at the Microsoft Ignite conference in Atlanta this week. All of the product groups are putting their best face forward to impress and amaze customers with what has happened or what will happen inside the service. Here’s some of what I have been hearing.

View Article

Why an Office 365 Connector Generates Multiple SendAs Audit Events

Office 365 Connectors allow data drawn from multiple internet sources like Twitter to be imported into Office 365. This article explains why imported tweets result in multiple SendAs events logged in the Office 365 Audit log.

View Article