Microsoft Office 365 allows administrators to access full activity and security logs for everything that happens in your Microsoft 365 subscription. Should a security incident occur, such as an attacker accessing an email inbox, these logs provide extremely valuable data needed to investigate and support recovery.
Unfortunately, these logs are not enabled for you by default, meaning this information is not captured. Fortunately, this is easy to address:
- Log in to the Security & Compliance Center of your account here: https://protection.office.com/
- From the left-hand panel, click Search > Audit log search
- If you see "Turn on auditing" on the next screen, click it. Note: if you don't see this button, that means auditing is already enabled and you're good to go!
For advanced users or IT support teams, the following PowerShell command can also be used:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Once enabled, audit logs will be available for all future activity; however, user activity prior to activation is not included. For most users, audit log data is retained for 90 days, but it may be held for longer if your Microsoft 365 license includes additional data retention features.
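To check the current state before changing it and to confirm that records are actually searchable afterwards, the command above can be wrapped in a short script. This is an added example, not part of the original page; it assumes the ExchangeOnlineManagement module is installed, `admin@example.com` is a placeholder account, and `Test-UnifiedAuditEnabled` is a helper name made up for this example.

```powershell
# Added example: check, enable and verify unified audit logging.
# Assumptions: ExchangeOnlineManagement module is installed and the
# signed-in account is allowed to change the audit configuration.
# 'admin@example.com' is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

function Test-UnifiedAuditEnabled {
    # Hypothetical helper for this example. Read the flag from an
    # Exchange Online PowerShell session: the same cmdlet run in
    # Security & Compliance PowerShell always reports False.
    [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

if (Test-UnifiedAuditEnabled) {
    Write-Host 'Unified audit logging is already enabled.'
}
else {
    Write-Host 'Unified audit logging is disabled; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # The change can take some time to apply, so a False reading
    # immediately after the Set call is not necessarily a failure.
    if (-not (Test-UnifiedAuditEnabled)) {
        Write-Warning 'Flag still reads False; check again in about an hour.'
    }
}

# Confirm that records are being captured and are searchable.
# Only activity from after auditing was enabled will appear.
$end     = Get-Date
$start   = $end.AddDays(-1)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5

if ($records) {
    $records |
        Select-Object CreationDate, UserIds, Operations, RecordType |
        Format-Table -AutoSize
}
else {
    Write-Host 'No audit records returned for the last 24 hours.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

An empty result right after enabling is expected, because nothing was recorded before activation; rerun the search after some normal user activity has taken place.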