These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. The following table lists the activities in content explorer that are logged in the audit log. Content explorer, which is accessed on the Data classifications tool in the Microsoft compliance center.
For more information, see Using data classification content explorer. The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see Quarantine email messages. The tables in this section the user and admin activities in Microsoft Forms that are logged in the audit log. Where noted below in the descriptions, some operations contain additional activity parameters.
If a Forms activity is performed by a coauthor or an anonymous responder, it will be logged slightly differently. For more information, see the Forms activities performed by coauthors and anonymous responders section. Some Forms audit activities are only available in Advanced Audit. Forms supports collaboration when forms are designed and when analyzing responses. A form collaborator is known as a coauthor.
Coauthors can do everything a form owner can do, except delete or move a form. Forms also allows you to create a form that can be responded to anonymously. This means the responder doesn't have to be signed into your organization to respond to a form.
The following table describes the auditing activities and information in the audit record for activities performed by coauthors and anonymous responders. The following table lists events that result from using sensitivity labels. The following table describes the configuration activities for retention policies and retention labels when they were created, reconfigured, or deleted. The following table lists the activities in Briefing email that are logged in the Microsoft audit log.
For more information about Briefing email, see:. Overview of Briefing email. The following table lists the activities in MyAnalytics that are logged in the Microsoft audit log. For more information about MyAnalytics, see MyAnalytics for admins. The following table lists the activities in information barriers that are logged in the Microsoft audit log. For more information about information barriers, see Learn about information barriers in Microsoft The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period.
For more information, see Viewing and disposing of content. The following table lists communication compliance activities that are logged in the Microsoft audit log. For more information, see Learn about communication compliance in Microsoft The following table lists the activities for usage reports that are logged in the Microsoft audit log. Exchange administrator audit logging which is enabled by default in Microsoft logs an event in the audit log when an administrator or a user who has been assigned administrative permissions makes a change in your Exchange Online organization.
Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs Get- , Search- , or Test- are not logged in the audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.
Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log or in the audit log. Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events.
To return entries from the Exchange admin audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.
To display events from the Exchange admin audit log, filter the search results and type a - dash in the Activity filter box. This displays cmdlet names, which are displayed in the Activity column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order. To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option.
For more information, see Export, configure, and view audit log records. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. This is a good way to specifically search for activity performed by Exchange Online administrators. For instructions, see:. View the administrator audit log. Keep in mind that the same Exchange admin activities are logged in both the Exchange admin audit log and audit log.
See the beginning of this article for a list of services that are audited. See the Audited activities section in this article for a list and description of the activities that are audited. How long does it take for an auditing record to be available after an event has occurred? Most auditing data is available within 30 minutes but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results.
See the table in the Before you search the audit log section of this article that shows the time it takes for events in the different services to be available. As previously explained, audit records for activities performed by users assigned an Office E5 or Microsoft E5 license or users with a Microsoft E5 add-on license are retained for one year.
For all other subscriptions that support unified audit logging, audit records are retained for 90 days. Are there other ways to get auditing logs other than using the security and compliance center or the Office Management Activity API? Do I need to individually enable auditing in each service that I want to capture audit logs for?
In most services, auditing is enabled by default after you initially turn on auditing for your organization as described in the Before you search the audit log section in this article. However, we may flow the data across these regions for load-balancing and only during live-site issues. When we do perform these activities, the data in transit is encrypted. Auditing data is stored in Exchange mailboxes data at rest in the same region where the unified auditing pipeline is deployed.
Mailbox data at rest is not encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted via BitLocker. Skip to main content.
This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Is this page helpful? Please rate your experience Yes No. Any additional feedback? Important If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Microsoft compliance center, they won't be able to search the audit log.
Note If your organization participated in the private preview program for the one-year retention of audit records, the retention duration for audit records that were generated before the general availability rollout date will not be reset. Note Even when mailbox auditing on by default is turned on, you might notice that mailbox audit events for some users aren't found in audit log searches in the Microsoft compliance center or via the Office Management Activity API.
Tip Use a private browsing session not a regular session to access the Microsoft compliance center because this will prevent the credential that you are currently logged on with from being used.
Note If the Start recording user and admin activity link is displayed, click it to turn on auditing. Tip If you're using the maximum date range of 90 days, select the current time for the Start date. Note For some services, the value displayed in this field might be the IP address for a trusted application for example, Office on the web apps calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity.
Tip Click a column header under Results to sort the results. Important You can download a maximum of 50, entries to a CSV file from a single audit log search. File and page activities. Folder activities. Power BI activities. Yammer activities.
Quarantine activities. Briefing email activities. MyAnalytics activities. Report activities. Exchange admin activities. Note Users can be either members or guests based on the UserType property of the user object. Note The operation names listed in the Operation column in the following table contain a period. Note It takes up to 30 minutes for events that result from the activities listed under eDiscovery activities and Advanced eDiscovery activities in the Activities drop-down list to be displayed in the search results.
Note Some Yammer audit activities are only available in Advanced Audit. Note Some Forms audit activities are only available in Advanced Audit. Important Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log or in the audit log. Submit and view feedback for This product This page. View all page feedback. In this article. This is related to the "Accessed file" FileAccessed activity.
A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period up to 3 hours. The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial and more important FileAccessed event. A retention label was applied to or removed from a document.
This event is triggered when a retention label is manually or automatically applied to a message. The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. User checks in a document that they checked out from a document library. User checks out a document located in a document library.
Users can check out and make changes to documents that have been shared with them. User copies a document from a site. The copied file can be saved to another folder on the site. A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled Confidential is uploaded to a site labeled General. This event isn't triggered if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential.
For more information about sensitivity label priority, see Label priority order matters. User discards or undoes a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
User or system account modifies the content or the properties of a document on a site. This is related to the "Modified file" FileModified activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period up to 3 hours.
The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified. This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial and more important FileModified event.
User moves a document from its current location on a site to a new location. These events typically occur in high volumes based on a single activity, such as viewing an image gallery. Some common scenarios where a service account performs a search query include applying an eDiscovery holds and retention policy to sites and OneDrive accounts, and auto-applying retention or sensitivity labels to site content.
User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin. User deletes all versions from the version history of a file. User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin. User views a page on a site.
This doesn't include using a Web browser to view files located in a document library. This is related to the "Viewed page" PageViewed activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period up to 3 hours. The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed.
This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial and more important PageViewed event. A user's client such as website or mobile app has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page.
NOTE : Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
A user's client such as website or mobile app has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client.
This event isn't a definitive indication that the user navigated to the page. When the page content is rendered by the client as per the user's request a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events. User modifies a folder on a site.
This includes changing the folder metadata, such as changing tags and properties. A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists. A user created a list content type.
A list content type is a content type that's attached to one or more SharePoint lists. A user created a SharePoint site column. A site column is a column that isn't attached to a list.
A site column is also a metadata structure that can be used by any list in a given web. A user created a site content type. A site content type is a content type that's attached to the parent site. A user updated a SharePoint list column by modifying one or more properties.
A user updated a list content type by modifying one or more properties. A user updated a SharePoint list item by modifying one or more properties. A user updated a SharePoint site column by modifying one or more properties. A user updated a site content type by modifying one or more properties. An access request to a site, folder, or document was accepted and the requesting user has been granted access. User member or guest accepted a sharing invitation and was granted access to a resource.
This event includes information about the user who was invited and the email address that was used to accept the invitation they could be different. This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because: The target user's domain isn't included in the list of allowed domains. Or The target user's domain is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
User requests access to a site, folder, or document they don't have permissions to access. User created a company-wide link to a resource. They can't be used by guests. User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated. User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.
User removed a company-wide link to a resource. The link can no longer be used to access the resource. User removed an anonymous link to a resource. User member or guest shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory.
The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource. For example, adding the user to a group that has access to the resource. User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address. User member or guest unshared a file, folder, or site that was previously shared with another user. A user was added to the list of entities who can use a secure sharing link. A user was removed from the list of entities who can use a secure sharing link. User successfully establishes a sync relationship with a site.
The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains called the safe recipients list that can access document libraries in your organization. For more information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains called the safe recipients list that can access document libraries in your organization.
The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list. This event has been deprecated along with the old OneDrive for Business sync app Groove.
Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites.
This activity is also logged when an admin gives themselves access to a user's OneDrive account by editing the user profile in the SharePoint admin center or by using the Microsoft admin center. User added a member or guest to a SharePoint group.
This might have been an intentional action or the result of another activity, such as a sharing event. An item was changed so that it no longer inherits permission levels from its parent. An item was changed so that it no longer inherits sharing permissions from its parent.
Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site.
This event can also be a result of a user creating a link with edit permissions to a shared file. The Members Can Share setting was modified on a site. Site administrator or owner or system account changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group. To find related events, you can search for other permission-related activities such as Added site collection admin , Added user or group to SharePoint group , Allowed user to create groups , Created group , and Deleted group.
View all page feedback. In this article. Specifies the location where log files should be stored. Local and UNC paths are accepted.
When logging to the network, be sure to grant access for the Computer Object to the network share and the folder. New log files are begun each day. This specifies how many to keep.
If the value is not set, the default is '7'. Default set by install is 2. This value can be '0', '1', or '2'. When set to '0', the specific settings for each log file are ignored and all log files are disabled. When set to '1' the specific settings for each log file are honored.
When set to '2', the specific settings for each log file are ignored and all log files are enabled. This value is set between 0 and 3 inclusive, with the following meanings. The SNL manager has a default time out of 2 hours or 7, seconds. Here is an example of that:.
Here is another example of a Timeout Option File. Once you get your information into the Option File, save and close the file, then proceed through the rest of the license reactivate s. Here is another great article from blogs.
Editor's Note: This article was originally published in January and has been been updated for accuracy and comprehensiveness. Michael Nolte is a Sr. Applications Engineer at GoEngineer with over 14 years of technical experience in the reseller channel. View all posts by Michael Nolte. Get our wide array of technical resources streamlined to your inbox.
0コメント