Microsoft Teams: Audit Log of Activity


Introduction: The purpose of this blog post is to describe how to use the audit log in Office 365 to understand what changes occurred in Microsoft Teams, when and by whom. For example, the date and time when a team was deleted and who deleted it. This can be extremely powerful evidence when conducting investigations.

What is the audit log? The audit log is a reporting tool that allows you to view both user and IT admin activity in Office 365. For example, when a user's password wash changed and by whom in IT, or when a user accessed their mailbox and the activity they performed while connected. This log is a unified log and all activities are recorded in a centralized location allowing you to search them through a single console. The following services can be searched for user and administrator activity:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory
  • Sway
  • Microsoft Teams
  • Power BI
  • Yammer
  • Dynamics 365
  • File activities
  • Page activities
  • Folder activities
  • Sharing and access request activities
  • Synchronization activities
  • Site administration
  • Role administration activities
  • eDiscovery

How long is data stored? Activity in the audit log is stored for 90 days.

How do I access the audit log? The audit log is accessible in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. It can also be accessed via the Office 365 Management API in addition it can also be accessed via PowerShell using Search-UnifiedAuditLog, see this article for more information.

How do I enable the audit log? By default, the audit log is disabled in your Office 365 tenant. In order for the activity to be recorded and searchable, the log needs to be enabled. Note, the audit log can be connected to a SIEM (Security Incident and Event Manager) via the Office 365 Management API. See this article for more information. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities then click Turn On:

In addition, the audit log can be turned on using PowerShell:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

 

What activity in Microsoft Teams is recorded? The following user and admin activity in Microsoft Teams is recorded to the Office 365 audit log:

  • Created team
  • Deleted team
  • Added channel
  • Deleted channel
  • Changed organization setting
  • Changed team setting
  • Changed channel setting
  • Changed setting (legacy)
  • User signed in to Teams
  • Added bot to team
  • Removed bot from team
  • Added Tab
  • Removed tab
  • Added connector
  • Removed Connector

How long does it take for activity to be written to the audit log? After the activity has been performed in the tenant (i.e deleting a team) it can take up to 24 hours for that activity to be written to the audit log.

How do I search the audit log? You can search the audit log by specifying start/end dates/times, specific user accounts, or specific files, folders or sites.

What does the Microsoft Teams activity look like in the audit log? Below are screenshots of how Microsoft Teams activities appear in the audit log.

Filtering on Microsoft Teams:


Activity in the search results:


Details of a specific activity, in this example deleting a team:


Clicking on the hyperlink of the user's email address, then clicking the Recent Activity tab, allows me to see all recorded activity by that user in Microsoft Teams:

Can I be alerted on specific activity?

In addition, I can create an alert for when specific activity occurs. In the search console click New Alert Policy. I will then title the alert "Microsoft Teams deleted team activity", with a custom alert type and filter on just the Deleted team. I will then ask it to send alerts to my global administrator and click Save when finished.

Conclusion: Activity that a user and administrator performs in Microsoft Teams gets written to a centralized log enabling IT to search the log to provide evidence during either an investigation, routine audits or to be alerted when changes happen within the environment. If you have feedback, input or comments please let me know below. Enjoy!

Comments (3)

  1. Does the Audit log include when a user adds a message, makes a call, schedules a meeting etc…?

  2. edh says:

    What has to be done to get the “New Alert Policy” button? It isn’t showing up in our tenant. The audit log as been on for a few months.

  3. The list of activities recorded for Teams as stated in your list above is useful, but also severely lacking. What about file downloads, calls, scheduling a meeting, and most especially, something like facebook style comment history. Unless I’m overlooking something, someone can post a comment saying one thing, edit it sometime later to say something entirely different and there is no mechanism to audit this or make the change history transparent like it is on fb or other communication tools. I would glad to find that this hasn’t been overlooked and is simply buried somewhere, but if it’s buried, it’s REALLY buried.

Skip to main content