Overview of Auditing Options for SharePoint Online Activities

Our customers often request information on where certain actions, functions, and activities are stored/audited within SharePoint Online as well as how to access this data. This article pulls together the different scenarios and options that are currently available for auditing within SharePoint Online (this article will not include options added or removed after October 2017, unless otherwise noted):

Legacy Site Auditing

The following article goes into what activities are available via the legacy SharePoint auditing feature as well as how to set it up and configure it: Set-up and Configure Auditing for SharePoint Site Collection

Here is a reminder of the events that are audited using the legacy site auditing as well as some examples from the report:

  • Editing items
  • Checking out or checking in items
  • Moving or copying items to another location in the site
  • Deleting or restoring items
  • Editing content types and columns
    • See section "Limited/Partial/No Auditing Further details" below.
  • Editing users and permissions
  • Searching site content

Things to Note:

  • Searching site content and Popularity reports are only available as part of the legacy site auditing.
  • Because "Opening or downloading documents, viewing items in lists, or viewing item properties" is not available for SharePoint Online, if you try to view the Content Viewing report, or create a custom report with only "Opening or downloading documents, viewing items in lists, or viewing item properties" selected, you will see this message, which is expected behavior:

Audit logs in the Office 365 Compliance Center

The following article provides an overview of the Audit logs in the Office 365 Compliance Center, as well as basic set-up and configuration: Overview of Office 365 Auditing

The scenarios listed below are the most common SharePoint Online events that administrators and users need information on and that can be surfaced via the Audit logs in the Office 365 Compliance Center:

  • Site Creation/deletion
  • Editing items
  • Checking out or checking in items
  • Moving or copying items to another location in the site
  • Deleting or restoring items
  • Opening or downloading documents, viewing items in lists, or viewing item properties
  • Editing content types and columns
    • See section "Limited/Partial/No Auditing Further details" below.
  • Editing users and permissions
  • Auditing AD Security groups membership/changes that are used to give permission to SPO resources
  • Enable/Disable Features or changing sites Setting 
    • See section "Limited/Partial/No Auditing Further details" below.
  • Changing Tenant Settings
    • See section "Limited/Partial/No Auditing Further details" below.

Things to Note:

  • When trying to reduce the number of activities returned by providing a user, make sure that you look for both UPN and email (especially if they are different) to ensure a full set of results is returned.
  • You can search the Office 365 audit log for activities that were performed within the last 90 days.
  • The following article details the properties that are currently captured for the different services in Office 365: Detailed Properties in the Office 365 audit log

Limited/Partial/No Auditing Further details

  • Adding/Editing content types and columns: For adding or editing content types and fields you won't be able to get the exact activity, but searching for the page associated with Content types and Site columns in the Office 365 Audit Logs will allow you to gather some information on who could have made these changes and when. Here is an example of editing a Site Column:
  • User profile properties: Currently there is no auditing of add/delete/updates made to User Profile Properties
  • Enable/Disable Features or changing sites Setting: Currently there isn't any direct auditing of features being enabled and disabled. However, enabling a feature often results in the creation of certain lists and libraries, which can be used to determine the timeframe etc.
  • Changing Tenant Settings: For changing tenant settings there isn't an exact activity, but you can search for "admin" in "File, folder or site" and find the items that are related to "TenantSettings.aspx". The other option is to search for the exact link. Example of the link you can use: https://contoso-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx
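The two search tips above (look for both UPN and email, and match on the TenantSettings.aspx page URL) can be applied offline to an exported audit log. This is an added example, not code from the original article: the function name Find-AuditPageActivity, the export column layout and every sample row are assumptions constructed for illustration.

```powershell
# Constructed sample in the export layout assumed here (CreationDate, UserIds,
# Operations, AuditData as JSON); every value below is made up for illustration.
$exportCsv = @'
CreationDate,UserIds,Operations,AuditData
2017-10-02T09:14:11Z,jane.doe@contoso.onmicrosoft.com,PageViewed,"{""CreationTime"":""2017-10-02T09:14:11"",""Operation"":""PageViewed"",""UserId"":""jane.doe@contoso.onmicrosoft.com"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://contoso-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx""}"
2017-10-03T16:40:02Z,jane.doe@contoso.com,PageViewed,"{""CreationTime"":""2017-10-03T16:40:02"",""Operation"":""PageViewed"",""UserId"":""jane.doe@contoso.com"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://contoso-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx""}"
2017-10-03T17:05:45Z,jane.doe@contoso.com,FileAccessed,"{""CreationTime"":""2017-10-03T17:05:45"",""Operation"":""FileAccessed"",""UserId"":""jane.doe@contoso.com"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://contoso.sharepoint.com/Shared Documents/plan.docx""}"
2017-10-04T08:01:30Z,sam.lee@contoso.com,PageViewed,"{""CreationTime"":""2017-10-04T08:01:30"",""Operation"":""PageViewed"",""UserId"":""sam.lee@contoso.com"",""ClientIP"":""198.51.100.7"",""ObjectId"":""https://contoso-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx""}"
'@

function Find-AuditPageActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,       # rows from ConvertFrom-Csv / Import-Csv
        [Parameter(Mandatory)] [string[]] $UserIds,    # pass the UPN *and* the email address
        [string[]] $PagePatterns = @('*/TenantSettings.aspx*')
    )
    foreach ($row in $Rows) {
        # The full audit record is the JSON document in the AuditData column
        $rec = $row.AuditData | ConvertFrom-Json
        # -notcontains compares case-insensitively, so casing differences still match
        if ($UserIds -notcontains $rec.UserId) { continue }
        foreach ($pattern in $PagePatterns) {
            if ($rec.ObjectId -like $pattern) {
                [pscustomobject]@{
                    Time      = $rec.CreationTime
                    User      = $rec.UserId
                    Operation = $rec.Operation
                    ClientIP  = $rec.ClientIP
                    Page      = $rec.ObjectId
                }
                break   # one hit per record is enough
            }
        }
    }
}

$rows = $exportCsv | ConvertFrom-Csv
$upn  = 'jane.doe@contoso.onmicrosoft.com'
$mail = 'jane.doe@contoso.com'

# Searching on the UPN alone misses the record logged under the email address
$upnOnly = @(Find-AuditPageActivity -Rows $rows -UserIds $upn)
$both    = @(Find-AuditPageActivity -Rows $rows -UserIds $upn, $mail)

$both | Format-Table -AutoSize
"UPN only: $($upnOnly.Count) hit(s); UPN + email: $($both.Count) hit(s)"
```

Pass additional wildcard patterns through -PagePatterns to look for other settings pages in the same export.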

If it is critical to determine one of the following events:

  • Adding/Editing content types and columns
  • Enable/Disable Features or changing sites Setting
  • Changing Tenant Settings

there are instances where support can work to get further information, but we have to work within certain boundaries. The current boundaries are as follows:

  • The activity needs to have occurred in the last 60 days, though it is preferable if it is in the last 30 days.
  • The activity needs to be isolated to a timeframe of a few days.

Once you have that information, please engage support via a support request. The more information you provide, the better the chances of successfully isolating the events.

Other Auditing options

If you have developers and want to monitor sites/list/libraries more closely then custom code is an option. The following article provides a good example of how this could be accomplished: https://msdn.microsoft.com/en-us/pnp_articles/query-sharepoint-change-log-with-changequery-and-changetoken

Here is a simple example CSOM script:

[CmdletBinding()]
Param
(
    # URL of the site collection whose change log should be read
    [Parameter(Mandatory=$true)]
    [string]$url
)

# Load the SharePoint CSOM assemblies (the client components must be installed)
$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")

# Prompt for credentials and build an authenticated client context
$cred = Get-Credential
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($url)
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)
$clientContext.Credentials = $credentials

# Load the site collection object
$site = $clientContext.Site
$clientContext.Load($site)
$clientContext.ExecuteQuery()

# ChangeQuery($true, $true) requests all object types and all change types
$changeQuery = New-Object Microsoft.SharePoint.Client.ChangeQuery($true, $true)

# Read the change log for the site collection
$changes = $site.GetChanges($changeQuery)

$clientContext.Load($changes)
$clientContext.ExecuteQuery()

# Write each change entry to the pipeline
foreach ($change in $changes)
{
    if ($change)
    {
        $change
    }
}

If you have feedback or areas that you would like to see auditing made available, please submit the feedback/requests to these locations:

Office 365 Auditing: https://office365.uservoice.com/forums/289138-office-365-security-compliance

Legacy Auditing: https://sharepoint.uservoice.com