How to configure SharePoint Online auditing

As organizations begin to move copious amounts of content to SharePoint Online, they need to ensure that regulations and security policies are closely adhered to. Why? In many ways, violating a policy can determine the fate of court cases, and failing to uphold organization-wide auditing can result in serious penalties.

To begin, let’s imagine that a security policy mandates an organization to record when sensitive documents are accessed and by whom. Though these scenarios occur on a regular basis, organizations should increase their awareness and visibility when an employee leaves or accesses an unusual amount of information.

In this blog, we’ll explain how to configure SharePoint Online auditing to meet the demands of regulations and security policies, including how to activate and view SharePoint Online audit log reports.

Introducing SharePoint Online auditing

SharePoint Online features a robust auditing system with which admins can track user activity on an organizational level and filter searches to specific properties. Once the auditing features have been activated, Office 365 logs every action that users and admins take, such as creating and deleting a document or removing a complete Site Collection.

This allows the Office 365 administrator, or the compliance admin, to search through the logs and apply filters to identify exactly what they are looking for. For example, if an organization harbors suspicion surrounding a user’s activity in distributing confidential data, admins can access the audit logs to determine all of the content that the user has accessed. In this way, admins can ensure compliance by keeping a close eye on sensitive documents and monitoring suspicious user behavior.

So, where do you start?

Step 1: Activate SharePoint Online auditing

To activate SharePoint Online auditing, the first thing you need to do is access the Security and Compliance Center from Office 365 (or the app launcher) and click on Security and Compliance.

After navigating to the Office 365 Security and Compliance Center, go to the Audit Log Search menu in the side navigation menu. If you’re an Office 365 Global admin and it’s your first time viewing this page, it is likely that SharePoint Online auditing has not yet been activated. If this is the case, a message will appear prompting you to Start Recording User and Admin Activities, as seen below.

Once this feature is activated, you can begin auditing the content and users within the organization. However, as with most Office 365 admin changes, it may take up to 24 hours for results to appear when conducting a search. That being said, make sure to bookmark this blog post so you can reference it when beginning your audit search!

Now that we’ve activated SharePoint Online auditing, let’s move on to how you can search through the audit log.

Step 2: View SharePoint Online audit log reports

To search through the audit log on SharePoint Online, you can filter a number of different activities from the Activities dropdown menu. Here, you can search for permissions, mailbox activities, file deletions, and even user activity in Microsoft Teams and Power BI.

You can also filter for dates, internal or external users, and folders or sites.

It’s important to note that results may take up to 24 hours after activation to display in the Audit Search results. However, once the results are available, the Office 365 Audit Log Search will continue to display them for 90 days.

Step 3: Develop a custom script

Many organizations, especially those in the Public Sector, require access to audit logs for an indefinite period of time. In the event that your organization will require audit logs beyond the provided 90-day limit, you can develop a custom script that will automatically pull data from the Office 365 audit log and save it into a unified logging system.
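One way to write such a script, as an added example that is not part of the original post: it pages through the audit log with the Search-UnifiedAuditLog cmdlet from Exchange Online PowerShell and appends new records to daily JSON Lines files that a logging system can ingest. The archive folder, file naming, 48-hour lookback and the SharePointFileOperation filter are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module
# and an account that is allowed to search the audit log.
param(
    [string]$ArchiveDir    = 'C:\AuditArchive',  # hypothetical destination folder
    [int]   $LookbackHours = 48                  # overlap runs: results can lag by up to 24 hours
)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Audit recording is not turned on for this tenant (see Step 1).'
}
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$LookbackHours)
function Get-DayFile([datetime]$Day) {
    Join-Path $ArchiveDir ('spo-audit-{0:yyyy-MM-dd}.jsonl' -f $Day)
}

# Load the record Ids already archived for the days this run overlaps, so reruns add no duplicates.
$seen = [System.Collections.Generic.HashSet[string]]::new()
for ($d = $start.Date; $d -le $end.Date; $d = $d.AddDays(1)) {
    $file = Get-DayFile $d
    if (Test-Path $file) {
        Get-Content $file | ForEach-Object { [void]$seen.Add(($_ | ConvertFrom-Json).Id) }
    }
}

$added = 0
for ($from = $start; $from -lt $end; $from = $from.AddHours(1)) {
    # One-hour slices keep each paged session well under the 50,000-record session limit.
    $session = [guid]::NewGuid().ToString()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $from -EndDate $from.AddHours(1) `
                    -RecordType SharePointFileOperation -SessionId $session `
                    -SessionCommand ReturnLargeSet -ResultSize 5000)
        foreach ($rec in $page) {
            $id = [string]($rec.AuditData | ConvertFrom-Json).Id
            if ($seen.Add($id)) {
                # Store the record as returned (line breaks stripped), one JSON document per line.
                $line = $rec.AuditData -replace '\r?\n', ''
                Add-Content -Path (Get-DayFile $rec.CreationDate) -Value $line -Encoding UTF8
                $added++
            }
        }
    } while ($page.Count -gt 0)
}
Write-Output "Archived $added new records created between $start and $end (UTC)."
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a daily schedule so that each run overlaps the previous one; a scheduled, unattended run needs a non-interactive sign-in in place of the interactive prompt used here.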

If you need to share the results with a third-party user or with someone who lacks access to the Security and Compliance Center, you can also use the Export Results function to save the results into a spreadsheet.


With security becoming a top concern for organizations around the world, configuring SharePoint Online auditing can give admins unrestricted access to user activity and content across the organization. However, given that the Audit Log Search will only display results from when it was first activated, admins are strongly encouraged to activate SharePoint Online auditing as soon as possible.

Ultimately, the information that SharePoint Online auditing can provide is invaluable, as it yields a history of user activity that can be crucial when adhering to regulations and security policies. Additionally, as organizations begin to move more content into the cloud, configuring SharePoint Online auditing can prove to be a very useful tool for years to come.

About the Author

Michael Smith

Michael Smith is the Senior Manager of Pre-Sales Consulting at Quest Software and has been working in the IT industry with a specialized focus in SharePoint and Microsoft 365 for many years. Michael has previously served as a SharePoint architect, administrator and trainer for several major corporations. Currently, Michael oversees a team of pre-sales consultants who assist clients with their day-to-day needs in the world of Microsoft 365 and SharePoint.