M365 Unified Audit Log: Why You Should Always Have Audit Logging Turned On For Your Tenant


October 25, 2022

In 2022, the average cost of a data breach in the US is $9.44 million. IBM says that for 83% of companies, the question is not if a data breach will happen, but when.

Luckily for businesses using Microsoft 365, you have access to built-in auditing and documentation for your entire cloud ecosystem, so that you can spot security breaches and hacking attempts early, before they do serious damage.

Known as the Unified Audit Log, this feature is turned on by default for all tenants inside Microsoft 365. However, most businesses aren’t even aware this feature exists and have no idea how to make sense of the data it provides!

Let’s go over everything you need to know about the Microsoft 365 Unified Audit Log, so that your business has access to detailed change history and audit trails for your entire cloud-based data ecosystem.

M365 Unified Audit Log: How Does It Work?

Microsoft offers a huge number of options and settings to fine-tune your tenant configurations across services ranging from SharePoint Online to Microsoft Teams to Azure Active Directory. That translates to thousands of operations spread across hundreds of different admin portals throughout M365.

M365 Unified Audit Log provides a centralized source of truth that satisfies information requests across all these different services. Think of it as a one-stop solution for determining who made changes to your tenant configurations and when.

By default, Unified Audit Log is turned on for all your tenant configurations. However, Microsoft says that you should still verify that it’s on for the tenant you’re currently working in. Unified Audit Log also produces a massive amount of technical data about your admin configurations and user accounts that’s difficult to make sense of on its own, even for security engineers. Here’s just a small slice of what you can find in the log:

  • incidents of file deletion or file access
  • activities concerning the handling of sensitive data
  • reports on user sign-in behaviors
  • records of administrative changes to tenant configurations
  • file downloads or extractions to external devices

Without a proper technique for working your way through all this data and making sense of it, you could easily spend days, if not months, searching before you find the source of a security breach.

The Current Solution for Using the M365 Unified Audit Log

After you manually switch on the Unified Audit Log for all your M365 tenants that don’t already have it on, you can take advantage of the built-in advanced search functionality to slowly make your way through the documentation it provides. 

Audit log search lets you filter your audit trails and change history according to various criteria, such as activities, users, and more. You can also set up alert policies to issue notifications each time someone makes a change to a specific configuration, although these notifications can be numerous and quickly get out of hand. Audit retention policies allow you to retain your change history for specific configurations beyond the 90-day retention period imposed by Microsoft. 

Apart from these functions, Microsoft audit log search also lets you export your audit trail as a CSV file or query it using the Office 365 Management Activity API. You can also search the Unified Audit Log using PowerShell through the ExchangeOnlineManagement module. 
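The two operational steps this section describes, verifying that audit log ingestion is on and pulling records out with the ExchangeOnlineManagement module, look like this in practice. The script below is an added example written for this article, not code from the original post or from Simeon Cloud; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs role (or a compliance/global admin role), and that the output path `.\ual-last7days.csv` is acceptable. The operation names used in the filter (`FileDeleted`, `FileDownloaded`, `UserLoggedIn`) correspond to the file-access and sign-in events listed above.

```powershell
# Added example (not from the original post): check that Unified Audit Log ingestion
# is enabled for the current tenant, enable it if not, then pull a week of high-value
# events into a CSV for triage. Assumes: Install-Module ExchangeOnlineManagement has
# been run and the account has the Audit Logs role.

Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

# 1. Verify the tenant actually has audit log ingestion switched on (Microsoft's
#    "on by default" still deserves a check, per the article).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF for this tenant - enabling it now."
    # If Set-AdminAuditLogConfig errors on a fresh tenant, run
    # Enable-OrganizationCustomization first, then retry.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Events can take a while to start appearing after enabling, so an empty
    # search immediately afterwards is expected, not a failure.
}

# 2. Pull the last 7 days of file-deletion, file-download and sign-in events.
#    Search-UnifiedAuditLog returns at most 5000 records per call, so page
#    through a session until it stops returning rows.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$ops       = 'FileDeleted', 'FileDownloaded', 'UserLoggedIn'
$sessionId = 'ual-export-' + [guid]::NewGuid().ToString()
$results   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $results += $page }
} while ($page -and $page.Count -gt 0)

# 3. The interesting detail lives in the AuditData JSON blob; flatten the fields
#    an analyst actually filters on into plain columns and export them.
$rows = $results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time         = $_.CreationDate
        User         = $_.UserIds
        Operation    = $_.Operations
        Workload     = $d.Workload
        ClientIP     = $d.ClientIP
        Object       = $d.ObjectId
        ResultStatus = $d.ResultStatus
    }
}
$rows | Export-Csv -Path '.\ual-last7days.csv' -NoTypeInformation

# 4. Quick triage view: which accounts deleted or downloaded the most files this week?
$rows |
    Where-Object { $_.Operation -in 'FileDeleted', 'FileDownloaded' } |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth keeping in mind when running this: `ReturnLargeSet` returns records unsorted and in pages, so the loop must keep the same `-SessionId` until an empty page comes back, and the 90-day retention mentioned above means a search window that reaches further back than that simply returns nothing rather than an error, which is easy to mistake for "no activity".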

Automatically Manage the M365 Unified Audit Log With Simeon

Simeon Cloud is a premium end-to-end configuration management solution for enterprise organizations and managed service providers running Microsoft 365. It uses configuration-as-code technology to automate the setup and maintenance of Microsoft 365 services like Office 365, Intune, and Azure AD. 

With Simeon, you can easily verify the status of the audit log feature for every tenant you currently manage. You can make sure that the Unified Audit Log is working for a particular tenant, and if not, you can switch it on directly through Simeon. 

Moreover, Simeon enhances and improves the cumbersome audit log provided by Microsoft by breaking it down into daily reports that update you on changes made to the default configurations of all your tenants. It offers a single-pane-of-glass view for implementing, reviewing, and managing changes to your multi-tenant ecosystem in Microsoft 365. 

From the Sync tab in the Simeon dashboard, you can access a searchable inventory of all the changes made to your tenant configurations. Here, you can review deviations from your baseline configuration and choose to approve, reject, or roll back configuration changes to your organization’s tenants.

Simeon Cloud improves upon the existing documentation provided by Microsoft by making it more digestible and search-friendly, while also letting you roll back changes with a single click from within the same UI. That way, you can rest assured that your organization has access to detailed documentation on all your tenants in case of a security breach, as well as the ability to revert those tenants to a known good state should a disaster occur.

Interested in learning more about how Simeon Cloud can help you manage and configure multiple tenants across Microsoft 365? Sign up for a free demo to see for yourself!