Auditing is increasingly critical across all sectors of a business, including the Microsoft cloud arena.
The IT department's duties have grown more complex as organizations integrate more cloud solutions, and IT teams need substantial support to spot potential security breaches such as unauthorized data access or abnormal login activity. Microsoft Purview Audit serves this need by logging activities within Microsoft cloud services, including Microsoft Entra ID (previously known as Azure Active Directory) and Exchange Online. It tracks user and administrative actions and helps identify potential threats, which in turn supports security and compliance within Microsoft 365 services.
Every Microsoft 365 subscription includes Microsoft Purview Audit by default. This security tool keeps records of numerous activities within the Microsoft 365 environment, including operations in Exchange Online and Microsoft Teams. These logs are crucial for auditing, forensics, compliance, and legal matters.
Purview Audit provides administrators with the tools necessary to trace the origins of events in their systems. This utility is crucial for identifying whether incidents are due to malicious actions, users veering from their typical responsibilities, breaches of IT user acceptance policies, or other vital situations that IT teams must clarify.
The strength of Microsoft Purview Audit lies in its ability to log a wide array of activities committed by both users and admins. It captures information such as the identity of the user who added someone to a group, the individual who inserted a new tab in a Microsoft Teams channel, responses to a Microsoft Form, assignments in Microsoft Defender, and management actions like the deletion of files or setting of password policies. This tool monitors several services like Microsoft Entra ID, eDiscovery, Exchange Online, SharePoint Online, OneDrive, Defender, Power Platform, and Teams.
Microsoft offers two versions of Purview Audit: Standard and Premium.
Microsoft Purview Audit Standard is included in Microsoft 365 tenant licenses: it applies to Microsoft 365 E3 (excluding Microsoft Teams), Office 365 E1 (excluding Microsoft Teams), and Microsoft 365 F1 (excluding Microsoft Teams) plans or higher.
Microsoft Purview Audit Premium is accessible through Microsoft 365 E5 Compliance or Microsoft 365 F5 Compliance or higher.
Both Purview Audit Standard and Purview Audit Premium capture similar data, with Premium offering additional features. These include a one-year audit log retention (not all logs are included by default), customizable audit log retention policies, approximately double the API call allowance compared to Standard, and enhanced “intelligent insights” for improved monitoring of activities in Exchange Online and SharePoint Online, as well as support in investigative processes.
Originally, Purview Audit Standard logs were retained for 90 days. However, following the Storm-0558 hacking event and customer feedback, Microsoft increased this duration to 180 days.
As a continually developing service, the features of Microsoft Purview Audit will evolve over time. There are also visibility limitations depending on the functionality or the specific version of Purview Audit. Interactions with Microsoft Copilot are recorded, for example, but the prompts themselves appear in Content Search, a component of Purview eDiscovery, rather than in the audit log.
Purview Audit is automatically activated in Microsoft 365 tenants, yet you can verify its status by executing a specific command in Exchange Online PowerShell.
A result of true confirms that Audit is active, whereas false signals that it is not. Changes to the Purview Audit setting, including enabling or disabling it, are themselves logged, so it is always possible to establish who is responsible for a modification.
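The status check described above, as an added Exchange Online PowerShell example that is not part of the original article: it reads the tenant's audit configuration, warns if unified audit log ingestion is off, and then queries the audit log for recent changes to that setting so the responsible account can be identified. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can read the audit configuration, and that a change to the setting is recorded with the cmdlet name Set-AdminAuditLogConfig as its Operation (an assumption about the record format, not something the article states).

```powershell
# Added example (not from the original article): confirm that Purview Audit is active
# and find out who last changed the setting.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds an Exchange role that can read the audit configuration.

Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Purview Audit is active (UnifiedAuditLogIngestionEnabled = True).'
} else {
    Write-Warning 'Purview Audit is NOT active; no activity records are being collected.'
    # Turning it on is itself an audited action and will be attributed to this account:
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Changes to the setting are recorded as admin cmdlet runs in the same audit log.
# Assumption: the recorded Operation is the cmdlet name, Set-AdminAuditLogConfig.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-90)

Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations Set-AdminAuditLogConfig -ResultSize 100 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            ChangedBy  = $d.UserId
            # Parameters is an array of Name/Value pairs in Exchange admin audit records
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The 90-day window is a conservative default; widen it as far as your retention allows if the change you are looking for is older.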
To understand the functionality of Purview Audit, consider a situation involving an email purportedly sent by one of your users, who denies sending it.
To examine the logs for clues, you should employ the audit log search tool accessible via the Microsoft Purview portal or the compliance portal.
Specify the date and time range (UTC) for your search. Under the Activities – friendly names section, look for Exchange mailbox activities including sent message, sent message using send-as permissions, and sent message using send-on-behalf permissions. Additionally, under Users, select the user associated with the mailbox from which the email was dispatched. Filtering by these activities helps identify instances where emails may have been sent either directly by the user or by a delegate on behalf of the user. Focusing solely on the sent message activity might cause you to overlook relevant instances. If initial searches do not yield results, consider expanding your search criteria.
Press the Search button to initiate a search job. Results take time to appear as the portal updates with the job’s status and progress. In this illustration, it took five minutes and 15 seconds for the search to complete.
Review each result by clicking through them. There is a possibility to export these results, although generating this export takes additional time. Accurate and focused initial search parameters are crucial to avoid delays and receive relevant data.
In this example scenario, identifying the correct email will show whether it was sent by the user, marked by sent message, or by another individual, indicated by send as/send on behalf. The results also include details such as the internet-facing IP address of the device used for sending the email, the UserId (username), the ClientInfoString (type of client used, such as Outlook-Android), among other data.
If the user denies sending the email, further investigation into the login records can be performed by conducting an audit log search for the same user with the User Logged In activities. These results will display the SessionID among other data, which can be matched with the SessionID from the previously analyzed sent message record.
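The investigation in the scenario above, from the three send-type activities through to the SessionID correlation with sign-in records, as an added Exchange Online PowerShell example that is not from the original article. The mailbox, date range and subject keyword are placeholders. The JSON field names used (MailboxOwnerUPN, ClientIPAddress, ClientInfoString, Item.Subject on the mailbox records; ClientIP and DeviceProperties on the sign-in records) are assumptions about the AuditData record format, and the script falls back to the DeviceProperties list for SessionId because sign-in records may carry it there rather than at the top level.

```powershell
# Added example (not from the original article): tie a disputed "sent message" to the
# sign-in session that produced it, using Search-UnifiedAuditLog.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# View-Only Audit Logs or Audit Logs role. User, dates and subject are placeholders.

Connect-ExchangeOnline -ShowBanner:$false

$User      = 'disputed.user@contoso.example'   # placeholder: owner of the sending mailbox
$StartDate = '2024-05-01 00:00z'               # UTC, as the portal search expects
$EndDate   = '2024-05-03 00:00z'
$Subject   = 'Invoice'                         # placeholder keyword for the disputed email

# Extract SessionId from either the top level or the DeviceProperties Name/Value list.
function Get-SessionId($data) {
    if ($data.SessionId) { return $data.SessionId }
    if ($data.DeviceProperties) {
        return ($data.DeviceProperties | Where-Object Name -eq 'SessionId').Value
    }
    return $null
}

# Step 1: search all three send-type mailbox operations, not only "Send",
# so a delegate sending as or on behalf of the user is not overlooked.
$sendRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -UserIds $User -Operations Send,SendAs,SendOnBehalf -ResultSize 5000

$sendEvents = foreach ($r in $sendRecords) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time             = $r.CreationDate
        Operation        = $d.Operation          # Send / SendAs / SendOnBehalf
        Actor            = $d.UserId             # who actually performed the send
        MailboxOwner     = $d.MailboxOwnerUPN    # whose mailbox it was sent from
        Subject          = $d.Item.Subject
        ClientIP         = $d.ClientIPAddress
        ClientInfoString = $d.ClientInfoString   # e.g. an Outlook-Android client string
        SessionId        = Get-SessionId $d
    }
}

$disputed = $sendEvents | Where-Object { $_.Subject -like "*$Subject*" }
$disputed | Format-Table Time, Operation, Actor, MailboxOwner, ClientIP, ClientInfoString, SessionId -AutoSize

# Step 2: fetch the user's sign-in records for the same window.
$loginRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -UserIds $User -Operations UserLoggedIn -ResultSize 5000

$logins = foreach ($r in $loginRecords) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        UserId    = $d.UserId
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        SessionId = Get-SessionId $d
    }
}

# Step 3: join on SessionId so each disputed send is linked to the sign-in that created it.
foreach ($s in $disputed) {
    $match = $logins | Where-Object { $_.SessionId -and $_.SessionId -eq $s.SessionId } | Sort-Object Time
    if ($match) {
        Write-Host "Send at $($s.Time) by $($s.Actor) ($($s.Operation)) from $($s.ClientIP) matches sign-in(s):"
        $match | Format-Table Time, ClientIP, Result -AutoSize
    } else {
        Write-Host "Send at $($s.Time) by $($s.Actor): no UserLoggedIn record shares SessionId $($s.SessionId) in this window; widen the date range."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Start with a narrow window around the disputed message and widen it only if nothing matches; the sign-in that created the session may predate the send by hours, so the login search often needs an earlier start date than the send search.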
Invest some time in fully exploring the functionality of Microsoft Purview Audit. While it is user-friendly, understanding the data types, where records are found, and how they can be correlated significantly improves search efficiency. Many scenarios can trigger the need to investigate suspicious activity in your Microsoft 365 tenant, including routine audits, the actions of a dissatisfied employee, compliance with legal evidence requests, or indications of hostile activity in the system.
Utilizing Purview Audit to search logs facilitates a comprehensive understanding of who engaged in specific actions as well as the timing and location of these activities, which are vital in compiling essential information for any investigation.
Adam Fowler is a principal solutions architect at a Microsoft partner with over 20 years of experience in IT including expertise in systems administration, cybersecurity, infrastructure, project management, and operational services. Fowler’s career includes roles as IT director and customer success account manager at Microsoft.