Microsoft Teams provides communication and collaboration tools in one place, which means that users can seamlessly switch between features and applications. Users can store documents, spreadsheets, presentation slides, and many other types of files on their SharePoint and MS Teams sites and they can share any of this content with others inside or outside of the organization in just a few clicks.
This makes working as a team from any location easy and efficient, but it also means that the potential for malicious behavior is increased so it is essential that activity is closely monitored to mitigate any risk. Data access auditing, the systematic tracking and recording of who accessed what data, when, and what actions they performed, is essential for maintaining security visibility. Additionally, compliance regulations such as GDPR, HIPAA, SOX, and PCI-DSS require data access auditing to prove that there is control over sensitive data.
Microsoft Purview Audit (formerly known as the Unified Audit Log) is a centralized auditing service that captures user and administrator activities across Microsoft 365 services and enables reporting on access events. However, its filtering capabilities are limited, often requiring users to spend significant time refining and analyzing audit data. This increases the likelihood that suspicious, unauthorized, or malicious activity may go unnoticed.
A solution to this time-consuming and complex process is to use the Lepide Auditor for Microsoft 365. With the Lepide Auditor, you are able to generate the All Modifications in Microsoft Teams Report showing you all MS Teams and SharePoint activity within a specified date range.
Here are two ways to audit data access in MS Teams and SharePoint online and they are described below.
- Native Method – Using Microsoft Purview portal
- Using Lepide Auditor
Native Auditing vs. Lepide Auditor Comparison
Using Native Method
Prerequisites
- Access to Microsoft Purview Audit with appropriate permissions (for example, Audit Logs permissions or equivalent administrative access).
- Audit logging enabled in the Microsoft 365 tenant (enabled by default for modern tenants).
- A supported Microsoft 365 license that includes audit functionality (such as Microsoft 365 E3, E5, or equivalent).
Steps
- Sign in to the Microsoft Purview portal.
- Navigate to Audit.
- Select Audit Search
- In the Activities filters, choose File and folder activities
- Specify any additional filters you need (date range, users, files, etc.). Click Search
Figure: MS Teams Event Logs - To group the events by the user who was accessing data, download the data into a .csv file and sort the data there.
- To review the path to the specific document, select the event and click on the Details section:

Figure: MS Teams Event Detail
Using Lepide Auditor
The Lepide Auditor overcomes the complexity of the native method by providing a straightforward way to report on data access in MS Teams and SharePoint Online using the All Modifications in Microsoft Teams and SharePoint Online Reports:

Figure: MS Teams All Changes Report – Lepide Auditor
To create this report:
- Click the User & Entity Behavior Analytics
icon and select All Modifications in Microsoft Teams from the Office 365 node. - Select a date range and click Generate Report
- The report can be sorted, filtered, grouped, saved, and exported
Similarly, you can run the report for SharePoint Online modifications

Figure: SharePoint Online All Changes Report – Lepide Auditor
Conclusion
Both methods enable you to track data access in MS Teams and SharePoint Online. Native auditing through the Microsoft 365 Unified Audit Log is available at no additional cost but requires more manual effort to filter, export, and analyze results. Third-party solutions like Lepide Auditor offer pre-built reports with advanced filtering and grouping capabilities, reducing the time needed for analysis but requiring additional licensing. The best choice depends on your organization’s audit frequency, compliance requirements, and available resources.
Frequently Asked Questions
By default, Microsoft 365 audit logs are retained for 90 days. Organizations with E5 licenses or the Advanced Audit add-on can retain logs for up to one year, with options to extend to 10 years.
The audit log captures file and folder activities (access, modify, delete, share), user login events, admin configuration changes, mailbox activities, and SharePoint/Teams-specific actions like site creation and permission changes.
Yes, alert policies can be configured through Microsoft Purview and related Microsoft 365 security tools to notify administrators of specific activities, such as mass file downloads or access from unusual locations.