Microsoft Teams audit logs provide digital records of all activities in Teams. The audit logs track team and channel changes, user actions (for example, logins and file access), and admin activities.
Why Check MS Teams Audit Logs?
- To ensure you are getting the best use out of the platform: Monitoring audit logs can help to identify any Teams that may have become unused or redundant, allowing you to remove or consolidate these Teams as required. This can help you enhance your use of the platform and ensure that you are getting the most value out of your investment in Microsoft Teams.
- Collaboration and communication improvements: Areas where collaboration and communication may be improved can be identified by regularly reviewing and monitoring the names, owners, members, channels, and content of your Microsoft Teams.
- Meet compliance and security requirements: Teams or content that may be in violation of your organization’s policies or regulations can be identified by monitoring audit logs. By pinpointing and addressing these issues, you can ensure that your use of Microsoft Teams is compliant and secure, and help to mitigate future security risks.
- To plan for future growth: Checking audit logs in Microsoft Teams can provide valuable insights into how your organization is using the platform. This can help you plan for future growth and expansion of Teams.
How to Enable Auditing for MS Teams?
Pre-requisites:
To turn on audit logging, you need to have:
- A Global Admin or Audit Logs Role in Exchange Online
- Access to Microsoft Purview portal or Exchange Online PowerShell
Setup Steps:
Audit logging can be enabled in two ways:
- Using the Microsoft Purview Portal:
  - Sign in to Microsoft Purview
  - Click the Audit solution card
  - Click the banner to start recording activity
- Using PowerShell:
  - Connect to Exchange Online PowerShell
  - Run the following command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
It can take up to an hour for the change to take effect.
To check if it’s working:
- Open Exchange Online PowerShell
- Run the following command:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
- If it shows “True”, then auditing is enabled.
How to Search or View MS Teams Audit Logs?
How to View Audit Logs
The native ways to check audit logs are Microsoft Purview and PowerShell. The steps for each are as follows:
- Purview Portal Method:
  - Log into the Microsoft Purview compliance portal
  - Find the Audit solution card
  - Use the search tool to find specific activities
  - You can use the checkbox list to zero in on exactly what you’re looking for
  - If there are too many results in your search, you could either narrow your search criteria or export everything and use an alternative tool, such as Microsoft Excel, to filter the logs.
- PowerShell Method:
  - Connect to Exchange Online PowerShell
  - Run the following command:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType MicrosoftTeams -ResultSize 5000
  - This retrieves Teams logs from the last week, and will return up to 5,000 results.
  - Note: You will need to have the “Audit Logs” or “View-Only Audit Logs” role to access these logs.
- It is important to note that auditing must be enabled to see any log data
- Note that log retention depends on your Microsoft 365 plan
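The PowerShell method above, extended as an added example (not part of the original article): it pages past the 5,000-result cap with -SessionId and -SessionCommand, then unpacks the AuditData JSON so security-relevant operations can be filtered. The function names, the $Watch list and the sample records are assumptions made for this example.

```powershell
# Added example. $Watch is a watch list chosen for illustration, not a complete set.
$Watch = 'TeamDeleted', 'ChannelDeleted', 'MemberAdded', 'MemberRoleChanged'

function Get-TeamsAuditLog {
    # Pages past the 5,000-per-call cap; one session returns at most 50,000 unsorted records.
    param([datetime]$Start = (Get-Date).AddDays(-7), [datetime]$End = (Get-Date))
    $session = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -RecordType MicrosoftTeams -ResultSize 5000 `
            -SessionId $session -SessionCommand ReturnLargeSet
        $page
    } while ($page)   # an empty page means the session is exhausted
}

function ConvertFrom-TeamsAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # The detail of each event is a JSON string in the AuditData property.
        try { $d = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Skipping unparseable AuditData: $($Record.Identity)"; return }
        [pscustomobject]@{
            TimeUtc   = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            Team      = $d.TeamName
            Channel   = $d.ChannelName
            Members   = ($d.Members.UPN -join ';')   # empty when the event has no members
            Flagged   = $d.Operation -in $Watch
        }
    }
}

# Constructed sample shaped like Search-UnifiedAuditLog output (all values invented).
$sample = @(
    [pscustomobject]@{ Identity = 'sample-1'; AuditData = '{"CreationTime":"2024-05-01T10:15:00","Operation":"MemberAdded","UserId":"admin@example.com","TeamName":"Finance","Members":[{"UPN":"guest@example.org"}]}' }
    [pscustomobject]@{ Identity = 'sample-2'; AuditData = '{"CreationTime":"2024-05-01T11:02:00","Operation":"ChannelAdded","UserId":"alice@example.com","TeamName":"Finance","ChannelName":"Q2"}' }
    [pscustomobject]@{ Identity = 'sample-3'; AuditData = 'not json' }
)
$sample | ConvertFrom-TeamsAuditRecord | Where-Object Flagged |
    Format-Table TimeUtc, User, Operation, Team, Members

# Against a live tenant (after Connect-ExchangeOnline, with an audit role assigned):
# Get-TeamsAuditLog | ConvertFrom-TeamsAuditRecord | Where-Object Flagged
```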
How to Use the Search Tool to Find what you Need in Microsoft Teams Audit Logs
Using the audit log search tool in Microsoft Purview portal is the best option for quick investigations. The following explains some examples of how to use it.
- Specific activities: Select specific actions from the checkbox list. So, for example, to find out about new channels or deleted messages, check those boxes.
- Keyword search: To search for a specific keyword, type it in the search box to find related activities.
- Date range: Narrow down your search time to return fewer results, making them easier to analyze. The default date range is set to the last week, but you can change it if required.
- Track User Activity: If, for example, you want to track the activity for one particular person, you can filter by their username.
Quick Reference for Common Searches:
Remember: You’ll only see data from the point at which auditing was switched on. If there are no results, check your audit settings.
How Long are Audit Logs Kept?
The length of time that audit logs are kept depends on your license:
- For a standard license, retention is 180 days
- For an E5 license, retention is 1 year
Microsoft recently increased the standard retention time from 90 to 180 days. E5 users get a full year for specific services.
However, it is important to note that logs only start once you turn auditing on.
Note: In most Microsoft 365 tenants, audit logging is enabled by default, and has been since 2019. Only use PowerShell to verify or re-enable it in older tenants or when auditing has been disabled.
How does Lepide Auditor Help in MS Teams Auditing?
Lepide Auditor for MS Teams overcomes the complexity of native methods by providing a straightforward way to report on data access in MS Teams. This is achieved by running the ‘All Microsoft Teams Changes’ report, which is one of the many pre-defined reports included in Lepide Auditor. An example of the report is shown below.
Lepide All Microsoft Teams Changes Report:
To create this report:
- From Lepide Auditor, Reports, expand MS Teams in the tree structure on the left-hand side of the screen
- Select All Microsoft Teams Changes
- Edit the date range if required
- Select Generate Report
- To see further details about a specific object, click on the object and the row will expand to show the details:
The report can be sorted, filtered, saved, and exported.