How to Enable Auditing in SharePoint Online
Now that you’ve made the move to SharePoint Online (Office 365), the next challenge is to ensure that you adhere to regulations and security policies. Violating a security policy can have serious consequences for the bottom line and reputation of your organization. This article explains the steps to enable auditing in SharePoint Online natively. Bear in mind, however, that native auditing suffers from several drawbacks, which are also covered here. A better way to audit SharePoint Online using LepideAuditor is explained at the end.
Enabling auditing manually
- Launch Office 365 in a web browser and log on to open the Home page.
- Click the “Security and Compliance” tile to open the “Security and Compliance” center.
- If you have an Office 365 Global admin role and this is the first time you have opened this page, you will see a message prompting you to “Start Recording User and Admin Activities”. Click “Turn on”. Remember that it may take at least 24 hours for auditing to be enabled after you click this button.
Note: This message may not appear if auditing is already enabled.
What is the problem?
As with other Office 365 admin changes, it can take up to 24 hours to enable auditing. If you try to run the Audit log report before this time has passed, the audit data may either be wrong or not appear at all. Microsoft recommends configuring audit log trimming. The default time to store the logs is 0 days. To change this option, you have to configure it manually.
Drawbacks of Native Auditing
- There is no provision for threshold alerts. Let’s suppose you want to see only changes that have been repeated a given number of times within a given time span. You simply can’t do this natively.
- There is no ability to create a scheduled task that generates and sends fresh periodic reports (even when you are not in your office).
- The storage space available in SharePoint Online is somewhat restricted because of the limitations of different types of licenses. If auditing of every aspect of SharePoint Online is enabled, the available storage space may fill up very quickly. Because of this restriction, long-term or unlimited storage of audit logs is not available. As a workaround, users are advised to download the audit logs to their computers as files. However, storing the audit logs only in files has some drawbacks because of security issues.
- Enabling auditing of all user activities increases the load on SharePoint Online. This may affect performance and cause it to work slowly. To avoid this, Microsoft suggests disabling the auditing of some aspects, like opening or downloading documents, viewing items or seeing their properties.
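To make the first drawback concrete, the following added example (not part of the original article and not LepideAuditor code) runs a threshold check offline over an audit log that has been downloaded as a file. The column names `CreationDate`, `UserIds` and `Operations`, the timestamp format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows; the column names (CreationDate, UserIds, Operations)
# are an assumed layout for an exported audit log file.
SAMPLE_EXPORT = """CreationDate,UserIds,Operations
2024-03-01T09:00:05,alice@example.com,FileDeleted
2024-03-01T09:00:40,alice@example.com,FileDeleted
2024-03-01T09:01:10,bob@example.com,FileDeleted
2024-03-01T09:02:30,alice@example.com,FileDeleted
2024-03-01T09:03:00,alice@example.com,FileModified
2024-03-01T11:30:00,bob@example.com,FileDeleted
2024-03-01T11:45:00,bob@example.com,FileDeleted
"""

def parse_export(text):
    """Return (timestamp, user, operation) tuples sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            ts = datetime.fromisoformat(rec["CreationDate"].strip())
        except (KeyError, ValueError, AttributeError):
            continue  # skip rows with a missing or malformed timestamp
        rows.append((ts, (rec.get("UserIds") or "").strip().lower(),
                     (rec.get("Operations") or "").strip()))
    return sorted(rows)

def threshold_alerts(rows, threshold, window):
    """Flag (user, operation) pairs seen >= threshold times within window."""
    recent = defaultdict(deque)  # (user, operation) -> timestamps in window
    alerts = []
    for ts, user, op in rows:
        q = recent[(user, op)]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "operation": op, "count": len(q),
                           "first": q[0], "last": ts})
            q.clear()  # start a fresh count so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for a in threshold_alerts(parse_export(SAMPLE_EXPORT), 3, timedelta(minutes=5)):
        print(f"{a['user']}: {a['operation']} x{a['count']} "
              f"between {a['first']} and {a['last']}")
```

Because it works on a downloaded file, this check only sees activity up to the time of the export and cannot alert in real time.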
What’s the solution?
LepideAuditor for SharePoint Online auditing has 36 predefined audit reports that give you the ability to see every change in the SharePoint Online environment and the depth to create a long audit trail. It’s simple to install and configure. Our solution offers long-term storage of audit logs in your SQL Server database, and these logs can be archived to another database automatically or manually. You also have the option to view and import logs from the archived database. You can filter, sort, group by and apply other auditing functions to these reports.
You can create real-time alerts with advanced filtration and threshold limits that LepideAuditor delivers as an email, as an update to the LiveFeed on the console’s Radar tab and as a push notification to Apple and Android devices. You can create a scheduled task to generate and deliver audit reports through email or save them in shared locations.
The screenshot below shows a “Document Created” report.