How to Enable SharePoint Online Auditing & View Audit Logs

6 min read | Updated On - February 20, 2024

Once you’ve made the move to SharePoint Online (Office 365), the next step is to ensure that you adhere to regulations and security policies. Violating a security policy can have serious consequences for the bottom line and reputation of your organization.

This guide explains the steps to enable auditing in SharePoint Online natively. However, native auditing has several drawbacks. An easier, more straightforward way to audit changes is to use the Lepide SharePoint Online Auditor, which is explained at the end of this article.

Steps to Enable SharePoint Online Auditing

Follow the steps below:

  1. In the Microsoft Purview compliance portal at https://compliance.microsoft.com, go to Solutions, Audit.
  2. Note: If auditing isn’t turned on for your organization, a banner is displayed prompting you to start recording user and admin activity:

  3. Select the Start recording user and admin activity banner. It may take up to 60 minutes for the change to take effect.

How to View or Check SharePoint Online audit logs

SharePoint Online no longer has a dedicated audit log search. If you want to search for SharePoint related events, you will need to use the unified audit log.

The unified audit log lets you check activities by users and admins in your organization. To limit the search to SharePoint events, select only SharePoint-related actions from the Activities drop-down menu, for example File and page activities and Site administration activities.

Once auditing is enabled, it takes some time (30 min to 24 hours!) to collect data and prepare reports. You can perform an Office 365 security audit or SharePoint audit log search by doing the following (from the Microsoft Purview compliance portal):

  1. Click on Audit from the left navigation
  2. In the search panel, you can apply search criteria such as:
    • Start date and End date: Select a date and time range to display the events that occurred within that period. The maximum date range that you can specify is 90 days.
    • Activities: Click the drop-down list to display the activities that you can choose from. User and admin activities are organized into groups of related activities. You can choose specific activities, or you can click the activity group name to select all activities within the group.
    • Users: Select one or more users to display search results or leave this box blank to return entries for all users (and service accounts) in your organization.
    • File, folder, or site: Type part or an entire file or folder name to search for related activity. You can also specify the URL of a file or folder. Alternatively, leave this box blank to return entries for all files and folders in your organization.
  3. Once you have specified all your search criteria, click Search to search the audit logs.
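
The same search can be run from Exchange Online PowerShell with `Search-UnifiedAuditLog`, whose parameters map onto the portal criteria above. This is an added example, not part of the original article; the account, user, site URL and output path are placeholders, and the deletion operations are used only as a sample activity filter.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# permitted to search the audit log. Account, user and URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Confirm that auditing is recording before trusting an empty result.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit logging is off. Start recording first (an admin can run: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true).'
}

# Portal search criteria expressed as cmdlet parameters.
$pageSize = 5000
$search = @{
    StartDate      = (Get-Date).AddDays(-7)          # Start date
    EndDate        = Get-Date                        # End date
    RecordType     = 'SharePointFileOperation'       # record type for file and page activities
    Operations     = 'FileDeleted', 'FileDeletedFirstStageRecycleBin'   # Activities
    UserIds        = 'user@contoso.example'          # Users (remove to return all users)
    ObjectIds      = 'https://contoso.sharepoint.com/sites/finance'     # File, folder, or site URL
    SessionId      = "spo-audit-$(Get-Date -Format 'yyyyMMddHHmmss')"  # ties the pages together
    SessionCommand = 'ReturnLargeSet'                # allow paging past one result page
    ResultSize     = $pageSize
}

# Re-run the same session until a page comes back empty.
$records = @()
do {
    $page = @(Search-UnifiedAuditLog @search)
    $records += $page
} while ($page.Count -gt 0)

# Each record carries its detail as a JSON string in AuditData.
$events = $records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, SiteUrl, SourceFileName, ClientIP |
    Sort-Object CreationTime

$events | Export-Csv -Path .\spo-audit.csv -NoTypeInformation
"Exported $($events.Count) SharePoint audit events"

Disconnect-ExchangeOnline -Confirm:$false
```

The `CreationTime` values inside `AuditData` are in UTC, so convert them before comparing against local-time incident timelines.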

Activities available in the SharePoint Online Audit Logs

There are many activities you can search for in SharePoint Online. These include:

  • File and page activities
  • Sharing and access request activities
  • Site administration activities
  • Directory administration activities
  • Power BI activities
  • Microsoft Teams Healthcare activities
  • Power Automate activities
  • Synchronization activities
  • SharePoint list activities
  • Site permissions activities

Please refer to the official Microsoft documentation for a complete list of audited activities in SharePoint Online.

How to see Usage Reports in SharePoint Online

SharePoint Online allows you to analyze the usage of the SharePoint Online site. SharePoint user usage reports will deliver data similar to Google Analytics but on a higher level of detail.

  • From the Microsoft 365 admin center, go to Reports, Usage
  • From the Usage page, click on SharePoint

SharePoint usage analytics contains reports including:

  • Unique viewers
  • Site visits
  • Avg time spent per user
  • Popular content in last 7 days
  • Site pages
  • News posts
  • Documents
  • Usage insights
  • By device
  • By time
  • Shared with external users

How to see SharePoint Data Shared with External Users

SharePoint usage analytics includes reports that can help you monitor content on your SharePoint site that is shared with external users. You can check the permissions and access rights using these analytics or generate additional reports that save this information to a CSV file.

To view SharePoint data shared with external users:

  • From the Usage Analytics screen, select the Choose columns option (right hand side of the screen). This displays a list of column options.
  • Select the Columns you want to see data for. In this example, choose Files shared externally.

How to see Logs for Deleted Data in SharePoint Online

Administrators need to be able to see where data has been deleted, because deleting data in SharePoint Online is quite easy and users may remove more data than they intended to.

To see logs for deleted data:

  • From the Usage Analytics screen, as before, select the Choose columns option (right hand side of the screen):
  • From the list of columns, select the Deleted option to see data which has been deleted.
  • Click Save. The report will now be displayed showing Files deleted

How Lepide SharePoint Online Auditor Helps

Enabling auditing in Lepide SharePoint Online Auditor is a straightforward process through the SharePoint Online Properties option.

Instructions on how to generate a Client ID and Secret Key are given by clicking the ‘Question Mark’ icon.

There are a large number of predefined audit reports available within the Lepide SharePoint Online Auditor that give you the ability to see every change in the SharePoint Online environment and the depth to create a long audit trail. It’s simple to install and configure. The Lepide Solution offers long-term storage of audit logs in your SQL Server database, and these logs can be archived to another database automatically or manually. You also have the option to view and import logs from the archived database. You can filter, sort, group by and apply other auditing functions to these reports.

You can create real-time alerts with advanced filtration and threshold limits that the Lepide Solution delivers as an email, as an update to the LiveFeed on the console’s Radar tab and as a push notification to Apple and Android devices. You can create a scheduled task to generate and deliver audit reports through email or save them in shared locations.

Here is an example of the Document Created Report from the Lepide SharePoint Online Auditor
