Forum Discussion
Solved
Office365 Audit Log Information
Hi all, So, I was pulled into a session with counsel and a foresics persion today to discuss some stuff. I came away windering if there was an easy way to "show me every time that <user> logged in t...
download the log and take a look in the AuditData column, it has all kinds of extra data that does not show in the browser view.
Take a look at https://support.office.com/en-us/article/Detailed-properties-in-the-Office-365-audit-log-ce004100-9e7f-443e-942b-9b04098fcfc3 and https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#ID0EABAAA=Search_the_audit_log
Hi Vasil,
Yes - I am currently using the Office365 Security & Compliance portal (Search & Investigation --> Audit Log Search).
I am only trying to gain insight at the moment - trying to see when a user logged in and accessed and Office365 services, and from where, on what device... the most interesting information would be to see when the user logged in from a non-company issued device, like a personal tablet or home computer.
I didn't realize that I could look at AAD information form the Classic Azure portal as well... I just logged in there and it looks like I can't view any user activity from before today... right now specifically... which is strange...
I am not looking to impose any restrictions though...
Thanks!
The reports were first available only as part of the Azure protal, they made it to the SCC later on (well some of them). I'm not sure why you are not able to see past events though, perhaps the Azure AD Premium requirements is in play...
Here's the documentation just in case: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports#user-specific-reports