Run an audit log search
Go to
https://protection.office.com.
Tip
Use a private browsing session (not a regular session) to access the Security & Compliance Center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.
Sign in using your work or school account.
In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
The Audit log search page is displayed.
Configure criteria and then click Search to run report
Note
You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
Configure the following search criteria:
Activities: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities displays results for all activities performed by the selected user or group of users.
Over 100 user and admin activities are logged in the audit log. Click the Audited activities tab at the topic of this article to see the descriptions of every activity in each of the different services.
Start date and End date: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
Tip
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
File, folder, or site: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces.
Leave this box blank to return entries for all files and folders in your organization.
Tip
If you're looking for all activities related to a site, add the wildcard symbol (*) after the URL to return all entries for that site; for example, "
https://contoso-my.sharepoint.com/personal*".
If you're looking for all activities related to a file, add the wildcard symbol (*) before the file name to return all entries for that file; for example, "*Customer_Profitability_Sample.csv".
Click Search to run the search using your search criteria.
The search results are loaded, and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed. A maximum of 5,000 events will be displayed in the Results pane in increments of 150 events. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.
