Once you’ve made the move to SharePoint Online (Office 365), the next step is to ensure that you adhere to regulations and security policies. Violating a security policy can have serious consequences for the bottom line and reputation of your organization.
This guide explains the steps to enable auditing in SharePoint Online natively. Native auditing does have several drawbacks, however, and an easier, more straightforward way to audit changes is to use the Lepide SharePoint Online Auditor, which is explained at the end of this article.
Steps to Enable SharePoint Online Auditing
Please follow the steps given below:
- In the Microsoft Purview compliance portal at https://compliance.microsoft.com, go to Solutions, Audit.
- Select the Start recording user and admin activity banner. It may take up to 60 minutes for the change to take effect.
Note: If auditing isn’t turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
How to View or Check SharePoint Online audit logs
SharePoint Online no longer has a dedicated audit log search. If you want to search for SharePoint related events, you will need to use the unified audit log.
The unified audit log lets you check activities by users and admins in your organization. To limit the search to SharePoint events, select only SharePoint-related actions from the Activities drop-down menu, for example File and page activities and Site administration activities.
Once auditing is enabled, it takes some time (30 min to 24 hours!) to collect data and prepare reports. You can perform an Office 365 security audit or SharePoint audit log search by doing the following from the Microsoft Purview compliance portal:
- Click on Audit from the left navigation.
- In the search panel, you can apply search criteria such as:
  - Start date and End date: Select a date and time range to display the events that occurred within that period. The maximum date range that you can specify is 90 days.
  - Activities: Click the drop-down list to display the activities that you can choose from. User and admin activities are organized into groups of related activities. You can choose specific activities, or you can click the activity group name to select all activities within the group.
  - Users: Select one or more users to display search results or leave this box blank to return entries for all users (and service accounts) in your organization.
  - File, folder, or site: Type part or an entire file or folder name to search for related activity. You can also specify the URL of a file or folder. Alternatively, leave this box blank to return entries for all files and folders in your organization.
- Once you have specified all your search criteria, click Search to search the audit logs.
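The same search can be scripted in Exchange Online PowerShell with the Search-UnifiedAuditLog cmdlet. The following is an added example, not part of the original guide; the admin account name, the seven-day window, the output path and the choice of file deletion operations are assumptions.

```powershell
# Added example: scripted unified audit log search for SharePoint file deletions.
# Assumes the ExchangeOnlineManagement module is installed and the account
# holds an audit log role. The UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# A search only returns data if unified audit log ingestion is turned on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit logging is disabled; enable it before searching.'
}

$end   = Get-Date
$query = @{
    StartDate      = $end.AddDays(-7)             # assumed window
    EndDate        = $end
    RecordType     = 'SharePointFileOperation'    # SharePoint file events only
    Operations     = 'FileDeleted', 'FileDeletedFirstStageRecycleBin',
                     'FileDeletedSecondStageRecycleBin'
    SessionId      = "spo-audit-$(Get-Date -Format 'yyyyMMddHHmmss')"
    SessionCommand = 'ReturnLargeSet'
    ResultSize     = 5000                         # maximum per call
}

# Reusing the same SessionId returns the next page; stop on an empty page.
$records = @()
do {
    $page = Search-UnifiedAuditLog @query
    $records += $page
} while ($page)

# AuditData is a JSON string; pull out the fields needed for review.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}
$events | Sort-Object Time | Export-Csv -Path .\spo-deletions.csv -NoTypeInformation

# Per-user totals make an unusually large run of deletions stand out.
$events | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```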
Activities available in the SharePoint Online Audit Logs
There are many activities you can search for in SharePoint Online. These include:
- File and page activities
- Sharing and access request activities
- Site administration activities
- Directory administration activities
- Power BI activities
- Microsoft Teams Healthcare activities
- Power Automate activities
- Synchronization activities
- SharePoint list activities
- Site permissions activities
Please refer to the official Microsoft documentation for a complete list of audited activities in SharePoint Online.
How to see Usage Reports in SharePoint Online
SharePoint Online allows you to analyze the usage of the SharePoint Online site. SharePoint user usage reports will deliver data similar to Google Analytics but at a higher level of detail.
- From the Microsoft 365 admin center, go to Reports, Usage.
- From the Usage page, click on SharePoint.
SharePoint usage analytics contains reports including:
- Unique viewers
- Site visits
- Avg time spent per user
- Popular content in last 7 days
- Site pages
- News posts
- Documents
- Usage insights
- By device
- By time
- Shared with external users
How to see SharePoint Data Shared with External Users
SharePoint usage analytics includes reports that can help you monitor content on your SharePoint site that is shared with external users. You can check the permissions and access rights using these analytics or generate additional reports that save this information to a CSV file.
To view SharePoint data shared with external users:
- From the Usage Analytics screen, select the Choose columns option (right hand side of the screen). This displays a list of column options.
- Select the Columns you want to see data for. In this example, choose Files shared externally.
How to see Logs for Deleted Data in SharePoint Online
Administrators need to be able to see where data has been deleted, because deleting data in SharePoint Online is quite easy and users may remove more data than they intended to.
To see logs for deleted data:
- From the Usage Analytics screen, as before, select the Choose columns option (right hand side of the screen).
- From the list of columns, select the Deleted option to see data which has been deleted.
- Click Save. The report will now be displayed showing Files deleted.
How Lepide SharePoint Online Auditor Helps
The native method for producing a SharePoint Online sharing report may seem like a simple one, but the time it will take you to create it is significant.
A more straightforward way is to use the Lepide Auditor for SharePoint. Here you can run SharePoint Online Reports to give you visibility over what is happening with your SharePoint Online.
To enable SharePoint Online auditing using the Lepide Auditor:
Enabling auditing in the Lepide SharePoint Auditor is a straightforward process through the SharePoint Online Properties option.
Instructions on how to generate a Client ID and Secret Key are given by clicking the ‘?’ icon.
There are a large number of predefined audit reports available within the Lepide Auditor that give you the ability to see every change in the SharePoint Online environment and have the depth to create a long audit trail.
You can create real-time alerts with advanced filters and threshold limits that the Lepide Solution will send as an email, as an update to the Live Feed and as a push notification to Apple and Android devices.
Audit reports can be scheduled and delivered by email, or they can be saved in shared locations.
One of the many reports available within the Lepide Data Security Platform for SharePoint Online is the Document Created Report and an example of this report is shown below:
The report is run as follows:
- Select Lepide Auditor, Reports
- From here, expand SharePoint Online
- Select Document Created
- Select Generate Report
The report is generated and can be filtered, sorted and exported to CSV and PDF format.