sbradley
Contributing Writer

How to enable audit logs in Microsoft Office 365

How-To
Jan 16, 2019 | 3 mins
Security, Small and Medium Business, Windows

Audit logging of Office 365 mail reads makes forensics investigations of attacks much easier. Here's how to make sure it's enabled.


Ensuring that audit logs are enabled for Microsoft Office 365 lets you determine exactly how, why and when an attack happened, and possibly who did what, when you conduct a forensic investigation (and when you answer the questions management will inevitably ask). Starting February 1, Microsoft will add auditing to track mail reads by default. This has long been a key request from forensic investigators to assist in mail investigations.

Before that, of course, you need to review your current auditing settings. You can do this via PowerShell or go to the Security and Compliance Center, then go to “Search & Investigation,” select “Audit log search” and then review your settings.


Review your settings for audit logging

Click on “Learn more about search and investigations.” If you find that auditing is not enabled, enable it as soon as possible. Once you have enabled the auditing, it takes a few hours before it’s active.


Activate audit logging

If you are interested in learning more about auditing, there are several resources, including an online ebook Office 365 for IT pros and various documents on the Microsoft site. Remember, you can set up alerts for activity in this area as well.

You’ll also want to enable mailbox auditing. You’ll need to enable this with PowerShell as noted in the Microsoft documentation. I recommend that once you log in with PowerShell, you enable logging on all mailboxes in your organization.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
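As an added example (not the article's own code), the following PowerShell script does the checks described above in one pass: it verifies that the organization-wide audit log is on, reports and fixes user mailboxes that still have auditing disabled, lists accounts that bypass mailbox auditing, and runs a test search. It assumes an existing Exchange Online PowerShell session opened with an account that has rights to change audit settings.

```powershell
# Added example, not from the article. Assumes you are already connected to
# Exchange Online PowerShell (e.g. via Connect-ExchangeOnline) with an account
# that holds the Organization Management / Audit Logs role.

# 1. Organization-wide (unified) audit log: check, and enable if it is off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF; enabling it (takes a few hours to become active)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit log ingestion is already enabled."
}

# 2. Mailbox auditing: report user mailboxes with AuditEnabled = false,
#    then enable it on each of them (same effect as the one-liner above).
$mailboxes  = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" }
$notAudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })
Write-Host ("{0} of {1} user mailboxes have mailbox auditing disabled" -f $notAudited.Count, $mailboxes.Count)
$notAudited | Set-Mailbox -AuditEnabled $true

# 3. Audit bypass: an account with AuditBypassEnabled set leaves no mailbox
#    audit records for what it does, so an investigator needs to know which ones exist.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. Smoke test: pull the last 24 hours of Exchange mailbox-item records from the
#    unified log. This stays empty until ingestion has caught up after enabling.
$end   = Get-Date
$start = $end.AddDays(-1)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeItem -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Run it once to fix the settings and again after a few hours to confirm that step 4 returns records.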

Logging is too important a tool not to have enabled from the start. Too many times I see admins and consultants asking if they can determine what happened to an email, and unless auditing is enabled ahead of time, you can’t answer that question.

Admins must have rights assigned to review audit logs. You can assign permissions to view the audit logs in the Exchange Admin Center. Additional resources regarding Office 365 audit logs can be found both in the Understanding Office 365 logging YouTube video and in the SANS whitepaper on logging.

As you can tell, this is just the tip of the iceberg; fully implementing auditing and understanding what it records takes much more time and effort. I urge you to take the time to review your settings and enable them now, before an incident, rather than regret that you didn’t set them up.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
