This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Manage and Analyze Audit Logs and Reports” section:
- Plan for auditing and reporting
- Perform audit log search
- Review and interpret compliance reports and dashboards
- Configure audit alert policy
Plan for Auditing and Reporting
With a service as rich with functionality as Microsoft 365, it’s extremely important that we can audit and report on all actions taken within the environment. To make this easy, Microsoft have made available an extremely powerful auditing and reporting toolset, giving admins visibility into actions taken throughout the environment.
We can use the Audit log search functionality to produce granular logging of these actions as well as create alerts to notify us when particular actions are taken. This allows us to ensure the Microsoft 365 service is being used appropriately, that admin actions are reviewed and also provides insight into how our protection mechanisms are performing.
In this post we will look at how we can use the audit logs, dashboards and alerts to ensure we can stay compliant, protected and informed across the tenancy.
Perform Audit Log Search
The audit log search tool can be found in both the Microsoft 365 Security Center and the Microsoft 365 Compliance Center. In both locations, it can be accessed by opening the “Audit” section.
In the Audit tool, we can specify the activities we want to search for, the users we want to query and specify specific files, folders or sites that we want to include. We can also configure date ranges to narrow the result set size.
For instance, if we needed to find out who accessed a file named “Sensitive Data.docx” in the past month, we could run a query like the below:
Here we can see the list of results for our query and can select any item in the results to see some extremely detailed information about the entry.
The audit search will also allow you to audit admin activities, in the below search we are looking at events where an admin created a service principal in Azure AD.
For Audit logs, when we need to retain data for longer than the retention policies specified here, we can create a retention policy from the “Audit Retention Policies”. From here we can create and target a new retention policy for specific users and record types with custom duration.
Review and Interpret Compliance Reports and Dashboards
Compliance Reports give us insight into the performance of the different tools in the environment. To access the compliance reports, open up the Compliance Portal and select the “Reports” section. Here we can view a list of preconfigured dashboards showing us a lot of information.
For any of these dashboards we can select them to see more in depth details of each of the sections outlined.
Configure Audit Alert Policy
We have already looked at alert policies in a previous post. For more details check that post out here:
Study Guide Series: Exam MS-500 – Configure and Analyze Security Reporting (Part 2) – Sean McAvinue
Summary
In this post we have looked at how we can use the Audit log functionality in Microsoft 365 to run some very powerful searches across multiple apps and tasks. Allowing us to stay compliance and alerting when something out of the ordinary occurs. For more information on the topics in this post, check out the below links:
Advanced Audit in Microsoft 365 – Microsoft 365 Compliance | Microsoft Docs
Study Guide Series: Exam MS-500 – Configure and Analyze Security Reporting (Part 2) – Sean McAvinue
Alert policies in the security and compliance centers – Microsoft 365 Compliance | Microsoft Docs
Sean McAvinue 
Pingback: Study Guide Series – Exam MS-500: Microsoft 365 Security Administration – Sean McAvinue