Quickly master Microsoft Teams audit logs with this guide:
- What they are: Digital records of all activities in Teams
- Why they matter: Spot threats, stay compliant, investigate incidents
- Key features:
  - Track team/channel changes, user actions, admin activities
  - Retention: 180 days (standard), 1 year (E5 license)
  - Must be turned on to start logging
Here’s how to use Teams audit logs effectively:
- Enable audit logging in Microsoft Purview or PowerShell
- View logs through Purview portal or PowerShell commands
- Search logs using filters, keywords, date ranges
- Create reports by exporting data to CSV
- Set up alerts for critical events
- Use logs for compliance (GDPR, HIPAA) and security
Task | How to do it |
---|---|
Turn on logging | Purview portal or PowerShell command |
View logs | Search in Purview or use PowerShell |
Create reports | Export to CSV, use Excel for analysis |
Set up alerts | Configure in Purview portal |
Remember: Logs only capture data after you enable auditing. Start now to maximize your security insights.
What Are Microsoft Teams Audit Logs?
Think of Microsoft Teams audit logs as a digital security camera for your Teams environment. They record pretty much everything that happens.
What Gets Recorded?
Audit logs track:
- Team and channel changes
- User actions (like logins and file access)
- Admin activities
For instance, if someone creates a new team on October 1st, the log will show who did it and when.
How Long Are Logs Kept?
It depends on your license:
License | Retention |
---|---|
Standard | 180 days |
E5 | 1 year |
Microsoft recently bumped up the standard retention from 90 to 180 days. E5 users get a full year for certain services.
Remember: Logs only start once you turn on auditing. So if you haven’t yet, do it now!
How to Turn On Audit Logging
Want to track activities in Microsoft Teams? You’ll need to enable audit logging first. Here’s how:
What You Need
To turn on audit logging, you must have:
- Global Admin or Audit Logs role in Exchange Online
- Access to Microsoft Purview portal or Exchange Online PowerShell
Setup Steps
You can enable audit logging two ways:
1. Microsoft Purview portal:
   - Sign in to Microsoft Purview
   - Click the Audit solution card
   - See a banner to start recording activity? Click it
2. PowerShell:
   - Connect to Exchange Online PowerShell
   - Run this:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Microsoft says it might take up to an hour for changes to kick in.
Is It Working?
To check:
- Open Exchange Online PowerShell
- Run:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
If it says "True", you’re good to go.
Method | Effect Time | How to Confirm |
---|---|---|
Purview Portal | Up to 60 min | Banner vanishes |
PowerShell | Up to 60 min | Command returns "True" |
How to View Audit Logs
Want to keep tabs on your Microsoft Teams activity? Here’s how to check those audit logs:
Purview Portal Method
- Log into the Microsoft Purview compliance portal
- Find the Audit solution card
- Use the search tool to dig up specific activities
Pro tip: Use the checkbox list to zero in on exactly what you’re looking for.
Too Many Results? | Do This |
---|---|
Over 5,000 | Narrow your search or export everything |
PowerShell for the Tech-Savvy
If you’re comfortable with code, PowerShell’s got your back:
- Connect to Exchange Online PowerShell
- Run this command:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType MicrosoftTeams -ResultSize 5000
This grabs Teams logs from the last week, up to 5,000 results.
Note: You’ll need the "Audit Logs" or "View-Only Audit Logs" role to access these logs.
A few things to keep in mind:
- Auditing must be on to see any data
- Log retention depends on your Microsoft 365 plan
- For big, regular log pulls, look into the Office 365 Management Activity API
Finding Information in Audit Logs
Let’s explore how to find what you need in Microsoft Teams audit logs.
Using the Search Tool
The audit log search tool in Microsoft Purview portal is your best friend for quick investigations. Here’s how to use it:
1. Select activities
Pick specific actions from the checkbox list. Want to know about new channels or deleted messages? Just check those boxes.
2. Keyword search
Got a specific word in mind? Type it in the search box to find related activities.
3. Date range
Narrow down your search time. It’s set to the last week by default, but you can change it.
4. User focus
Want to track what one person’s been up to? Filter by their username.
Pro tip: Investigating cmdlet use? Select "Show results for all activities" in the Activities list.
Better Search Tips
Get more from your searches:
1. Start broad, then zoom in
Begin with a wide date range, then narrow it based on what you find.
2. Use Excel
Export your results and let Excel’s filters and sorting do the heavy lifting.
3. Watch the 5,000 limit
Hit the max results? Break your search into smaller time chunks.
4. Regular checks
Set a schedule for routine audits. Stay on top of Teams activity.
5. Combine with alerts
Use audit logs alongside alert policies for proactive monitoring.
Quick reference for common searches:
Scenario | Search Tips |
---|---|
Track files | Filter for "FileDownloaded", "FileAccessed", "FileModified" |
Monitor teams | Look for "Added to team", "Removed from team" events |
Check permissions | Search for "Added member to channel", "Updated role" |
Remember: You’ll only see data from when auditing was turned on. No results? Check your audit settings.
Need regular, large-scale log retrieval? Consider the Office 365 Management Activity API. It’s faster and more scalable than manual searches.
Common Uses for Audit Logs
Audit logs in Microsoft Teams are a goldmine for IT admins and security pros. Here’s how to use them:
Tracking Team and Channel Changes
Keep tabs on team and channel creation, deletion, and setting changes. This helps maintain your org’s structure and security.
Checking File Activities
Monitor downloads, access attempts, and modifications. It’s key for protecting sensitive data and spotting potential leaks.
Looking at User Access
User access patterns can reveal a lot. Use audit logs to review:
- Permission changes
- User additions and removals
- Role updates
Here’s a quick look at common scenarios:
Scenario | What to Look For |
---|---|
New hire onboarding | "Added to team" events |
Employee departure | "Removed from team" events |
Role changes | "Updated role" activities |
No results? Make sure auditing is turned on. You’ll only see data from that point forward.
"Organizations can use Netwrix Auditor for comprehensive, automated monitoring of access to data in SharePoint and MS Teams", notes a Netwrix security expert.
For large-scale log retrieval, try the Office 365 Management Activity API. It’s more efficient than manual searches for big orgs.
Creating Reports from Audit Logs
Here’s how to turn audit log data into useful reports for your Microsoft Teams security:
Ready-Made Reports
Microsoft’s built-in reports can save time:
- Go to Microsoft Purview portal
- Click "Audit log search" in left menu
- Use "Activities" dropdown to pick tracking options
For example, to see new team members:
- Select "Added member to team"
- Set date range
- Click "Search"
You’ll get a sortable, filterable list of events.
Custom Reports
For specific needs:
- Run audit log search with filters
- Click "Export" > "Download all results"
- Open CSV in Excel
Pro tip: Use Power Query Editor to split the AuditData column. It’s packed with JSON-formatted info.
How to do it:
- Right-click AuditData column
- Select "Transform"
- Choose "JSON"
This splits data into separate columns for easier analysis.
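The same AuditData expansion can be done in PowerShell instead of Power Query. This is an added example, not code from the original guide; the sample rows are constructed, and the field names (Operation, UserId, TeamName, Members, UPN) and the MemberAdded/MemberRemoved operation values are assumptions about the Teams record layout that you should check against one of your own exported records.

```powershell
# Constructed sample rows. Import-Csv on the exported file yields objects
# with the same AuditData column, so the function below works on both.
$rows = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-10-01T09:12:00","Operation":"TeamCreated","UserId":"alice@contoso.example","TeamName":"Finance"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-10-01T09:15:00","Operation":"MemberAdded","UserId":"alice@contoso.example","TeamName":"Finance","Members":[{"UPN":"bob@contoso.example"},{"UPN":"carol_partner.example#EXT#@contoso.example"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-10-02T17:40:00","Operation":"MemberRemoved","UserId":"dave@contoso.example","TeamName":"Finance","Members":[{"UPN":"bob@contoso.example"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-10-03T08:00:00","Operation":"Memb' }  # truncated on purpose
)

function Expand-TeamsAuditData {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # A damaged export row should not abort the whole report
        try   { $d = $Row.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Skipping row with unparsable AuditData"; return }

        # Team and channel events carry no Members array; still emit one row for them
        $members = if ($d.Members) { @($d.Members) } else { @($null) }
        foreach ($m in $members) {
            [pscustomobject]@{
                TimeUtc   = $d.CreationTime
                Operation = $d.Operation
                Actor     = $d.UserId
                Team      = $d.TeamName
                Member    = $m.UPN
                # Guest accounts carry #EXT# in their UPN
                IsGuest   = [bool]($m.UPN -like '*#EXT#*')
            }
        }
    }
}

$flat = $rows | Expand-TeamsAuditData

# One row per event and affected member, ready for sorting or Export-Csv
$flat | Format-Table -AutoSize

# Review item: guest accounts added to a team, and who added them
$flat | Where-Object { $_.Operation -eq 'MemberAdded' -and $_.IsGuest } |
    Select-Object TimeUtc, Actor, Team, Member
```

To run it on a real export, replace `$rows` with `Import-Csv` pointed at the downloaded file.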
Exporting Data for Analysis
For large orgs or complex reports, use PowerShell:
$auditlog = Search-UnifiedAuditLog -StartDate 06/01/2023 -EndDate 06/30/2023 -RecordType SharePointSharingOperation
$auditlog | Select-Object -Property CreationDate,UserIds,RecordType,AuditData | Export-Csv -Path c:\AuditLogs\TeamsAuditLog.csv -NoTypeInformation
This script searches for SharePoint sharing events in June 2023 and exports key details to a CSV file. Adjust dates, record types, and file path as needed.
"Power Query Editor’s JSON transform feature is a game-changer for audit log analysis. It helps you quickly find the exact data you need", says a Microsoft 365 admin from a Fortune 500 company.
Note: You can only export 50,000 entries at once. For more, run multiple searches with narrower date ranges.
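One way to script the "narrower date ranges" advice, as an added example rather than code from the original guide: it walks the range in fixed windows and pages each window with `-SessionId` and `-SessionCommand ReturnLargeSet`. It assumes an Exchange Online PowerShell session is already connected; the function name, the `-WindowHours` parameter and the output path are hypothetical.

```powershell
# Added example (not from the original guide). Requires a connected
# Exchange Online PowerShell session. Names below are hypothetical.
function Get-TeamsAuditWindowed {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [int] $WindowHours = 24      # shrink this for busy tenants
    )
    $cursor = $StartDate
    while ($cursor -lt $EndDate) {
        $windowEnd = $cursor.AddHours($WindowHours)
        if ($windowEnd -gt $EndDate) { $windowEnd = $EndDate }

        # A fresh session per window; repeating the call with the same
        # SessionId returns the next page of up to 5,000 records.
        $search = @{
            StartDate      = $cursor
            EndDate        = $windowEnd
            RecordType     = 'MicrosoftTeams'
            SessionId      = "teams-{0:yyyyMMddHHmm}-{1}" -f $cursor, [guid]::NewGuid()
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        $fetched = 0
        do {
            $page = @(Search-UnifiedAuditLog @search)
            $page                    # stream this page to the pipeline
            $fetched += $page.Count
        } while ($page.Count -gt 0)

        # Reaching the per-search cap means this window is probably incomplete
        if ($fetched -ge 50000) {
            Write-Warning "Window starting $cursor returned $fetched records; rerun it with a smaller -WindowHours."
        }
        $cursor = $windowEnd
    }
}

# Records on a window boundary may be returned twice, so de-duplicate on Identity
Get-TeamsAuditWindowed -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Sort-Object Identity -Unique |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\TeamsAudit-30d.csv -NoTypeInformation
```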
Tips for Effective Monitoring
Regular Checks and Alerts
Set up a weekly routine to check your Microsoft Teams audit logs. This helps you spot unusual patterns or security issues.
Want faster responses? Use alerts:
- Open the Microsoft Purview portal
- Click "Alerts" in the left menu
- Hit "New alert policy"
- Pick events for alerts (like "Added member to team")
- Set up email notifications
"Alerts are our early warning system. They help us catch issues before they blow up", says Sarah Chen, IT Director at Acme Corp.
Connecting with Security Systems
Got a big organization? Link Teams audit logs to a Security Information and Event Management (SIEM) system.
Here’s how:
- Turn on the Office 365 Management API
- Set your SIEM to grab data from the API
- Make custom SIEM dashboards for Teams data
SIEM tools that play nice with Teams:
SIEM Tool | Cool Feature |
---|---|
Splunk | Alerts in real-time |
IBM QRadar | AI spots threats |
Azure Sentinel | Works great with Microsoft |
"Hooking Teams logs to our SIEM? It slashed our security response time by 60%", says Mike Johnson, CISO at TechGiant Inc.
The key? Spot issues fast. Regular checks and smart alerts do the trick.
Fixing Common Audit Log Problems
Can’t find what you’re looking for in your Microsoft Teams audit logs? Let’s fix that.
No Results in Audit Log Search
If you’re staring at a blank screen, check these three things:
- Permissions: Got the right roles? You need ‘Audit Logs’ or ‘View-Only Audit Logs’ in the Microsoft Purview portal.
- Search Terms: Double-check for typos. One wrong letter can mess everything up.
- Timing: Patience, young Padawan. It takes 60-90 minutes for data to show up.
Mailbox Auditing Acting Up?
Try this PowerShell magic trick:
- Open PowerShell
- Set AuditEnabled to $false
- Wait a bit
- Set it back to $true
It’s like turning your computer off and on again, but for auditing.
Can’t Access Audit Log Search?
Seeing a status code 500? It’s probably a permissions thing. Make sure you’ve got both Security & Compliance Center roles AND Exchange Online rights.
When All Else Fails
If you’ve tried everything and still no luck, it’s time to call in the pros. Contact Microsoft support when:
- You’ve triple-checked permissions and settings
- You’ve waited a full day for data to show up
- You’re 100% sure your search terms are correct
To get help, head to the Microsoft 365 admin center, hit "Support", then "New service request." Describe your problem in detail.
Pro tip: "Include screenshots and specific error messages when contacting support. It makes our job easier and gets you answers faster." – Microsoft support engineer
Meeting Compliance Rules
Following Regulations
Audit logs are crucial for meeting regulations like GDPR and HIPAA. They show exactly what’s happening with your data.
In healthcare, HIPAA wants to know who’s looking at patient info. Microsoft Teams audit logs can tell you:
- Who viewed sensitive files
- When team members joined or left
- How channel permissions changed
To stay compliant:
- Review logs regularly
- Set clear audit policies
- Watch for specific compliance-related events
Using Logs in Audits
Audit logs prove you’re following the rules. They help you:
- Show regulators you’re on top of things
- Look into possible breaches
- Prove you’re protecting sensitive data
Here’s how to ace your audits with logs:
1. Be ready
Have reports on hand before auditors ask.
2. Focus on what matters
Highlight logs about sensitive data and system changes.
3. Show you’re always watching
Prove you’re checking logs all the time, not just for audits.
4. Connect the dots
Link log entries to specific rules you need to follow.
5. Explain the weird stuff
Be ready to talk about any strange patterns in your logs.
"Audit logs are your best friend in staying secure and following the rules." – Microsoft Security Team
Keep in mind: Microsoft keeps most audit log data for 90 days in Cosmos and 180 days in Kusto. Plan accordingly.
Here’s a quick look at key audit log info:
Property | What it means |
---|---|
activity.category | What kind of thing it is (User, Assignment, etc.) |
activity.operation | What happened (Create, Update, Delete) |
activity.resultStatus | Did it work? (Successful or Failed) |
creationTime | When it happened (in UTC) |
user.userId | Who did it |
Wrap-Up
Audit logs are key for security and compliance in Microsoft Teams. They show who did what, when, and where.
Why audit logs matter:
- Spot potential security breaches
- Prove compliance with rules like GDPR and HIPAA
- Keep users accountable
Key takeaways:
1. Check logs regularly
Review weekly or bi-weekly to catch issues early.
2. Use the right tools
Stick with Microsoft Purview portal and PowerShell for viewing and analyzing.
3. Focus on sensitive data
Watch logs involving confidential info closely to prevent leaks.
4. Stay audit-ready
Keep logs organized and accessible for surprise audits.
5. Train your team
Ensure everyone knows how audit logs work and why they’re important.
"Audit logs are like a security camera for your digital workspace. They don’t just record what happened – they help you prevent issues before they occur." – Satya Nadella, CEO of Microsoft
FAQs
How to view Teams audit logs?
To check Teams audit logs:
- Go to the Microsoft Purview portal
- Find the "Audit" section
- Search for Teams activities
Remember: You’ll only see audit data if it’s turned on for your organization.
Is there an audit log on Teams?
Yes, but it’s part of Microsoft 365’s audit system. It tracks:
- Team creation/deletion
- Channel changes
- File actions
- Meeting activities
You can’t access it directly in Teams. Use the Microsoft Purview or compliance portal instead.
How long do activities take to show up in the audit log?
Most Teams activities pop up within hours. But some take longer:
Activity | Time to Appear |
---|---|
Regular Teams actions | 1-4 hours |
eDiscovery cmdlets | Up to 24 hours |
Don’t see what you’re looking for? Wait a day before digging deeper or calling Microsoft.