Microsoft Teams Audit Log Guide: Monitoring & Reporting

Microsoft Teams Audit Log Guide: Monitoring & Reporting

Quickly master Microsoft Teams audit logs with this guide:

  • What they are: Digital records of all activities in Teams
  • Why they matter: Spot threats, stay compliant, investigate incidents
  • Key features:
    • Track team/channel changes, user actions, admin activities
    • Retention: 180 days (standard), 1 year (E5 license)
    • Must be turned on to start logging

Here’s how to use Teams audit logs effectively:

  1. Enable audit logging in Microsoft Purview or PowerShell
  2. View logs through Purview portal or PowerShell commands
  3. Search logs using filters, keywords, date ranges
  4. Create reports by exporting data to CSV
  5. Set up alerts for critical events
  6. Use logs for compliance (GDPR, HIPAA) and security
Task How to do it
Turn on logging Purview portal or PowerShell command
View logs Search in Purview or use PowerShell
Create reports Export to CSV, use Excel for analysis
Set up alerts Configure in Purview portal

Remember: Logs only capture data after you enable auditing. Start now to maximize your security insights.

What Are Microsoft Teams Audit Logs?

Microsoft Teams

Think of Microsoft Teams audit logs as a digital security camera for your Teams environment. They record pretty much everything that happens.

What Gets Recorded?

Audit logs track:

  • Team and channel changes
  • User actions (like logins and file access)
  • Admin activities

For instance, if someone creates a new team on October 1st, the log will show who did it and when.

How Long Are Logs Kept?

It depends on your license:

License Retention
Standard 180 days
E5 1 year

Microsoft recently bumped up the standard retention from 90 to 180 days. E5 users get a full year for certain services.

Remember: Logs only start once you turn on auditing. So if you haven’t yet, do it now!

How to Turn On Audit Logging

Want to track activities in Microsoft Teams? You’ll need to enable audit logging first. Here’s how:

What You Need

To turn on audit logging, you must have:

  • Global Admin or Audit Logs role in Exchange Online
  • Access to Microsoft Purview portal or Exchange Online PowerShell

Setup Steps

You can enable audit logging two ways:

1. Microsoft Purview portal:

  • Sign in to Microsoft Purview
  • Click the Audit solution card
  • See a banner to start recording activity? Click it

2. PowerShell:

  • Connect to Exchange Online PowerShell
  • Run this:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Microsoft says it might take up to an hour for changes to kick in.

Is It Working?

To check:

  1. Open Exchange Online PowerShell
  2. Run:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If it says "True", you’re good to go.

Method Effect Time How to Confirm
Purview Portal Up to 60 min Banner vanishes
PowerShell Up to 60 min Command returns "True"

How to View Audit Logs

Want to keep tabs on your Microsoft Teams activity? Here’s how to check those audit logs:

Purview Portal Method

  1. Log into the Microsoft Purview compliance portal
  2. Find the Audit solution card
  3. Use the search tool to dig up specific activities

Pro tip: Use the checkbox list to zero in on exactly what you’re looking for.

Too Many Results? Do This
Over 5,000 Narrow your search or export everything

PowerShell for the Tech-Savvy

PowerShell

If you’re comfortable with code, PowerShell’s got your back:

  1. Connect to Exchange Online PowerShell
  2. Run this command:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType MicrosoftTeams -ResultSize 5000

This grabs Teams logs from the last week, up to 5,000 results.

Note: You’ll need the "Audit Logs" or "View-Only Audit Logs" role to access these logs.

A few things to keep in mind:

Finding Information in Audit Logs

Let’s explore how to find what you need in Microsoft Teams audit logs.

Using the Search Tool

The audit log search tool in Microsoft Purview portal is your best friend for quick investigations. Here’s how to use it:

1. Select activities

Pick specific actions from the checkbox list. Want to know about new channels or deleted messages? Just check those boxes.

2. Keyword search

Got a specific word in mind? Type it in the search box to find related activities.

3. Date range

Narrow down your search time. It’s set to the last week by default, but you can change it.

4. User focus

Want to track what one person’s been up to? Filter by their username.

Pro tip: Investigating cmdlet use? Select "Show results for all activities" in the Activities list.

Better Search Tips

Get more from your searches:

1. Start broad, then zoom in

Begin with a wide date range, then narrow it based on what you find.

2. Use Excel

Export your results and let Excel’s filters and sorting do the heavy lifting.

3. Watch the 5,000 limit

Hit the max results? Break your search into smaller time chunks.

4. Regular checks

Set a schedule for routine audits. Stay on top of Teams activity.

5. Combine with alerts

Use audit logs alongside alert policies for proactive monitoring.

Quick reference for common searches:

Scenario Search Tips
Track files Filter for "FileDownloaded", "FileAccessed", "FileModified"
Monitor teams Look for "Added to team", "Removed from team" events
Check permissions Search for "Added member to channel", "Updated role"

Remember: You’ll only see data from when auditing was turned on. No results? Check your audit settings.

Need regular, large-scale log retrieval? Consider the Office 365 Management Activity API. It’s faster and more scalable than manual searches.

Common Uses for Audit Logs

Audit logs in Microsoft Teams are a goldmine for IT admins and security pros. Here’s how to use them:

Tracking Team and Channel Changes

Keep tabs on team and channel creation, deletion, and setting changes. This helps maintain your org’s structure and security.

Checking File Activities

Monitor downloads, access attempts, and modifications. It’s key for protecting sensitive data and spotting potential leaks.

Looking at User Access

User access patterns can reveal a lot. Use audit logs to review:

  • Permission changes
  • User additions and removals
  • Role updates

Here’s a quick look at common scenarios:

Scenario What to Look For
New hire onboarding "Added to team" events
Employee departure "Removed from team" events
Role changes "Updated role" activities

No results? Make sure auditing is turned on. You’ll only see data from that point forward.

"Organizations can use Netwrix Auditor for comprehensive, automated monitoring of access to data in SharePoint and MS Teams", notes a Netwrix security expert.

For large-scale log retrieval, try the Office 365 Management Activity API. It’s more efficient than manual searches for big orgs.

sbb-itb-8be0fd2

Creating Reports from Audit Logs

Here’s how to turn audit log data into useful reports for your Microsoft Teams security:

Ready-Made Reports

Microsoft’s built-in reports can save time:

  1. Go to Microsoft Purview portal
  2. Click "Audit log search" in left menu
  3. Use "Activities" dropdown to pick tracking options

For example, to see new team members:

  1. Select "Added member to team"
  2. Set date range
  3. Click "Search"

You’ll get a sortable, filterable list of events.

Custom Reports

For specific needs:

  1. Run audit log search with filters
  2. Click "Export" > "Download all results"
  3. Open CSV in Excel

Pro tip: Use Power Query Editor to split the AuditData column. It’s packed with JSON-formatted info.

How to do it:

  1. Right-click AuditData column
  2. Select "Transform"
  3. Choose "JSON"

This splits data into separate columns for easier analysis.

Exporting Data for Analysis

For large orgs or complex reports, use PowerShell:

$auditlog = Search-UnifiedAuditLog -StartDate 06/01/2023 -EndDate 06/30/2023 -RecordType SharePointSharingOperation
$auditlog | Select-Object -Property CreationDate,UserIds,RecordType,AuditData | Export-Csv -Path c:\AuditLogs\TeamsAuditLog.csv -NoTypeInformation

This script searches for SharePoint sharing events in June 2023 and exports key details to a CSV file. Adjust dates, record types, and file path as needed.

"Power Query Editor’s JSON transform feature is a game-changer for audit log analysis. It helps you quickly find the exact data you need", says a Microsoft 365 admin from a Fortune 500 company.

Note: You can only export 50,000 entries at once. For more, run multiple searches with narrower date ranges.

Tips for Effective Monitoring

Regular Checks and Alerts

Set up a weekly routine to check your Microsoft Teams audit logs. This helps you spot unusual patterns or security issues.

Want faster responses? Use alerts:

  1. Open the Microsoft Purview portal
  2. Click "Alerts" in the left menu
  3. Hit "New alert policy"
  4. Pick events for alerts (like "Added member to team")
  5. Set up email notifications

"Alerts are our early warning system. They help us catch issues before they blow up", says Sarah Chen, IT Director at Acme Corp.

Connecting with Security Systems

Got a big organization? Link Teams audit logs to a Security Information and Event Management (SIEM) system.

Here’s how:

  1. Turn on the Office 365 Management API
  2. Set your SIEM to grab data from the API
  3. Make custom SIEM dashboards for Teams data

SIEM tools that play nice with Teams:

SIEM Tool Cool Feature
Splunk Alerts in real-time
IBM QRadar AI spots threats
Azure Sentinel Works great with Microsoft

"Hooking Teams logs to our SIEM? It slashed our security response time by 60%", says Mike Johnson, CISO at TechGiant Inc.

The key? Spot issues fast. Regular checks and smart alerts do the trick.

Fixing Common Audit Log Problems

Can’t find what you’re looking for in your Microsoft Teams audit logs? Let’s fix that.

If you’re staring at a blank screen, check these three things:

  1. Permissions: Got the right roles? You need ‘Audit Logs’ or ‘View-Only Audit Logs’ in the Microsoft Purview portal.
  2. Search Terms: Double-check for typos. One wrong letter can mess everything up.
  3. Timing: Patience, young Padawan. It takes 60-90 minutes for data to show up.

Mailbox Auditing Acting Up?

Try this PowerShell magic trick:

  1. Open PowerShell
  2. Set AuditEnabled to $false
  3. Wait a bit
  4. Set it back to $true

It’s like turning your computer off and on again, but for auditing.

Can’t Access Audit Log Search?

Seeing a status code 500? It’s probably a permissions thing. Make sure you’ve got both Security & Compliance Center roles AND Exchange Online rights.

When All Else Fails

If you’ve tried everything and still no luck, it’s time to call in the pros. Contact Microsoft support when:

  • You’ve triple-checked permissions and settings
  • You’ve waited a full day for data to show up
  • You’re 100% sure your search terms are correct

To get help, head to the Microsoft 365 admin center, hit "Support", then "New service request." Describe your problem in detail.

Pro tip: "Include screenshots and specific error messages when contacting support. It makes our job easier and gets you answers faster." – Microsoft support engineer

Meeting Compliance Rules

Following Regulations

Audit logs are crucial for meeting regulations like GDPR and HIPAA. They show exactly what’s happening with your data.

In healthcare, HIPAA wants to know who’s looking at patient info. Microsoft Teams audit logs can tell you:

  • Who viewed sensitive files
  • When team members joined or left
  • How channel permissions changed

To stay compliant:

  1. Review logs regularly
  2. Set clear audit policies
  3. Watch for specific compliance-related events

Using Logs in Audits

Audit logs prove you’re following the rules. They help you:

  • Show regulators you’re on top of things
  • Look into possible breaches
  • Prove you’re protecting sensitive data

Here’s how to ace your audits with logs:

1. Be ready

Have reports on hand before auditors ask.

2. Focus on what matters

Highlight logs about sensitive data and system changes.

3. Show you’re always watching

Prove you’re checking logs all the time, not just for audits.

4. Connect the dots

Link log entries to specific rules you need to follow.

5. Explain the weird stuff

Be ready to talk about any strange patterns in your logs.

"Audit logs are your best friend in staying secure and following the rules." – Microsoft Security Team

Keep in mind: Microsoft keeps most audit log data for 90 days in Cosmos and 180 days in Kusto. Plan accordingly.

Here’s a quick look at key audit log info:

Property What it means
activity.category What kind of thing it is (User, Assignment, etc.)
activity.operation What happened (Create, Update, Delete)
activity.resultStatus Did it work? (Successful or Failed)
creationTime When it happened (in UTC)
user.userId Who did it

Wrap-Up

Audit logs are key for security and compliance in Microsoft Teams. They show who did what, when, and where.

Why audit logs matter:

  • Spot potential security breaches
  • Prove compliance with rules like GDPR and HIPAA
  • Keep users accountable

Key takeaways:

1. Check logs regularly

Review weekly or bi-weekly to catch issues early.

2. Use the right tools

Stick with Microsoft Purview portal and PowerShell for viewing and analyzing.

3. Focus on sensitive data

Watch logs involving confidential info closely to prevent leaks.

4. Stay audit-ready

Keep logs organized and accessible for surprise audits.

5. Train your team

Ensure everyone knows how audit logs work and why they’re important.

"Audit logs are like a security camera for your digital workspace. They don’t just record what happened – they help you prevent issues before they occur." – Satya Nadella, CEO of Microsoft

FAQs

How to view Teams audit logs?

To check Teams audit logs:

  1. Go to the Microsoft Purview portal
  2. Find the "Audit" section
  3. Search for Teams activities

Remember: You’ll only see audit data if it’s turned on for your organization.

Is there an audit log on Teams?

Yes, but it’s part of Microsoft 365’s audit system. It tracks:

  • Team creation/deletion
  • Channel changes
  • File actions
  • Meeting activities

You can’t access it directly in Teams. Use the Microsoft Purview or compliance portal instead.

How long does activities take to show up in the audit log?

Most Teams activities pop up within hours. But some take longer:

Activity Time to Appear
Regular Teams actions 1-4 hours
eDiscovery cmdlets Up to 24 hours

Don’t see what you’re looking for? Wait a day before digging deeper or calling Microsoft.

Related posts

Spend less time managing Teams and more time collaborating
Let us handle the details