Audit Log Search
Search and analyze the unified audit log for Microsoft 365. Track user and admin activities across Exchange, SharePoint, Azure AD, Teams, and other services for security investigations and compliance reporting.
Note: Default retention is 90 days. With E5 or Compliance Add-on, extend to 1 year. Advanced Audit (E5) provides 10-year retention and high-value audit events.
Search Interface
Date Range
Select a start and end date/time; the range can extend back as far as the retention limit. For compliance investigations, narrow the timeframe to reduce the result set.
Activities
Filter by specific activity types. Browse by workload (Exchange, SharePoint, Azure AD) or search for specific events.
Users
Filter to specific users who performed actions. Useful for investigating individual user behavior or compromised accounts.
File, Folder, or Site
For SharePoint/OneDrive, filter by specific file path or site URL.
Common Activity Types
Azure AD / Entra ID
- User sign-in (success, failure, blocked by Conditional Access)
- Password changes and resets
- MFA registration and removal
- Group membership changes
- Admin role assignments
- Application consent grants
- Conditional Access policy changes
Exchange Online
- Mailbox login (OWA, Outlook, mobile)
- Email sent and received
- Inbox rules created/modified
- Delegate permissions changed
- Message deleted (hard/soft delete)
- Mail forwarding configured
- Mailbox folder permissions
SharePoint / OneDrive
- File accessed, downloaded, uploaded
- File shared (internal/external)
- File deleted or restored
- Sharing link created
- Site permissions changed
- Sensitivity label applied
Microsoft Teams
- Team created/deleted
- Channel created/deleted
- Member added/removed
- Meeting started/ended
- Guest access granted
- App installed in team
Security and Compliance
- DLP policy matched
- eDiscovery search run
- Retention policy applied
- Sensitivity label created/modified
- Alert triggered
Search Results
| Column | Description |
|---|---|
| Date | When the activity occurred (UTC) |
| User | Who performed the action |
| Activity | Type of action (e.g., FileAccessed) |
| Item | Object affected (file, mailbox, user) |
| Workload | Service (Exchange, SharePoint, AzureAD) |
| IP Address | Client IP address |
Investigation Scenarios
Compromised Account Investigation
Search for suspicious activity:
- Unusual sign-in locations or times
- Inbox rules creating forwards to external addresses
- Mass file downloads or sharing
- MFA method changes
- Password resets followed by sign-ins from new location
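The two checks below are an added example, not part of the original page: they run over rows exported from the audit log (Export to JSON, or the objects returned by Search-UnifiedAuditLog), where each row carries the event detail as a JSON string in AuditData. The first check surfaces inbox rules or mailbox forwards whose destination is outside the tenant's domains; the second pairs a "Reset user password." event with a later sign-in from an IP the account had never used before the reset. The sample rows are constructed, and the assumption that the reset event's ObjectId holds the target account's UPN is marked in the code.

```python
"""Compromised-account triage over exported unified audit log rows.
Each Export-to-JSON row carries the event detail as a JSON string in
AuditData; the rows used below are constructed for illustration."""
import json
from datetime import datetime, timedelta

# Inbox-rule and mailbox parameters that send mail to another address.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse(rows):
    """Decode AuditData and return events in chronological order."""
    events = []
    for row in rows:
        e = json.loads(row["AuditData"])
        e["CreationTime"] = datetime.fromisoformat(e["CreationTime"].rstrip("Z"))
        events.append(e)
    return sorted(events, key=lambda e: e["CreationTime"])


def _domain(address):
    address = address.split(":", 1)[-1]   # Set-Mailbox values look like "smtp:user@host"
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def external_forwards(events, internal_domains):
    """(user, operation, parameter, target, client IP) for every forward or
    redirect whose destination is outside internal_domains."""
    hits = []
    for e in events:
        if e.get("Operation") not in FORWARD_OPS:
            continue
        for p in e.get("Parameters", []):
            if p.get("Name") not in FORWARD_PARAMS:
                continue
            for target in str(p.get("Value", "")).split(";"):
                target = target.strip()
                if target and _domain(target) not in internal_domains:
                    hits.append((e["UserId"], e["Operation"], p["Name"],
                                 target, e.get("ClientIP")))
    return hits


def reset_then_new_location(events, window=timedelta(hours=24)):
    """Password reset followed within `window` by a sign-in from an IP the
    account had never used before the reset. Assumption: the reset event's
    ObjectId holds the target account's UPN (as in the constructed sample)."""
    hits = []
    seen_ips = {}   # user -> IPs observed in earlier sign-ins
    reset_at = {}   # user -> time of the latest password reset
    for e in events:
        op = e.get("Operation")
        if op == "Reset user password.":
            reset_at[e["ObjectId"].lower()] = e["CreationTime"]
        elif op == "UserLoggedIn":
            user = e["UserId"].lower()
            ip = e.get("ClientIP")
            known = seen_ips.setdefault(user, set())
            t = reset_at.get(user)
            if t is not None and e["CreationTime"] - t <= window and ip not in known:
                hits.append((user, ip, e["CreationTime"].isoformat()))
            known.add(ip)
    return hits


def _row(**fields):
    return {"AuditData": json.dumps(fields)}   # mimic one exported row


SAMPLE_ROWS = [   # constructed; addresses and IPs are documentation ranges
    _row(CreationTime="2024-05-02T08:10:00", Operation="UserLoggedIn", Workload="AzureActiveDirectory",
         UserId="alice@contoso.example", ClientIP="203.0.113.10"),
    _row(CreationTime="2024-05-02T09:00:00", Operation="Reset user password.", Workload="AzureActiveDirectory",
         UserId="helpdesk@contoso.example", ObjectId="alice@contoso.example"),
    _row(CreationTime="2024-05-02T09:20:00", Operation="UserLoggedIn", Workload="AzureActiveDirectory",
         UserId="alice@contoso.example", ClientIP="198.51.100.77"),
    _row(CreationTime="2024-05-02T09:25:00", Operation="New-InboxRule", Workload="Exchange",
         UserId="alice@contoso.example", ClientIP="198.51.100.77",
         Parameters=[{"Name": "Name", "Value": "."},
                     {"Name": "ForwardTo", "Value": "drop@mail.example"},
                     {"Name": "DeleteMessage", "Value": "True"}]),
    _row(CreationTime="2024-05-02T09:30:00", Operation="Set-InboxRule", Workload="Exchange",
         UserId="bob@contoso.example", ClientIP="203.0.113.11",
         Parameters=[{"Name": "RedirectTo", "Value": "carol@contoso.example"}]),
]

if __name__ == "__main__":
    events = parse(SAMPLE_ROWS)
    for hit in external_forwards(events, {"contoso.example"}):
        print("external forward:", hit)
    for hit in reset_then_new_location(events):
        print("reset then new IP:", hit)
```

The Set-InboxRule redirect to an internal colleague is deliberately left unflagged; the noise in real data comes from legitimate internal redirects, so the internal-domain set should include every accepted domain of the tenant.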
Data Exfiltration
Look for data leaving the organization:
- FileDownloaded events with large volumes
- Anonymous sharing links created
- External user invitations
- Email forwarding rules
- DLP policy matches
Admin Activity Review
Audit privileged actions:
- Role assignments and removals
- Policy changes (CA, DLP, retention)
- User deletions or modifications
- Application consent grants
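As an added example (not code from the original page), the following rebuilds a timeline of privileged-role changes and lists application consent grants from exported audit rows. The layout of the constructed sample, in particular the ModifiedProperties entries with Name/NewValue/OldValue and the property names Role.DisplayName and ConsentContext.IsAdminConsent, is an assumption for illustration; a grant of a privileged role by an actor outside an approved list (for instance the PIM service account) is flagged for review.

```python
"""Admin activity review over exported unified audit log rows: timeline of
role-membership changes and application consent grants. The sample rows
and their ModifiedProperties layout are constructed for illustration."""
import json
from datetime import datetime

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "SharePoint Administrator",
                    "Security Administrator"}
ROLE_OPS = {"Add member to role.": "added", "Remove member from role.": "removed"}


def parse(rows):
    events = [json.loads(r["AuditData"]) for r in rows]
    for e in events:
        e["CreationTime"] = datetime.fromisoformat(e["CreationTime"].rstrip("Z"))
    return sorted(events, key=lambda e: e["CreationTime"])


def _prop(event, name):
    """NewValue of a ModifiedProperties entry (assumed layout), unquoted."""
    for p in event.get("ModifiedProperties", []):
        if p.get("Name") == name:
            return str(p.get("NewValue", "")).strip('"')
    return ""


def role_changes(events, approved_actors=frozenset()):
    """(time, actor, action, role, target, flagged) per membership change;
    flagged when a privileged role is granted by an actor not in approved_actors."""
    out = []
    for e in events:
        action = ROLE_OPS.get(e.get("Operation"))
        if not action:
            continue
        role = _prop(e, "Role.DisplayName")
        actor = e.get("UserId", "")
        flagged = (action == "added" and role in PRIVILEGED_ROLES
                   and actor.lower() not in approved_actors)
        out.append((e["CreationTime"].isoformat(), actor, action, role,
                    e.get("ObjectId"), flagged))
    return out


def consent_grants(events):
    """(time, consenting user, application, admin-consent flag) per consent event."""
    return [(e["CreationTime"].isoformat(), e.get("UserId"), e.get("ObjectId"),
             _prop(e, "ConsentContext.IsAdminConsent"))
            for e in events if e.get("Operation") == "Consent to application."]


SAMPLE_ROWS = [{"AuditData": json.dumps(e)} for e in [   # constructed
    {"CreationTime": "2024-06-01T10:00:00", "Operation": "Add member to role.",
     "Workload": "AzureActiveDirectory", "UserId": "pim@contoso.example",
     "ObjectId": "alice@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Exchange Administrator\"", "OldValue": ""}]},
    {"CreationTime": "2024-06-01T22:15:00", "Operation": "Add member to role.",
     "Workload": "AzureActiveDirectory", "UserId": "bob@contoso.example",
     "ObjectId": "svc-backup@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\"", "OldValue": ""}]},
    {"CreationTime": "2024-06-02T09:00:00", "Operation": "Remove member from role.",
     "Workload": "AzureActiveDirectory", "UserId": "pim@contoso.example",
     "ObjectId": "alice@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Exchange Administrator\"", "OldValue": ""}]},
    {"CreationTime": "2024-06-02T11:30:00", "Operation": "Consent to application.",
     "Workload": "AzureActiveDirectory", "UserId": "carol@contoso.example",
     "ObjectId": "Mail Sync Helper",
     "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "False", "OldValue": ""}]},
]]

if __name__ == "__main__":
    events = parse(SAMPLE_ROWS)
    for change in role_changes(events, approved_actors={"pim@contoso.example"}):
        print(("REVIEW " if change[-1] else "       ") + str(change[:-1]))
    for grant in consent_grants(events):
        print("consent:", grant)
```

Time-boxed activations through PIM show up as an add followed by a remove from the same actor; a standing grant with no matching removal, or one made by an individual admin account, is the pattern this review is meant to bring to the top.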
Departing Employee
Review activity before departure:
- Files accessed in final weeks
- Large downloads or external shares
- USB device connections (if tracked)
- Email to personal accounts
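The following added example (not the page's own code) serves both the Data Exfiltration and Departing Employee scenarios above. Over exported audit rows it flags bulk downloads (a configurable number of FileDownloaded events by one user inside a sliding window), anonymous links and shares or invitations whose target is outside the tenant's domains, and builds a per-user activity profile since a given date for a departure review. The sample rows are constructed, and the field names TargetUserOrGroupName, TargetUserOrGroupType and SiteUrl are taken as present in the SharePoint events of the sample.

```python
"""Exfiltration and departing-employee review over exported unified audit
log rows (AuditData JSON per row). Sample rows are constructed."""
import json
from collections import Counter, deque
from datetime import datetime, timedelta


def parse(rows):
    events = []
    for row in rows:
        e = json.loads(row["AuditData"])
        e["CreationTime"] = datetime.fromisoformat(e["CreationTime"].rstrip("Z"))
        events.append(e)
    return sorted(events, key=lambda e: e["CreationTime"])


def download_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Per user, the first moment at which `threshold` FileDownloaded events
    fall inside a sliding `window`: (user, count, window start, window end)."""
    recent, flagged, hits = {}, set(), []
    for e in events:
        if e.get("Operation") != "FileDownloaded":
            continue
        user = e["UserId"]
        q = recent.setdefault(user, deque())
        q.append(e["CreationTime"])
        while q and e["CreationTime"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged.add(user)
            hits.append((user, len(q), q[0].isoformat(), e["CreationTime"].isoformat()))
    return hits


def external_sharing(events, internal_domains):
    """Anonymous links plus shares and invitations whose target is outside the tenant."""
    hits = []
    for e in events:
        op = e.get("Operation")
        if op == "AnonymousLinkCreated":
            hits.append((e["UserId"], op, e.get("ObjectId"), "anyone-with-link"))
        elif op in ("SharingSet", "SharingInvitationCreated"):
            target = e.get("TargetUserOrGroupName", "")   # assumed field name
            domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
            if domain and domain not in internal_domains:
                hits.append((e["UserId"], op, e.get("ObjectId"), target))
    return hits


def departure_summary(events, user, since):
    """Counts per operation and distinct sites touched by `user` since `since`."""
    ops, sites = Counter(), set()
    for e in events:
        if e.get("UserId") != user or e["CreationTime"] < since:
            continue
        ops[e["Operation"]] += 1
        if e.get("SiteUrl"):
            sites.add(e["SiteUrl"])
    return {"operations": dict(ops), "sites": sorted(sites)}


def _row(**fields):
    return {"AuditData": json.dumps(fields)}


_base = datetime(2024, 5, 20, 14, 0)
SAMPLE_ROWS = [   # constructed: 60 downloads by alice in five minutes
    _row(CreationTime=(_base + timedelta(seconds=5 * i)).isoformat(), Operation="FileDownloaded",
         Workload="OneDrive", UserId="alice@contoso.example",
         SiteUrl="https://contoso.example/personal/alice",
         ObjectId=f"https://contoso.example/personal/alice/Documents/report{i}.docx")
    for i in range(60)
] + [
    _row(CreationTime="2024-05-20T14:30:00", Operation="AnonymousLinkCreated", Workload="SharePoint",
         UserId="alice@contoso.example", SiteUrl="https://contoso.example/sites/finance",
         ObjectId="https://contoso.example/sites/finance/Shared Documents/q2.xlsx"),
    _row(CreationTime="2024-05-20T14:31:00", Operation="SharingSet", Workload="SharePoint",
         UserId="alice@contoso.example", SiteUrl="https://contoso.example/sites/finance",
         ObjectId="https://contoso.example/sites/finance/Shared Documents/q2.xlsx",
         TargetUserOrGroupName="someone@personal-mail.example", TargetUserOrGroupType="Guest"),
    _row(CreationTime="2024-05-20T15:00:00", Operation="SharingSet", Workload="SharePoint",
         UserId="bob@contoso.example", SiteUrl="https://contoso.example/sites/finance",
         ObjectId="https://contoso.example/sites/finance/Shared Documents/q2.xlsx",
         TargetUserOrGroupName="carol@contoso.example", TargetUserOrGroupType="Member"),
    _row(CreationTime="2024-05-20T15:05:00", Operation="FileDownloaded", Workload="SharePoint",
         UserId="bob@contoso.example", SiteUrl="https://contoso.example/sites/finance",
         ObjectId="https://contoso.example/sites/finance/Shared Documents/q2.xlsx"),
]

if __name__ == "__main__":
    events = parse(SAMPLE_ROWS)
    print("bursts:", download_bursts(events))
    print("external:", external_sharing(events, {"contoso.example"}))
    print("alice:", departure_summary(events, "alice@contoso.example", datetime(2024, 5, 1)))
```

The burst threshold and window are the tuning knobs: sync clients produce legitimate download storms, so a practical baseline is the user's own history over the retention period rather than a single global number.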
Export and Analysis
- Export to CSV — Download results for Excel analysis
- Export to JSON — For programmatic processing
- Stream to SIEM — Send to Sentinel, Splunk, etc. via API
- PowerShell — Use Search-UnifiedAuditLog for scripted searches
API Reference
- GET /api/compliance/audit-logs/search — Search audit logs with filters
- GET /api/compliance/audit-logs/:id — Get detailed audit record
- POST /api/compliance/audit-logs/export — Export search results
- GET /api/compliance/audit-logs/activities — List available activity types
Office 365 Management API
- POST /api/v1.0/{tenant}/activity/feed/subscriptions/start
- GET /api/v1.0/{tenant}/activity/feed/subscriptions/content
The Management Activity API provides real-time streaming of audit events for SIEM integration. Requires separate subscription setup.