How can I store (and access) all user activity logs for all users in my environment?

Charlie G 81 Reputation points
2023-04-27T03:21:21.6133333+00:00

I currently administer over 200 users within Azure AD. All users have access to the full suite of MS 365 applications. My question is... What is the best way to store ALL user activity information, for 1 year, to be queried at will?

For example, user Jon Murphy works every day and uses email, SharePoint, OneDrive, and other Microsoft tools.

I would like to know...

  • who he sent emails to?
  • what was accessed in SharePoint?
  • was anything uploaded to SharePoint or OneDrive?
  • were files downloaded?
  • was something deleted from OneDrive?
  • sign in logs

I know most of this information comes in the form of logs. How would I save all this information?

Please be as detailed as possible.

Thank you

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft 365 and Office | SharePoint | For business | Windows
Exchange | Other

1 answer

  1. Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
    2023-04-27T04:52:26.78+00:00

    Most of these can be found as part of the Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide

    You can browse or export the Unified Audit log following the instructions above. If you want to automate the export to an external system, you can leverage the Management activities API: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference?toc=%2Fmicrosoft-365%2Fcompliance%2Ftoc.json&bc=%2Fmicrosoft-365%2Fbreadcrumb%2Ftoc.json&view=o365-worldwide

    If you are using Sentinel, there's a built-in workbook you can leverage: https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/office-365

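Once records have been exported from the Unified audit log, a short script can sort one user's events into the categories listed in the question. This is an added example, not part of the answer above and not Microsoft code; the sample records and addresses are constructed, and the `QUESTIONS` mapping and `user_activity` function are hypothetical names covering only a few common `Operation` values.

```python
import json
from collections import defaultdict
from datetime import datetime

# Assumption: illustrative mapping from audit-log Operation values to the
# questions asked above; it is not an exhaustive list of operations.
QUESTIONS = {
    "emails_sent": {"Send", "SendAs", "SendOnBehalf"},
    "files_accessed": {"FileAccessed"},
    "files_uploaded": {"FileUploaded"},
    "files_downloaded": {"FileDownloaded"},
    "files_deleted": {"FileDeleted", "FileRecycled"},
    "sign_ins": {"UserLoggedIn", "UserLoginFailed"},
}

# Constructed sample records using common audit schema field names.
SAMPLE = json.loads("""[
 {"CreationTime":"2023-04-26T09:15:02","Operation":"FileDownloaded","Workload":"OneDrive","UserId":"jon.murphy@contoso.example","ObjectId":"https://contoso-my.sharepoint.example/plan.xlsx"},
 {"CreationTime":"2023-04-26T08:01:44","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"jon.murphy@contoso.example"},
 {"CreationTime":"2023-04-26T07:59:00","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"jon.murphy@contoso.example"},
 {"CreationTime":"2023-04-26T10:30:00","Operation":"FileUploaded","Workload":"SharePoint","UserId":"jon.murphy@contoso.example","ObjectId":"https://contoso.sharepoint.example/sites/hr/q2.docx"},
 {"CreationTime":"2023-04-26T11:05:10","Operation":"Send","Workload":"Exchange","UserId":"jon.murphy@contoso.example"},
 {"CreationTime":"2023-04-26T11:20:00","Operation":"FileDeleted","Workload":"OneDrive","UserId":"someone.else@contoso.example","ObjectId":"https://contoso-my.sharepoint.example/old.txt"},
 {"CreationTime":"2023-04-26T12:00:00","Operation":"FileDeleted","Workload":"OneDrive","UserId":"jon.murphy@contoso.example","ObjectId":"https://contoso-my.sharepoint.example/draft.docx"},
 {"CreationTime":"2023-04-26T12:30:00","Operation":"PageViewed","Workload":"SharePoint","UserId":"jon.murphy@contoso.example","ObjectId":"https://contoso.sharepoint.example/sites/hr"}
]""")

def user_activity(records, user_id):
    """Group one user's audit records by question, oldest event first."""
    op_to_question = {op: q for q, ops in QUESTIONS.items() for op in ops}
    report = defaultdict(list)
    for rec in records:
        if rec.get("UserId", "").lower() != user_id.lower():
            continue  # record belongs to a different user
        question = op_to_question.get(rec.get("Operation"))
        if question is None:
            continue  # operation not covered by the mapping above
        when = datetime.fromisoformat(rec["CreationTime"])
        report[question].append(
            (when, rec["Operation"], rec.get("Workload", ""), rec.get("ObjectId", "")))
    return {q: sorted(events) for q, events in report.items()}

if __name__ == "__main__":
    for question, events in user_activity(SAMPLE, "jon.murphy@contoso.example").items():
        print(question, [(e[0].isoformat(), e[1], e[3]) for e in events])
```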
