How can I store (and Access) All user activity logs for All users in my environment?

Question

I currently administer over 200 users within Azure AD. All users have access to the full suite of MS 365 applications. My question is... What is the best way to store ALL user activity information, for 1 year, to be quarried at will?

For example, user Jon Murphy works every day and uses email, SharePoint, OneDrive, and other Microsoft tools.

I would like to know...

• who he sent emails to?
• what was accessed SharePoint?
• was anything uploaded to SharePoint or OneDrive?
• were files downloaded?
• was something deleted from OneDrive?
• sign in logs

I know most of this information comes in the forms of logs. How would I Save all this information?

please be as detailed as possible.

Thank you

Answer 1

Most of these can be found as part of the Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search?view=o365-worldwide

You can browse or export the Unified Audit log following the instructions above. If you want to automate the export to external system, you can leverage the Management activities API: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference?toc=%2Fmicrosoft-365%2Fcompliance%2Ftoc.json&bc=%2Fmicrosoft-365%2Fbreadcrumb%2Ftoc.json&view=o365-worldwide

If you are using Sentinel, there's a built-in workbook you can leverage: https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/office-365