Absence of Evidence is not Evidence of Absence

Microsoft has changed the way they manage auditing over time. One way they’ve changed is by adding more depth and texture to the audit data, including support for auditing actions (including file open and data changes) in Visio documents and Planner plans. Another way they’ve changed is by changing the underlying licenses required before you can see certain types of auditing data. For example, you’ll only see Planner audit data for users who have the Microsoft Purview audit (premium) license. In general, the sad truth is that the things you are most likely to want to audit all require this premium license. For example, the Send, MailItemsAccessed, and SearchQueryInitiated audit events for Exchange Online are only generated for users who have this license. The only way to ensure that you have complete audit coverage is to pay for E5 licenses for your users: a Microsoft 365 E5 license, an Office 365 E5 license, the Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit add-on licenses.

It’s tempting to think of audit data as being available in real-time, but that’s not how it works. In reality, audit data entries are mostly generated by individual servers that take action, and then they are collected and aggregated by a number of back-end services running inside Microsoft 365. Microsoft explicitly doesn’t guarantee any particular timeframe for audit data arrival. Instead, they say that “For core services (such as Exchange, SharePoint, OneDrive, and Teams), audit record availability is typically 60 to 90 minutes after an event occurs. For other services, audit record availability may be longer.” It’s better to think of the unified audit log as a way to reconstruct what did happen instead of a way to monitor what is now happening.

Absence of Evidence is not Evidence of Absence

There are multiple ways to search the audit log: you can use Purview, you can use the Exchange PowerShell cmdlet Search-UnifiedAuditLog, or you can use Microsoft Graph. However, if you run the same search using all of those methods, you may find that you see different results; it appears that there are still some bugs or limitations in the Graph endpoints used for searching the log (see this example from Office 365 MVP Glen Scales). Just because you run a search of the audit log using Graph and don’t find any results, you may not be able to assume that the activity you’re looking for didn’t occur.

You may also have to enable specific audit actions. This one surprised me a bit when I first learned it: it isn’t sufficient to just add the correct license to a user to audit all actions on that account.
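One way to apply the points above before treating an empty Search-UnifiedAuditLog result as proof that nothing happened. This is an added example, not code from the original post; it assumes an existing Connect-ExchangeOnline session, the function name, UPN and time window are constructed, and it does not check licensing.

```powershell
# Added example (not from the original post): collect the reasons an audit
# search for one user might be incomplete before trusting an empty result.
function Test-AuditSearchConclusive {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [datetime] $StartUtc,
        [Parameter(Mandatory)] [datetime] $EndUtc,
        # Mailbox audit actions the post names as premium-only events.
        [string[]] $RequiredActions = @('Send', 'MailItemsAccessed', 'SearchQueryInitiated')
    )
    $caveats = @()

    # 1. Is the tenant ingesting into the unified audit log at all?
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        $caveats += 'Unified audit log ingestion is turned off for the tenant'
    }
    if ((Get-OrganizationConfig).AuditDisabled) {
        $caveats += 'Mailbox auditing on by default is disabled for the organization'
    }

    # 2. Are the specific actions enabled for the mailbox owner?
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    $missing = @($RequiredActions | Where-Object { $mbx.AuditOwner -notcontains $_ })
    if ($missing.Count -gt 0) {
        $caveats += "Owner actions not enabled: $($missing -join ', ')"
    }

    # 3. Records can lag; 90 minutes is the top of the "typical" range quoted above.
    $cutoff = (Get-Date).ToUniversalTime().AddMinutes(-90)
    if ($EndUtc -gt $cutoff) {
        $caveats += 'Window ends less than 90 minutes ago; records may not have arrived yet'
    }

    # 4. Run the search; a full page means the result set was truncated.
    $records = @(Search-UnifiedAuditLog -StartDate $StartUtc -EndDate $EndUtc `
        -UserIds $UserPrincipalName -ResultSize 5000)
    if ($records.Count -eq 5000) { $caveats += 'Hit the ResultSize cap; results are truncated' }

    [pscustomobject]@{
        User        = $UserPrincipalName
        RecordCount = $records.Count
        Conclusive  = ($caveats.Count -eq 0)
        Caveats     = $caveats
    }
}

# Constructed sample call: the last two days, stopping three hours ago.
$now = (Get-Date).ToUniversalTime()
Test-AuditSearchConclusive -UserPrincipalName 'user@example.com' -StartUtc $now.AddDays(-2) -EndUtc $now.AddHours(-3)
```

Even a result with no caveats covers only one search method; rerunning the same query in Purview is still worthwhile when the answer matters.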