SharePoint Online Audit Logs

Introduction

 
Auditing in SharePoint online enables the Site collection owners and admins to see the user activity such as document view, document delete, modifying permissions, documents check-in checkout, site visit, etc. This is used by some organization for regulatory and compliance use.
 
Beginning in 2020 MSFT stopped audit reports at the site collection level. This classic auditing enables the Site owners and admins to track the usage at the site collection level which is no longer supported. if you have gone to ‘Site Collection Audit’ settings, you should have got the following message which says ‘Given this audit experience is powered by ‘Unified Audit Pipeline we no longer support Trimming as a feature’.
 
SharePoint Online Audit Logs
 
SharePoint Online Audit Logs
 
To view the audit activity, then it needs to be exported from the compliance center. This feature is called Unified Audit Log Feature. This Unified Audit Log Feature is the modern way of auditing all the activities in M365 tenant which not only audits only SPO, but also all the M365 services enabled for tenant such as Teams. Yammer, Delve, Exchange etc.
 

Who can view the Audit logs?

 
Since the all the audit log activities for SharePoint online are moved to ‘Unified Audit Logs’, it requires Global Administrators and users assigned ‘View Audit log’ role in Exchange Online admin center. Below is the screen capture for reference. As a Global Admin or Exchange admin they can see the roles by logging to admin portal and clicking on ‘Exchange Online Admin center - Roles - Admin Roles
 
SharePoint Online Audit Logs
 

How to view the Audit Logs?

 
To view the audit logs, follow the below steps. As mentioned only Global admins and Users assigned ‘View Audit logs’ role can do these steps.
 
Step 1
 
Go to here with global admin account or ‘Audit log reader’ permissions.
 
Step 2
 
Under the solutions click on Audit.
 
SharePoint Online Audit Logs
 
Step 3
 
In the next screen, you will be provided with the following options.
  • Date range
    Start date and end date

  • Activities
    You will have lot of options such as, accessed file, site visits, deleted file, checked in file, updating the sensitivity labels in file, and much more. For complete list kindly refer to reference MSFT documentation.

  • Users
    You can target the audit to specific users.

  • File, Folder or Site
    You can confine the results to particular file, folder or site.
SharePoint Online Audit Logs
 
Step 4
 
You will have the list of all the activities that have happened in the site. Now we can export the results and track the audit log for site collection.
 
SharePoint Online Audit Logs 
SharePoint Online Audit Logs
 
Also, important note that audit logs activities are only retained for 90 days.
 

Conclusion

 
Thus, in this article we have seen how the SharePoint online site collection audit logs can be viewed, and what is Unified Audit Log feature, and who can view this log information. Hope you find this article helpful.
 
References
  • https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
  • https://support-desktop.sharegate.com/hc/en-us/articles/360030419071-Microsoft-365-no-longer-supports-auditing-