How to enable Audit Logging in Office 365 using the Security & Compliance Centre

One of the first things I do after creating a new Office 365 tenant is configure and turn on Auditing. Having Audit Logging turned on in Office 365 helps you investigate a multitude of activities occurring in your Office 365 tenant, including but not limited to the scenarios below:

  • who’s accessing what files in SharePoint, from what IP address and when
  • finding the IP address of the computers used to access a compromised account
  • determine who set up email forwarding for a mailbox
  • determine if a user is deleting documents or email items
  • determine if a user created an inbox rule

We will go further in depth in future articles, but let’s begin with the basics of turning the feature on.

Now, this is usually a pretty straightforward process. All you typically need to do is log in to the Microsoft 365 Admin Center via https://portal.office.com, click on Admin Centers and then Security & Compliance. This will navigate you to https://protection.office.com, which is the new Security & Compliance Home Page.


From the Security & Compliance navigation menu on the right, click on Search & Investigation and then click on Audit log search. You are then greeted with a warning on the top of the page:

“To use this feature, turn on auditing so we can start recording user and admin activity in your organization. When you turn this on, activity will be recorded to the Office 365 audit log and available to view in a report.”

Here is where you will click on Turn on Auditing and that should be it. However, in this particular tenant (and a few other tenants I have come across) I was instead receiving the following Client Error (see screenshot below);

Request: /api/adminauditlogconfig/EnableUnifiedAuditLogIngestion
Status code: 500
Exception message: {"Message":"The command you tried to run isn\u0027t currently allowed in your organization. To run this command, you first need to run the command: Enable-OrganizationCustomization.","DiagnosticContext":"{Version:16.00.2900.004,Environment:SEAPROD,DeploymentId:757b444cc3f54ab8b1ff93b3b9aa9728,InstanceId:WebRole_IN_1,SID:46731303-15a8-4b6e-be8c-5a4565f9fc60,CID:88268d0f-d696-438a-b757-795b203282af}","Time":"2019-02-26T21:26:42.7378474Z","ExceptionType":"Microsoft.Exchange.Configuration.Tasks.InvalidOperationInDehydratedContextException","ExceptionData":{"Source":"AdminAuditLogConfig"}}
Diagnostic information: {Version:16.00.2900.004,Environment:SEAPROD,DeploymentId:757b444cc3f54ab8b1ff93b3b9aa9728,InstanceId:WebRole_IN_1,SID:46731303-15a8-4b6e-be8c-5a4565f9fc60,CID:8f860413-26f8-4264-9cd5-9e452483853b}
Time: 2019-02-26T21:26:41.790Z


Amongst all that gibberish, I was pretty much told to run the following command to enable Organization Customization at the tenant level;

Enable-OrganizationCustomization

I then attempted to turn on Auditing via PowerShell. First you need to Connect to Exchange Online PowerShell;

So I ran the following PowerShell command to attempt to Turn On Auditing;

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

I was then thrown a similar error to the one I got when I attempted to Turn On Auditing via the web interface.

On that note, I only had one choice: to follow the instructions and run the following PowerShell Command to Enable Organization Customization;

Enable-OrganizationCustomization

(More on the command here: https://docs.microsoft.com/en-us/powershell/module/exchange/organization/enable-organizationcustomization?view=exchange-ps)

I then re-ran the PowerShell Command to Turn on Auditing as Follows; (Note I ended up waiting approximately 30 mins before I was able to run the below command successfully)

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true


Lo and behold, when I navigated back to the Security & Compliance Center > Audit Log Search, the warning for turning it on had now disappeared.


You should now be able to run your audit log searches (but give it some time if you have just activated it)!
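The whole sequence above as one script, including the wait between Enable-OrganizationCustomization and a successful Set-AdminAuditLogConfig. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is installed, and the admin UPN, attempt count and delay are placeholder values.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: enable unified audit log ingestion and verify it took effect.
$AdminUpn     = 'admin@example.onmicrosoft.com'  # placeholder account
$MaxAttempts  = 8                                # assumption: 8 tries
$DelaySeconds = 300                              # 5 minutes apart, about 35 minutes in total

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # A "dehydrated" tenant is what produces the
    # InvalidOperationInDehydratedContextException shown in the error above.
    if ((Get-OrganizationConfig).IsDehydrated) {
        Write-Host 'Tenant is dehydrated; running Enable-OrganizationCustomization.'
        Enable-OrganizationCustomization
    }

    $enabled = $false
    for ($i = 1; $i -le $MaxAttempts -and -not $enabled; $i++) {
        try {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true -ErrorAction Stop
        } catch {
            # Expected while the customization change is still propagating.
            Write-Warning "Attempt ${i} failed: $($_.Exception.Message)"
        }
        # Read the setting back rather than trusting the absence of an error.
        # This must be read in Exchange Online PowerShell; in Security &
        # Compliance PowerShell the property always reports False.
        $enabled = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        if (-not $enabled -and $i -lt $MaxAttempts) {
            Start-Sleep -Seconds $DelaySeconds
        }
    }

    if ($enabled) {
        Write-Host 'Unified audit log ingestion is enabled.'
    } else {
        throw 'Auditing is still disabled after all attempts; retry later.'
    }
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```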