ASD's Blueprint for Secure Cloud

Audit and Logging

This section describes the design decisions associated with Audit and Logging Microsoft 365 security features for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 2 minutes

Microsoft 365 Purview provides the ability to monitor and review user and administrator activities across the Office 365 applications from the past 180 days.

Audit logs are kept by default for 180 days but are configurable up to one year by default for E5 licensing.

When an event occurs for the respective application it will take anywhere from 30 minutes up to 24 hours before it can be viewed in the audit log search.

The Microsoft 365 Management Activity API enables third-party applications to consume audit logs from Office 365. If audit logging is disabled, third-party applications can still consume audit logs from the Microsoft 365 Management Activity API.

A list of Office 365 applications, their auditing capabilities and duration wait time once an event occurs.

ApplicationUser ActivityAdmin ActivityDuration wait time
Exchange Onlinexx30 minutes
OneDrive for Businessx30 minutes
SharePoint Onlinexx30 minutes
Swayxx24 hours
Power Bixx30 minutes
Workplace Analyticsx30 minutes
Dynamics 365xx24 hours
Yammerxx24 hours
Microsoft Power Appsxx24 hours
Microsoft Power Automatexx24 hours
Microsoft Steamxx30 minutes
Microsoft Teamsxx30 minutes
Microsoft Formsxx30 minutes
Entra IDx24 hours
eDiscovery activities in Office 365 Security & Compliance Centerxx30 minutes

Audit logging is not enabled by default and must be turned on first within Microsoft Purview before user or administrator activities can be audited.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra