SharePoint Online Site Collection Audit reports replaced by o365 Unified Audit logs

In SharePoint on-premises sites, we used Site Collection audit reports to analyse user actions for auditing and compliance purposes. Site collection administrators could generate multiple types of audit reports that were available out of the box (OOTB).

But in SharePoint Online that legacy Site Collection audit report is not available. You will get this message.

Microsoft instead provides a unified audit log feature through the o365 “Audit log search”, which gives more flexible logs of user actions. It lets you search user activities for most o365 services, such as SharePoint, Exchange, Teams, Flow, Sway, Power BI, Power Apps, etc.

It is available as part of the o365 Security & Compliance Center portal. Open the Microsoft admin center and, in the left navigation under “Admin Centers”, click “Security & Compliance”.

What do we need?

By default, audit log search is not enabled. With admin access, we need to enable it by clicking “Turn on auditing”, and it normally takes a day.

The user must be assigned the “View-Only Audit Logs” or “Audit Logs” role in Exchange Online to search the Office 365 audit log.

Normally it takes up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. So give it some time, and don’t expect to find user activity in a search immediately.

Audit records are retained for 90 days. That means you can search the audit log for activities that were performed within the last 90 days.

How to search logs for my SharePoint site?

It’s very simple: select which activity you want to search for, the duration, and the SharePoint site. For now I haven’t changed anything, so I will go with the default “Show results for all activities”, a selected date range, and finally my SharePoint site URL in the “File, folder or site” field.

Note: Always paste the site URL within quotes (“”) and end it with (/*), or else you won’t get results.

Like this “*”
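The same site scoping can be applied offline to search results exported from the portal. The script below is an added example, not part of the original post: it assumes the export is a CSV with CreationDate, UserIds, Operations and AuditData columns, that AuditData is JSON carrying an ObjectId URL, and it uses constructed contoso sample rows. It keeps the trailing slash from the “/*” pattern so that a sibling site such as /sites/hr-archive is not swept into the results for /sites/hr.

```python
import csv
import io
import json
from collections import Counter

def build_sample_export():
    """Constructed sample rows (not real tenant data) in the assumed export layout."""
    rows = [
        ("2024-03-01T09:15:00Z", "alice@contoso.example", "FileAccessed",
         "https://contoso.sharepoint.com/sites/hr/Shared Documents/policy.docx"),
        ("2024-03-01T09:20:00Z", "bob@contoso.example", "FileDownloaded",
         "https://contoso.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx"),
        ("2024-03-01T09:25:00Z", "bob@contoso.example", "FileDeleted",
         "https://contoso.sharepoint.com/sites/hr-archive/old.docx"),
        ("2024-03-01T09:30:00Z", "alice@contoso.example", "FileModified",
         "https://CONTOSO.sharepoint.com/sites/HR/Shared Documents/policy.docx"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, user, op, obj in rows:
        writer.writerow([when, user, op, json.dumps({"ObjectId": obj})])
    return buf.getvalue()

def site_prefix(pattern):
    """Turn a portal-style filter such as "https://host/sites/hr/*" into a URL prefix."""
    p = pattern.strip().strip('"\u201c\u201d')  # drop straight or curly quotes
    if not p.endswith("/*"):
        raise ValueError("site filter must end with /*")
    return p[:-1].lower()  # keep the trailing slash, compare case-insensitively

def events_for_site(export_text, pattern):
    """Return (date, user, operation, object URL) for records under the site."""
    prefix = site_prefix(pattern)
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            obj = json.loads(row["AuditData"]).get("ObjectId", "")
        except (ValueError, TypeError, AttributeError):
            continue  # skip rows whose AuditData is missing or not a JSON object
        if obj.lower().startswith(prefix):
            hits.append((row["CreationDate"], row["UserIds"], row["Operations"], obj))
    return hits

def operations_by_user(hits):
    """Count how often each user performed each operation in the filtered set."""
    return Counter((user, op) for _, user, op, _ in hits)
```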

The cool feature is “Alerts”: use “New Alert policy” and set your desired alert conditions. You or your team will get email notifications immediately when the user activity is available in the search logs.

Thanks for reading my blog. #Sharingiscaring.