SimuLand

Enable Office 365 Audit Log Search

Contents

  • Pre-requirements
  • Main Steps
  • 1. Install Exchange Online PowerShell v2 Module
  • 2. Connect to “Exchange Online”
  • 3. Verify if Audit Log Search is Enabled in Office 365
  • 4. Enable Audit Log Search in Office 365
  • 5. Test Office 365 Audit via the Microsoft 365 Compliance Center
  • References


Office 365 auditing must be enabled before you configure Microsoft Cloud App Security (MCAS) or connect other solutions, such as Azure Sentinel data connectors, to it. Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations, including those with E3/G3 or E5/G5 subscriptions. Follow steps 1-3 to verify whether it is enabled in your lab environment.

Pre-requirements

  • Office 365 E5 subscription

  • Microsoft 365 E5 subscription

  • You must be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.

Main Steps

  • Install Exchange Online PowerShell v2 Module

  • Connect to Exchange Online

  • Verify if Audit Log Search is Enabled in Office 365

  • Enable Audit Log Search in Office 365

  • Test Office 365 Audit via the Microsoft 365 Compliance Center

1. Install Exchange Online PowerShell v2 Module

  • On a Windows endpoint, open PowerShell as Administrator

  • Install and import the Exchange Online PowerShell V2 module

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Get-Module ExchangeOnlineManagement

2. Connect to “Exchange Online”

In the same PowerShell session, run the following command using an account that has the Audit Logs role assigned.

Connect-ExchangeOnline -UserPrincipalName <account>@<domain> -ShowProgress $true

3. Verify if Audit Log Search is Enabled in Office 365

Check the current status of Office 365 auditing by running the following command:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

4. Enable Audit Log Search in Office 365

  • Run the following command to turn on audit log search in Office 365

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

  • Verify if audit log search in Office 365 is enabled with the following command:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

5. Test Office 365 Audit via the Microsoft 365 Compliance Center

  • Navigate to Microsoft 365 Security Center

  • Go to More Resources > Microsoft 365 compliance center > Open

  • Under the Solutions section, click on Audit. You should now be allowed to use this feature.

Before enabling auditing in Office 365, you would see something like the image below:

Wait at least an hour for this setting to propagate to the services that depend on it. These are Microsoft Cloud App Security (MCAS) and the Azure Sentinel Office 365 and MCAS data connectors.
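
The script below is an added example, not part of the SimuLand repository. It runs steps 1-4 idempotently and then checks from the command line that audit records can be queried. The `$AdminUpn` parameter is a hypothetical name introduced here, and the `Search-UnifiedAuditLog` smoke test is an addition to the portal check described in step 5.

```powershell
# Added example: steps 1-4 in one idempotent script, plus a command-line smoke test.
# $AdminUpn is a hypothetical parameter name; pass an account that holds the Audit Logs role.
param(
    [Parameter(Mandatory)] [string] $AdminUpn   # <account>@<domain>
)
$ErrorActionPreference = 'Stop'

# Step 1: install the module only if it is not already available.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

# Step 2: connect to Exchange Online with the privileged account.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowProgress $true

try {
    # Step 3: read the current state of unified audit log ingestion.
    $enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    Write-Output "UnifiedAuditLogIngestionEnabled (before): $enabled"

    # Step 4: change the setting only when it is off, then read it back.
    if (-not $enabled) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        $enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        Write-Output "UnifiedAuditLogIngestionEnabled (after): $enabled"
    }

    if (-not $enabled) {
        Write-Warning 'Setting still reads as disabled; check again after the propagation window.'
    }
    else {
        # Smoke test: request a few records from the last 24 hours.
        # An empty result right after enabling is expected until the setting propagates.
        $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
        if ($records) {
            $records | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize
        }
        else {
            Write-Warning 'No audit records returned yet; retry after the propagation window.'
        }
    }
}
finally {
    # Always close the remote session, even if a step above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```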

References

  • Connect Office 365 to Cloud App Security

  • Turn audit log search on or off - Microsoft 365 Compliance

By Microsoft Corporation
© Copyright 2022.