
On Demand Audit Current - User Guide


Using the dashboard

When you open On Demand Audit, the dashboard displays a visual summary of the most important metrics of the Office 365 and Azure Active Directory activity in your organization. The information is updated in real time, allowing you to quickly gain valuable insights into the activity taking place in your organization. You can also refresh the data by selecting the refresh icon in the top right of the dashboard.

The dashboard displays:

Working with Activity Indicators

The indicators at the top of the dashboard allow you to quickly see if there has been a change in risky activity over a specific period of time. A red sidebar indicates an increase in activity, while a green sidebar indicates a reduction.

You can then delve further into the details by clicking the indicator to view an associated search.


NOTE: The indicators are updated each time that you open the dashboard or refresh the view.


The following indicators are available:

  • Cloud-only Azure AD users created in the last 7 days

  • AD account lockouts in the last 24 hours

    If you do not have a configured Change Auditor integration, the Azure AD critical directory role changes in the last 7 days indicator displays instead.

  • Azure AD risk events in the last 7 days

    This indicator displays when you have an Azure Active Directory Premium (P2) license.

    If you do not have the required license to audit risky events and Change Auditor integration is configured, the On-premises and Azure Active Directory failed sign-ins in the last 24 hours indicator displays instead.

    If you do not have the required license to audit risky events and have not configured a Change Auditor integration, the Azure Active Directory failed sign-ins in the last 24 hours indicator displays.

  • Office 365 external user actions in the last 24 hours




Monitoring Audit Health status

The Audit Health tile allows you to easily see the status of your auditing configuration, identify any issues, and make the required updates to ensure you stay informed of the vital and critical changes to your organization.

From here, you can grant required consent for the tenant, view subscription information, view the auditing configuration settings, and view results in a search.


NOTE: Specific permissions are required for the following actions:

  • Can Add and Remove Tenants is required to grant consent.
  • Can Run Private Searches and Can Run Shared Searches are required to view associated results.
  • Can Manage Azure AD Tenant Configurations for Audit is required to view issues identified for tenants.
  • Can Manage Change Auditor Installation Configuration is required to view issues identified for Change Auditor.

NOTE: You have the option to hide items from the dashboard if they do not provide you any value, expose previously hidden items, and dismiss notifications as required.


Possible issues that may be identified include:

  • Tenant requires additional configuration
  • Tenant has not been added for auditing
  • Service subscription will expire soon
  • Service is not enabled for event collection on the tenant
  • Event collection has been disabled on the tenant
  • No Office 365 events have been received from the tenant in the last 24 hours

  • No Azure AD events have been received from the tenant in the last 24 hours
  • No Azure AD Sign-in events have been received from the tenant in the last 24 hours
  • No Change Auditor events have been received in the last 24 hours
  • Change Auditor installation has been paused
  • Change Auditor installation was removed
  • Change Auditor installation has not been connected in the last 24 hours
  • Change Auditor upgrade is required
  • Change Auditor upgrade is available


Identifying critical activity

The Critical Activity tile highlights security-related activity, including anomaly detection for unusual spikes in activity, that may indicate a threat to your organization and require further investigation.


NOTE: Critical activity events are gathered and displayed based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.


Audited Service: Critical activity

Change Auditor / Logon Activity
  • Possible Golden Ticket Kerberos exploits
  • Unusual increase in AD account lockouts
  • NTLM version 1 logons

Change Auditor / Active Directory
  • Active Directory critical group membership changes
  • Active Directory schema configuration changes
  • Active Directory forest configuration changes
  • Active Directory security changes
  • Irregular AD replication activity detected
  • Unusual increase in failed AD changes
  • Unusual increase in permission changes to AD objects

Change Auditor / Group Policy
  • Group Policy changes

Azure Active Directory - Audit Logs
  • Azure Active Directory critical directory role changes
  • Azure Active Directory tenant level configuration changes
  • Azure Active Directory cloud-only users created

Azure Active Directory - Sign Ins
  • Unusual increase in tenant sign-in failures
  • Unusual increase in successful tenant sign-ins

Exchange Online - Administrative Activity
  • OneDrive and SharePoint files shared with external users
  • OneDrive and SharePoint anonymous links
  • Office 365 activity from external users

SharePoint Online or OneDrive For Business
  • Unusual increase in files shared from OneDrive and SharePoint
  • Unusual increase in Office 365 activity by guest users
  • Unusual increase in Office 365 activity by anonymous users

Microsoft Teams
  • Unusual increase in Teams guest participants

You can easily dive deeper into the activity by viewing the associated search. For details on the searches associated with the critical activity, see Working with searches, Working with Azure Active Directory Searches and Using built in searches.

To view a full list of critical activity as well as visualizations to help understand the possible threat, see Working with critical activity.

