Chat now with support
Chat mit Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration Working with On Demand Audit Appendix A: Working with Filters Documentation Roadmap

Identifying the top active users

The Top Active Users tile displays the top five active users in the last 24 hours with each service represented by a different color bar. By default, data for all available services is displayed.

To view the exact number of events per service for a particular user, hover over a section of the bar. To dive deeper into the activity details, click the section of the bar that represents the service of interest.


NOTE Other than On Demand Audit activity, which will always be included, the activity that is gathered and displayed is based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.


Audited Service Activity

Change Auditor

  • Active Directory
  • Active Directory Federation Services (Change Auditor version 7.1.2 or later)
  • Group Policy

  • Logon Activity

OneDrive for Business

  • OneDrive

SharePoint Online

  • SharePoint
Micorosft Teams
  • Teams

Azure Active Directory - Audit Logs

Azure Active Directory - Sign-ins

  • Azure Active Directory


Exchange Online - Administrative Activity

Exchange Online - Mailbox Activity

  • Exchange

To view the top active users for a specific service

  1. Choose the required service from the dropdown list, and click Select.
  2. To exclude users from being included in the calculations and display, select the Edit Excluded Users and add and remove users as required.
  3. Click Close to save your selection.


Working with My Favorite Searches

The My Favorite Searches section of the dashboard allows you to pin the top five searches that you have defined as having a high value in your organization. From here you can see the number of events, select to view the search details, and manage which searches to displayed in this view.

By default, the following searches are listed:

  • Important changes for critical Azure AD directory roles in the past 7 days
  • Azure AD role member changes in the past 7 days
  • Cloud-only Azure AD users created in the past 180 days
  • Azure AD tenant level configuration changes in the last 180 days
  • Office 365 events from EXT Users in the past 7 days

To manage the searches displayed on the dashboard:

  1. From My Favorite Searches, click Edit Searches.
  2. Add and remove searches as required by selecting the category and associated search. You can also drag and drop to specify the search order on the dashboard based on priority.
  3. Once you have made all your selections, click OK.

Monitoring sign-in trends

The Sign-ins tile allows you to quickly see the successful and failed sign-ins over the last 7 days. You can select monitor trends for all sign-ins or select only those that you are interested in.

To add and remove the types of sign-in trends displayed:

  1. Expand the drop-down list and choose the type of sign-ins to display.
  2. Select to show all or successful or failed Azure Active Directory sign-ins, Active Directory authentications, and Windows interactive logons.

If you have selected to show "All" sign-in types, any services added at a later date will automatically be selected and displayed in the dashboard.


NOTE: Sign-in activity is gathered and displayed based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.


Audited Service Sign in events

Change Auditor / Logon Activity

  • Active Directory authentications - Successful events
  • Active Directory authentications - Failed events
  • Windows interactive logons - Successful events
  • Windows interactive logons - Failed events

Azure Active Directory - Sign-in

  • Azure Active Directory sign-ins - Successful events
  • Azure Active Directory sign-ins - Failed events

Searching for specific event data (Quick Search)

Performing a quick search allows you to search through all events based on a specific value, term, or keyword.

NOTE: The results returned will only include activity from the last 365 days.

To search for data within an event

  1. Enter the search term in the Quick Search box and click the magnifying glass icon.

The resulting lists display all events that have a value matching the search term or value, sorted by the time detected. The search terms are highlighted in the search results and event details to allows you to quickly scan for matches.

NOTE: You can also export the search results to a .csv or zip file by selecting the Export button. The location for the file is determined by your browser settings.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen