
Change Auditor 7.5 - Microsoft 365 and Microsoft Entra ID Auditing User Guide


Disable a template

Disabling a template temporarily stops auditing activities without having to remove the template.

1. Place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.
   The entry in the Status column for the template changes to ‘Disabled’.
2. To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

Delete a template

2. Click Yes to confirm.

Microsoft 365 Auditing Wizard

To audit Microsoft 365 Exchange Online, SharePoint Online, and OneDrive for Business, you must first create an auditing template and select an agent. For Exchange Online, you also need to define the type of events to audit.

For details on the integration points and process required to audit an organization, as well as auditing and agent considerations, see Deployment requirements.

The following table provides details on how to create a template and the required web application so you can begin to audit Microsoft 365 activity. Also included are the details on how to edit an existing template.

 

Service and agent selection page

During template creation, use this page to provide the credentials for the accounts that register Change Auditor in the tenant, select the service to audit, and specify the agent.

 

During editing, use this page to:

1. Under Authentication Configuration, select to Create a new web application or Use existing web application.
d. Enter the Microsoft Entra Directory Name.
e. Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.
b. Enter the Microsoft Entra Directory Name, Application ID, Application key, and select a previously created Application Certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.

4. Click Select agent to view available agents and whether they are assigned to a template. The Microsoft 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template.
NOTE:  
d. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

1. Under Authentication Configuration, select to Create a new web application or Use existing web application.
   If you select to create a new web application, select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.
   If you select to use an existing web application, enter the Application ID, Application Key, and an existing certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.

Auditing activity selection page

Define or edit the types of activity to audit.

For a new template, before you can select to audit individual mailboxes or update the configuration to audit owner events, you need to select Finish to create the template.

When you disable this option:

You can choose from the following:

Administrative Activity

All administrative events: This includes remote PowerShell connections to the mailbox, or any action in the web administration portal for the Microsoft 365 Exchange Online organization.

Mailbox Activity

For mailbox activity, you have the option to set mailbox auditing settings or use the settings that have been configured in the Exchange Online tenant.

Select All mailboxes for non-owner events
Click Select mailboxes.

 

3. Click Close.
4. Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Microsoft 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.
5. Click Finish to apply the updates. After a template is created or modified, it may take some time (approximately 1 second per mailbox) for the updated agent configuration to be applied and for auditing to start.
d. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
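
Before choosing to use the mailbox auditing settings already configured in the Exchange Online tenant (see Mailbox Activity above), it helps to know what those settings actually are. The following is an added example, not part of the Quest guide or product: it summarizes per-mailbox audit configuration from objects shaped like the output of Get-Mailbox in the ExchangeOnlineManagement module. The function name Get-MailboxAuditSummary, the baseline action lists, and the sample mailboxes are assumptions constructed for illustration.

```powershell
# Added example (not Quest code). Flags mailboxes whose tenant-side audit
# settings lack the actions you expect, using Get-Mailbox properties
# (AuditEnabled, AuditOwner, AuditDelegate).
function Get-MailboxAuditSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Mailbox,
        # Set to $true when (Get-OrganizationConfig).AuditDisabled is $false,
        # i.e. mailbox auditing on by default is active for the tenant.
        [bool] $OrgAuditOnByDefault = $true,
        # Assumed baseline of actions to require; adjust to your policy.
        [string[]] $OwnerBaseline    = @('MailboxLogin', 'HardDelete'),
        [string[]] $DelegateBaseline = @('SendAs', 'HardDelete')
    )
    process {
        $missingOwner    = @($OwnerBaseline    | Where-Object { $_ -notin $Mailbox.AuditOwner })
        $missingDelegate = @($DelegateBaseline | Where-Object { $_ -notin $Mailbox.AuditDelegate })
        # When auditing is on by default for the organization, the per-mailbox
        # AuditEnabled flag is not what decides whether events are logged.
        $active = $OrgAuditOnByDefault -or [bool]$Mailbox.AuditEnabled
        [pscustomobject]@{
            Mailbox         = $Mailbox.UserPrincipalName
            AuditingActive  = $active
            MissingOwner    = $missingOwner -join ','
            MissingDelegate = $missingDelegate -join ','
            NeedsReview     = (-not $active) -or ($missingOwner.Count -gt 0) -or ($missingDelegate.Count -gt 0)
        }
    }
}

# Constructed sample objects standing in for the real query:
#   Connect-ExchangeOnline; Get-Mailbox -ResultSize Unlimited
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@example.test'; AuditEnabled = $true
        AuditOwner    = @('MailboxLogin', 'HardDelete', 'SoftDelete')
        AuditDelegate = @('SendAs', 'HardDelete')
    },
    [pscustomobject]@{
        UserPrincipalName = 'shared@example.test'; AuditEnabled = $false
        AuditOwner    = @('HardDelete')
        AuditDelegate = @()
    }
)
$sample | Get-MailboxAuditSummary -OrgAuditOnByDefault $false | Format-Table -AutoSize
```

With the constructed data, only shared@example.test is marked NeedsReview: auditing is off for it and both baselines have missing actions.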

Managing Microsoft Entra templates

Change Auditor for Active Directory simplifies the audit process by tracking, auditing, reporting, and alerting on activity in Microsoft Entra ID that impacts your environment. Change Auditor correlates activity across the on-premises and cloud directories, providing you a single pane-of-glass view of your hybrid Active Directory environment and making it easy to search all events regardless of where they occurred.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Change Auditor audits activity that corresponds to the events in the Microsoft Entra audit logs, sign-in activity report, and risky sign-ins report.

For a list of events, their description, and default severity see the Change Auditor Microsoft 365 and Microsoft Entra ID Event Reference Guide.
