Change Auditor 7.1.1 - Office 365 and Azure Active Directory User Guide


	NOTE: When you delete a template, the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal.

To delete a template

On the Office 365 Auditing page, select the template to delete and choose Delete | Delete Template.

Click Yes to confirm.Office 365 Auditing Wizard

To audit Office 365 Exchange Online, SharePoint Online, and OneDrive for Business you must first create an auditing template and select an agent. For Exchange Online, you need to also define the type of events to audit.

For details on the integration points and process required to audit an organization, as well as auditing and agent considerations, see Deployment requirements.

The following table provides details on how to create a template and the required web application so you can begin to audit the Office 365 activity. Also included are the details on how to edit an existing template.


	NOTE: Office 365 Exchange, SharePoint and OneDrive auditing templates created in the Windows client defaults to 7 days (168 hours) of historical event collection. Historical event collection includes only mailbox auditing types previously enabled.

Table 4. Office 365 Exchange Online Auditing wizard

Page

Description

Credentials, service, and agent selection page

During template creation, use this page to provide the credentials for the accounts that register Change Auditor in the tenant, select the Office 365 service to audit, and specify the agent.

During editing, use this page to:

•

Add or remove an Office 365 service to audit.

•

Update the Auditing Configuration account used by the agent to configure Exchange Online mailbox auditing and events to audit.

NOTE: To select a new agent, you must create a new template or use the Set-CAO365ExchangeTemplate command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

To create a template:

To create an Azure web application:

•

Enter the credentials of an Office 365 account in UPN format (for example, <UserName>@<OrganizationName>.<onmicrosoft.com>) with the Global Administrator role. This account is used to create the web application and register Change Auditor in the tenant.

To use an existing Azure web application:

•

Enter the Azure directory, application ID, and application key.

If you are using an existing web application, consult the Microsoft documentation for details on integrating applications with Azure Active Directory and creating a web application. Note: In the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant for each of them.

Ensure the following permissions are assigned to the Azure web application:

Microsoft Graph application permissions:

AuditLog.Read.All – Application - Read all audit log data

Directory.Read.All – Application - Read directory data

IdentityRiskEvent.Read.All – Application - Read all identity risk information

Office 365 Management APIs application permissions:

•

ActivityFeed.Read – Application - Read activity data for your organization

Select the Office 365 services to audit.

Click Select agent to view available agents and whether they are assigned to a template. You cannot use an agent that is already assigned for Office 365 auditing. The Office 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. See the Change Auditor Release Notes for ports that need to be opened on the agent server.

If you have selected to audit only SharePoint Online and/or OneDrive for Business activities, click Finish.

If you have selected to audit Exchange Online, you need to enter the credentials required to configure mailbox auditing settings. Click Next.

Under Exchange Online Auditing Configuration, enter the credentials of an Office 365 account in UPN format, (for example, <UserName>@<OrganizationName>.<onmicrosoft.com>) with the Exchange Administrator role. You can also select to use the Global Administrator account used to register Change Auditor in the tenant.

Click Next to select the activities to audit within the Exchange Online organization.

To edit a template:

To create an Azure web application:

•

To use an existing Azure web application:

•

Enter the Azure directory, application ID, and application key.

Ensure the following permissions are assigned to the Azure web application:

Microsoft Graph application permissions:

AuditLog.Read.All – Application - Read all audit log data

Directory.Read.All – Application - Read directory data

IdentityRiskEvent.Read.All – Application - Read all identity risk information

Office 365 Management APIs application permissions:

•

ActivityFeed.Read – Application - Read activity data for your organization

Add and remove the services to audit as required. Choose between Exchange Online, SharePoint Online, and OneDrive for Business.

NOTE: When you remove a service, the agent will no longer audit its activity. If you later enable auditing, you will not be able access events generated when auditing was disabled.

If you have selected Exchange Online, click Next to update the auditing configuration account password or enter a new auditing configuration account. The account must be a user with the Exchange Administrator role.

Update the credentials and click Next.

Auditing activity selection page

Define or edit the types of activity to audit.

For a new template, before you can select to audit individual mailboxes or update the configuration to audit owner events, you need to select Finish to create the template.

NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant.

When you disable this option:

•

Mailbox non-owner activity auditing settings for every mailbox in your tenant will be disabled as well.

•

Only the mailboxes specifically added to the template through your selection will be audited. This may affect other systems that rely on having auditing enabled.

NOTE: When you add/remove individual mailboxes for auditing or select to enable/disable owner auditing, the changes are saved immediately. They are effective after the agent configuration is updated.

NOTE: If you change the mailbox display name, e-mail address, or UPN for a mailbox that is in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.

IMPORTANT: It is recommended that you select owner auditing for critical mailboxes only. Owner auditing for a large number of mailboxes produces many events that may affect performance.

You can choose from the following:

Administrative Activity

•

All administrative events: This includes remote PowerShell connections to the mailbox, or any action in the web administration portal for the Office 365 Exchange Online organization.

Mailbox Activity

For mailbox activity, you have the option to set mailbox auditing settings or use the settings that have been configured in the Exchange Online tenant.

Set tenant mailbox auditing settings

•

Select All mailboxes for non-owner events

By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes.

-OR-

•

Click Select mailboxes.

To add a mailbox:

Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search.

Select the appropriate entry from the mailbox results and click Add.

To remove a mailbox:

Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search.

Select the appropriate entry from the lower mailbox window and click Remove.

You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)

•

To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.

The "Owner Activity" audited on a configured mailbox include folder, message and login events.

To add or remove owner auditing on specific mailboxes enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. Locate the required mailbox to enable or disable to Include Owner Activity as required.You can refine your mailbox search by selecting Non-Owner Only, Owner, or All.

Use existing tenant mailbox settings

When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

Excluded Generic Events

To optionally specify the generic events to exclude from auditing based on their operations.

The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

Managing Azure Active Directory templates

Change Auditor for Active Directory simplifies the audit process by tracking, auditing, reporting, and alerting on activity in Microsoft Azure Active Directory that impact your environment. Change Auditor correlates activity across the on-premises and cloud directories, providing you a single pane-of-glass view of your hybrid Active Directory environment and making it easy to search all events regardless of where they occurred.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Change Auditor audits activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.

For a list of events, their description, and default severity see the Change Auditor Office 365 and Azure Active Directory Event Reference Guide.

Azure Active Directory auditing page

The Azure Active Directory auditing page contains a list of auditing templates that define the directory to audit.


	NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template

Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.

Status

Indicates whether the auditing template is enabled or disabled.

Enabled templates that are lacking the required permissions for auditing are identified with a warning icon and a status of “Requires update”.

Audit Logs

Indicates whether the Azure Active Directory audit logs are monitored.

Sign-ins

Indicates whether Azure Active Directory sign-in and sign-in risk events are monitored.

Create an Azure Active Directory auditing template

The following section describes how to create a template and the required web application so you can begin to audit the Azure Active Directory activity. After the template is created, Change Auditor starts collecting events that are available on your tenant.


	NOTE: You can only create one Azure Active Directory template per tenant.

To create an auditing template

Open the Administration Tasks page.

Click Auditing.

Select Azure Active Directory (under Applications).

Click Add to open the auditing wizard.

To create an Azure web application:

•

To use an existing Azure web application:

•

Enter the Azure directory, application ID, and application key.

NOTE: If you are using an existing web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

Ensure the following permissions are assigned to the Azure web application:

Microsoft Graph application permissions:

•

AuditLog.Read.All – Application - Read all audit log data

•

Directory.Read.All – Application - Read directory data

•

IdentityRiskEvent.Read.All – Application - Read all identity risk information

Office 365 Management APIs application permissions:

•

ActivityFeed.Read – Application - Read activity data for your organization

Select the activity to audit:

Audit Logs: Audits Azure Active Directory user, group, application, and directory activity. A Change Auditor for Active Directory license is required.

Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.

Click Select agent to view available agents and whether they are assigned to an auditing template. The Azure Active Directory cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.


	NOTE: You cannot use an agent that is already assigned for Azure Active Directory auditing.


	IMPORTANT: See the Change Auditor Release Notes for ports that must be opened on the agent server.

Click Finish to create the template.

Seleziona il prodotto:

Per una maggiore efficacia, compilare l'Obiettivo della chat:

Soluzioni consigliate per il problema

Change Auditor 7.1.1 - Office 365 and Azure Active Directory User Guide

Delete a template

Managing Azure Active Directory templates

Azure Active Directory auditing page

Create an Azure Active Directory auditing template