
Change Auditor 7.0.3 - Office 365 and Azure Active Directory User Guide

Delete a template

2. Click Yes to confirm.

Office 365 Auditing Wizard

To audit Office 365 Exchange Online, SharePoint Online, and OneDrive for Business, you must first create an auditing template and select an agent. For Exchange Online, you must also define the type of events to audit.

For details on the integration points and process required to audit an organization, as well as auditing and agent considerations, see Deployment requirements.

The following table provides details on how to create a template and the required web application so you can begin to audit the Office 365 activity. Also included are the details on how to edit an existing template.

 

Credentials, service, and agent selection page

During template creation, use this page to provide the credentials for the accounts that register Change Auditor in the tenant, select the Office 365 service to audit, and specify the agent.

 

During editing, use this page to:

Windows Azure Active Directory

Office 365 Management APIs

3. Click Select agent to view available agents and whether they are assigned to a template. You cannot use an agent that is already assigned for Office 365 auditing. The Office 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. See the Change Auditor Release Notes for ports that need to be opened on the agent server.

 

Click Next to select the activities to audit within the Exchange Online organization.

 

3. If you have selected Exchange Online, click Next to update the auditing configuration account password or enter a new auditing configuration account. The account must be a user with the Exchange Administrator role.

Auditing activity selection page

Define or edit the types of activity to audit. For a new template, before you can select to audit individual mailboxes or update the configuration to audit owner events, you need to select Finish to create the template.

Select the activities to audit within your organization. You can choose from the following:

All administrative events: This includes remote PowerShell connections to the mailbox, or any action in the web administration portal for the Office 365 Exchange Online organization.
All mailboxes for non-owner events: By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can, however, disable this option and audit only specific mailboxes.

When you disable this option:

1. Click Select mailboxes.
Owner events: To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.
2. Locate the required mailbox and enable or disable Include Owner Activity as required. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All.

Excluded Generic Events

Optionally, specify the generic events to exclude from auditing based on their operations.

The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.
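The selection rules described above (non-owner activity for all or only selected mailboxes, opt-in owner activity per mailbox, excluded operations) applied to sample records, as an added example that is not Change Auditor code. The field names Operation, MailboxOwnerUPN and LogonType follow Microsoft's Office 365 audit record schema; the TEMPLATE dictionary, mailbox names and records are constructed, and applying the exclusion list to every record rather than only to generic events is a simplifying assumption.

```python
# LogonType 0 is the mailbox owner in Microsoft's Exchange mailbox audit
# schema; administrator (1) and delegate (2) access is non-owner activity.
OWNER = 0

# Hypothetical template settings that mirror the wizard options on this page.
TEMPLATE = {
    "all_mailboxes_non_owner": False,   # option disabled: selected mailboxes only
    "mailboxes": {                      # selected mailbox -> Include Owner Activity
        "cfo@example.test": True,
        "hr@example.test": False,
    },
    "excluded_operations": {"MailItemsAccessed"},
}

# Constructed sample audit records (not real tenant data).
SAMPLE = [
    {"Id": "r1", "Operation": "SendAs", "MailboxOwnerUPN": "cfo@example.test", "LogonType": 2},
    {"Id": "r2", "Operation": "HardDelete", "MailboxOwnerUPN": "cfo@example.test", "LogonType": 0},
    {"Id": "r3", "Operation": "HardDelete", "MailboxOwnerUPN": "hr@example.test", "LogonType": 0},
    {"Id": "r4", "Operation": "Update", "MailboxOwnerUPN": "intern@example.test", "LogonType": 1},
    {"Id": "r5", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "hr@example.test", "LogonType": 2},
]


def is_audited(record, template):
    """Return True if the record is kept under the template's rules."""
    if record["Operation"] in template["excluded_operations"]:
        return False
    mailbox = record["MailboxOwnerUPN"].lower()
    selected = template["mailboxes"]
    if record["LogonType"] == OWNER:
        # Owner activity is opt-in and only for explicitly selected mailboxes.
        return selected.get(mailbox, False)
    # Non-owner activity: every mailbox, or only the selected ones.
    return template["all_mailboxes_non_owner"] or mailbox in selected


def select(records, template):
    """Return the Ids of the records that the template would audit."""
    return [r["Id"] for r in records if is_audited(r, template)]


if __name__ == "__main__":
    print(select(SAMPLE, TEMPLATE))
    print(select(SAMPLE, {**TEMPLATE, "all_mailboxes_non_owner": True}))
```

With the all-mailboxes option disabled, administrator or delegate access to a mailbox that was never selected (record r4) produces no event, which is the coverage gap to weigh before narrowing a template.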

Managing Azure Active Directory templates

Change Auditor for Active Directory simplifies the audit process by tracking, auditing, reporting, and alerting on activity in Microsoft Azure Active Directory that impacts your environment. Change Auditor correlates activity across the on-premises and cloud directories, providing a single pane-of-glass view of your hybrid Active Directory environment and making it easy to search all events regardless of where they occurred.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Change Auditor audits activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.

For a list of events, their description, and default severity see the Change Auditor Office 365 and Azure Active Directory Event Reference Guide.

Azure Active Directory auditing page

The Azure Active Directory auditing page contains a list of auditing templates that define the directory to audit.

The following information is displayed for each template:

Create a template

The following section describes how to create a template and the required web application so you can begin to audit the Azure Active Directory activity. After the template is created, Change Auditor starts collecting events that are available on your tenant.

2. Click Auditing.
3. Select Azure Active Directory (under Applications).
4. Click Add to open the auditing wizard.

When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

Ensure the following permissions are assigned to the Azure web application:

Windows Azure Active Directory

Application Permissions:

Delegated Permissions:

Azure Active Directory Identity Protection API

Application Permissions:

Audit Logs: Audits Azure Active Directory user, group, application, and directory activity. A Change Auditor for Active Directory license is required.
Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.
7. Click Select agent to view available agents and whether they are assigned to an auditing template. The Azure Active Directory cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.
8. Click Finish to create the template.