Chat now with support
Chat with Support

Change Auditor 7.0.4 - Office 365 and Azure Active Directory User Guide

Auditing in synchronized environments

Microsoft allows you to map identities between on-premises applications and cloud services. This is done by synchronizing your on-premises directories with Azure Active Directory using a Microsoft synchronization tool. When auditing Office 365 or Azure Active Directory in this synchronized environment, Change Auditor provides extra event details by mapping identities.

The following conditions must be met for Change Auditor to perform the mapping:
Synchronization performed with Azure Active Directory Connect (AD Connect).
Azure AD Connect synchronization process is active in your on-premises environment and directory sync is active in your cloud environment.
Office 365 or Azure Active Directory auditing template has been created to audit your online environment that is being synchronized with the on-premises Active Directory.
The agent that is specified in the auditing template must be a member server of the forest being synchronized with the Azure Active Directory.
* 
NOTE: When synchronizing multiple forests into a single tenant, Change Auditor only provides additional information for the identities in the forest where an agent performing the Office 365 auditing is installed.

When Federation with AD FS is used as the single sign-on method, Azure logon events will no longer be generated since the authentication is done by the on-premises AD FS instance.

Upgrading Change Auditor

When you upgrade from Change Auditor version 7.0.3 or earlier:
Microsoft Graph API permissions must be applied on the web application associated with any existing Azure Active Directory and Office 365 auditing templates for auditing to continue. For the list of required permissions see Edit an Azure Active Directory auditing template and Edit an Office 365 auditing template.
To apply the updated permissions, simply edit any existing templates and select the option to create a new web application to associate with it. The new web application will be created with the required permissions and auditing will continue.
* 
NOTE: Alternately, you can update the existing web application associated with the template by adding the required permissions directly on the web application in the Azure portal. See Edit an Azure Active Directory auditing template and Edit an Office 365 auditing template for the list of required permissions. Once the permissions have been updated, auditing will continue.

When you upgrade from Change Auditor version 6.9.0 or earlier:
Previously created Exchange Online auditing templates are deleted and will no longer display in the client.
Agents previously assigned to audit Exchange Online stop auditing the Office 365 Exchange Online tenant.
* 
NOTE: You can still search and report on previously captured events. All legacy events are shown in either the Office 365 Exchange Online Mailbox facility or the Office 365 Exchange Online Administration facility.
The Shared\Built-In\Exchange Online search folder is only available if it contained previously created Exchange Online custom searches.
To capture sign-in risk events, you need to create a new template and select the Sign-ins option. These events are not captured automatically by an existing Azure Active Directory template.
To capture new events with Office 365 and avoid losing any audited activities, after an upgrade:
1
Upgrade existing agents to the latest version.
2
Create an Office 365 auditing template and configure Exchange Online auditing.

 

Configuring Office 365 and Azure Active Directory auditing

Configuring Office 365 and Azure Active Directory auditing
Managing Office 365 templates
Managing Azure Active Directory templates
Troubleshooting

 

 

 

Managing Office 365 templates

Change Auditor audits activity for Exchange Online, SharePoint Online, and OneDrive for Business that corresponds to the events in the Office 365 Security & Compliance Center unified audit log. Change Auditor allows you to easily track, report, and create alerts on activities such as:
When Exchange Online mailboxes are created, deleted, and accessed.
Permission changes to see which users are granted access to a mailbox.
Mailbox activity by non-owner such as messages sent, read, deleted, and folders deleted
Mailbox activity by owner for sensitive and high value mailboxes.
When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.

For a compete list of events, their description, and default severity see the Change Auditor Office 365 and Azure Active Directory Event Reference Guide.

See also:
Office 365 auditing page
Create an Office 365 auditing template
Disable a template
Delete a template
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating