Chat now with support
Chat with Support

Change Auditor 7.3 - Office 365 and Azure Active Directory User Guide

Office 365 and Azure Active Directory Auditing Overview Configuring Office 365 and Azure Active Directory auditing Reports and Searches

Office 365 auditing page

The Office 365 auditing page contains a list of auditing templates that define the Office 365 services and Exchange Online mailboxes to audit.

The following information is displayed for each template:

Create an Office 365 auditing template

The following section describes the steps to create a template and the required web application so you can begin to audit the Office 365 activity.

NOTE:  
2
Click Auditing.
3
Select Office 365 (under Applications).
4
Click Add to open the auditing wizard.
5
Under Authentication Configuration, select to Create a new web application or Use existing web application.
a
b
Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.
a
Enter the Azure directory, application ID, and application key, and select a previously created certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Azure Active Directory, creating a web application, and adding a certificate to a web application.
7
Click Select agent to view available agents and whether they are assigned to an Office 365 auditing template. The Office 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.
NOTE:  

All administrative events

All changes made by administrators to the Office 365 Exchange Online organization.

Set tenant mailbox auditing settings

When you disable this option:

 

By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes.

1
Click Select mailboxes.

 

 

 

To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.

The "Owner Activity" audited on a configured mailbox include folder, message, and login events.

2
Locate the required mailbox to enable or disable to Include Owner Activity as required.

Use existing tenant mailbox settings

When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

9
Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor. See Working with generic Office 365 and Azure Active Directory events for more information.
10
Click Finish.
NOTE:  
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

Edit an Office 365 auditing template

This section describes the steps to add or remove an Office 365 service to audit and update the mailboxes and type of Exchange Online events to monitor.

To select a new agent, you must create a new template or use the Set-CAO365Template command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

NOTE:  
2
Click Auditing.
3
Select Office 365 (under Applications).
4
Select the template and click Edit to open the auditing wizard.
5
Under Authentication Configuration, select to Create a new web application or Use existing web application.
a
b
Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.
Enter the Azure directory, application ID, and application key, and an existing certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Azure Active Directory, creating a web application, and adding a certificate to a web application.
7
If you are auditing Exchange Online, click Next to update the events to audit.

All administrative events

All changes made by administrators to the Exchange Online organization.

Set tenant mailbox auditing settings

When you disable this option:

 

By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes.

1
Click Select mailboxes.

 

 

 

To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.

The "Owner Activity" audited on a configured mailbox include folder, message, and login events.

2
Locate the required mailbox to enable or disable to Include Owner Activity as required.

Use existing tenant mailbox settings

When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

8
Click Close.
9
Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.
10
Click Finish to apply the updates. When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

Using an existing web application

When you create or edit an Office 365 auditing template and you select to use an existing web application, it must be configured to support certificate authentication.

To ensure that you will be able to audit mailbox activity:

Upload the certificate for the web application through the Azure Admin Center web portal using App Registration | All Applications | (web application) | Certificates & secrets | Certificate | Upload certificate. The format for the certificate (public key) must be binary x.509 (.cer).
2
Locate and open the Exchange administrator role.
4
Select No members selected under Select Member(s).
6
Save the new member with the Select button and then click Next.
7
Change the Assignment Type to Active, ensure the Permanently assigned option is selected and enter a Justification (required).
8
Click Assign to save the changes and verify that the web application name appears in the Members list for the Exchange Administrator role.

Once the following permissions are assigned to the Azure web application, click Grant admin consent for and confirm with Yes.

Microsoft Graph

Application Permissions:

Office 365 Management APIs

Application Permissions:

1
In the Azure Admin Center web portal, select Manage |Manage App registrations | All applications. Locate your web application in the list and select it. Go back to Manage, and select Manifest.
{

See Microsoft documentation on assigning API permissions to applications for more details.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating