• Become a portal pro
• Download
• Print
• My Downloads ()

• Support
• Technical Documentation
• Change Auditor 7.6
• Change Auditor 7.6 - Microsoft 365 and Microsoft Entra ID Auditing User Guide

Change Auditor 7.6 - Microsoft 365 and Microsoft Entra ID Auditing User Guide

Table of Contents  

Microsoft 365 and Microsoft Entra ID Auditing Overview

Introduction System overview Client components and features Deployment requirements

System requirements License requirements Auditing and agent considerations Auditing in synchronized environments Upgrading Change Auditor

Configuring Microsoft 365 and Microsoft Entra ID auditing

Managing Microsoft 365 templates

Microsoft 365 auditing page Create an Microsoft 365 auditing template Edit a Microsoft 365 auditing template Using an existing web application Disable a template Delete a template

Microsoft 365 Auditing Wizard Managing Microsoft Entra templates

Microsoft Entra auditing page Create a Microsoft Entra auditing template Edit a Microsoft Entra auditing template Disable a template Delete a template

Considerations

Microsoft Entra Auditing Wizard

Reports and Searches

Introduction to Microsoft 365 and Microsoft Entra ID reporting Microsoft 365 built-in reports Microsoft Entra built-in reports Custom searches

Creating custom Exchange Online searches Creating a custom SharePoint Online and OneDrive for Business search

Displaying additional SharePoint Online and OneDrive for Business information

Creating custom Microsoft Entra searches

Displaying additional Microsoft Entra information

Additional information for synchronized environments Working with generic Microsoft 365 and Microsoft Entra events Additional Microsoft 365 and Microsoft Entra event details Our brand, our vision. Together. Contacting Quest Technical support resources

• Viewing Topics 13 - 16 of 43

×

Microsoft 365 auditing page

The Microsoft 365 auditing page contains a list of auditing templates that define the Microsoft 365 services and Exchange Online mailboxes to audit. Microsoft 365

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template

Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.

Tenant Type

Displays whether the tenant is Commercial, GCC, or GCCHigh.

Status

Indicates whether the auditing template is enabled or disabled.

Administrative Events

Indicates whether Microsoft 365 Exchange Online administrative events are monitored.

Non-Owner Events

Indicates whether Microsoft 365 Exchange Online mailboxes are monitored for activities performed by users other than the mailbox owner.

SharePoint

Indicates whether SharePoint Online events are monitored.

OneDrive

Indicates whether OneDrive for Business events are monitored.

Overwrite Tenant Mailbox Auditing

Indicates whether the template auditing settings will overwrite the existing tenant auditing.

Create an Microsoft 365 auditing template

The following section describes the steps to create a template and the required web application so you can begin to audit the Microsoft 365 activity.

NOTE:   • Microsoft 365 Exchange, SharePoint and OneDrive auditing templates created in the Windows client defaults to 7 days (168 hours) of historical event collection. Historical event collection includes only mailbox auditing types previously enabled. • Due to enhanced security measures, basic authentication is no longer supported for Microsoft 365 auditing; certificate authentication is now required. If you choose to create the required web application when you create the template, you can select to generate a self-signed certificate (default) or use a valid certificate from your personal certificate store. This will result in a properly configured web application. For a certificate to be valid, it must contain a private key that is marked as exportable, and must support client and server authentication. If you choose to use an existing web application when you create a template, you will need to specify the application ID, application key, and a valid certificate. For required configuration, see Using an existing web application. • The ability to automatically create a new web application is not supported for GCC High tenants.

To create a template

1	Open the Administration Tasks page.

2	Click Auditing.

3	Select Micosoft 365 (under Applications).

4	Click Add to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application:

a	Select the tenant type (Commercial or GCC).

b	Enter the Microsoft Entra Directory Name.

c	Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing web application:

a	Select the tenant type (Commercial, GCC, or GCCHigh).

b

Enter the Microsoft Entra Directory Name, Application ID, Application key, and select a previously created Application Certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.

6	Select the Microsoft 365 services to audit.

7

Click Select agent to view available agents and whether they are assigned to an Microsoft 365 auditing template. The Microsoft 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.

NOTE:   • The agent must be upgraded to version 7.2 for certificate authentication support. • PowerShell 5.1 or later is required. • You cannot use an agent that is already assigned for Microsoft 365 auditing. • GCC and GCCHigh tenants are not supported on agents versions lower than version 7.5.

IMPORTANT: See the Change Auditor Release Notes for ports that must be opened on the agent server.

8	If you have selected to audit Exchange Online, you now need to choose the activities to audit. Click Next. For mailbox activity, you have the option to set mailbox auditing settings or use the settings that have been configured in the Exchange Online tenant.

NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated.

Available auditing events	Description
All administrative events	All changes made by administrators to the Microsoft 365 Exchange Online organization.
Set tenant mailbox auditing settings NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant. When you disable this option: • Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well. • Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled. NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.	By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes. NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template. To add and remove individual mailboxes: 1 Click Select mailboxes. 2 To add a mailbox: a Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search. b Select the appropriate entry from the mailbox results and click Add. 3 To remove a mailbox a Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. b Select the appropriate entry from the lower mailbox window and click Remove. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
	To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option. The "Owner Activity" audited on a configured mailbox include folder, message, and login events. IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance. To add or remove owner auditing on specific mailboxes: 1 Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. 2 Locate the required mailbox to enable or disable to Include Owner Activity as required. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
Use existing tenant mailbox settings	When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

9

Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Microsoft 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor. See Working with generic Microsoft 365 and Microsoft Entra events for more information.

10	Click Finish.

NOTE:   • The template name will be automatically set to your tenant initial domain name. • When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.

11	Login to register Change Auditor in the tenant and ensure the required consent has been granted.

NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

Edit a Microsoft 365 auditing template

This section describes the steps to add or remove an Microsoft 365 service to audit and update the mailboxes and type of Exchange Online events to monitor.

To select a new agent, you must create a new template or use the Set-CAO365Template command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

NOTE:   • Due to enhanced security measures, basic authentication is no longer supported for Microsoft 365 auditing; certificate authentication is now required. • If you select to use an existing web application, it must be updated or replaced to support certificate authentication. See Using an existing web application for details. • The ability to automatically create a new web application is not supported for GCC High tenants.

To edit a template

1	Open the Administration Tasks page.

2	Click Auditing.

3	Select Microsoft 365 (under Applications).

4	Select the template and click Edit to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application, select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing web application, enter the Application ID, Application Key, and select a previously created Application Certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.

6	Add and remove the services to audit as required. Choose between Exchange Online, SharePoint Online, and OneDrive for Business.

NOTE: When you remove a service, the agent stops auditing its activity. If you later enable auditing, you cannot access events generated when auditing was disabled.

7	If you are auditing Exchange Online, click Next to update the events to audit.

Table 3. Available activities to audit

Available auditing events	Description
All administrative events	All changes made by administrators to the Exchange Online organization.
Set tenant mailbox auditing settings NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated. NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant. When you disable this option: • Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well. • Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled. NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.	By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes. NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template. To add and remove individual mailboxes: 1 Click Select mailboxes. 2 To add a mailbox: a Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search. b Select the appropriate entry from the mailbox results and click Add. 3 To remove a mailbox a Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. b Select the appropriate entry from the lower mailbox window and click Remove. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
	To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option. The "Owner Activity" audited on a configured mailbox include folder, message, and login events. IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance. To add or remove owner auditing on specific mailboxes: 1 Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. 2 Locate the required mailbox to enable or disable to Include Owner Activity as required. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
Use existing tenant mailbox settings	When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

8	Click Close.

9

Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Microsoft 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

10	Click Finish to apply the updates. When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.

11	You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

Using an existing web application

When you create or edit an Microsoft 365 auditing template and you select to use an existing web application it must be configured to support certificate authentication.

NOTE:   • The Microsoft Entra web application should be a single-tenant application. • A redirect URI is not required.

To ensure that you will be able to audit mailbox activity:

•	Upload the certificate for the web application through the Microsoft Entra admin center using App Registration | All Applications | (web application) | Certificates & secrets | Certificate | Upload certificate. The format for the certificate must be binary x.509 (.cer).

•	Add the web application to the Exchange Administrator role for the tenant.

1	In the Microsoft Entra admin center, select Roles and Administrators | All roles.

2	Locate and open the Exchange administrator role.

3	Select Add Assignments.

4	Select No members selected under Select Member(s).

5	Select the required Application (client) ID guid.

6	Save the new member with the Select button and then click Next.

7	Change the Assignment Type to Active, ensure the Permanently assigned option is selected and enter a Justification (required).

8	Click Assign to save the changes and verify that the web application name appears in the Members list for the Exchange Administrator role.

NOTE: Must have a Client Secret configured in the web application "Certificates and Secrets" page.

•	Ensure the required permissions are applied.

NOTE: When creating a web application in the Microsoft Entra admin center, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them. Once the following permissions are assigned to the web application, click Grant admin consent for and confirm with Yes. Microsoft Graph Application Permissions: • AuditLog.Read.All – Application - Read all audit log data • Directory.Read.All – Application - Read directory data • IdentityRiskEvent.Read.All – Application - Read all identity risk information Office 365 Management APIs Application Permissions: • ActivityFeed.Read – Application - Read activity data for your organization Office 365 Exchange Online Application Permissions: • Exchange.ManageApp - Application - Manage Exchange As Application See Microsoft documentation on assigning API permissions to applications for more details.

•  Previous
• Viewing Topics 13 - 16 of 43
• Next 

Search this document Search all documents for this product-version Search all documents for this product Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center