Chat now with support
Chat with Support

Change Auditor 7.0.4 - Office 365 and Azure Active Directory User Guide

Office 365 and Azure Active Directory Auditing Overview
Introduction
System overview
Client components and features
Deployment requirements

 

Introduction

Introduction

Change Auditor provides extensive, customizable auditing of critical activities and detailed alerts about vital changes taking place in Microsoft Office 365 Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory. Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions.

You can generate intelligent, in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications. By correlating accounts across the on-premises and cloud environment, you can easily search all events regardless of where they occurred.

Change Auditor’s consolidated audit platform, which is not available with native tools, enhances your ability to secure your directory and resources. Specifically, Change Auditor provides:
Detailed information giving you the Who, What, Where, and When for every event.
Single console and event format across all platforms.
Standardized search allowing you to search by any key field.
Consolidated view of on-premises and cloud activity.
Correlated on-premises and cloud identities for synchronized environments.
Ability to create alerts on any event for both on-premises and cloud activity.
Ability to store audit data indefinitely for compliance purposes.
 

System overview

To audit Office 365 and Azure Active Directory, Change Auditor agents require access to the tenant. A web application, which is an Azure Active Directory object, is used to grant this access to external programs, such as Change Auditor.

In addition, to configure and maintain Exchange Online mailbox auditing, Change Auditor agents must be granted access to the Exchange Online organization.

The following describes the integration points and process required for auditing:

1
Users configure an Office 365 or an Azure Active Directory auditing template and select an agent to receive events. The following credentials are required:
An account with the Global Administrator role. This account is used to create the web application and assign the required permissions for Change Auditor to perform auditing. After the web application is created, the credentials are no longer used. The agent retrieves the web application ID and key and securely stores them. The agent uses the ID and key to retrieve events from Office 365 and Azure Active Directory.
For Office 365 Exchange Online auditing, an account with the Exchange Administrator role is also required. This account is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). The agent periodically uses these credentials to validate or update auditing settings, so they are securely stored in Change Auditor.
2
The agent connects to the tenant and creates the web application.
For Office 365 Exchange Online, the agent also connects to your Exchange Online organization and configures mailbox auditing.
3
The agent periodically gathers events.
For Office 365 Exchange Online, the agent also retrieves mailbox auditing settings to validate configuration.
4
The agent processes events and forwards them to the coordinator.
5
The coordinator forwards events to the Change Auditor database.

 

Client components and features

The following table lists the client components and features that require a valid Change Auditor for Exchange, Change Auditor for Active Directory, Change Auditor for SharePoint, and Change Auditor for Logon Activity license. You are not be prevented from using these features; however, associated events are not captured or enforced unless the proper license is applied.

* 
NOTE: To hide unlicensed Change Auditor features from the Administration Tasks tab (including unavailable audit events throughout the client), select Action | Hide Unlicensed Components. This command is only available when the Administration Tasks tab is the active page.

 

 
Table 1. Client components and features
Client Page
Feature

Administration Tasks Tab

Audit Task List:
Azure Active Directory
Office 365

Event Details Pane

What Details:
Mailbox (Exchange Online Mailbox)
Folder (Exchange Online Mailbox)
Cmdlet (Exchange Online Administration)
Operation (SharePoint Online and OneDrive for Business)
Object (Exchange Online Administration, SharePoint Online, and OneDrive for Business)

Events

Facilities:
Office 365 Exchange Online Administration
Office 365 Exchange Online Mailbox
Office 365 SharePoint Online
Office 365 OneDrive for Business
Azure Active Directory — Application
Azure Active Directory — Administrative Units
Azure Active Directory — Device
Azure Active Directory — Directory
Azure Active Directory — Group
Azure Active Directory — Policy
Azure Active Directory — Risk Event
Azure Active Directory — Role
Azure Active Directory — Sign-in
Azure Active Directory — User
Azure Active Directory

Search Properties

What Tab:
Subsystem | Office 365
Subsystem | Azure Active Directory

Searches Page

Built-in Reports:
All reports that include the events in the Office 365 Exchange Online, Office 365 SharePoint Online, Office 365 OneDrive for Business, and Azure Active Directory facilities.

Alert Custom Email Dialog

Exchange Online only.

Add Owner(s) of Non-Owner Events option — to send an alert to the Exchange Mailbox owner when another user accesses their mailbox.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating