• Become a portal pro
• Download
• Print
• My Downloads ()

• Support
• Technical Documentation
• Change Auditor 7.3
• Change Auditor 7.3 - Office 365 and Azure Active Directory User Guide

Change Auditor 7.3 - Office 365 and Azure Active Directory User Guide

Table of Contents  

Office 365 and Azure Active Directory Auditing Overview

Introduction System overview Client components and features Deployment requirements

System requirements License requirements Auditing and agent considerations Auditing in synchronized environments Upgrading Change Auditor

Configuring Office 365 and Azure Active Directory auditing

Managing Office 365 templates

Office 365 auditing page Create an Office 365 auditing template Edit an Office 365 auditing template Using an existing web application Disable a template Delete a template

Office 365 Auditing Wizard Managing Azure Active Directory templates

Azure Active Directory auditing page Create an Azure Active Directory auditing template Edit an Azure Active Directory auditing template Disable a template Delete a template

Considerations

Azure Active Directory Auditing Wizard

Reports and Searches

Introduction to Office 365 and Azure Active Directory reporting Office 365 built-in reports Azure Active Directory built-in reports Custom searches

Creating custom Exchange Online searches Creating a custom SharePoint Online and OneDrive for Business search

Displaying additional SharePoint Online and OneDrive for Business information

Creating custom Azure Active Directory searches

Displaying additional Azure Active Directory information

Additional information for synchronized environments Working with generic Office 365 and Azure Active Directory events Additional Office 365 and Azure Active Directory event details Our brand, our vision. Together. Contacting Quest Technical support resources

• Viewing Topics 13 - 16 of 43

×

Office 365 auditing page

The Office 365 auditing page contains a list of auditing templates that define the Office 365 services and Exchange Online mailboxes to audit.

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template

Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.

Status

Indicates whether the auditing template is enabled or disabled.

Administrative Events

Indicates whether Office 365 Exchange Online administrative events are monitored.

Non-Owner Events

Indicates whether Office 365 Exchange Online mailboxes are monitored for activities performed by users other than the mailbox owner.

SharePoint

Indicates whether SharePoint Online events are monitored.

OneDrive

Indicates whether OneDrive for Business events are monitored.

Overwrite Tenant Mailbox Auditing

Indicates whether the template auditing settings will overwrite the existing tenant auditing.

Create an Office 365 auditing template

The following section describes the steps to create a template and the required web application so you can begin to audit the Office 365 activity.

NOTE:   • Office 365 Exchange, SharePoint and OneDrive auditing templates created in the Windows client defaults to 7 days (168 hours) of historical event collection. Historical event collection includes only mailbox auditing types previously enabled. • Due to enhanced security measures, basic authentication is no longer supported for Office 365 auditing; certificate authentication is now required. If you choose to create the required web application when you create the template, you can select to generate a self-signed certificate (default) or use a valid certificate from your personal certificate store. This will result in a properly configured web application. For a certificate to be valid, it must contain a private key that is marked as exportable, and must support client and server authentication. If you choose to use an existing web application when you create a template, you will need to specify the application ID, application key, and a valid certificate. For required configuration, see Using an existing web application.

To create a template

1	Open the Administration Tasks page.

2	Click Auditing.

3	Select Office 365 (under Applications).

4	Click Add to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new Azure web application:

a	Enter the Azure Active Directory Name.

b	Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing Azure web application:

a

Enter the Azure directory, application ID, and application key, and select a previously created certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Azure Active Directory, creating a web application, and adding a certificate to a web application.

6	Select the Office 365 services to audit.

7

Click Select agent to view available agents and whether they are assigned to an Office 365 auditing template. The Office 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.

NOTE:   • The agent must be upgraded to version 7.2 for certificate authentication support. • PowerShell 5.1 or later is required. • You cannot use an agent that is already assigned for Office 365 auditing.

IMPORTANT: See the Change Auditor Release Notes for ports that must be opened on the agent server.

8	If you have selected to audit Exchange Online, you now need to choose the activities to audit. For mailbox activity, you have the option to set mailbox auditing settings or use the settings that have been configured in the Exchange Online tenant.

NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated.

Available auditing events	Description
All administrative events	All changes made by administrators to the Office 365 Exchange Online organization.
Set tenant mailbox auditing settings NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant. When you disable this option: • Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well. • Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled. NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.	By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes. NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template. To add and remove individual mailboxes: 1 Click Select mailboxes. 2 To add a mailbox: a Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search. b Select the appropriate entry from the mailbox results and click Add. 3 To remove a mailbox a Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. b Select the appropriate entry from the lower mailbox window and click Remove. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
	To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option. The "Owner Activity" audited on a configured mailbox include folder, message, and login events. IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance. To add or remove owner auditing on specific mailboxes: 1 Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. 2 Locate the required mailbox to enable or disable to Include Owner Activity as required. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
Use existing tenant mailbox settings	When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

9

Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor. See Working with generic Office 365 and Azure Active Directory events for more information.

10	Click Finish.

NOTE:   • The template name will be automatically set to your tenant initial domain name. • When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.

11	Login to register Change Auditor in the tenant and ensure the required consent has been granted.

NOTE: The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

Edit an Office 365 auditing template

This section describes the steps to add or remove an Office 365 service to audit and update the mailboxes and type of Exchange Online events to monitor.

To select a new agent, you must create a new template or use the Set-CAO365Template command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

NOTE:   • Due to enhanced security measures, basic authentication is no longer supported for Office 365 auditing; certificate authentication is now required. • If you select to use an existing web application, it must be updated or replaced to support certificate authentication. See Using an existing web application for details.

To edit an Office 365 auditing template

1	Open the Administration Tasks page.

2	Click Auditing.

3	Select Office 365 (under Applications).

4	Select the template and click Edit to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new Azure web application:

a	Enter the Azure Active Directory Name.

b	Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing Azure web application:

Enter the Azure directory, application ID, and application key, and an existing certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Azure Active Directory, creating a web application, and adding a certificate to a web application.

6	Add and remove the services to audit as required. Choose between Exchange Online, SharePoint Online, and OneDrive for Business.

NOTE: When you remove a service, the agent stops auditing its activity. If you later enable auditing, you cannot access events generated when auditing was disabled.

7	If you are auditing Exchange Online, click Next to update the events to audit.

Table 3. Available activities to audit

Available auditing events	Description
All administrative events	All changes made by administrators to the Exchange Online organization.
Set tenant mailbox auditing settings NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated. NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant. When you disable this option: • Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well. • Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled. NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.	By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes. NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template. To add and remove individual mailboxes: 1 Click Select mailboxes. 2 To add a mailbox: a Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search. b Select the appropriate entry from the mailbox results and click Add. 3 To remove a mailbox a Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. b Select the appropriate entry from the lower mailbox window and click Remove. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
	To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option. The "Owner Activity" audited on a configured mailbox include folder, message, and login events. IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance. To add or remove owner auditing on specific mailboxes: 1 Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search. 2 Locate the required mailbox to enable or disable to Include Owner Activity as required. You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)
Use existing tenant mailbox settings	When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

8	Click Close.

9

Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Office 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

10	Click Finish to apply the updates. When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.

11	You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

NOTE: The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

Using an existing web application

When you create or edit an Office 365 auditing template and you select to use an existing web application, it must be configured to support certificate authentication.

To ensure that you will be able to audit mailbox activity:

•	Upload the certificate for the web application through the Azure Admin Center web portal using App Registration | All Applications | (web application) | Certificates & secrets | Certificate | Upload certificate. The format for the certificate (public key) must be binary x.509 (.cer).

•	Add the web application to the Exchange Administrator role for the tenant in Azure.

1	In the Azure Admin Center web portal, select Roles and Administrators.

2	Locate and open the Exchange administrator role.

3	Select Add Assignments.

4	Select No members selected under Select Member(s).

5	Select the required Application (client) ID guid.

6	Save the new member with the Select button and then click Next.

7	Change the Assignment Type to Active, ensure the Permanently assigned option is selected and enter a Justification (required).

8	Click Assign to save the changes and verify that the web application name appears in the Members list for the Exchange Administrator role.

•	Ensure the required permissions are applied.

NOTE: When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them. Once the following permissions are assigned to the Azure web application, click Grant admin consent for and confirm with Yes. Microsoft Graph Application Permissions: • AuditLog.Read.All – Application - Read all audit log data • Directory.Read.All – Application - Read directory data • IdentityRiskEvent.Read.All – Application - Read all identity risk information Office 365 Management APIs Application Permissions: • ActivityFeed.Read – Application - Read activity data for your organization • Exchange.ManageApp - Application - Manage Exchange As Application The Office 365 Exchange Online: Exchange.ManageAsApp permission must be added manually by editing the application manifest using the following steps: 1 In the Azure Admin Center web portal, select Manage |Manage App registrations | All applications. Locate your web application in the list and select it. Go back to Manage, and select Manifest. 2 Locate the “requiredResourceAccess” section in the application manifest to add the bold section shown below: "requiredResourceAccess": [ { "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", "resourceAccess": [ { "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role" } ] }, { "resourceAppId": "00000003-0000-0000-c000-000000000000", See Microsoft documentation on assigning API permissions to applications for more details.

 

•  Previous
• Viewing Topics 13 - 16 of 43
• Next 

Search this document Search all documents for this product-version Search all documents for this product Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center