Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and notification templates Auditing Microsoft Entra Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Supported regions

A Microsoft Azure region is a set of datacenters deployed within a geographic area. Selecting the correct region for your On Demand organization enables you to achieve higher performance and supports your requirements and preferences regarding data location. Specifying the region for your organization determines the geographical region where your data is stored.

During sign up, you can choose the region where your On Demand data will be hosted. The following regions are currently supported for On Demand Audit:

  • Australia
  • Canada
  • Europe
  • United Kingdom
  • United States

Configuring On Demand Audit

Working with tenants

You must have a tenant in the organization to audit the Microsoft 365 and Microsoft Entra activity.

NOTE:

  • For details on adding your first tenant, refer to the On Demand Global Settings User Guide.

  • GCC tenants are only supported by Audit in On Demand organizations located the US region.

  • When you remove a tenant, event collection stops. If you add the tenant back, you will need to select the services to audit again.

To add a tenant:

  1. Log in to On Demand.
  2. To add another tenant, navigate to the Audit module. From the Configuration tab, click Add Microsoft Entra tenant.

  3. Sign in as a Global administrator account for the tenant on the Azure sign in page.

  4. Read through the required permissions and select Accept.
Before you can audit the tenant, you need to grant On Demand Audit consent to audit its Microsoft 365 and Microsoft Entra activity. See Granting required consent
 
 

Granting required consent

Before you can audit Microsoft 365 and Microsoft Entra activity and generate searches, On Demand must be granted consent to audit the organization and its tenants.

NOTE: The Audit configuration page displays the status of the consent for the tenant:

  • Need to grant admin consent - when consent is not granted.
  • Admin consent granted - when consent is granted.

To grant the required consent:

  1. Log in to On Demand, and select Auditing.
  2. Click Go on the Audit module.
  3. Click the Need to grant admin consent link. The Azure sign in page opens. If you are signed in as the Global administrator for the tenant, you can grant consent to the On Demand Audit application.
  4. Read through the required permissions and select Accept. Once this is complete, you are redirected to On Demand Audit page.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating