Control: 5.1 Ensure Microsoft 365 audit log search is Enabled

Description

When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.

Enabling Microsoft Purview audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes.

Remediation

To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center:

1. Log in as an administrator.
2. Navigate to the Microsoft Purview compliance portal by going to https://compliance.office.com.
3. Under Solutions, select Audit.
4. Click Start recording user and admin activity next to the information warning at the top.
5. Click Yes on the dialog box to confirm.

To enable Microsoft 365 audit log search via Exchange Online PowerShell:

1. Connect to Exchange Online using Connect-ExchangeOnline.
2. Run the following PowerShell command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Default Value: Disabled.