Tag Archive: auditing

Office 365 Auditing

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.

Office 365 service 30 minutes 24 hours
Azure Active Directory (admin events) yes
Azure Active Directory (user login events) yes
Exchange Online yes
Microsoft Teams yes
Power BI yes
Security & Compliance Center yes
SharePoint Online and OneDrive for Business yes
Sway yes
Yammer yes


  • Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Office 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.
  • Exchange Online audit logs consist of two types of events: Exchange admin events (actions taken by administrators) and mailbox events (actions taken by users on mailboxes). Note that mailbox auditing isn’t enabled by default. It must be enabled for each user mailbox before mailbox events can be searched for in the Office 365 audit log. For more information about mailbox auditing and the mailbox auditing actions that are logged, see Enable mailbox auditing in Office 365.
  • Audit logging for Power BI isn’t enabled by default. To search for Power BI activities in the Office 365 audit log, you have to enable auditing in the Power BI admin portal. For instructions, see Auditing Power BI.

Note: We’re in the process of turning on auditing by default. Until then, you can turn it on manually.
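The per-mailbox requirement described above can be checked and fixed in bulk from Exchange Online PowerShell. The script below is an added example, not part of the original post or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and that an Exchange administrator has already run Connect-ExchangeOnline; the function name Enable-MailboxAuditBaseline is hypothetical.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Enable-MailboxAuditBaseline is a hypothetical helper name.
function Enable-MailboxAuditBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Mailbox events are only searchable if unified audit log
    #    ingestion is turned on for the tenant.
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is disabled for this tenant.'
    }

    # 2. Find user mailboxes that still have auditing switched off.
    $pending = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled })

    # 3. Enable auditing per mailbox and record the outcome of each change.
    foreach ($mbx in $pending) {
        $status = 'Skipped (WhatIf or declined)'
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable mailbox auditing')) {
            try {
                Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -ErrorAction Stop
                $status = 'Enabled'
            }
            catch {
                # Keep going: one broken mailbox should not stop the baseline.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            Status            = $status
        }
    }
}

# Dry run first: lists the mailboxes that would be changed without touching them.
Enable-MailboxAuditBaseline -WhatIf | Format-Table -AutoSize
```

Run it again without -WhatIf to apply the change. Events from newly enabled mailboxes are subject to the same audit log delay described in the table above.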

If you experience longer delays than those described in the table, kindly let me know.

Turn off an activity alert for Auditing

You can turn off an activity alert so that an email notification isn’t sent. After you turn off the activity alert, it’s still displayed in the list of activity alerts for your organization, and you can still view its properties.

  • Go to https://protection.office.com.
  • Sign in to Office 365 using your work or school account.
  • In the left pane, click Alerts, and then click Manage activity alerts.
  • In the list of alerts for your organization, click the alert that you want to turn off.
  • On the Edit alert page, click the On toggle switch to change the status to Off, and then click Save.

The status of the alert on the Activity alerts page is set to Off.

To turn an activity alert back on, just repeat these steps and click the Off toggle switch to change the status to On.

Create activity alerts in the Office 365 Security & Compliance Center


Some interesting sites:

Windows 10 security hardening:


Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove user accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to let them read the instrumentation of the system with non-elevated privileges.



Reference articles to secure a Windows domain:


Microsoft audit Policy settings and recommendations:


Sysinternals sysmon:


On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:


List of items
  • Setting up a jump server
  • Domain joining of all Windows boxes
  • Proper account management based on privileges
  • Usage of service accounts to run applications instead of local system accounts
  • Review of existing AD accounts, deletion of unnecessary accounts, review of OU structuring, GPOs, etc.
  • HoneyToken account creation on local boxes as well as in the domain
  • GPO changes for disabling guest accounts across systems, restricted RDP mode, password policy changes, disabling internet access on member servers
  • GPO for jump server implementation based on PAW GPO settings
  • Rename the existing built-in Administrator account and lock it down
  • Sysmon deployment and WEF setup (WEC for Sysmon events)
  • PingCastle review to assess the AD security
  • FGPP implementation
  • LAPS implementation
  • Process for proper cleanup of unused AD accounts
  • Reset of krbtgt account, domain admins account, IT administrators account