How to Set Up Microsoft 365 Audit Logging and Alert Policies

By 365 Security Assessment Team

Audit logging and alerting are foundational to Microsoft 365 security. Without visibility into who accessed what, when administrative changes occurred, and which anomalous activities require investigation, your M365 environment is essentially a black box.

Yet many organizations operate with default or incomplete audit configurations. This guide walks you through setting up comprehensive audit logging and alert policies that deliver real security value.

Why Audit Logging Matters

Audit logs answer the critical questions: who accessed which mailbox, file or site, when an administrator changed a setting or a role, and which anomalous activities warrant investigation.

Without audit logging, you’re flying blind. With it properly configured, you have the visibility needed for effective security monitoring.

Step 1: Enable Unified Audit Logging in Microsoft 365

Navigate in the Microsoft Purview compliance portal (the Compliance link in the Microsoft 365 admin center):

  1. Go to Compliance > Audit
  2. If prompted, click Start recording user and admin activity (tenants created since 2019 normally already have it on; the prompt appears only when it is off)
  3. Wait up to 60 minutes for the change to take effect; activity from before that point is not recorded retroactively

This enables the unified audit log for Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, Microsoft Entra ID (formerly Azure AD), Dynamics 365, and other workloads.

Next, check retention:

  1. Still in Compliance > Audit, click Audit retention policies
  2. Audit (Standard) keeps records for 180 days (raised from 90 days in late 2023) and cannot be extended; Audit (Premium) keeps records for one year by default and lets you create retention policies that apply to the activity of users holding an Audit (Premium) license
  3. With Audit (Premium), the default one-year retention is your baseline; no policy is needed for it
  4. For regulatory compliance requirements (financial, healthcare, government):
    • Create an additional policy: "7-Year Compliance Retention"
    • Apply it to compliance-critical record types: Exchange and Entra ID admin activities, file and page access, file operations
    • Duration: 7 years (durations are selected from the portal's fixed options rather than entered as a day count; 10 years requires the 10-Year Audit Log Retention add-on license)
    • Give it a higher priority (a lower priority number) than any broader policy so it wins where the two overlap
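The same Step 1 configuration from PowerShell, as an added example that is not part of the original article. It assumes the tenant has Audit (Premium) licensing for the retention policy; the policy name, description and record types are illustrative choices.

```powershell
# Added example (not from the original article). Assumes Audit (Premium) licensing for the
# retention policy; policy name, description and record types are illustrative.
Connect-ExchangeOnline      # Get-/Set-AdminAuditLogConfig live in Exchange Online PowerShell
Connect-IPPSSession         # retention policy cmdlets live in Security & Compliance PowerShell

# Confirm ingestion into the unified audit log and turn it on if this tenant still has it off
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion enabled; allow up to 60 minutes before expecting records"
}

# Existing retention policies; where policies overlap, the lower Priority number wins
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority, RecordTypes

# Keep identity and Exchange admin records for ten years (TenYears requires the 10-Year Audit Log
# Retention add-on; TwelveMonths is the other value commonly used, not an arbitrary day count)
New-UnifiedAuditLogRetentionPolicy -Name 'Admin activity - 10 years' `
    -Description 'Entra ID and Exchange admin operations kept for regulatory retention' `
    -RecordTypes AzureActiveDirectory, ExchangeAdmin `
    -RetentionDuration TenYears -Priority 10
```

Run it in a PowerShell session with the ExchangeOnlineManagement module installed. Retention applies from the policy's creation onward for licensed users, so create it before the compliance clock starts, not when the first audit request arrives.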

Step 2: Configure Mailbox Audit Logging in Exchange Online

Mailbox activity (messages read, inbox rules changed, delegates sending mail) reaches the unified audit log only from mailboxes that have mailbox auditing on, so confirm it at both the organization and the mailbox level.

Mailbox auditing has been on by default for all user mailboxes since 2019, but it can be switched off for the whole organization, and the Exchange admin center has no page for it. Check it with Exchange Online PowerShell:

  1. Run Get-OrganizationConfig | Format-List AuditDisabled; the value must be False
  2. If it is True, run Set-OrganizationConfig -AuditDisabled $false
  3. Know what the default action sets already cover, so that you extend them rather than narrow them:
    • Owner actions: Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation (plus MailItemsAccessed and Send for mailboxes with an Audit (Premium) license)
    • Delegate actions: Create, Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, UpdateFolderPermissions, UpdateInboxRules
    • Admin actions: the delegate set plus Copy, Move, FolderBind, UpdateCalendarDelegation and Send

For sensitive accounts (executives, finance, legal), extend the per-mailbox settings via PowerShell, adding actions rather than replacing the default set:

# Connect to Exchange Online
Connect-ExchangeOnline

# Confirm mailbox auditing is on organization-wide (AuditDisabled must be False);
# while auditing is on by default, the per-mailbox AuditEnabled property is ignored
Get-OrganizationConfig | Format-List AuditDisabled

# Keep this mailbox's own copy of its audit records beyond the 90-day default (unified audit log
# retention is governed separately by the audit retention policies) and add actions to the default
# sets. The @{Add=...} form extends a set; assigning a plain list would replace it and drop
# defaults such as UpdateInboxRules. [email protected] is the article's placeholder for the target mailbox.
Set-Mailbox -Identity [email protected] -AuditEnabled $true -AuditLogAgeLimit 2555
Set-Mailbox -Identity [email protected] -AuditOwner @{Add="Create","Move"} -AuditDelegate @{Add="Move"} -AuditAdmin @{Add="Copy","Move"}

# Verify configuration
Get-Mailbox -Identity [email protected] | Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

Step 3: Set Up Alert Policies for Active Monitoring

Alert policies trigger notifications when suspicious activities occur, enabling rapid response. Every tenant ships with default policies (for example "Creation of forwarding/redirect rule" and "Elevation of Exchange admin privilege"); review those first, then add custom policies for the gaps. A custom policy needs an activity (an audit log operation name), an optional aggregation threshold and time window, a severity, and the recipients to notify.

Navigate in Compliance > Alert policies:

  1. Click Create alert policy

Policy 1: Unusual External Sharing Activity

Policy 2: Suspicious Admin Activity

Policy 3: Bulk File Deletion Activity

Policy 4: Sign-In Anomalies
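The four policies above created from Security & Compliance PowerShell, as an added example that is not part of the original article. The notification address, policy names, thresholds and time window are assumptions to tune against a week of baseline data; the operation names are the audit log operations that the searches in Step 4 also use.

```powershell
# Added example (not from the original article). Notification address, names, thresholds and
# time windows are assumptions; New-ProtectionAlert creates the same policies the portal does.
Connect-IPPSSession

$notify = 'secops@contoso.com'   # assumed SOC distribution list

# Policy 1: Unusual external sharing - fire on every anonymous ("Anyone") link until a baseline exists
New-ProtectionAlert -Name 'External sharing - anonymous link created' -Category AccessGovernance `
    -ThreatType Activity -Operation AnonymousLinkCreated -AggregationType None `
    -Severity Medium -NotifyUser $notify `
    -Description 'Anyone links expose content without authentication; verify business intent'

# Policy 2: Suspicious admin activity - a mailbox permission grant (FullAccess is a common
# persistence step after account compromise) and a new or changed inbox rule
New-ProtectionAlert -Name 'Admin - mailbox permission granted' -Category ThreatManagement `
    -ThreatType Activity -Operation Add-MailboxPermission -AggregationType None `
    -Severity High -NotifyUser $notify -Description 'Confirm the delegate was approved'

New-ProtectionAlert -Name 'Forwarding or inbox rule created' -Category ThreatManagement `
    -ThreatType Activity -Operation New-InboxRule,Set-InboxRule -AggregationType None `
    -Severity High -NotifyUser $notify -Description 'Review the rule with Get-InboxRule'

# Policy 3: Bulk file deletion - more than 100 deletions by one user within 60 minutes
New-ProtectionAlert -Name 'Bulk file deletion' -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted,FileDeletedFirstStageRecycleBin `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser $notify -Description 'Possible ransomware, wiper or insider cleanup'

# Policy 4: sign-in anomalies are not Purview alert policies. They come from Microsoft Entra ID
# Protection (risky sign-in and risky user detections) and surface in the Entra admin center or,
# in Sentinel, through the Microsoft Entra ID connector rather than the Office 365 connector.

# Confirm what is now in force, including the built-in defaults
Get-ProtectionAlert | Select-Object Name, Category, Severity, Disabled
```

Start with -AggregationType None for the rare, high-signal operations (permission grants, inbox rules) and use SimpleAggregation with a threshold only for noisy operations such as file deletion, otherwise a single SharePoint sync client can page the on-call engineer all night.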

Step 4: Search and Review Audit Logs

Proper audit configuration is only valuable if you regularly review logs.

In Compliance > Audit > Audit search:

  1. Define search parameters:

    • Date range: up to your retention window (180 days on Audit (Standard); longer only where an Audit (Premium) retention policy applies)
    • Activities: Start with “All activities” for initial review
    • Users: Leave blank to search all users (or specify target accounts)
    • File/Folder/Site: Optional—narrow searches by resource
  2. Common searches to run weekly:

    Search 1: Admin Role Changes

    • Activity: "Added member to role" (operation name Add member to role.)
    • Review each result to verify legitimacy, especially additions to Global Administrator and Exchange Administrator

    Search 2: Mail Forwarding Rules

    • Activity: "New-InboxRule" or "Set-InboxRule"; rules created from Outlook desktop are logged instead as the mailbox audit operation "UpdateInboxRules", and mailbox-level forwarding is logged as "Set-Mailbox" with a ForwardingSmtpAddress or ForwardingAddress parameter, so search those too
    • Unauthorized forwarding rules often indicate compromise, particularly rules that forward externally and delete or mark the message as read

    Search 3: External Sharing

    • Activity: "SharingSet" (shown as "Shared file, folder, or site") and "AnonymousLinkCreated"
    • Verify each external share matches business intent

    Search 4: User Mailbox Delegation

    • Activity: "Add-MailboxPermission"
    • Ensure only authorized delegates have access; an unexpected FullAccess grant is a common persistence step after account compromise
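The forwarding triage from Search 2 as detection logic, an added example that is not part of the original article. It runs offline against constructed sample records in the shape Search-UnifiedAuditLog returns (an AuditData column holding JSON); the live query at the bottom assumes an Exchange Online session and a 30-day window. Parameter names (ForwardTo, RedirectTo, ForwardingSmtpAddress, DeleteMessage) are the ones the Exchange cmdlets log; the handling of UpdateInboxRules, whose rule body is not reconstructed here, is an assumption that the record only warrants a manual look.

```powershell
# Added example (not from the original article). Parses unified audit log records for inbox-rule
# and mailbox-level forwarding. Sample records below are constructed; the live query assumes
# Connect-ExchangeOnline has already run.

function Find-MailForwarding {
    # $Records: objects with an AuditData property holding the JSON string Search-UnifiedAuditLog returns
    param([Parameter(Mandatory)] [object[]] $Records)

    $ruleParams    = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'   # New-InboxRule / Set-InboxRule
    $mailboxParams = 'ForwardingSmtpAddress', 'ForwardingAddress'         # Set-Mailbox

    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        $params = @{}
        foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }   # absent for mailbox audit records

        $targets = @()
        switch -Regex ($d.Operation) {
            '^(New|Set)-InboxRule$' { $targets = @($ruleParams    | Where-Object { $params[$_] } | ForEach-Object { $params[$_] }) }
            '^Set-Mailbox$'         { $targets = @($mailboxParams | Where-Object { $params[$_] } | ForEach-Object { $params[$_] }) }
            '^UpdateInboxRules$'    { $targets = @('rule changed from a mail client; inspect with Get-InboxRule') }
        }
        if ($targets.Count -eq 0) { continue }   # Set-Mailbox calls that do not touch forwarding drop out here

        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            Targets   = $targets -join '; '
            ClientIP  = $d.ClientIP
            # Forward-and-delete (or mark as read) hides the activity from the mailbox owner: classic BEC
            Concealed = ($params['DeleteMessage'] -eq 'True') -or ($params['MarkAsRead'] -eq 'True')
        }
    }
}

# Constructed sample records (not real tenant data); only the first and third should be flagged
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T09:12:44","UserId":"cfo@contoso.com","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T10:01:02","UserId":"alice@contoso.com","Operation":"New-InboxRule","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T11:30:10","UserId":"admin@contoso.com","Operation":"Set-Mailbox","ClientIP":"198.51.100.9","Parameters":[{"Name":"Identity","Value":"cfo@contoso.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:external@example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}' }
)
Find-MailForwarding -Records $sample | Format-Table -AutoSize

# Live query over the last 30 days (assumes Connect-ExchangeOnline has run):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#             -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox -ResultSize 5000
# Find-MailForwarding -Records $live | Export-Csv -Path forwarding_findings.csv -NoTypeInformation
```

On the sample set the function reports the cfo rule (external target, Concealed = True) and the admin's Set-Mailbox forwarding, and ignores alice's move-to-folder rule. Set-Mailbox is included in the live query because it is the only way to see mailbox-level forwarding; the parameter filter keeps the unrelated Set-Mailbox noise out of the findings.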

Step 5: Export Audit Data for Analysis

For compliance reporting and deep investigation, export audit logs to CSV.

In Audit search results:

  1. Click Export results > Download all results
  2. The file is a CSV with four columns:
    • CreationDate (timestamp)
    • UserIds (who performed the action)
    • Operations (activity type)
    • AuditData, a JSON object holding everything else: the resource affected, client IP address, user agent, and operation-specific parameters; expand it with ConvertFrom-Json in PowerShell (or a JSON-aware tool) before filtering on those fields

For automated export (PowerShell):

# Page the past 90 days in 5,000-record batches (one call's maximum) within a session; a session caps at 50,000 records, so narrow the date range if you hit it
$startDate = (Get-Date).AddDays(-90)
$endDate = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$results = @()
do {
    $batch = @(Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $results += $batch
} while ($batch.Count -gt 0)
$results | Export-Csv -Path "C:\audit_export.csv" -NoTypeInformation

Step 6: Integration with Security Information and Event Management (SIEM)

For organizations managing multiple security tools, integrate M365 audit logs with SIEM platforms (Splunk, Sentinel, etc.) for centralized monitoring.

Microsoft Sentinel integration (recommended):

  1. Deploy Microsoft Sentinel on a Log Analytics workspace in your Azure subscription
  2. Install the Microsoft 365 solution from the Content hub and enable its Microsoft 365 (formerly Office 365) data connector
  3. Select workloads: Exchange, SharePoint (which covers OneDrive) and Teams; records land in the OfficeActivity table, and ingestion from this connector is free
  4. Entra ID sign-in and audit logs are not part of this connector; enable the Microsoft Entra ID connector separately for the SignInLogs and AuditLogs tables
  5. Enable the analytics rule templates that ship with the solution (connecting the data alone turns on no detections) and add custom rules for high-risk activities

This provides correlation with network logs, endpoint telemetry, and identity signals for comprehensive threat visibility.

Best Practices and Common Configuration Errors

Do:

Don’t:

Validation: Confirming Your Audit Configuration

Run this PowerShell script to verify audit logging is properly configured:

# Exchange Online: unified audit log ingestion and organization-wide mailbox auditing
Connect-ExchangeOnline
$auditConfig = Get-AdminAuditLogConfig
Write-Host "Unified audit log ingestion enabled: $($auditConfig.UnifiedAuditLogIngestionEnabled)"
Write-Host "Mailbox auditing disabled organization-wide: $((Get-OrganizationConfig).AuditDisabled)"

# Mailboxes excluded from auditing by a bypass association: each one is a blind spot, and
# attackers set these too, so the expected output is an empty list
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled } | Select-Object Name

# Security & Compliance PowerShell: alert policies (defaults included) and audit retention policies
Connect-IPPSSession
Get-ProtectionAlert | Select-Object Name, Category, Severity, Disabled
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority

Conclusion: Visibility is Your Security Foundation

Microsoft 365 audit logging and alert policies transform your M365 environment from opaque to transparent. With proper configuration, you’ll detect threats earlier, respond faster, and maintain the compliance posture your organization requires.

The investment in time to configure audit logging and alerts properly pays dividends in threat detection, incident response, and regulatory compliance.

Ready to implement comprehensive audit logging and alerting for your Microsoft 365 environment? Let’s build a monitoring strategy tailored to your security requirements and compliance obligations. Start with a security assessment at 365securityassessment.com—we’ll review your current audit configuration and recommend optimizations.