Getty Images

Tip

Microsoft Purview Audit helps IT flush out bad behavior

The auditing tool gives enterprises a way to find problems by examining logs from Microsoft 365 cloud services, such as Exchange Online, to see what actions were taken and where.

Auditing has become increasingly necessary for every aspect of the enterprise environment, and the Microsoft cloud is no exception.

The responsibilities of the IT staff continue to expand and get more difficult as enterprises use more cloud services. Admins need all the help they can get to check for harbingers of danger, such as unauthorized access to confidential data and unusual login attempts. Microsoft Purview Audit is a service for audit logging Microsoft cloud services, including Microsoft Entra ID -- formerly Azure Active Directory -- and Exchange Online, to track actions by users and administrators, as well as threat actors. Purview Audit uncovers risks and unusual actions in these Microsoft 365 services to help IT maintain security and regulatory compliance.

What is Microsoft Purview Audit?

Microsoft Purview Audit is included with every Microsoft 365 subscription and enabled by default. This security product retains a record of many operations in the Microsoft 365 ecosystem, such as Exchange Online and Microsoft Teams. Admins can use these logs for auditing, forensic, compliance and legal purposes.

Purview Audit gives admins a way to uncover the origin of events that occurred in the environment. This tool helps determine if an action originated from a malicious party, a user performing actions outside of their normal duties, the IT end user acceptance policy or the many other scenarios that the IT team needs to unravel.

Microsoft Purview Audit records hundreds of different activities executed by users and administrators, which makes it such a strong source of information. Some of the data collected includes which user added someone to a group, who added a tab in a Microsoft Teams channel, who responded to a Microsoft Form, who assigned a user to an incident in Microsoft Defender, who deleted a folder or file, and which administrator set the organization's password policy. Some of the services Microsoft Purview Audit tracks includes Microsoft Entra ID, eDiscovery, Exchange Online, SharePoint Online, OneDrive, Defender, Power Platform and Teams.

There are two tiers of Purview Audit: Standard and Premium.

Microsoft includes Purview Audit Standard in all Microsoft 365 tenants with appropriate licensing: Microsoft 365 E3 (no Microsoft Teams) or better, Office 365 E1 (no Microsoft Teams) or better, Microsoft 365 F1 (no Microsoft Teams) or better.

Microsoft Purview Audit Premium requires Microsoft 365 E5 Compliance or better or Microsoft 365 F5 Compliance or better.

Purview Audit Standard and Purview Audit Premium record the same information with Premium providing extra data. The additional benefits of Premium are one year of audit log retention (not all logs included by default), audit log retention policies to apply automated retention lengths, a higher bandwidth allowance of API calls -- roughly twice as much as Standard -- and "intelligent insights" for better visibility of events in Exchange Online and SharePoint Online, as well as assistance in investigations.

Initially, the Purview Audit Standard retention of logs was 90 days. But, after the Storm-0558 hacking incident and pressure from customers, Microsoft extended the time frame to 180 days.

Microsoft Purview Audit is an evolving service, so its capabilities will change over time. There are also limitations to its visibility due to its functionality or the Purview Audit version. Purview Audit records that a Microsoft Copilot Interaction occurred, but the prompts are shown in Content Search, which is a part of Purview eDiscovery.

How to use Purview Audit for mailbox auditing

Although Purview Audit is enabled by default in Microsoft 365 tenants, you can run the following command in Exchange Online PowerShell to check the state:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If the output is true, then Audit is enabled, while false indicates Audit is disabled. The action to enable or disable Purview Audit is recorded along with who made the change so no one can turn off this feature without a record if it.

To see how Purview Audit works, let's run through a scenario related to email. In this example, you must investigate the origin of an email that appeared to come from one of your users, but they claim they did not send it.

To search through your logs, use the audit log search tool in either the Microsoft Purview portal or the compliance portal.

Purview Audit search dialog
Admins use the search function in Microsoft Purview Audit to check for matches from Microsoft 365 audit logs.

Specify the date and time range (UTC) to search within. From the Activities - friendly names section, search Exchange mailbox activities of sent message, sent message using send-as permissions and sent message using send-on-behalf permissions. You can also select the user in question under Users, which is the user of the mailbox the email was sent from. Filtering on these activities attempts to catch situations where either the user or a delegate to a mailbox might have sent the email on behalf of the user. If you only select the sent message activity, then you could miss potential matches. If you don't find a hit, then try broadening your search parameters.

Click the Search button to create a search job. The results are not instantaneous, but the portal will show the job status and progress percentage. The search for this example scenario took five minutes and 15 seconds to complete.

You can click through each result. There is an option to export the results, but this also takes time to produce. It's important to construct a proper search at the start so it focuses on the right areas and avoids wasting time waiting for results that are incomplete or inaccurate.

In this example scenario, once you find the email, the activity matching will indicate if the user -- denoted by sent message -- sent the email or if it was sent by someone else -- indicated by send as/send on behalf. Additional details the report includes are the internet-facing IP address of the device that performed the action, the UserId (username), the ClientInfoString (the client used, such as Outlook-Android) and other fields.

If the user claims they did not send the email, then you could then look at login records by running another audit log search using the same user but with the User Logged In activities. The results show information such as the SessionID, which can be married up with the same SessionID found in the previous sent message record.

It takes time to learn how to use Purview Audit properly

Take the time to absorb all the features in Microsoft Purview Audit. Although it is easy to use, it helps to know the available data types, what records you can match and where they are for better search results. There are any number of reasons why you might uncover suspicious activity in your Microsoft 365 tenant: It could be an auditor, the actions of a disgruntled employee, activities to provide court-requested evidence or signs of malicious actions in your environment.

By searching the logs with Purview Audit, you can understand who did what, when and where to pull together all the critical pieces of information to help with an investigation.

Adam Fowler is principal solutions architect for a Microsoft partner with more than 20 years of experience in IT. He is well versed in systems administration, cybersecurity, infrastructure and project management, and operational services. Fowler has worked as IT director and customer success account manager at Microsoft.

Dig Deeper on IT operations and infrastructure management

Cloud Computing
Search Enterprise Desktop
Search Virtual Desktop
Close