In this blog post we see how to audit Microsoft Teams to track what changes happened, when and by whom.
Note – Activities in the audit log are stored for 90 days.
How to access audit log
– Office 365 Security & Compliance Admin Center -> Search & investigation -> Audit log search.
You can also access audit logs through the Office 365 Management API or with the Search-UnifiedAuditLog PowerShell cmdlet.
How to enable audit log
– By default, audit logging is disabled in Office 365. You need to enable it to record activities.
To enable the audit log in Office 365, navigate to Security & Compliance Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities, then click Turn On.
Using PowerShell to enable audit log
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Microsoft Teams Activities
– The following user and admin activities in Microsoft Teams are recorded:
- Created team
- Deleted team
- Added channel
- Deleted channel
- Changed organization setting
- Changed team setting
- Changed channel setting
- Changed setting (legacy)
- User signed in to Teams
- Added bot to team
- Removed bot from team
- Added tab
- Removed tab
- Added connector
- Removed connector
When activities start showing
– It takes time for activities to be written to the audit logs. Once an activity is performed, it can take up to 24 hours for it to be written to the audit logs.
Audit log search
– There are several ways to search the audit logs, such as:
- By start and end date and time.
- By specific user account.
- By specific file/folder or site.
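The same date and user searches can be scripted with the Search-UnifiedAuditLog cmdlet mentioned earlier. This is an added example, not from the original post: the function name Get-TeamsAuditEvent is hypothetical, the operation names TeamDeleted and ChannelDeleted come from Microsoft's audit log schema rather than this page, and it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run and the
# signed-in account is allowed to search the audit log.
function Get-TeamsAuditEvent {   # hypothetical helper name
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$UserIds,       # optional: limit to specific user accounts
        [string[]]$Operations     # optional: limit to specific activities
    )

    # One call returns at most 5000 records, so page with a session ID.
    $query = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        RecordType     = 'MicrosoftTeams'
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    if ($UserIds)    { $query.UserIds    = $UserIds }
    if ($Operations) { $query.Operations = $Operations }

    $seen = @{}
    do {
        $page = @(Search-UnifiedAuditLog @query)
        foreach ($record in $page) {
            # ReturnLargeSet returns unsorted data; de-duplicate defensively.
            if ($seen.ContainsKey($record.Identity)) { continue }
            $seen[$record.Identity] = $true

            # AuditData is a JSON string holding the Teams-specific details.
            $detail = $record.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                TimeUtc   = $record.CreationDate
                User      = $record.UserIds
                Operation = $record.Operations
                Team      = $detail.TeamName
                Channel   = $detail.ChannelName
            }
        }
    } while ($page.Count -gt 0)   # an empty page means the session is exhausted
}

# Who deleted teams or channels in the last 7 days?
Get-TeamsAuditEvent -Operations 'TeamDeleted', 'ChannelDeleted' |
    Sort-Object TimeUtc | Format-Table -AutoSize
```

Because activities can take up to 24 hours to appear, an empty result for very recent changes does not mean nothing happened.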
How Microsoft Teams activity looks
– Check the screenshot below of Microsoft Teams activities in the audit log.
You can search for the details of a specific activity.
To check a specific user's activity, click on the user’s email address -> Recent Activity tab. It will show you all the recorded activity of that user in Microsoft Teams.
Set Alert for Specific Activity
– You can set alerts for specific activities in Microsoft Teams in order to investigate incidents.
To set an alert, navigate to the search console and click New Alert Policy.
Name the alert, for example “Microsoft Teams Create Team Activity” or “Microsoft Teams Delete Team Activity”.
After that, fill in the required fields and then filter on just the Deleted team activity.
The alert policy is now defined. Next, select the mail recipients: list the users who should receive the alerts. Save when finished.
– By following the above steps, you can easily track the activities performed by users and administrators in Microsoft Teams.