You're reading from Microsoft 365 Security, Compliance, and Identity Administration

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804611920
Edition: 1st Edition
Author: Peter Rising

Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

Monitoring and Analyzing Audit Logs and Reports in Microsoft Purview

When you consider the importance of security, compliance, and best-practice configuration in your Microsoft 365 environment, remember that the configuration of your Microsoft 365 services is only as effective as the analytical, auditing, and reporting capabilities that are available to (and diligently used by) Microsoft 365 administrators. By configuring and reviewing these capabilities, and taking any actions they call for, you gain vital intelligence on the activities within your environment.

In this chapter, we will be introduced to the principles and capabilities of analysis and reporting within Microsoft Purview. We will learn how to plan our auditing and reporting strategy as well as how to use audit logs to carry out investigations into compliance-related activities. We will also review the available compliance reports and dashboards and consider how we might configure alert policies and auditing retention policies...

Planning for auditing and reporting

Tracking user and administrator activities is a crucial capability for any organization using Microsoft 365, and there are several auditing and reporting capabilities available that you will need to be aware of. But what sort of things do you need to consider? What activities should you be tracking and have visibility of? Examples may include the following:

  • Documents changed by users
  • Tenant configuration altered by admins

You can monitor such activities from the various Microsoft 365 admin portals to ensure that you have a robust strategy in place to mitigate any risks and ensure that your organization is fulfilling any regulatory compliance obligations.

Using tools such as the Microsoft Purview compliance portal and the Microsoft 365 Defender portal, you can access the appropriate navigation panes for features, which include the following:

  • Alerts
  • Permissions
  • Data Lifecycle Management
  • Threat management
  • ...

Investigating compliance activities by using audit logs

The Microsoft Purview compliance portal grants administrators the ability to search the unified audit log to view user and administrator activity in your organization. This Purview feature provides deeper insight into Microsoft 365 activities than the individual service portals do. So, as an example, if you need to find out whether a user deleted an email or accessed a specific document, the unified audit log should be your first port of call. Be aware that the log only contains activity recorded after auditing was turned on in the tenant; it is enabled by default for new tenants, but you should verify this before relying on it in an investigation.

It is often asked why this is known as the unified audit log. This is simply due to the fact that you can use it to search for activities across different Microsoft 365 services and features. A few examples of these features include the following:

  • Azure Active Directory
  • Data Loss Prevention (DLP)
  • eDiscovery
  • Exchange Online
  • Microsoft 365 Defender
  • Microsoft Teams
  • Sensitivity labels
  • Threat Intelligence
  • Yammer

Note

These are only a few of the locations available...
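The investigation scenario above (did a user delete an email?) can also be run from Exchange Online PowerShell rather than the portal. The script below is an added example, not code from the book: it checks that unified audit log ingestion is enabled, turns it on if not, and then searches the unified audit log for one user's mailbox deletions over the past week, expanding the JSON AuditData payload into the fields an investigator wants. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online audit role; the admin account, user alice@contoso.com, date window and session name are constructed placeholders.

```powershell
# Added example (not from the book): verify unified auditing, then search the
# unified audit log for one user's deleted email. Requires the
# ExchangeOnlineManagement module and an account with the Audit Logs or
# View-Only Audit Logs role. Accounts, user and dates are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Confirm that events are being ingested into the unified audit log.
#    Without this, Search-UnifiedAuditLog returns nothing and alert policies
#    have nothing to evaluate.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change takes time to propagate; events from before it was enabled
    # are not recoverable.
}

# 2. Search for mailbox item deletions by one user in the last seven days.
#    SessionId/SessionCommand let us page through large result sets.
$params = @{
    StartDate      = (Get-Date).AddDays(-7)
    EndDate        = Get-Date
    UserIds        = 'alice@contoso.com'
    RecordType     = 'ExchangeItem'
    Operations     = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
    ResultSize     = 5000
    SessionId      = 'DeletedMailInvestigation'
    SessionCommand = 'ReturnLargeSet'
}

$records = @()
do {
    $page = Search-UnifiedAuditLog @params
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)   # full page => more to fetch

# 3. AuditData is a JSON string; pull out the fields that matter for the
#    question "who deleted what, from where, and when".
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIPAddress
        Mailbox   = $d.MailboxOwnerUPN
        Subjects  = ($d.AffectedItems.Subject -join '; ')
        Folder    = $d.Folder.Path
    }
} | Sort-Object Time | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Operations are filtered server-side, so the search stays cheap even on a busy tenant; the loop is needed because a single call returns at most 5,000 records. Treat the ClientIPAddress column with care: a deletion from an unfamiliar IP against a mailbox the user does not normally access from that location is the kind of signal that turns a compliance query into a security incident.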

Reviewing and interpreting compliance reports and dashboards

As an administrator with responsibility for Microsoft Purview settings, policies, and activities, it is important for you to be aware of the compliance reports that are available. Reports can be accessed from within the Microsoft Purview compliance portal by navigating to Reports:

Figure 14.10: Reports section within Microsoft Purview

The Reports section is shown in the following screenshot:

Figure 14.11: Microsoft Purview Reports

The reports are divided into two distinct categories: Labels and Organizational Data.

Note

The options that you see in the Reports section will depend on the level of licensing within your Microsoft 365 tenant. In this example, the tenant used has Microsoft 365 E5 licensing.

With Microsoft 365 E5, under the Labels section, you can see the following report tiles:

  • Label auto apply
  • Label records tagging
  • Labels trend...

Configuring alert policies

Microsoft Purview alert policies are used to generate and categorize alerts when users perform activities matching the alert policies you configure. Alert policies can be created by users with the Manage Alerts role or the Organization Configuration role. Because alert policies are evaluated against events in the unified audit log, auditing must be turned on in your tenant for them to trigger. It can take up to 24 hours after you create an alert policy for alerts to start triggering from the policy.

Note

The more advanced features available with alert policies will require an E5 subscription, an E1 / E3 subscription with E5 compliance, or the E5 eDiscovery add-on. More information can be found in the links included at the end of the chapter.

Alert policies are made up of rules and conditions comprising the activity that will generate the alert.

To create an alert policy, complete the following steps:

  1. Log in to the Microsoft Purview compliance portal at https://compliance.microsoft.com and navigate to Policies | Alert policies:
Figure 14.13: Alert policies in Microsoft Purview
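The same policy can be created from Security & Compliance PowerShell, which is useful when you need to deploy identical alert policies across several tenants. The script below is an added example, not code from the book. It creates an aggregated alert that fires when a single user deletes more than 100 SharePoint or OneDrive files and folders within an hour, then lists the enabled policies so you can confirm the result. It assumes the ExchangeOnlineManagement module and the Manage Alerts role; the policy name, threshold, notification mailbox and admin account are constructed placeholders, and the threshold-based aggregation is one of the advanced features that needs E5 (or E5 compliance) licensing as noted above.

```powershell
# Added example (not from the book): define an alert policy with PowerShell.
# Requires the ExchangeOnlineManagement module and the Manage Alerts or
# Organization Configuration role. Names, threshold and recipient are
# placeholders; threshold-based (aggregated) alerts need E5 licensing.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Rule: more than 100 FileDeleted/FolderDeleted events by one user in
# 60 minutes. SimpleAggregation turns many audit events into one alert
# instead of one alert per deleted file.
New-ProtectionAlert -Name 'Bulk SharePoint deletion by one user' `
    -Description 'More than 100 file/folder deletions by a single user in 60 minutes' `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation 'FileDeleted', 'FolderDeleted' `
    -AggregationType SimpleAggregation `
    -Threshold 100 `
    -TimeWindow 60 `
    -Severity High `
    -NotifyUser 'secops@contoso.com'

# Verify: show the enabled policies. Remember that a new policy can take up
# to 24 hours before it starts raising alerts.
Get-ProtectionAlert |
    Where-Object { -not $_.Disabled } |
    Select-Object Name, Category, Severity, AggregationType, Threshold, TimeWindow |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Pick the threshold from a baseline of your own audit data (the unified audit log search from earlier in the chapter is the natural source) rather than guessing; a value too low drowns the security mailbox, too high and a ransomware-style mass deletion can finish before the first alert.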

Configuring audit log retention policies

With audit log retention policies in Microsoft Purview, you can specify how long the audit log records generated in your organization are retained. This is a Microsoft Purview Audit (Premium) feature and requires E5 licensing. If your organization does not have an Audit (Premium) subscription, audit log records are retained for 90 days. With Audit (Premium), you can retain audit log records for up to 10 years, although retention beyond one year requires the separate 10-year audit log retention add-on license. You can scope audit log retention policies based on the following:

  • All activities within Microsoft 365 services
  • Specified activities (record types and operations) within Microsoft 365 services
  • Activities performed by specified users
  • A priority level that specifies which policy takes precedence when more than one policy matches a record; this is applicable only if you have multiple policies in your organization

To create an audit log retention policy, you need the Organization Configuration role in the Microsoft Purview compliance portal. You can create up to 50 such policies in your organization.

To create an audit log...
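Audit log retention policies can also be created in Security & Compliance PowerShell, and doing so makes the precedence rule concrete. The script below is an added example, not code from the book. It creates a broad one-year policy for mailbox and directory records plus a narrow ten-year policy for two administrator accounts, then lists the policies in precedence order. It assumes Audit (Premium) licensing (and the 10-year add-on for the second policy), the ExchangeOnlineManagement module and the Organization Configuration role; the policy names, record types, user accounts and priority values are constructed placeholders.

```powershell
# Added example (not from the book): create and review audit log retention
# policies. Requires Audit (Premium) licensing, the ExchangeOnlineManagement
# module and the Organization Configuration role. Names, record types,
# users and priorities below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Policy 1: baseline. Keep Exchange mailbox/admin and Azure AD sign-in and
# directory records for one year. A large Priority number = low precedence.
New-UnifiedAuditLogRetentionPolicy -Name 'Retain Exchange and AAD records - 1 year' `
    -Description 'Baseline one-year retention for mailbox and directory audit records' `
    -RecordTypes ExchangeAdmin, ExchangeItem, AzureActiveDirectory, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 100

# Policy 2: privileged accounts. Their admin activity is kept for ten years
# (needs the 10-year add-on license). Priority 1 is the highest precedence,
# so this policy wins over Policy 1 for records that match both.
New-UnifiedAuditLogRetentionPolicy -Name 'Retain privileged admin activity - 10 years' `
    -Description 'Long-term retention of Exchange and directory admin actions by global admins' `
    -RecordTypes ExchangeAdmin, AzureActiveDirectory `
    -UserIds 'admin1@contoso.com', 'admin2@contoso.com' `
    -RetentionDuration TenYears `
    -Priority 1

# Review: for any record, the matching policy with the LOWEST Priority value
# decides how long it is kept. Sorting by Priority shows that order.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Select-Object Priority, Name, RetentionDuration, RecordTypes, Operations, UserIds |
    Format-Table -AutoSize
```

Check the sorted output whenever you add a policy: a forgotten high-precedence policy with a short duration silently overrides a longer one for the same records, and you only find out when the evidence you need for an investigation is gone.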

Summary

This chapter covered the principles of planning for auditing and reporting in Microsoft 365 using the Microsoft Purview compliance portal. We learned about the available reports, tools, and dashboards, as well as how to investigate compliance activities by running audit log searches. We also learned how to configure alert policies that can be set up to email chosen users when an activity matching the policy is triggered, and how audit retention policies enable you to retain audit log activity based on users and/or specified record types within Microsoft Purview.

The next chapter will introduce content search and eDiscovery in Microsoft Purview.

Questions

  1. Which of the following is NOT one of the available reports in Microsoft Purview?
    1. Label auto apply
    2. Retention label changes
    3. SharePoint files
    4. DLP policy matches
  2. True or false? In an audit log search, the keyword search field is mandatory:
    1. True
    2. False
  3. Which of the following URLs grants you access to the audit log?
    1. https://admin.microsoft.com
    2. https://compliance.microsoft.com
    3. https://portal.office365.com
    4. https://portal.azure.com
  4. Which of the following PowerShell commands is used to enable audit logging in your tenant?
    1. Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $yes
    2. Set-AdminAuditLogConfig -UnifiedAuditLogIngestion $enabled
    3. Set-AdminAuditLog -UnifiedAuditLogIngestionEnabled $true
    4. Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  5. True or false? It can take up to 24 hours after you create an alert policy for alerts to start triggering from the policy:
    1. True
    2. False
  6. Where in the Microsoft...