Over the last year, Microsoft have made some huge improvements in the compliance and auditing areas of Office 365. The list of events that are collected across all the workloads is impressive and now covers both administrator and end-user actions. For detailed lists you can refer to the corresponding documentation for Azure AD reporting, or other workloads.
Microsoft’s vision is to have all this information presented in a unified portal, so that individuals which have been assigned the corresponding roles can quickly do a search for user’s actions across all services. So far, this role was performed by the Compliance center. Now, with the refresh of the Admin portal, we are also getting a new and improved version of the Compliance center – the Protection center. The Protection center is available for first release customers via the following URL: https://protection.office.com/. As the new portal is still in its infancy, there are certainly some issues around it and some of the functionality is missing. But overall, it should be very easy to use for anyone that has played with the old Compliance center a bit.
One of the things that caught my attention was the new and improved Audit search page. It is basically a new take on the familiar Office 365 activity reports section we had in the Compliance center, but with improved design and functionality. You can access it directly via https://protection.office.com/pageviewer?p=unifiedauditlog or via the Reports section in the Protection center. Here’s how it looks like:
It has been updated with easier selection for the Activity type, which now also allows you to select multiple types (up to 38 at a time, don’t ask me where this number comes from). In addition, you can quickly (de)select all activity types in particular group by clicking the Group name – for example clicking Sharing activities will result in selecting all four items below:
The results section now auto-expands to accommodate the returned matching events, and offers controls to easily sort and/or filter the data by any of the displayed columns. We also get the Export results button which offers two options: download a CSV for only the displayed results, or CSV for all results:
Unfortunately, the additional details for some of the event types is missing from the GUI report and only available in the CSV as the “More” column. In addition, some relevant data is missing from the “More” column as well, and you might still need to run the individual audit logs from say Exchange Online PowerShell. Another example for missing data – none of the Skype for Business reports/events are present in the current version of the tool. As mentioned above however, this is still a work in progress and the final product might be very different.