Be sure to read the following items before you start searching the Office 365 audit log.

  • You (or another admin) must first turn on audit logging before you can start searching the Office 365 audit log. To turn it on, just click Start recording user and admin activity on the Audit log search page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this once.


    NOTE: We’re in the process of turning on auditing by default. Until then, you can turn it on as previously described.


  • You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.


    IMPORTANT: If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to search the Office 365 audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.


  • You can search the Office 365 audit log for activities that were performed within the last 90 days.

  • It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.

    Office 365 service                             30 minutes   24 hours
    -------------------------------------------    ----------   --------
    SharePoint Online and OneDrive for Business        ✓
    Exchange Online                                    ✓
    Azure Active Directory (user login events)         ✓
    Azure Active Directory (admin events)                           ✓
    Sway                                                            ✓
    Power BI                                                        ✓
    Yammer                                                          ✓
    Security & Compliance Center                                    ✓
    Microsoft Teams                                                 ✓

  • As previously stated, Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Office 365 admin center or in the Azure management portal.

  • If you want to turn off audit log search in Office 365 for your organization, you can run the following command in remote PowerShell connected to your Exchange Online organization:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false


  • As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is Search-UnifiedAuditLog. That means you can use this cmdlet to search the Office 365 audit log instead of using the Audit log search page in the Security & Compliance Center. You have to run this cmdlet in remote PowerShell connected to your Exchange Online organization.
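
The following is an added example, not part of the original article, showing one way to run Search-UnifiedAuditLog with the constraints listed above in mind: it checks that ingestion is on, keeps the window inside the 90-day limit, and pages through large result sets. The function name Get-UnifiedAuditRecords and its parameters are hypothetical; it assumes you are already in remote PowerShell connected to your Exchange Online organization with the View-Only Audit Logs or Audit Logs role.

```powershell
# Added example; Get-UnifiedAuditRecords is a hypothetical helper, not a built-in cmdlet.
function Get-UnifiedAuditRecords {
    param(
        [int]$DaysBack = 7,
        [string[]]$Operations,   # optional filter on activity names
        [string[]]$UserIds       # optional filter on users
    )

    # If ingestion has been turned off, searches return nothing useful.
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        throw 'Unified audit log ingestion is turned off for this organization.'
    }

    # Only the last 90 days are searchable, so clamp the window.
    if ($DaysBack -gt 90) { $DaysBack = 90 }
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddDays(-$DaysBack)

    $search = @{
        StartDate      = $start
        EndDate        = $end
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'   # paged, unsorted results
        ResultSize     = 5000               # largest page size
    }
    if ($Operations) { $search.Operations = $Operations }
    if ($UserIds)    { $search.UserIds    = $UserIds }

    # Repeat the same call with the same SessionId until a page comes back empty.
    $records = @()
    do {
        $page = @(Search-UnifiedAuditLog @search)
        $records += $page
    } while ($page.Count -gt 0)

    # AuditData is a JSON string; expand the fields needed for review.
    $records | Sort-Object CreationDate | ForEach-Object {
        $detail = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $_.CreationDate
            User         = $_.UserIds
            Operation    = $_.Operations
            Workload     = $detail.Workload
            ClientIP     = $detail.ClientIP
        }
    }
}
```

Because entries for some services can take up to 24 hours to appear, a search whose window ends at the current time may be incomplete for the most recent day; rerun it later before treating the result as final.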