
How to Check Admin Activities in Microsoft 365

In the face of evolving cyber threats, administrative accounts are prime targets for attackers seeking to exploit vulnerabilities for unauthorized access and data breaches. Without effective auditing and strong security measures, such breaches can lead to data loss, financial damage, and regulatory penalties. This guide explores how to monitor admin activities in Microsoft 365 to safeguard your organization from these risks.

Using Windows PowerShell Script

Microsoft 365 Permission Required
  • Least privilege: View-Only Audit Logs role
  • Most privilege: Global Admin

  • Download the AdminActivityReport.ps1 script file attached in this section.
  • Open PowerShell with administrator privilege.
  • Run the script as shown below, passing the User Principal Name (UPN) of the admin whose activity you want to review.
     ./AdminActivityReport.ps1 -AdminId <AdminUPN>
AdminActivityReport.ps1

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
  • Least privilege: View-Only Audit Logs role
  • Most privilege: Global Admin

  • Log in to the Audit page of the Microsoft Purview portal.
  • Choose the desired Date and Time Range, and specify the administrative Users whose activity history you want to retrieve.
  • Now, hit the Search button.

Once the search is completed, you can explore all the activities performed by the chosen admins in M365.


Easily Track Overall Admin Activities in Microsoft 365 with our User-Friendly Reporting Tool!

AdminDroid's M365 User Activity Tracker offers a comprehensive solution to view admin activities within your organization. You can also generate reports on various admin activities, including admin-forced password resets, admin login failures, recently created admins, and even failed MFA challenges.

Monitor Third-Party Application Consents

Gain comprehensive visibility into all third-party applications installed with admin consent in your Azure Active Directory to ensure security.

Audit OneDrive Links Created by Admins in M365

Regularly monitor admin-created OneDrive links for direct access to users' files and folders to protect privacy and prevent unauthorized access.

Identify Password Resets by Admin

Monitor forced password resets by Microsoft 365 admins to track all the user account password changes.

Admin Login Failures Analysis

Monitor and analyze admin login failures in M365 to detect unauthorized access and ensure account security.

Govern Administrative Units

Take control and monitor all administrative unit activities performed by Microsoft 365 users, ensuring accountability and security in your organization.

Get Alerts on Administrative Privilege Elevation

Receive immediate alerts when a user is assigned to any admin role in your Microsoft 365 organization with AdminDroid’s advanced alerting.

In summary, enhance the security and management of your Microsoft 365 environment by auditing administrator activities. Given their high privilege and access to sensitive data, it's crucial to monitor administrators and their actions to ensure data security. AdminDroid's unique capabilities and advanced features make this process seamless and efficient, allowing for effortless admin activity monitoring.


Important Tips

Implement Privileged Access Management in M365 to ensure that the admin privileges are removed after the respective task completion to avoid standing access.

Use protected actions in Entra ID to safeguard administrative tasks and control high-risk operations in Microsoft 365.

Audit admin role changes in your M365 environment to identify any unauthorized modifications to admin privileges.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints for tracking Office 365 admin activity.

Error: Throttling Limit Exceeded.

This error occurs in the Purview Compliance Portal when the number of requests exceeds the allowed rate limits within a short period.

Fix: Implement exponential backoff in your requests. Wait for some time before retrying the request.
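
The backoff fix above, applied to a scripted per-admin audit search of the kind the PowerShell method performs. This is an added example, not the AdminActivityReport.ps1 script from this page; it assumes an existing Connect-ExchangeOnline session and that a throttled call surfaces as a terminating error. `Invoke-WithBackoff`, the UPN, the 7-day window and the output file name are hypothetical.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has been run by an account with audit log access.
$AdminId = 'admin@contoso.example'   # placeholder UPN of the admin to review
$End     = (Get-Date).ToUniversalTime()
$Start   = $End.AddDays(-7)          # example window; must fall inside the retention period

function Invoke-WithBackoff {
    # Runs $Action; on a terminating error waits 2, 4, 8, ... seconds plus jitter, then retries.
    param([scriptblock] $Action, [int] $MaxAttempts = 5, [int] $BaseSeconds = 2)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return (& $Action) }
        catch {
            if ($attempt -eq $MaxAttempts) { throw }   # give up and surface the last error
            $delayMs = $BaseSeconds * [math]::Pow(2, $attempt - 1) * 1000 + (Get-Random -Maximum 1000)
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message). Retrying in $([int]$delayMs) ms."
            Start-Sleep -Milliseconds ([int]$delayMs)
        }
    }
}

# ReturnLargeSet pages through results under one SessionId until an empty page comes back.
$sessionId = "AdminActivity-$([guid]::NewGuid())"
$records   = @()
do {
    $page = @(Invoke-WithBackoff {
        Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $AdminId `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000 -ErrorAction Stop
    })
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; extract the fields needed for review.
$report = $records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc      = $_.CreationDate
        Admin        = $_.UserIds
        Workload     = $data.Workload
        Operation    = $_.Operations
        ResultStatus = $data.ResultStatus   # not present on every record type
        ClientIP     = $data.ClientIP       # not present on every record type
    }
} | Sort-Object TimeUtc                     # ReturnLargeSet returns pages unsorted

$report | Export-Csv -Path .\AdminActivity.csv -NoTypeInformation
$report | Group-Object Workload, Operation | Sort-Object Count -Descending | Select-Object Count, Name
```

The final line gives a count per workload and operation, which is a quick way to spot an admin performing an unusual operation or an unusual volume of a routine one.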

Error: ./AdminActivityReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when trying to run the script. By default, the execution policy is strict and prevents scripts from running.

Fix: To resolve this error, set the execution policy for the current PowerShell process so that the script can run.
     Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error: Search duration is too long. Please select a date range of less than 6 months.

This error occurs in the audit log search of the Purview compliance portal if the selected date and time range exceeds the limit.

Fix: In Microsoft Purview Audit (Standard), logs can only be retained for a maximum of 180 days. So, you need to give a time range within this period.

Error: No Data is returned in the result of the Audit search.

This error occurs in both the PowerShell and Compliance Center audit log search if Audit search is not enabled.

Fix: In Microsoft Purview Audit, enable Audit Search by clicking Start recording user and admin activity. If you're using PowerShell, enable it with this cmdlet:
     Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Frequently Asked Questions

Enhance Security and Compliance in Microsoft 365 by Monitoring Admin Activities

How to audit admin activities in Microsoft Entra ID?

Microsoft Entra ID audit logs track the admin actions performed in Azure Active Directory. This includes managing users and groups, updating policies, assigning applications, changing directory settings, and more. These logs help you ensure compliance, enhance security, and troubleshoot issues within the Microsoft 365 environment.

Follow the steps below to monitor admin activities in the Microsoft Entra admin center:

  • Log in to the Microsoft Entra admin center.
  • Navigate to the Audit logs page under the Monitoring & health section and use the filters below:
    • Date range - This filter lets you define a particular timeframe to examine log entries, helping you focus on relevant activities within a defined period. Select the desired date range to filter the audit logs according to when the activities took place.
    • Category - Filter based on the type of event, such as authentication, authorization, or provisioning. Choose All to include all admin activities in the audit log.
    • Service - The service filter in Microsoft Entra audit logs enables you to narrow down results based on specific Azure AD services like Core Directory, Azure MFA, B2B Auth, B2C, Application, and Agreement. Select All services to include logs from all services or components.
    • Activity - Describes the specific action or event recorded within the service, such as file deletion, user creation, password reset, or permission changes. Choose All activities to include logs of all types of activities performed.
  • Click the date field in the audit log entry to see more details like Modified Properties.
  • To export the log as a CSV file, click the download button.

How to audit eDiscovery admin activities in Microsoft 365?

eDiscovery admins play a crucial role in managing activities, such as setting up eDiscovery cases, creating holds, and exporting data. Given the sensitive nature of the data involved, it is essential to monitor admin activities closely to ensure compliance, prevent misuse, and protect against unauthorized access. This oversight is critical in maintaining the integrity of the eDiscovery process and safeguarding sensitive information.

To ensure the appropriate use of eDiscovery, track admin activities through the audit log in the Microsoft Purview compliance portal.

  • In the Microsoft Purview compliance portal, select Audit from the left navigation pane.
  • Within the Activities-friendly names dropdown list, search for eDiscovery and choose the desired operations from the results.
  • You can further refine your search by specifying a date and time range to narrow down the eDiscovery events.
  • Additionally, the Users field allows you to filter results based on specific admins who might have conducted the searches.
  • Now, click Search to view the results.

AdminDroid provides graphical charts based on various categories, making it easier to audit all eDiscovery cases using a single report.

Tip: To find any report in AdminDroid, hit Ctrl + Shift + F and type a few keywords related to the required report. This will show you the relevant reports.

How to Investigate Admins' Login Failures in Microsoft 365?

A high number of failed login attempts, especially from an admin account, can be a sign of several risks, including:

  • Brute-force attack: Hackers might be using automated tools to try different password combinations to gain access to your admin account.
  • Compromised credentials: An attacker might have obtained your admin credentials through phishing attacks or malware and be attempting to log in.
  • Insider threat: A malicious employee or compromised account might be attempting to gain unauthorized access to sensitive data or systems.

If admins' failed login attempts are not reviewed, such threats can go unnoticed and lead to data breaches and other security incidents.

Steps to investigate failed login attempts by admins

  • Log in to the Microsoft Entra admin center, navigate to Sign-in logs under the Monitoring & health section, and use the filters below:
    • Date range: Select the desired date range.
    • Status: Select Failure.
    • User: Select the desired admin user accounts.
  • Click on the Download button to export the sign-in logs in CSV format.

Pro Tip: For more detailed analytics of users with admin roles, use Excel functions to summarize and review the failure statistics.
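
The summary this tip suggests doing in Excel can also be scripted. The following is an added example, not part of the original article: it groups failed sign-ins from the exported CSV by admin and reports the distinct source IPs and the busiest hour. The sample rows, the column names and `$HourlyThreshold` are constructed assumptions; match the column names to the header row of your export.

```powershell
# Added example. $csv is constructed sample data; for a real export use:
#   $rows = Import-Csv .\SignIns.csv
# Column names are assumptions; adjust them to the header row of your export.
$csv = @'
"Date (UTC)","Username","IP address","Status","Failure reason"
"2024-05-01T02:10:11Z","admin1@contoso.example","203.0.113.10","Failure","Invalid username or password"
"2024-05-01T02:10:19Z","admin1@contoso.example","203.0.113.10","Failure","Invalid username or password"
"2024-05-01T02:11:02Z","admin1@contoso.example","203.0.113.44","Failure","Invalid username or password"
"2024-05-01T02:12:40Z","admin1@contoso.example","198.51.100.7","Failure","Account is locked"
"2024-05-01T09:30:00Z","admin2@contoso.example","192.0.2.25","Failure","Strong authentication is required"
"2024-05-01T09:31:12Z","admin2@contoso.example","192.0.2.25","Success",""
'@
$rows = $csv | ConvertFrom-Csv
$HourlyThreshold = 3   # assumed review threshold: failures per admin within one hour

function Get-HourBucket([string] $Timestamp) {
    # Truncate a timestamp to its UTC hour, e.g. "2024-05-01 02:00"
    $utc = [datetimeoffset]::Parse($Timestamp, [cultureinfo]::InvariantCulture).UtcDateTime
    $utc.ToString('yyyy-MM-dd HH') + ':00'
}

$summary = $rows | Where-Object Status -eq 'Failure' | Group-Object Username | ForEach-Object {
    # Busiest hour and most common failure reason for this admin
    $peak   = $_.Group | Group-Object { Get-HourBucket ($_.'Date (UTC)') } |
              Sort-Object Count -Descending | Select-Object -First 1
    $reason = $_.Group | Group-Object 'Failure reason' |
              Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        Admin       = $_.Name
        Failures    = $_.Count
        DistinctIPs = @($_.Group.'IP address' | Sort-Object -Unique).Count
        PeakHourUtc = $peak.Name
        PeakCount   = $peak.Count
        TopReason   = $reason.Name
        Review      = $peak.Count -ge $HourlyThreshold   # burst of failures in one hour
    }
} | Sort-Object Failures -Descending

$summary | Format-Table -AutoSize
```

A high PeakCount from a single IP is consistent with password guessing against one account, while many distinct IPs for the same admin points to distributed attempts or reused stolen credentials.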

You can act instantly on suspicious failed login attempts from admin accounts with the Admin Login Failure report in AdminDroid.

  • The report also provides a graphical representation of admin login failures, categorized by admin names, admin roles, daily attempts, hourly attempts from location, etc.
  • These visual summaries help quickly identify patterns and trends, making it easier to pinpoint the admins with the most login failures.
How to set alerts for certain admin activities in Microsoft 365?

There is no built-in way to receive real-time alerts for every admin activity in Microsoft 365. However, you can use Alert Policies in the Microsoft Defender portal and apply the necessary admin UPN filters for specific activities.

Here's how to set up Alert Policies using the Microsoft Defender portal:

  • In the Microsoft Defender portal, navigate to the Alert policy section under Policies & rules.
  • Click New Policy, provide a descriptive name, and choose the admins whose activities you want to track.
  • Define the conditions for triggering the alert (e.g., category, action type).
  • Configure the alert notification settings (provide the email address of the recipient).
  • Review your policy and click Submit.

AdminDroid's built-in alert templates make it easy to preview, deploy, and start receiving alerts immediately.

  • Check out our built-in alert templates tailored to every specific workload where security plays a key role.
  • Install AdminDroid and navigate to the Policy templates page under the Alerts section.
  • Filter the templates by the keyword admin. Review all the alert templates for admin activities available in the AdminDroid alerting tool.
  • Hit the Preview & Deploy button near the desired policy.

Now, sit back and relax while our alerting tool takes care of the rest!
