🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Track User Activities in Microsoft 365

It's essential to keep track of how employees use Microsoft 365 services like Exchange Online, SharePoint Online, and Teams in larger organizations. Juggling the task of monitoring user activities across multiple portals, from emails to file sharing and beyond, while managing access permissions, is undeniably challenging and time-consuming. Don't worry! This guide will show you effective ways to check user activities in Microsoft 365 and spot any unusual actions.

Native Solution

Microsoft 365 Permission Required

High

Global administrator, Global reader or Reports reader.

Option 1 Using Microsoft Purview Compliance Portal

  • Login to the Microsoft Purview portal.
  • Navigate to Audit under Solutions.
  • Select the desired Date and Time Range for which you wish to get the history of user activities.
  • If you wish to track specific activities, you can filter the actions in the Activities field. To explore all user activities in M365, simply run Search after choosing the desired time range.
Using Microsoft Purview Compliance Portal

Once the search is completed, we can see all the activities performed by your organizational users.

microsoft-purview-result

Option 2 Using Windows PowerShell

  • Before you begin, make sure you have installed and connected to Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell 
     Install-Module -Name ExchangeOnlineManagement 

Connect- ExchangeOnline
  • Run the following cmdlet to retrieve all activities of a specific user in your organization.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -User <UserPrincipalName> -StartDate "MM/DD/YYYY" -EndDate "MM/DD/YYYY"
Using Windows PowerShell

Option 3 Using PowerShell Script

  • As the previous cmdlet could only generate up to 5000 entries per instance, we have created a PowerShell script to generate a comprehensive usage statistics report for users in your Microsoft 365 environment.
  • Download and run the following script to export office 365 user activity report for your organization.
Office 365 User Activity Report.ps1
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

ad
  • Login to the AdminDroid Office 365 portal.
  • Navigate to User Activities Trend dashboard through Dashboards »User Activities»All Users.
Using AdminDroid

Gain instant visibility into Microsoft 365 user activity with our insightful dashboard, designed to meet all your user activity auditing requirements across Azure AD, Exchange Online, SharePoint, OneDrive, Teams, and more.

ad-report

Unlock in-depth M365 user analytics that native tools lack!

Download O365 user activity reports in few clicks. No complex PowerShell scripts needed!

  • Hit Ctrl + Shift + F and search for All Activities report.
  • Select the report and download user activity log using the Export button at the top right corner.
geo-map
birds-eye-chart
donut
exported-excel
pie-chart
alert
Explore a full range of reporting options

Master Microsoft 365 User Auditing like a Pro!

Unleash the full potential of Microsoft 365 with AdminDroid, providing precise details on all audit activities across M365 services. Gain powerful insights from user activity tracking to manage your tenant effectively!

Witness the report in action using the

Live Demo

Azure ADIdentify Suspicious Activity & Strengthen M365 Security with User Activity Monitoring

Showing 1 of 5
What are the user activity audit logs available in Microsoft Purview Compliance Portal? Why is it necessary to monitor user behaviour in Microsoft 365? How to track the user activity in Microsoft 365 admin center? How does monitoring email and file-sharing activities in Microsoft 365 improve security? What is the retention period for user activity reports in Microsoft 365?

What are the user activity audit logs available in Microsoft Purview Compliance Portal?

In Microsoft 365, various types of user activities can be tracked through audit logs. Those key activities are listed below:

  • User’s Sign-in Activities: Keeps track of when Microsoft users login and log out, including successful and failed log-in attempts.
  • EXO Mailbox Activities: Monitoring actions such as sending, receiving, forwarding deleting, or moving emails within Exchange Online.
  • SPO File and Folder Activities: Tracks user interactions on files & folders in SharePoint Online and OneDrive for Business that includes views, edits, uploads, downloads, and deletions.
  • External Sharing and Collaboration Activities: Monitors user activities related to sharing files, folders, & sites that include invitations sent, and granting & revoking permissions during external collaboration.
  • MS Teams Collaboration Activities: Tracks user interactions within Microsoft Teams, such as channel creations, posting messages, file sharing, and meeting attendance.
  • Security and Compliance: Recording security-related events, such as policy changes, malware detection, data loss prevention (DLP) violations, and suspicious sign-in attempts.

AdminDroid allows you to simply monitor user activities based on geography, department, job title, and other parameters.

  • With the Microsoft 365 Usage and Adoption dashboard, you gain insights into user engagement by reviewing the number of activities, active users, and licensed users across different categories. This dashboard can be accessed from Dashboards»Usage & Adoption.
  • View activities by specific departments, job titles, cities, or states using the filters available for Event Time, Workload, and Operation.
faq-1

Why is it necessary to monitor user behaviour in Microsoft 365?

Monitoring Microsoft 365 user behaviour is essential for understanding how users interact with the M365 services, helping organizations to optimize productivity, enhance security, and improve the user experience. Some key aspects include:

  • Proactively tracking employee activities can provide valuable insights into their Microsoft 365 service usage, licensing optimization, and other essential information.
  • It helps in identifying and responding to unusual or unauthorized activities to prevent security breaches and insider threats.
  • One of the main reasons for tracking user behavior is to maintain adherence to compliane regulations and internal policies by generating audit trails and compliance reports.

These logs serve as a crucial tool for ensuring accountability and safeguarding organizational assets.

Optimizing Analysis: Effective Techniques for Microsoft 365 User Activity Logs

  • Filtering Logs: Narrow down the audit logs by specifying the time frame, usernames, activities, and other relevant criteria to focus on specific events of interest.
  • Identifying Anomalies: Look for any unusual or suspicious activities that may indicate potential security threats or policy violations within the organization.
  • Correlating Events: Associate audit events to identify unusual patterns or trends in user behavior, such as unauthorized access attempts, privilege escalation, or data exfiltration.
  • Investigating Incidents: Investigate any identified incidents or security breaches by analyzing the details provided in the audit logs, including performed users, the affected resources, and the actions performed.
  • Documenting Findings: For future reference and reporting needs, record the results of the audit log analysis, including any suspicious activity, security events, or compliance violations.

By following these steps, admins can effectively analyze office 365 audit logs to gain insights into user activities, detect security threats, and ensure compliance with regulatory requirements.

Note: By default, Microsoft 365 retains audit logs for 180 days. However, if you have an Audit Premium license, you can retain audit logs for up to one year (365 days) or longer, depending on your organization's compliance needs.

Admindroid offers detailed insights into user interactions in Microsoft 365, featuring a dashboard with visualizations like maps, pie charts, bar charts, and heat maps for thorough analysis of user activities.

  • Make use of the user activity reports available in AdminDroid under Analytics»Audit Analytics»Audit Events with User Details .
  • Choose Detailed chart view in the Graphical charts tab of any chosen report from the given directory.
  • These visualizations help in identifying user trends, peak activity times, and potential areas of concern, facilitating better management and optimization of the organization's Microsoft 365 resources.
user-analytics-chart-view

How to track the user activity in Microsoft 365 admin center?

Before we begin, here’s the main difference between audit Purview user activities and admin center user activity reports:

  • Audit Logs in Microsoft Purview Portal This portal provides comprehensive monitoring of user activities, including administrative actions, security-related events, changes made by users, etc. It tracks activities such as file access attempts, mailbox changes, and permission modifications, helping to identify potential risks and ensure compliance.
  • User Activity Reports in Microsoft 365 Admin Center It provides a broader view of general user engagement with Microsoft 365 services. It shows how many users are using specific features like email, OneDrive storage, Teams chat, Teams meeting, and so on. This helps with license management and productivity enhancement.

Access user activity reports in the Microsoft 365 admin center:

Usage reports in the Microsoft 365 admin center provide insightful visualizations of user activity and resource utilization, allowing admins to identify active & inactive users to optimize productivity across all M365 services.

  • Sign in to Microsoft 365 admin center and navigate to Usage Reports.
  • Choose Time Frame: On the Active Users dashboard, pick the time frame - like past 7, 30, 90, or 180 days.
  • Review Comprehensive Report: After selecting the time frame, the dashboard will show a detailed report of user activity for the period.
faq-3-ac

How does monitoring email and file-sharing activities in Microsoft 365 improve security?

Keeping an eye on user activities in Exchange Online and SharePoint Online is crucial for robust security. Here's how monitoring email and file sharing activities can significantly improve your Microsoft 365 security:

  • Detect Anomalies in EXO: Use email security reports in Exchange Online to track unusual logins, suspicious file downloads, and excessive email forwarding to identify potential breaches and insider threats.
  • Enforce Data Loss Prevention (DLP) in SPO: Monitor sensitive data, such as credit card numbers and social security numbers, being shared externally to prevent accidental leaks. Implement DLP policies in SharePoint Online to safeguard this data.
  • Gain User Behavior Insights in O365: Understand typical email and file sharing patterns within your office 365 environment to identify anomalies that might signal account compromise.
  • Respond Faster to Threats: Early detection of suspicious activity within your M365 tenant allows for quicker response, minimizing damage from cyberattacks.
  • Maintain Compliance: Monitor activities to ensure adherence to compliance regulations and internal policies regarding data handling.

What is the retention period for user activity reports in Microsoft 365?

The data retention period for audit logs can differ based on your Microsoft 365 license tier. Here's a breakdown:

  • Microsoft 365 E5 or Microsoft 365 E5 Compliance Add-on Licenses For users with these licenses, audit log records are retained for one year by default.
  • Other Microsoft 365 or Microsoft 365 Licenses For users with all other license types (except E5), audit log records are retained for 180 days by default. (This is an improvement from the previous 90-day standard retention period implemented in October 2023.)
  • Microsoft 365 Audit Premium Add-on License The Microsoft 365 Audit Premium add-on license enhances activity monitoring with advanced auditing capabilities, including up to one-year log retention, detailed event logs, and intelligent insights.

Key factors to manage audit log retention in Microsoft Purview portal:

  • Audit log retention policies can be created and managed in the Microsoft Purview portal.
  • Licensing requirements determine how long audit logs are retained, with extended durations available for users with specific licenses.
  • Policies allow organizations to specify how long to retain audit logs, with options ranging up to 10 years.
  • Policies can be based on criteria such as Microsoft 365 services, specific activities, and user priorities.
  • The default audit log retention policy retains records for Exchange Online, SharePoint Online, OneDrive, and Microsoft Entra for one year.
  • Audit log retention policies can also be managed using PowerShell commands, providing flexibility and control.
  • Custom audit log retention policies take priority over default policies.

Forget data retention limits! Admindroid lets you keep historical data for as long as you need.

With Admindroid, override the default limit of native audit log retention and preserve the audit data indefinitely.

AdminDroid M365 User Activity TrackerMicrosoft 365 User Activity Tracking Made Easy with AdminDroid!

Using AdminDroid's Microsoft 365 auditing tool, you can unleash the full potential of your Office 365 tenant. It allows you to gain deep insights into user behavior, optimize access controls, boost security, and empower your team's productivity.

Experience the efficient method to track user activities in Microsoft 365 with AdminDroid!

The All Activities audit report provides detailed insights into user actions across all Microsoft 365 services, including Exchange Online, SharePoint Online, and Microsoft Teams. The report serves as a valuable resource for admins to manage Office 365 user activities effectively.

A Quick Summary

Analyze Failed Activities to Prevent Security Breaches

Consistently monitoring failed user activity is pivotal for promptly identifying failed activities across your tenant, thereby bolstering security protocols to preempt potential breaches.

Optimize User Activity Auditing with Delegation

Divide Microsoft 365 user activity auditing tasks among specific admins with granular access delegation, ensuring more accurate monitoring and reducing unwanted accesses.

Detailed Microsoft 365 User Activity Analytics

Easily gain insights into user activities with an intuitive dashboard. Identify and analyze user actions, roles, and access details efficiently, all-in-one comprehensive interface.

In-depth Monitoring of External User Activities in Microsoft 365

Ensure frequent and rigorous monitoring of all the Microsoft 365 external user activities, as they pose significant security risks through sharing sensitive data or involvement in data breaches.

Generate Alerts for Specific User Activity

Set up real-time alerts for a specific user activity in Microsoft 365 to ensure admins can act promptly in any situation.

Anomalous User Activity Detection

Identify and flag risky users exhibiting anomalous behavior by leveraging built-in Azure AD reports.

With AdminDroid’s Microsoft 365 user audit reports admins can keep an eye on all the users in the organization by tracking user activities like user creations, user deletion, user license changes, user password changes, and more. This comprehensive tracking helps ensure security and compliance within the organization.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps for tracking overall user activities in Microsoft 365

The following are possible errors and troubleshooting hints while dealing with tracking office 365 user activity.

Error: 'Cannot bind argument to <UserPrincipalName> because it is an empty string'

You will encounter this error when executing the PowerShell script without entering the UserPrincipalName of the user whose user activity is required.

Troubleshooting hint :Make sure to provide the UserPrincipalName while executing the script in the below format. 

./UserActivityReport.ps1 -UserID <UserPrincipalName> -Default

Error: Unable to execute the script with MFA enabled account.

You will encounter this error when executing the PowerShell script using the non-MFA account method for an MFA enabled account.

Troubleshooting hint :To execute the script using an MFA enabled global admin account, make sure to add the '–MFA' cmdlet postfix to the user ID in the format shown below: 

./UserActivityReport.ps1 -UserID <UserPrincipalName> -MFA –Default

Error: Reports might not reflect the most recent activity due to data processing delays.

An admin might encounter this problem in Microsoft 365 services, if the audit involves investigating a specific user activity that happened very recently (within the last few hours or even a day), there's a chance the data might not be reflected in the report.

Troubleshooting hint :Be aware of the reporting latency (usually 24-48 hours) and schedule reports accordingly.

Error: Limited functionality in user activity reports due to your Microsoft 365 subscription tier.

This message is displayed in Microsoft 365 services when users encounter limitations in accessing or generating activity reports due to the features available in their subscription tier.

Troubleshooting hint :Consider upgrading your subscription to access advanced reporting features or utilize free tools with limited capabilities.

Error: Cannot process argument transformation on parameter ResultSize. Cannot convert value 'Unlimited' to type 'System.Int32'.

This error occurs when you give value greater than 5000 for the Search-UnifiedAuditLog cmdlet.

Troubleshooting hint :The maximum limit of the Search-UnifiedAuditLog cmdlet is <=5000. Try giving the result size as exactly 5000 or less than that.