🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Track User Activities in Microsoft 365

It's essential to keep track of how employees use Microsoft 365 services like Exchange Online, SharePoint Online, and Teams in larger organizations. Juggling the task of monitoring user activities across multiple portals, from emails to file sharing and beyond, while managing access permissions, is undeniably challenging and time-consuming. Don't worry! This guide will show you effective ways to check user activities in Microsoft 365 and spot any unusual actions.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
Global administrator, Global reader or Reports reader.
  • Login to the Microsoft Purview portal.
  • Navigate to Audit under Solutions.
  • Select the desired Date and Time Range for which you wish to get the history of user activities.
  • If you wish to track specific activities, you can filter the actions in the Activities field. To explore all user activities in M365, simply run Search after choosing the desired time range.
Using Microsoft Purview Compliance Portal

Once the search is completed, we can see all the activities performed by your organizational users.

microsoft-purview-result

Using Windows PowerShell

Microsoft 365 Permission Required
Global administrator, Global reader or Reports reader.
  • Before you begin, make sure you have installed and connected to Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell 
     Install-Module -Name ExchangeOnlineManagement 

Connect- ExchangeOnline
  • Run the following cmdlet to retrieve all activities of a specific user in your organization.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -User <UserPrincipalName> -StartDate "MM/DD/YYYY" -EndDate "MM/DD/YYYY"
Using Windows PowerShell

Using PowerShell Script

Microsoft 365 Permission Required
Global administrator, Global reader or Reports reader.
  • As the previous cmdlet could only generate up to 5000 entries per instance, we have created a PowerShell script to generate a comprehensive usage statistics report for users in your Microsoft 365 environment.
  • Download and run the following script to export office 365 user activity report for your organization.
Using PowerShell Script
Office 365 User Activity Report.ps1
AdminDroid M365 User Activity Tracker

Microsoft 365 User Activity Tracking Made Easy with AdminDroid!

Using AdminDroid's Microsoft 365 auditing tool, you can unleash the full potential of your Office 365 tenant. It allows you to gain deep insights into user behavior, optimize access controls, boost security, and empower your team's productivity.

Analyze Failed Activities to Prevent Security Breaches

Consistently monitoring failed user activity is pivotal for promptly identifying failed activities across your tenant, thereby bolstering security protocols to preempt potential breaches.

Optimize User Activity Auditing with Delegation

Divide Microsoft 365 user activity auditing tasks among specific admins with granular access delegation, ensuring more accurate monitoring and reducing unwanted accesses.

Detailed Microsoft 365 User Activity Analytics

Easily gain insights into user activities with an intuitive dashboard. Identify and analyze user actions, roles, and access details efficiently, all-in-one comprehensive interface.

In-depth Monitoring of External User Activities in Microsoft 365

Ensure frequent and rigorous monitoring of all the Microsoft 365 external user activities, as they pose significant security risks through sharing sensitive data or involvement in data breaches.

Generate Alerts for Specific User Activity

Set up real-time alerts for a specific user activity in Microsoft 365 to ensure admins can act promptly in any situation.

Anomalous User Activity Detection

Identify and flag risky users exhibiting anomalous behavior by leveraging built-in Azure AD reports.

With AdminDroid’s Microsoft 365 user audit reports admins can keep an eye on all the users in the organization by tracking user activities like user creations, user deletion, user license changes, user password changes, and more. This comprehensive tracking helps ensure security and compliance within the organization.

Explore a full range of reporting options
Download Live Demo

Important Tips

Monitor external user activities to prevent any unnecessary security conflicts that happen inside your Microsoft 365 environment.

Analyze Microsoft 365 resource usage and easily identify inactive accounts to enhance productivity.

Adopt a least-privilege approach by granting users only the necessary access for their roles. Regularly review and update permissions for accuracy.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while dealing with tracking office 365 user activity.

Error 'Cannot bind argument to <UserPrincipalName> because it is an empty string'

You will encounter this error when executing the PowerShell script without entering the UserPrincipalName of the user whose user activity is required.

Fix Make sure to provide the UserPrincipalName while executing the script in the below format. 
./UserActivityReport.ps1 -UserID <UserPrincipalName> -Default

Error Unable to execute the script with MFA enabled account.

You will encounter this error when executing the PowerShell script using the non-MFA account method for an MFA enabled account.

Fix To execute the script using an MFA enabled global admin account, make sure to add the '–MFA' cmdlet postfix to the user ID in the format shown below: 
./UserActivityReport.ps1 -UserID <UserPrincipalName> -MFA –Default

Error Reports might not reflect the most recent activity due to data processing delays.

An admin might encounter this problem in Microsoft 365 services, if the audit involves investigating a specific user activity that happened very recently (within the last few hours or even a day), there's a chance the data might not be reflected in the report.

Fix Be aware of the reporting latency (usually 24-48 hours) and schedule reports accordingly.

Error Limited functionality in user activity reports due to your Microsoft 365 subscription tier.

This message is displayed in Microsoft 365 services when users encounter limitations in accessing or generating activity reports due to the features available in their subscription tier.

Fix Consider upgrading your subscription to access advanced reporting features or utilize free tools with limited capabilities.

Error Cannot process argument transformation on parameter ResultSize. Cannot convert value 'Unlimited' to type 'System.Int32'.

This error occurs when you give value greater than 5000 for the Search-UnifiedAuditLog cmdlet.

Fix The maximum limit of the Search-UnifiedAuditLog cmdlet is <=5000. Try giving the result size as exactly 5000 or less than that.
Azure AD
Frequently Asked Questions

Identify Suspicious Activity & Strengthen M365 Security with User Activity Monitoring

What are the user activity audit logs available in Microsoft Purview Compliance Portal?
Why is it necessary to monitor user behaviour in Microsoft 365?
How to track the user activity in Microsoft 365 admin center?
How does monitoring email and file-sharing activities in Microsoft 365 improve security?
What is the retention period for user activity reports in Microsoft 365?

1. What are the user activity audit logs available in Microsoft Purview Compliance Portal?

In Microsoft 365, various types of user activities can be tracked through audit logs. Those key activities are listed below:

  • User’s Sign-in Activities: Keeps track of when Microsoft users login and log out, including successful and failed log-in attempts.
  • EXO Mailbox Activities: Monitoring actions such as sending, receiving, forwarding deleting, or moving emails within Exchange Online.
  • SPO File and Folder Activities: Tracks user interactions on files & folders in SharePoint Online and OneDrive for Business that includes views, edits, uploads, downloads, and deletions.
  • External Sharing and Collaboration Activities: Monitors user activities related to sharing files, folders, & sites that include invitations sent, and granting & revoking permissions during external collaboration.
  • MS Teams Collaboration Activities: Tracks user interactions within Microsoft Teams, such as channel creations, posting messages, file sharing, and meeting attendance.
  • Security and Compliance: Recording security-related events, such as policy changes, malware detection, data loss prevention (DLP) violations, and suspicious sign-in attempts.

AdminDroid allows you to simply monitor user activities based on geography, department, job title, and other parameters.

  • With the Microsoft 365 Usage and Adoption dashboard, you gain insights into user engagement by reviewing the number of activities, active users, and licensed users across different categories. This dashboard can be accessed from Dashboards»Usage & Adoption.
  • View activities by specific departments, job titles, cities, or states using the filters available for Event Time, Workload, and Operation.
faq-1

2. Why is it necessary to monitor user behaviour in Microsoft 365?

Monitoring Microsoft 365 user behaviour is essential for understanding how users interact with the M365 services, helping organizations to optimize productivity, enhance security, and improve the user experience. Some key aspects include:

  • Proactively tracking employee activities can provide valuable insights into their Microsoft 365 service usage, licensing optimization, and other essential information.
  • It helps in identifying and responding to unusual or unauthorized activities to prevent security breaches and insider threats.
  • One of the main reasons for tracking user behavior is to maintain adherence to compliane regulations and internal policies by generating audit trails and compliance reports.

These logs serve as a crucial tool for ensuring accountability and safeguarding organizational assets.

Optimizing Analysis: Effective Techniques for Microsoft 365 User Activity Logs

  • Filtering Logs: Narrow down the audit logs by specifying the time frame, usernames, activities, and other relevant criteria to focus on specific events of interest.
  • Identifying Anomalies: Look for any unusual or suspicious activities that may indicate potential security threats or policy violations within the organization.
  • Correlating Events: Associate audit events to identify unusual patterns or trends in user behavior, such as unauthorized access attempts, privilege escalation, or data exfiltration.
  • Investigating Incidents: Investigate any identified incidents or security breaches by analyzing the details provided in the audit logs, including performed users, the affected resources, and the actions performed.
  • Documenting Findings: For future reference and reporting needs, record the results of the audit log analysis, including any suspicious activity, security events, or compliance violations.

By following these steps, admins can effectively analyze office 365 audit logs to gain insights into user activities, detect security threats, and ensure compliance with regulatory requirements.

Note: By default, Microsoft 365 retains audit logs for 180 days. However, if you have an Audit Premium license, you can retain audit logs for up to one year (365 days) or longer, depending on your organization's compliance needs.

Admindroid offers detailed insights into user interactions in Microsoft 365, featuring a dashboard with visualizations like maps, pie charts, bar charts, and heat maps for thorough analysis of user activities.

  • Make use of the user activity reports available in AdminDroid under Analytics»Audit Analytics»Audit Events with User Details .
  • Choose Detailed chart view in the Graphical charts tab of any chosen report from the given directory.
  • These visualizations help in identifying user trends, peak activity times, and potential areas of concern, facilitating better management and optimization of the organization's Microsoft 365 resources.
user-analytics-chart-view

3. How to track the user activity in Microsoft 365 admin center?

Before we begin, here’s the main difference between audit Purview user activities and admin center user activity reports:

  • Audit Logs in Microsoft Purview Portal This portal provides comprehensive monitoring of user activities, including administrative actions, security-related events, changes made by users, etc. It tracks activities such as file access attempts, mailbox changes, and permission modifications, helping to identify potential risks and ensure compliance.
  • User Activity Reports in Microsoft 365 Admin Center It provides a broader view of general user engagement with Microsoft 365 services. It shows how many users are using specific features like email, OneDrive storage, Teams chat, Teams meeting, and so on. This helps with license management and productivity enhancement.

Access user activity reports in the Microsoft 365 admin center:

Usage reports in the Microsoft 365 admin center provide insightful visualizations of user activity and resource utilization, allowing admins to identify active & inactive users to optimize productivity across all M365 services.

  • Sign in to Microsoft 365 admin center and navigate to Usage Reports.
  • Choose Time Frame: On the Active Users dashboard, pick the time frame - like past 7, 30, 90, or 180 days.
  • Review Comprehensive Report: After selecting the time frame, the dashboard will show a detailed report of user activity for the period.
faq-3-ac

4. How does monitoring email and file-sharing activities in Microsoft 365 improve security?

Keeping an eye on user activities in Exchange Online and SharePoint Online is crucial for robust security. Here's how monitoring email and file sharing activities can significantly improve your Microsoft 365 security:

  • Detect Anomalies in EXO: Use email security reports in Exchange Online to track unusual logins, suspicious file downloads, and excessive email forwarding to identify potential breaches and insider threats.
  • Enforce Data Loss Prevention (DLP) in SPO: Monitor sensitive data, such as credit card numbers and social security numbers, being shared externally to prevent accidental leaks. Implement DLP policies in SharePoint Online to safeguard this data.
  • Gain User Behavior Insights in O365: Understand typical email and file sharing patterns within your office 365 environment to identify anomalies that might signal account compromise.
  • Respond Faster to Threats: Early detection of suspicious activity within your M365 tenant allows for quicker response, minimizing damage from cyberattacks.
  • Maintain Compliance: Monitor activities to ensure adherence to compliance regulations and internal policies regarding data handling.

5. What is the retention period for user activity reports in Microsoft 365?

The data retention period for audit logs can differ based on your Microsoft 365 license tier. Here's a breakdown:

  • Microsoft 365 E5 or Microsoft 365 E5 Compliance Add-on Licenses For users with these licenses, audit log records are retained for one year by default.
  • Other Microsoft 365 or Microsoft 365 Licenses For users with all other license types (except E5), audit log records are retained for 180 days by default. (This is an improvement from the previous 90-day standard retention period implemented in October 2023.)
  • Microsoft 365 Audit Premium Add-on License The Microsoft 365 Audit Premium add-on license enhances activity monitoring with advanced auditing capabilities, including up to one-year log retention, detailed event logs, and intelligent insights.

Key factors to manage audit log retention in Microsoft Purview portal:

  • Audit log retention policies can be created and managed in the Microsoft Purview portal.
  • Licensing requirements determine how long audit logs are retained, with extended durations available for users with specific licenses.
  • Policies allow organizations to specify how long to retain audit logs, with options ranging up to 10 years.
  • Policies can be based on criteria such as Microsoft 365 services, specific activities, and user priorities.
  • The default audit log retention policy retains records for Exchange Online, SharePoint Online, OneDrive, and Microsoft Entra for one year.
  • Audit log retention policies can also be managed using PowerShell commands, providing flexibility and control.
  • Custom audit log retention policies take priority over default policies.

Forget data retention limits! Admindroid lets you keep historical data for as long as you need.

With Admindroid, override the default limit of native audit log retention and preserve the audit data indefinitely.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Track User Activities in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo