Setting up an O365 Dev Tenant – Part 5 – Turning on O365 Auditing


Introduction

In this series of posts, I will explain how you can set up a Development O365 Tenant quickly. Using PowerShell scripts, at the end of this process, you will have:

  • An O365 Development Tenant with 25 “DEVELOPERPACK” Licenses.
  • 25 Users assigned a license
  • A total of 274 Users added to the Tenant
    • Set up for multiple offices
    • Organisationally structured
  • All users will be MFA enabled
  • All users will have photos added to their accounts
  • Enabling Office 365 Auditing
  • Setting up the SharePoint Tenant Settings and enabling Public CDN for SPFX

Unfortunately, I have found it impossible to do the following via PowerShell scripts, and these would need to be done manually. I haven’t included this information within these blog posts.

  • Create a Tenant App Catalog
  • Set Organisation Details
  • Set Login Branding
  • Set Tenant Branding

Obtaining the code

I have stored my code on GitHub at the following URL for cloning. https://github.com/pmatthews05/SetupDevTenant.git

Turning on and setting permissions for Office 365 Auditing

At the URL https://protection.office.com you have access to the Security & Compliance Center. There is a lot you can do in this area of O365, but I am just going to talk about Auditing in this post.

In the left-hand navigation of Office 365 Security & Compliance, expand Search and select Audit Log Search. Yours should look like the screenshot above, with a yellow banner stating that you need to turn auditing on. The button at the end of the banner turns it on.

My script, Set-Office365Auditing.ps1, not only turns on Auditing but also assigns a group of users view-only access to the Audit logs.

Enable-OrganizationCustomization

Before you can run my script, the above command needs to be run first, and you need to wait a while before you can run my script below. Due to the time I was working on this blog, I ended up waiting 24 hours before I ran my next script. I’m not sure how long you have to wait.

You need to use the Microsoft Exchange Online PowerShell Module. If you haven’t already downloaded this from part 3 of this series, please follow my previous blog about how to do this correctly. https://cann0nf0dder.wordpress.com/2019/04/14/unable-to-download-the-exchange-online-powershell-module-deployment-and-application-do-not-have-matching-security-zones/

Open Microsoft Exchange Online PowerShell Module. You will need to connect first, before running the script. It allows you to control the signing in.

Connect-EXOPSSession -userPrincipalName [user.name]@[tenant].onmicrosoft.com

Now you can run

Enable-OrganizationCustomization 

Running Set-Office365Auditing.ps1

This script uses the Microsoft Exchange Online PowerShell Module and the ViewAuditUsers.csv file. It will:

  • Create a new RoleGroup called “View Audits Only”
  • Add Users from the CSV file to the RoleGroup
  • Lastly it will turn on Auditing for O365.

Before you run any code, you will need to replace [User.Name] on line 2 of the ViewAuditUsers.csv with your User Name.

Open Microsoft Exchange Online PowerShell Module. You will need to connect first, before running the script. It allows you to control the signing in.

Connect-EXOPSSession -userPrincipalName [user.name]@[tenant].onmicrosoft.com

Now you are connected, you can call the Set-Office365Auditing.ps1 file.

.\Set-Office365Auditing.ps1 -Path:'.\data\ViewAuditUsers.csv' -TenantDomain:'[mytenant].onmicrosoft.com' 

Replace [mytenant] with your tenant name.
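
The three steps listed above can be sketched as follows, with a final check that auditing is on and that the group holds only a read-only role. This is an added example, not the Set-Office365Auditing.ps1 from the repository. It assumes an open Connect-EXOPSSession session, a CSV header column named UserName, and the built-in "View-Only Audit Logs" management role as the way to grant view-only access.

```powershell
# Added example (not the author's script). Run inside a connected
# Exchange Online PowerShell session, after Enable-OrganizationCustomization.
param(
    [Parameter(Mandatory)][string]$Path,          # e.g. .\data\ViewAuditUsers.csv
    [Parameter(Mandatory)][string]$TenantDomain   # e.g. [mytenant].onmicrosoft.com
)

$groupName = 'View Audits Only'

# Build UPNs from the CSV. "UserName" is an assumed column name.
# Skip blank rows and any placeholder such as [User.Name] left unreplaced.
$upns = Import-Csv -Path $Path |
    Where-Object { $_.UserName -and $_.UserName -notmatch '^\[.*\]$' } |
    ForEach-Object { '{0}@{1}' -f $_.UserName.Trim(), $TenantDomain }

# 1. Create the role group only if it is missing, so re-runs are harmless.
#    "View-Only Audit Logs" allows searching the log but not changing audit config.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles 'View-Only Audit Logs' | Out-Null
}

# 2. Add each user; report failures (unknown user, already a member) and continue.
foreach ($upn in $upns) {
    try {
        Add-RoleGroupMember -Identity $groupName -Member $upn -ErrorAction Stop
    } catch {
        Write-Warning "Could not add ${upn}: $($_.Exception.Message)"
    }
}

# 3. Turn on unified audit log ingestion for the tenant.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Verify: ingestion flag, roles held by the group, and its current members.
# Anything beyond the read-only role or the CSV users deserves a second look.
[pscustomobject]@{
    AuditIngestionEnabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    GroupRoles            = (Get-RoleGroup -Identity $groupName).Roles -join ', '
    GroupMembers          = (Get-RoleGroupMember -Identity $groupName).Name -join ', '
}
```

Read the ingestion flag from an Exchange Online session as shown here; the same cmdlet run in a Security & Compliance Center PowerShell session reports False regardless of the real setting.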

If you now head to the Exchange admin center.

Viewing Audit Logs

At the URL https://protection.office.com you have access to the Security & Compliance Center. In the left hand navigation of Office 365 Security & Compliance, expand Search and select Audit Log Search. As you have just turned on Auditing, you might see the yellow/orange message that I have on my screen shot below.

Because you started recording user and admin activities within the last 24 hours, some activities might not show up in search results yet.

After a little while (at least an hour), you will start receiving results when you click Search.

A user who doesn’t have access, because you haven’t given them View Audits permission, will get an error message when going directly to the URL.

In this blog post we have turned on the Office 365 Auditing and assigned a few users to have access. In my next and last blog post in this series, I will be setting up my SharePoint tenant admin properties and ensuring public CDN is turned on for SPFX.
