Site administrator or owner creates a group for a site, or performs a task that results in a group being created.

The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. Only verified admins can perform this operation.

Access features and services from the Classic Exchange admin center.

The tabs are your second level of navigation.

These tasks are performed an application on behalf of the user who created the group. Not all activities have a value in this column.

When an admin implements compliance features, such as retention policies, eDiscovery holds, and auto-applying sensitivity labels. Collaborate for free with online versions of Microsoft Word, PowerPoint, Excel, and OneNote.

The following table lists the user and admin activities in Yammer that are logged in the audit log. If your environment is configured to support Shifts apps, an additional activity group for these activities is available in the Activities picker list. You can use the JSON transform tool in the Power Query Editor in Excel to split AuditData column into multiple columns so that each property in the JSON object has its own column.

This activity is only logged for users with an Office 365 or Microsoft 365 E5 license.
Some common scenarios where a service account performs a search query include applying an eDiscovery holds and retention policy to sites and OneDrive accounts, and auto-applying retention or sensitivity labels to site content.

The following table describes the folder activities in SharePoint Online and OneDrive for Business. For more information, see The app@sharepoint user in audit records. Azure Active Directory (Azure AD) is the directory service for Office 365. These tables group related activities or the activities from a specific service. A user was added or removed as a delegate to the calendar of another user's mailbox.

The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business.

The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Workplace Analytics. Administrator updated an existing a retention policy. Each of the feature areas contains various tabs, each representing a complete feature. In the Recipients list view, you can also configure page size and export the data to a CSV file. Here are some tips for searching for Exchange admin activities when searching the audit log: To return entries from the Exchange admin audit log, you have to select Show results for all activities in the Activities list. The license assigned to a user what changed. A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell.

This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource. The date and time are presented in Coordinated Universal Time (UTC) format. The following table lists Azure AD role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal. View and manage your mailboxes, groups, resource mailboxes, contacts, shared mailboxes, and mailbox migrations. Keyword boxes are displayed under each column header. User successfully downloads any changes to files from a document library.

For more information, see The app@sharepoint user in audit records. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder.

If your organization participated in the private preview program for the one-year retention of audit records, the retention duration for audit records that were generated before the general availability rollout date will not be reset. To return this activity in the audit log search results, you have to search for all activities. A user created a SharePoint list column. This event is logged to indicate that the page content has been served to the user's client. The Me tile allows you to sign out of the Classic Exchange admin center and sign in as a different user. When we do perform these activities, the data in transit is encrypted.

An item was changed so that it no longer inherits sharing permissions from its parent. When you click most tabs, you'll see a toolbar. See the Audited activities section in this article for a list and description of the activities that are audited.

You can also submit a design change request (DCR) to Microsoft Support.

This means you may see duplicate events without a final Security State change. An authentication permission was updated for an application in Azure AD.

To do this, go to https://outlook.office365.com/ecp and sign in using your credentials. You can also use the search box to display the activities that contain the keyword that you type. To display events from the Exchange admin audit log, type a - (dash) in the Activity filter box. For descriptions of the detailed information, see Detailed properties in the audit log.

Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). When the results are displayed, click Filter results.

By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Form owner deletes a form. A folder permission was removed.

The most used services like Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Dynamics 365, Advanced Threat Protection, and Power BI are audited. When you select a tab, in most cases you'll see a list view.

For sharing events, the Detail column under Results identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. No.

To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option. A user moved a SharePoint list item to the Recycle Bin.

Manage remote domains and accepted domains, add connectors, trace messages and manage alert and alert policies. These activities include creating, launching, and publishing an app. A mailbox owner or other user with access to the mailbox modified an inbox rule in the Outlook client. A user created a site content type. After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. A folder permission was changed. If the Start recording user and admin activity link is displayed, click it to turn on auditing. Removed credentials from a service principal.

Here are a few other scenarios where app@sharepoint may be identified in an audit record as the user who performed an activity: Microsoft 365 Groups. For more information, see Using data classification content explorer. To mitigate this behavior, consider using different searches to export the results for activities from a single service. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.

This activity is often logged following a PagePrefetched event for a page.

To get started, see Get started with Office 365 Management APIs. User copies a folder from a site to another location in SharePoint or OneDrive for Business. A list column is a column that's attached to one or more SharePoint lists. The copied file can be saved to another folder on the site.

A site column is also a metadata structure that can be used by any list in a given web. See Exchange admin center in Exchange Server.

User deletes a folder from the second-stage recycle bin on a site. You can specify which user agents to exempt from receiving an entire web page to index. Administrator created a new retention policy. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library. A member is usually an employee, and a guest is usually a collaborator outside of your organization. The list view in the Classic Exchange admin center is designed to remove limitations that existed in Exchange Control Panel.

Are you using Exchange Online Protection? Over 100 user and admin activities are logged in the audit log. Click one of the boxes under a column header and type a word or phrase, depending on the column you're filtering on.

Sign in using your work or school account. For more information about quarantine, see Quarantine email messages in Office 365.
For more detailed information about admin audit logging in Exchange, see Administrator audit logging. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria.

A user updated a SharePoint list column by modifying one or more properties. Events from this audit log display a cmdlet name (for example, Set-Mailbox) in the Activity column in the results. For a description of these activities, see the "Actions logged in Stream" section in Audit Logs in Microsoft Stream. Set the property that enables a directory for Azure AD Sync. For descriptions of the Teams activities that are audited, see Search the audit log for events in Microsoft Teams.

This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to. This makes indexing InfoPath forms faster. See Step 3: Filter the search results for more information about filtering the results.