How to Audit User Activity with Microsoft Purview: A Practical Guide to Using the Unified Audit Log in Microsoft 365
Season 1
Published 8 months ago
Description
How to Audit User Activity with Microsoft Purview
Most audit logs are treated like a black box—something you only open when there’s a problem. In this episode, I walk through how to use Microsoft Purview’s unified audit logs to proactively understand who is doing what in your tenant, across Exchange, SharePoint, OneDrive, Teams and more, instead of scrambling through exports after an incident.
We start with what the Purview audit log actually captures and how to turn it on correctly. You’ll learn which activities are logged by default, how retention works, and what you need to configure so critical actions—like mailbox access, file sharing, admin changes and label activity—are available when you need them. We also cover the differences between standard and premium audit, so you know when extended retention and more detailed events are worth the extra license cost.
Then we go step by step through building useful audit searches instead of one-off queries. I show how to filter by user, workload, activity type and time range, how to save and reuse common queries, and how to export results in a way that's actually workable for investigations and regular reviews. You'll hear practical examples like "Which files did this user access before leaving the company?" or "Who changed these sharing policies last week?" and how to answer them quickly with Purview.
Finally, we connect auditing to ongoing monitoring and compliance. We talk about handing off saved queries to security or compliance teams, wiring audit exports into tools like Power BI or a SIEM for trend analysis, and setting basic expectations around who reviews what and how often. By the end, you'll be able to move from "we hope the logs are there if something happens" to a predictable way of using Purview audit as part of your regular security and compliance routine.
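The leaver question above ("Which files did this user access before leaving?") is the kind of search the episode describes. The following script is an added example, not code from the episode or from Microsoft. It runs the same search from Exchange Online PowerShell, so the query can be saved and re-run rather than rebuilt by hand in the portal. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can read audit logs (and, for the first check, change the audit configuration), and uses a placeholder user principal name and a 30-day window that you would replace.

```powershell
# Added example (not from the episode): pull a departing user's SharePoint/OneDrive
# file activity from the Purview unified audit log and export it to CSV.
# Assumes the ExchangeOnlineManagement module and an account with audit-read rights.
Connect-ExchangeOnline

# 1. Confirm unified audit log ingestion is on before searching. If it is off,
#    nothing has been recorded and every search below will come back empty.
#    (Reading/changing this setting needs an Exchange admin role, not just audit reader.)
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Parameters for "Which files did this user touch before leaving?"
#    Placeholder UPN; the window must fall inside your audit retention period.
$user      = 'departing.user@contoso.example'
$start     = (Get-Date).AddDays(-30).ToUniversalTime()
$end       = (Get-Date).ToUniversalTime()
$ops       = 'FileAccessed', 'FileDownloaded', 'FileSyncDownloadedFull', 'FileCopied'
$sessionId = "leaver-$user-$(Get-Date -Format yyyyMMddHHmmss)"

# 3. Page through results. One call returns at most 5000 records; a SessionId with
#    ReturnLargeSet makes repeated calls hand back successive pages until none remain.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user -RecordType SharePointFileOperation -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# 4. AuditData is a JSON string; flatten the fields an investigator actually reads.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Site      = $d.SiteUrl
        File      = $d.SourceFileName
        Object    = $d.ObjectId
    }
}

# 5. Export a reviewable artefact, sorted so the timeline reads top to bottom.
$rows | Sort-Object Time | Export-Csv -Path ".\leaver-audit-$user.csv" -NoTypeInformation
"{0} audit records exported for {1}" -f @($rows).Count, $user
Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth checking before trusting the output: ReturnLargeSet pages are not returned in time order, which is why the script sorts after collecting everything; and the -RecordType filter only covers SharePoint and OneDrive file operations, so the "who changed these sharing policies" question needs a different record type and operation set, or no record-type filter at all. Swapping the user, operations and date range turns this into the kind of saved query that can be handed to a compliance reviewer and run on a schedule.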
WHAT YOU’LL LEARN
- What Microsoft Purview audit logging captures across M365 workloads and how to enable it properly.
- The differences between standard and premium audit (including retention and depth of events).
- How to build and reuse practical audit searches for investigations and regular checks.
- How to plug audit data into ongoing monitoring instead of only using it after incidents.
The core insight of this episode is that audit logs are not just forensic evidence for worst‑case scenarios—they’re a continuous signal of how your environment is actually being used. Once you treat Purview audit as a regular input into security and compliance work, you gain visibility and patterns early, instead of discovering risky behavior only after something goes wrong.
WHO THIS EPISODE IS FOR