M365 Auditor
Produce a Microsoft 365 audit specification that covers audit log query design, report templates, alert rules, and retention configuration for financial services compliance requirements. The output must be ready for use by a Microsoft Purview administrator and IT security team.
Audit Log Sources and Enablement
Verify and document audit enablement status for each workload:
| Workload | Audit Source | Enable Command |
|---|---|---|
| Exchange Online | Microsoft Purview Audit | Enabled by default for E3/E5 |
| SharePoint Online | Microsoft Purview Audit | Enabled by default |
| Microsoft Teams | Microsoft Purview Audit | Enabled by default |
| Azure AD / Entra ID | Microsoft Purview Audit | Enabled by default |
| Power Platform | Microsoft Purview Audit | Must be enabled per environment |
| Microsoft Defender for O365 | Defender portal | Separate configuration |
Audit log retention tier:
| License | Retention Period | Coverage |
|---|---|---|
| E3 or Business Premium | 90 days | Standard audit |
| E5 | 1 year | Standard + advanced audit |
| Microsoft Purview Audit (Premium) add-on | 1 year or 10 years | Advanced audit events |
For FINRA-regulated broker-dealers: 10-year retention add-on is required for broker communications (FINRA Rule 17a-4). For state-regulated insurance agencies: confirm state-specific retention requirements (typically 5-7 years). Document the license tier and resulting retention period for this client.
Key Audit Event Categories
User Authentication and Identity
Events to capture and review:
| Operation | Description | Risk Signal |
|---|---|---|
| UserLoggedIn | Successful sign-in | Baseline — look for anomalous locations |
| UserLoginFailed | Failed sign-in | >5 failures = potential brute force |
| MFADenied | MFA challenge denied | User denying legitimate login |
| UserPasswordChanged | Password change | Verify it was user-initiated |
| Set-MsolUserPassword | Admin password reset | Privilege action — must be logged |
| Add member to role | Role assignment | Any admin role grant requires review |
| Remove member from role | Role removal | Ensure it was authorized offboarding |
Document Access and Sharing
| Operation | Description | Risk Signal |
|---|---|---|
| FileAccessed | File opened or downloaded | Baseline — look for bulk access |
| FileDownloaded | File downloaded to device | >50 files in 1 hour = alert |
| SharingInvitationCreated | External share initiated | Any sharing outside approved domains |
| AnonymousLinkCreated | Anyone link created | Should be blocked by policy — if seen, alert |
| FileDeleted | File deleted | Bulk deletion (>20 files) = alert |
| FileModified | File edited | Useful for content audit trails |
Email Activity
| Operation | Description | Risk Signal |
|---|---|---|
| Send | Email sent | High volume from single user |
| SendAs | Email sent as another identity | Any occurrence warrants review |
| HardDelete | Email permanently deleted | During investigation period = alert |
| MessageForwardingRuleEnabled | Auto-forward rule created | External auto-forward = data exfiltration risk |
| New-InboxRule | New inbox rule | Check destination for external address |
Teams Activity
| Operation | Description | Risk Signal |
|---|---|---|
| TeamCreated | New team created | Verify naming policy compliance |
| MemberAddedToTeam | Member added | External guest added = review |
| ChatMessageSent | Chat message | Keyword detection for compliance |
| FileUploadedToChannel | File uploaded | Large file uploads |
| MeetingRecordingCreated | Recording started | Verify recording policy compliance |
Admin Configuration Changes
| Operation | Description | Risk Signal |
|---|---|---|
| Set-TransportRule | Mail flow rule changed | All changes require change ticket |
| Set-AdminAuditLogConfig | Audit config changed | Attempt to disable auditing = critical alert |
| New-RoleGroupMember | Admin role granted | Privileged access change |
| Set-RetentionCompliancePolicy | Retention policy changed | Compliance risk |
Query Design Templates
Provide ready-to-use Search-UnifiedAuditLog PowerShell query templates.
Weekly security summary query:
# Run every Monday for prior week
$StartDate = (Get-Date).AddDays(-7).ToString("MM/dd/yyyy")
$EndDate = (Get-Date).ToString("MM/dd/yyyy")
# Authentication failures
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
-Operations "UserLoginFailed" `
-ResultSize 1000 |
Select-Object -ExpandProperty AuditData |
ConvertFrom-Json |
Select-Object CreationTime, UserId, Operation, ClientIPAddress, UserAgent |
Export-Csv ".\weekly-auth-failures.csv" -NoTypeInformation
# External sharing events
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
-Operations "SharingInvitationCreated","AnonymousLinkCreated" `
-ResultSize 1000 |
Select-Object -ExpandProperty AuditData |
ConvertFrom-Json |
Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
Export-Csv ".\weekly-external-sharing.csv" -NoTypeInformation
# Admin role changes
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
-Operations "Add member to role.","Remove member from role." `
-ResultSize 500 |
Select-Object -ExpandProperty AuditData |
ConvertFrom-Json |
Select-Object CreationTime, UserId, Operation, ModifiedProperties |
Export-Csv ".\weekly-role-changes.csv" -NoTypeInformation
On-demand examination evidence query (for regulatory examiner requests):
# Query specific user activity for examination period
param(
[string]$UserEmail,
[string]$StartDate, # MM/dd/yyyy
[string]$EndDate # MM/dd/yyyy
)
$Operations = @(
"Send","FileAccessed","FileDownloaded","FileDeleted",
"UserLoggedIn","UserLoginFailed","SharingInvitationCreated"
)
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
-UserIds $UserEmail `
-Operations $Operations `
-ResultSize 5000 |
Select-Object -ExpandProperty AuditData |
ConvertFrom-Json |
Select-Object CreationTime, UserId, Operation, ObjectId, ClientIPAddress, UserAgent |
Sort-Object CreationTime |
Export-Csv ".\examination-evidence-$UserEmail.csv" -NoTypeInformation
Report Templates
Weekly Security Summary
Delivered every Monday. Sections:
- Authentication overview: Total sign-ins, failed sign-ins by user, MFA events, new IP addresses
- Sharing activity: External shares initiated, anonymous links (should be zero), external guests added to Teams
- Privilege changes: Admin role grants and removals, policy changes
- Anomaly highlights: Any event exceeding alert thresholds from the prior week
- Open items: Alerts from prior week requiring follow-up
Monthly Compliance Report
Delivered first business day of each month. Sections:
- User activity summary: Active users, inactive users (>30 days no sign-in)
- Data loss prevention: DLP policy match counts by policy, false positive rate
- External collaboration: External users with active access, external shares, guest users added/removed
- Retention compliance: Items subject to retention policies, holds applied
- Admin activity log: All admin actions during the month
- Incidents: Any security incidents, escalations, or exceptions granted
Examination Evidence Package
On-demand, per examiner request. Contents:
- Cover memo: Scope of request, date range, custodians included
- Email activity export: All sent/received emails for specified users and period (Exchange audit log)
- Document access log: All file access and sharing events for specified users
- Communication archive: Teams chat export (requires Microsoft Purview eDiscovery)
- Chain of custody statement: How data was extracted, who extracted it, what tools were used
Alert Rules
Configure Microsoft Sentinel or Microsoft Defender for Identity (or equivalent SIEM) to alert on:
| Alert Name | Condition | Severity | Notification |
|---|---|---|---|
| Bulk file download | >50 files downloaded by one user in 60 minutes | High | Security team email + Teams post |
| External auto-forward detected | New-InboxRule with external forward destination | Critical | Immediate page to security lead |
| Anonymous link created | AnonymousLinkCreated operation detected | High | Security team email |
| Admin role granted | Add member to role (any admin role) outside change window | Medium | IT manager email |
| Audit config changed | Set-AdminAuditLogConfig | Critical | Immediate page — auditing may be compromised |
| Login from new country | User authenticates from country not in baseline | Medium | User notification + security team |
| Multiple failed MFA | >3 MFA failures for one user in 30 minutes | High | Security team email |
| Mass email deletion | >100 emails HardDeleted in 24 hours | High | Security team email |
Audit Log Retention Configuration
Document the retention configuration to be applied:
# Set 10-year audit retention for regulated users (FINRA)
Set-MailboxAuditBypassAssociation -Identity "service@firm.com" -AuditBypassEnabled $false
# Enable mailbox auditing for all users (verify it's on)
Get-Mailbox -ResultSize Unlimited |
Where-Object {$_.AuditEnabled -eq $false} |
Set-Mailbox -AuditEnabled $true
# Verify audit log retention tier
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled, AdminAuditLogEnabled
For Microsoft Purview Audit (Premium) 10-year retention: Must be assigned per-user via the Compliance portal > Audit > Audit retention policies. Create a policy with 10-year duration and assign to all licensed users in regulated roles.
Output Format
Deliver as:
- Audit enablement status table (workload, enabled/not, retention period)
- Key event catalog organized by category (authentication, document, email, Teams, admin)
- PowerShell query library (one code block per query template, with usage instructions)
- Alert rule table with all fields
- Report templates (one section per report type with exact contents list)
- Retention configuration steps
- Regulatory mapping (which specific FINRA rules, state insurance regulations, or internal policies each audit control satisfies)