Table of contents
Enabling Microsoft 365 audit logs allows WorkSights to process advanced activity metadata from SharePoint, OneDrive, Teams Chat, Azure AD logins, and additional Exchange signals.
Outlook email and calendar activity continue working without audit logs, but audit logs, but audit logging unlocks the full activity model.
Audit logs contain metadata only. WorkSights never receives message bodies, file content, attachments, or chat text.
What Audit Logs Enable
Once audit logging is active and ingestion is propagating, WorkSights process:
- SharePoint and OneDrive file interactions
- Teams Chat message-sent events
- Azure AD login events (timestamp, IP, device metadata)
- Additional Exchange metadata that improves classification (e.g., mailbox events)
Audit logs do not include:
- Email content or attachments
- Chat content
- File content
- Screenshots or monitoring data
Prerequisites
Only a Microsoft 365 Global Admin can enable audit log ingestion. You will need:
- A Global Admin account
- Exchange Online PowerShell v2 (EXO V2) module
- Sufficient time for Microsoft to propagate ingestion
- Awareness that Microsoft Purview UI may show On while ingestion is still inactive. Double-check in PowerShell
Verify Whether Audit Logging Is Active
- Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName <admin@yourdomain.com>
- Check Unified Audit Log Ingestion Status
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
True → Ingestion is active.
False → Tenant is not producing audit logs for WorkSights, even if the Purview UI shows otherwise. This discrepancy is common.
Enable Audit Log Ingestion
- Enable Unified Audit Log Ingestion
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Microsoft warning about a 60-minute delay is expected. In practice, propagation can take several hours.
- Re-verify After Propagation
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
The value must return True before WorkSights can establish subscriptions.
Allow Time for Microsoft Processing
Even after ingestion is enabled, Microsoft must internally activate the audit pipeline. During this period WorkSights may temporarily show:
- Empty audit feeds
- Subscription errors
- “Tenant does not exist” responses
- Missing Teams or file activity
These resolve automatically once Microsoft finishes activating ingestion. No action is required in WorkSights.
WorkSights Audit Subscription
When your tenant begins producing audit content, WorkSights automatically creates secure subscription for:
- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.SharePoint
- Audit.General (Teams chat)
No manual Microsoft configuration is required beyond enabling ingestion.
WorkSights filters out system-generated noise and processes only user-initiated metadata relevant to activity classification.
Confirming Audit Data in WorkSights
Once ingestion and subscriptions are active, WorkSights displays:
- SharePoint/OneDrive file interactions
- Teams chat message-sent event
- Azure ID login events
- Additional Exchange mailbox metadata
Audit data refreshes multiple times per day. Email and calendar continue to update more frequently and do not depend on audit logs.
Troubleshooting
UI shows “Audit logs: On” but WorkSights shows no data
- Verify via PowerShell:
Get-AdminAuditLogConfig
- If False – enable ingestion via PowerShell.
WorkSights shows “Tenant Does Not Exist”
Confirm ingestion is True. Allow additional propagation time.
No SharePoint or OneDrive data
Audit logs not yet producing file interactions. Some tenants begin file audit output later than others.
No Teams Chat data
Teams chat requires audit logs. Only message-sent events appear; no chat content is ever transmitted.
No login activity
Azure ID login events depend on audit ingestion. Allow additional propagation time.
Privacy and Security
Enabling audit logs does not change WorkSights privacy model. WorkSights receives only:
- Event type
- Timestamp
- Device/IP metadata
- File names or email/meeting subjects (metadata only)
WorkSights does not receive email bodies, chat messages, file content, attachments, screenshots, keystrokes, or monitoring data. All data is retrieved through Microsoft’s secure audit interfaces and remains under your tenant’s compliance governance.
Microsoft Propagation Notes
Microsoft periodically updates the behavior and timing of Unified Audit Log propagation. As a result:
- Activation times may vary
- Some content types may begin appearing earlier than others
- PowerShell status remains the authoritative indicator
WorkSights automatically adapts to these variations without requiring further configuration.
Summary
Enabling Microsoft 365 audit logs unlocks SharePoint/One Drive activity, Teams Chat events, login events, and additional Exchange metadata.
WorkSights manages all subscriptions automatically once ingestion is active.
Full activity visibility begins as soon as Microsoft starts producing audit content for your tenant.