Last updated: July 3rd, 2026

Microsoft 365 Audit Log Activation

Microsoft 365 audit logging unlocks a significant portion of the Microsoft 365 signal model. Without it, Teams chat, OneDrive and SharePoint file activity, and login events do not appear in WorkSights. Outlook email, calendar, and Teams calls are available regardless.

This guide covers how to verify whether audit logging is active for your tenant and how to enable it if not.

What Audit Logs Enable

Once audit logging is active, WorkSights can process SharePoint and OneDrive file interactions, Teams chat message events, login events with timestamp and network metadata, and additional Exchange metadata that improves email coverage. Audit logs contain metadata only. Message bodies, file contents, chat text, and attachments are never received.

Prerequisites

Only a Microsoft 365 admin can enable audit log ingestion. You will need an admin account and the Exchange Online PowerShell module installed. Be aware that the Microsoft Purview interface may show audit logging as On while ingestion is still inactive. This discrepancy is common, and PowerShell is the authoritative check.

Verifying and Enabling Audit Logging

Step 1: Connect to Exchange Online PowerShell

# Replace admin@yourdomain.com with your admin account's UPN
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Step 2: Check audit log ingestion status

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

True means ingestion is active and no further action is needed. False means audit logging is not producing events for WorkSights, even if the Purview interface shows otherwise.

Step 3: Enable audit log ingestion if False

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Microsoft may show a warning about a 60-minute delay. In practice, propagation can take several hours.

Step 4: Re-verify after propagation

Run the Step 2 command again. The value must return True before WorkSights can retrieve audit data.
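
Steps 1 through 4 combined into one idempotent script, as an added example (not WorkSights or Microsoft code). The parameter names, the 15-minute poll interval, and the 6-hour cap are assumptions chosen for illustration.

```powershell
# Added example: Steps 1-4 as one script. Safe to re-run; it changes nothing when already True.
# Assumptions (not from the guide): parameter names, 15-minute poll interval, 6-hour cap.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # e.g. admin@yourdomain.com
    [int] $PollMinutes = 15,
    [int] $MaxWaitHours = 6
)
$ErrorActionPreference = 'Stop'

# Prerequisite: the Exchange Online PowerShell module must be installed.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    throw 'ExchangeOnlineManagement module not found. Install it before running this script.'
}

# Step 1: connect to Exchange Online PowerShell. The same cmdlet run from
# Security & Compliance PowerShell always reports False, so connect here.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

function Test-AuditIngestion {
    # Step 2: read the authoritative flag.
    [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

try {
    if (Test-AuditIngestion) {
        Write-Host 'Ingestion already active. No change made.'
        return
    }

    # Step 3: enable ingestion only when the flag is False.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Enabled at $(Get-Date -Format o). Waiting for propagation."

    # Step 4: re-verify until the flag reads True or the cap is reached.
    $deadline = (Get-Date).AddHours($MaxWaitHours)
    while (-not (Test-AuditIngestion)) {
        if ((Get-Date) -ge $deadline) {
            throw "Still False after $MaxWaitHours hours. Re-run the Step 2 check later."
        }
        Start-Sleep -Seconds ($PollMinutes * 60)
    }
    Write-Host "Ingestion confirmed True at $(Get-Date -Format o)."
}
finally {
    # Always close the admin session, including on error or early return.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The logged timestamps give you a record of when ingestion was switched on and when it was confirmed, which helps explain any gap in early audit data.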

What Happens in WorkSights

Once your tenant begins producing audit content, WorkSights starts retrieving it automatically. No additional configuration is required. System-generated noise is filtered so only user-initiated activity appears on timelines.

During Microsoft’s internal activation period, WorkSights may temporarily show empty audit feeds or missing file and chat activity. These resolve automatically once Microsoft finishes activating ingestion.

Troubleshooting

Purview shows audit logging as On but no data appears

Run the PowerShell check in Step 2. If it returns False, enable ingestion via Step 3 and allow propagation time. The Purview interface is not the authoritative indicator.

No SharePoint or OneDrive file activity

Some tenants begin producing file audit output later than others. Allow additional propagation time after enabling ingestion.

No Teams chat activity

Teams chat requires audit logs. Only message events appear, and chat content is never transmitted.

No login activity

Login events depend on audit ingestion. Allow additional propagation time after enabling.
