Table of contents
Microsoft 365 Audit Log Activation
Microsoft 365 audit logging unlocks a significant portion of WorkSights's Microsoft 365 signal model. Without it, Teams chat, OneDrive and SharePoint file activity, and login events do not appear in WorkSights. Outlook email and calendar activity are available regardless.
This guide covers how to verify whether audit logging is active for your tenant and how to enable it if it is not.
What Audit Logs Enable
Once audit logging is active, WorkSights can process:
- SharePoint and OneDrive file interactions
- Teams chat message-sent events
- Azure AD login events including timestamp, IP address, and device metadata
- Additional Exchange metadata that improves email classification
Audit logs contain metadata only. Message bodies, file content, chat text, and attachments are never received.
Prerequisites
Only a Microsoft 365 Global Admin can enable audit log ingestion. You will need:
- A Global Admin account
- Exchange Online PowerShell v2 (EXO V2) module installed
- Awareness that the Microsoft Purview UI may show audit logging as On while ingestion is still inactive. PowerShell is the authoritative check.
Verifying and Enabling Audit Logging
Step 1: Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName <admin@yourdomain.com>
Step 2: Check audit log ingestion status
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
True: Ingestion is active. No further action needed.
False: Audit logging is not producing events for WorkSights, even if the Purview UI shows otherwise. This discrepancy is common.
Step 3: Enable audit log ingestion (if False)
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Microsoft may show a warning about a 60-minute delay. In practice, propagation can take several hours.
Step 4: Re-verify after propagation
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
The value must return True before WorkSights can establish audit subscriptions.
WorkSights Audit Subscriptions
Once your tenant begins producing audit content, WorkSights automatically creates secure subscriptions for:
- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.SharePoint
- Audit.General (Teams chat)
No additional configuration is required in WorkSights. System-generated noise is filtered automatically so only user-initiated activity appears on timelines.
Microsoft Propagation Notes
Even after ingestion is enabled, Microsoft must internally activate the audit pipeline. During this period WorkSights may temporarily show empty audit feeds, subscription errors, or missing Teams and file activity. These resolve automatically once Microsoft finishes activating ingestion. No action is required in WorkSights.
Microsoft periodically updates the timing and behavior of Unified Audit Log propagation. Activation times may vary and some content types may begin appearing earlier than others. PowerShell status remains the authoritative indicator throughout.
Troubleshooting
Purview UI shows audit logging as On but no data appears in WorkSights: Run the PowerShell check in Step 2. If the value returns False, enable ingestion via Step 3 and allow propagation time.
WorkSights shows a "Tenant Does Not Exist" error: Confirm ingestion is True via PowerShell. Allow additional propagation time before retrying.
No SharePoint or OneDrive file activity: Some tenants begin producing file audit output later than others. Allow additional propagation time after enabling ingestion.
No Teams chat activity: Teams chat requires audit logs. Only message-sent events appear. No chat content is ever transmitted.
No login activity: Azure AD login events depend on audit ingestion. Allow additional propagation time after enabling.