
Table of contents
Microsoft 365 Audit Log Activation
Microsoft 365 audit logging unlocks a significant portion of the Microsoft 365 signal model. Without it, Teams chat, OneDrive and SharePoint file activity, and login events do not appear in WorkSights. Outlook email, calendar, and Teams calls are available regardless.
This guide covers how to verify whether audit logging is active for your tenant and how to enable it if not.
What Audit Logs Enable
Once audit logging is active, WorkSights can process SharePoint and OneDrive file interactions, Teams chat message events, login events with timestamp and network metadata, and additional Exchange metadata that improves email coverage. Audit logs contain metadata only. Message bodies, file contents, chat text, and attachments are never received.
Prerequisites
Only a Microsoft 365 admin can enable audit log ingestion. You will need an admin account, the Exchange Online PowerShell module installed, and awareness that the Microsoft Purview interface may show audit logging as On while ingestion is still inactive. PowerShell is the authoritative check, and this discrepancy is common.
Verifying and Enabling Audit Logging
Step 1: Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName <admin@yourdomain.com>
Step 2: Check audit log ingestion status
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
True means ingestion is active and no further action is needed. False means audit logging is not producing events for WorkSights, even if the Purview interface shows otherwise.
Step 3: Enable audit log ingestion if False
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Microsoft may show a warning about a 60-minute delay. In practice, propagation can take several hours.
Step 4: Re-verify after propagation
Run the Step 2 command again. The value must return True before WorkSights can retrieve audit data.
What Happens in WorkSights
Once your tenant begins producing audit content, WorkSights starts retrieving it automatically. No additional configuration is required. System-generated noise is filtered so only user-initiated activity appears on timelines.
During Microsoft’s internal activation period, WorkSights may temporarily show empty audit feeds or missing file and chat activity. These resolve automatically once Microsoft finishes activating ingestion.
Troubleshooting
Purview shows audit logging as On but no data appears
Run the PowerShell check in Step 2. If it returns False, enable ingestion via Step 3 and allow propagation time. The Purview interface is not the authoritative indicator.
No SharePoint or OneDrive file activity
Some tenants begin producing file audit output later than others. Allow additional propagation time after enabling ingestion.
No Teams chat activity
Teams chat requires audit logs. Only message events appear, and chat content is never transmitted.
No login activity
Login events depend on audit ingestion. Allow additional propagation time after enabling.