Search the audit log for events in Microsoft Teams

Important

The Microsoft Teams admin center is gradually replacing the Skype for Business admin center, and we're migrating Teams settings to it from the Microsoft 365 admin center. If a setting has been migrated, you'll see a notification and then be directed to the setting's location in the Teams admin center. For more information, see Manage Teams during the transition to the Teams admin center.

The audit log can help you investigate specific activities across Office 365 services. For Teams, here are some of the activities that are audited:

  • Team creation

  • Team deletion

  • Added channel

  • Changed setting

Note

Audit events from private channels are also logged as they are for teams and standard channels.

To see the complete list of activities that are audited in Office 365, read Search the audit log in the Office 365 Security & Compliance Center.

Turn on auditing in Teams

Before you can look at audit data, you have to first turn on auditing in the Security & Compliance Center. For help turning on auditing, read Turn Office 365 audit log search on or off.

Important

Audit data is only available from the point at which you turned on Auditing.

Retrieve Teams data from the audit log

  1. To retrieve audit logs, go to the Security & Compliance Center. Under Search, select Audit log search.
  2. Use Search to filter by the activities, dates, and users you want to audit.
  3. Export your results to Excel for further analysis.

Important

Audit data is only visible in the Audit Log if auditing is turned on.

External user scenario

One scenario you might want to keep an eye on, from a business perspective, is the addition of external users to your Teams environment. If external users are enabled, then monitoring their presence is a good idea.

Screenshot of a list of events triggered by mass deletions

The screenshot of this policy to monitor external user adds allows you to name the policy, set the severity according to your business needs, set it as (in this case) a single activity, and then establish the parameters that will specifically monitor only the addition of non-internal users, and limit this activity to Microsoft Teams.

Then results from this policy will be able to be viewed in the activity log:

Screenshot of a list of events triggered by mass deletions

Here you can review matches to the policy you've set, and make any adjustments as needed, or export the results to use elsewhere.

Mass delete scenario

As mentioned above, you can monitor deletion scenarios. It's possible to create a policy that would monitor mass deletion of Teams sites:

Screenshot of the policy create page showing the setting up of a policy for mass team deletion detection

As the screenshot shows, you can set many different parameters for this policy to monitor Teams deletions, including severity, single or repeated action, and parameters limiting this to Teams and site deletion. This can be done independently of a template, or you may have a template created to base this policy off, depending on your organizational needs.

Once you've established a policy that will work for your business, you can then review the results in the activity log as events are triggered:

Screenshot of a list of events triggered by mass deletions

You can filter down to the policy you've set to see the results of that policy. If the results you're getting in the activity log are not satisfactory (maybe you're seeing a lot of results, or nothing at all), this may help you to fine-tune the query to make it more relevant to what you need it to do.

Video: TechTip: Using Audit Log Search in Teams

Join Ansuman Acharya, a program manager for Teams, as he demonstrates conducting an Audit Log search for Teams in the Office 365 Security & Compliance Center.