Audit Logs in Microsoft Stream
This article talks about how you can use auditing with Microsoft Stream to monitor and investigate actions taken. Knowing who is taking what action on which item in your Microsoft Stream tenant can be critical in helping your organization fulfill its requirements, such as meeting regulatory compliance and records management.
You can filter the audit data by date range, user, dashboard, report, dataset and activity type. You can also download the activities in a csv (comma separated value) file to analyze offline and even use PowerShell to search for audit logs.
You must meet these requirements to access audit logs:
- To access the auditing section of the Office 365 Security & Compliance Center, you must have an Exchange Online license (included with Office 365 Enterprise E3 and E5 subscriptions).
- You must either be a global admin or have an Exchange admin role that provides access to the audit log.
- Exchange admin roles are controlled through the Exchange admin center. For more information, see Permissions in Exchange Online.
- If you have access to the audit log but are not a global admin or Microsoft Stream Service admin, you will not have access to the Microsoft Stream Admin portal. In this case, you must get a direct link to the Office 365 Security & Compliance Center.
To view audit logs for Microsoft Stream in your tenant, you need at least one exchange mailbox license in your tenant.
Accessing audit logs
To audit your Microsoft Stream logs, you must visit the Office 365 Security & Compliance Center
Search only Microsoft Stream activities
You can restrict results to only Microsoft Stream activities by doing the following:
- On the Audit log search page, select the drop down for Activities under Search.
- Select one of the Microsoft Stream activities – video activities, group / channel activities or general activities
- Select anywhere outside of the selection box to close it.
Your searches will now be filtered to only Microsoft Stream activities.
Search the audit logs by date or by users
You can search the logs by date range using the “Start date” and “End date” field. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
You can also search for audit logs for activities performed by specific users. To do this, enter one or more user names in the “Users” field. This would be the username that they sign into Microsoft Stream with.
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
Viewing search results
Once you hit the search button, the search results are loaded and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed.
A maximum of 1000 events will be displayed; if more than 1000 events meet the search criteria, the newest 1000 events are displayed.
The results contain the following information about each event returned by the search.
|Date||The date and time (in UTC format) when the event occurred.|
|IP address||The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.|
|User||The user (or service account) who performed the action that triggered the event.|
|Activity||The activity performed by the user. This value corresponds to the activities that you selected in the Activities drop down list.|
|Item||The object that was created or modified because of the corresponding activity. For example, the video that was viewed or modified or the user account that was updated. Not all activities have a value in this column.|
|Detail||Additional detail about an activity. Again, not all activities will have a value.|
Select a column header under Results to sort the results. You can sort the results from A to Z or Z to A. Click the Date header to sort the results from oldest to newest or newest to oldest.
View the details for an event
You can view more details about an event by selecting the event record in the list of search results. A details page is displayed that contains the detailed properties from the event record. To display additional details, select More information.
The following table provides details on that you may see displayed.
|ObjectId||EntityId if applicable
|Resource Title||This is the name of the entity such as Video Title, Group Name etc|
|Resource URL||This is the complete path of the entity (video, group, channel) in Microsoft Stream|
|Operation||For list of operations refer the actions being logged section|
|ClientIp||The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.|
|OrganizationId||This is the tenant id for your tenant provisioned in Microsoft Stream|
Actions logged in Microsoft Stream
This section lists all the actions performed in Microsoft Stream which are being logged.
|Created video||Video entity has been created. No video uploaded yet.|
|Edited video||Video metadata has been edited.|
|Deleted video||Video has been deleted.|
|Uploaded video||Video has been uploaded.|
|Downloaded video||Video download happened.|
|Edited video permission||Video permissions were modified|
|Viewed video||A video has been viewed either in portal or via embed|
|Shared video||Video shared via email.|
|Liked video||A user in the organization liked this video|
|Unliked video||A user disliked a video which he/she previously liked|
|Commented on video||A comment was made on a video|
|Deleted video comment||A comment on a video was deleted|
|Uploaded text track||A subtitle file was uploaded for a video|
|Deleted text track||A subtitle file was deleted for a video|
|Uploaded thumbnail||A custom thumbnail was uploaded for a video|
|Deleted thumbnail||Custom thumbnail was deleted for a video|
|Linked on Video||A video was associated with an Office 365 group|
|Created group||Office 365 group was created from Microsoft Stream|
|Edited group||Metadata was updated for Office 365 group|
|Deleted group||An Office 365 group was deleted from Microsoft Stream|
|Edited group memberships||Office 365 group permissions were edited|
|Created channel||A new channel was created|
|Edited channel||Channel metadata was edited|
|Deleted channel||Channel was deleted|
|Set channel thumbnail||Logged after thumbnails complete upload|
|Logon||User Logged in to Microsoft Stream|
|Edited user settings||User edited her or his user settings such as language|
|Edited tenant settings||Admin updated settings in the Stream admin center|
|Edited global role assignment||Admin made updates to the global role assignments such as adding/removing stream admins, video uploaders or channel creators.|
Export the Microsoft Stream audit log
You can export the Microsoft Stream audit log to a csv file.
- Select Export results.
- Select either Save loaded results or Download all results.
Using PowerShell to search
You can use PowerShell to access the audit logs based on your login. This is done by accessing Exchange Online. Here is an example of a command to pull Microsoft Stream audit log entries.
In order to use the New-PSSession command, your account needs to have an Exchange Online license assigned to it and you need access to the audit log for your tenant.
Set-ExecutionPolicy RemoteSigned $UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session Search-UnifiedAuditLog -StartDate 4/01/2018 -EndDate 5/03/2018 -RecordType MicrosoftStream -ResultSize 1000 | Format-Table | More
For more information on connecting to Exchange Online, see Connect to Exchange Online PowerShell.
For more information about parameters and usage of the Search-UnifiedAuditLog command, see Search-UnifiedAuditLog.
Other useful links
If you're working with security and compliance, you might find this information useful.
- Minimize the potential of a data breach or a compromised account by following these recommended security best practices for Office 365.
- Learn about which features are available in which subscriptions: Office 365 Security & Compliance Center availability
- Stay up to date on the latest with the official blog of the Office 365 Security team.
- Visit the Office 365 Trust Center, where we share our commitments and information about security, privacy, and compliance.