Microsoft Sentinel is Microsoft's log aggregator. Along with other data, Sentinel can ingest events from the Office 365 audit log. Once ingested, we can visualize the data through workbooks. If you have an Azure subscription, it's surprisingly easy to take advantage of the 31-day trial to see if Sentinel can do a job for your organization. Follow our steps and you'll be visualizing quickly.
The Microsoft 365 ecosystem is a big place and it's hard to keep on top of everything. But to start 2022 off with a bang, here are five areas for tenant administrators to consider when they plan how they'll spend their time in the new year. As always, feel free to disagree and add comments describing what you plan to do in 2022.
Organizations often disable Azure AD accounts when users leave or for other reasons. What you might not know is that Teams then removes the account from membership of individual teams. A background process looks for disabled users and removes these accounts from team memberships. That doesn't sound too bad, but what's horrible is when you unblock an account. Teams takes a long time (at least 24 hours) to restore membership of standard teams, it might never restore membership of org-wide teams, and private channel membership is removed too. It's not a good situation.
The audit events generated for license assignments to user accounts, as recorded in the Azure AD audit log and the Office 365 audit log, are inconsistent and incomplete. This is certainly true for licenses assigned to accounts through auto-claim policies and group-based licensing, but known gaps exist in the audit records generated in other areas of Office 365 and Microsoft 365 functionality. We think Microsoft needs to pay attention to ensure that auditing works consistently and predictably across all workloads. Once they improve the fit and finish of audit record generation, they can move into other areas, like charging for access to high-value audit events.