Back to blog

Are You Keeping An Eye On Your Office 365 Admins?

Oct 27, 2016 by Emma Robinson

User error is a security risk that every organisation is vulnerable to, and when Admins are involved, these user errors – be they accidental, malicious or otherwise – can have far more impact. Whether you have a team of Admins, or just one managing your environment, it is important to know exactly what changes are being made – and who is making them. Having someone who is responsible for keeping your data safe and secure comes at the expense of these users having a level of access and control that creates its own risks. That’s why it’s crucial to have visibility of – and accountability for – the actions that Admins take in your environment.
If you’re an Office 365 Admin, you’ll know just how important it is to monitor the ways that your end users interact with the platform. It’s a crucial way that you can ensure that your security policies and configurations are working, and that no one has permissions to areas that they shouldn’t have. That’s precisely why monitoring Admin activity should not be seen as indicative of a lack of trust or faith in your Admins – but rather, as good, solid security practice.
There are eight Admin roles available in Office 365. For smaller organisations, all areas of Office 365 can be centrally managed by a single Global Administrator, but if your organisation is much larger, then you will probably need to separate out the responsibilities associated with managing your environment. To do this, you can assign some or all of the following roles:

  1. Global Admin
  2. Billing Admin
  3. Password Admin
  4. Service Admin
  5. User Management Admin
  6. Exchange Admin
  7. SharePoint Admin
  8. Skype for Business Admin

We won’t go into each of these roles in detail here, but if you want to find out a bit more about them, our Ultimate Guide to Office 365 Reporting takes a closer look at what each of these Admin roles can and can’t do.
Now of course these roles should be assigned to trusted, experienced users who are well-aware of how they should be managing the area that they’ve been given. They should know the best practices for making any changes to the environment, so that the likelihood of any adverse action – whether it’s with good intentions, inadvertent or malicious – is minimised.
But if you have no ability to see what changes your Admins are making, how do you know who is doing what, and why? Could they be assigning permissions ‘just this once’ for certain users? Perhaps they aren’t keeping as close an eye on security configurations as they should be? If you have a high turnover of IT staff, can you be sure that no one could be left with permissions they should no longer have?
Let’s look at an example
The Scenario: Someone has deleted a number user accounts from Office 365. Although the issues have been resolved and the accounts reinstated, there has been some data loss.
The Task: You’re asked to investigate how this happened, and what steps can be taken to ensure that it won’t happen again.
What are the options?
You can use the Audit Log Search in the Office 365 Security and Compliance Center. This feature enables you to see a unified audit log of all user and admin activities for the primary areas of Office 365, the full list of services can be found here.
The Audit Log Search offers a comprehensive view of almost everything that has happened in your environment, so it would be a good place to start your search.
As you can see above and below, the search functionality is very advanced, with column views, date filtering and the option to search for specific users by name. If you click the drop down, you can choose between a large range of events – which can make it quite overwhelming, so make sure you go in with a clear idea of what you need to find – otherwise it’s easy to get lost.
It’s clear that Audit Log Search is very powerful, and can provide a large-scale overview of Office 365 activity. However, there are a couple of limitations to the functionality which could pose issues – particularly if you are using it to react to a problem (like the scenario above), rather than preempting one.
1. You have to turn it on: Audit Logging is not turned on by default, so if you have not enabled it, and suddenly need to use it, you will not be able to get any audit events for your environment, and you won’t be able to investigate the event. Note: Exchange Administrator Audit Logging is enabled by default, and it logs an audit event when a user makes changes to Exchange Online.
2. You only get 90 days: The Audit Logs only retain events for 90 days, so you only have a relatively limited time range to search for events. Three months may seem like a long time, but what if the problem wasn’t even identified until three or four months after it happened? In which case, you could lose any chance of finding out what took place.
3. There is a lot of information to sift through: There is so much data available within the Audit Log Search, which can provide tremendous insight into what’s happening on your tenant, but equally this volume of data can prove to be somewhat obstructive. There is no way to fully separate out different event areas from the log, so you could struggle to create a dynamic view with just the information you need.
4. Difficult to filter by user type: While there is some inbuilt filtering capability, the Audit Log feature is comprehensive, showing you the logs and details of all users in your environment (admin or not) on numerous services and features – and there isn’t an intelligent way to clearly isolate Admin users when you’re investigating issues. This means that it might take you longer to find the specific event you need, depending on how much information you have at your disposal before you start searching (and how many events are taking place in your environment). If you don’t have much to go on, the limitations in filtering capabilities could increase the amount of time you spend searching for your event.
5. You need permissions to access it: Finally, you have to be assigned either View-Only Audit Logs or Audit Logs role permissions to view or interact with the logs, and there is no option to view them outside of the Security and Compliance Center. This means that if you would like multiple users to be able to see the logs, you will need assign a number of roles to these users, and consider carefully whether they should have full-access or view-only permissions.
Are there any other options? 
Our Discover & Audit module can help you monitor and audit all Office 365 user and Admin activity taking place in your environment. Your Office 365 activities will be captured and stored historically for a year, giving you a complete audit trail that enables you to be both proactive and reactive when it comes to safeguarding your environment. Amongst a wide range of investigative reports, the module includes the ability to isolate and report on all Admin Activities, with advanced filtering capabilities.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.