If I notice a suspicious login to a user's M365 account in the Azure sign-in logs, can I determine what actions were taken during that session? Specifically, I'm curious if I can see if emails were accessed or sent, or if SharePoint files were opened. I'm using standard M365 Business licenses without any extra audit or tracking features. Thanks for your help!
5 Answers
Yes, you can check the user login details for specifics like time, date, device, OS, and geolocation, as well as the services accessed. You can also use the email trace function to track sent and received emails, and see if the hacker set up email forwarding. There's even a way to check if any emails were deleted from the inbox. I'm not sure if the standard business license gives access to SharePoint file activities, though.
Activity logs in the Defender/Security center will outline everything that happened, like which files were accessed or deleted, and even email activities.
Using timeline features in Defender XDR and Sentinel is very useful. If you have the highest level of monitoring, you can track almost everything through Microsoft systems, including searches and previewed files. But since you're limited to standard licenses, it sounds like Defender features won't be available to you.
If you had audit logging set up in Purview, you'd be able to get a complete history of what actions were taken. If not, you should definitely set it up now to catch things in the future. Honestly, it's puzzling why it's not automatically enabled.
Absolutely, that's the way to go!
It usually is on by default, at least in the old compliance center. It will log everything touched, changed, or deleted.
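The checks the answers above describe (whether audit logging is on, what the account did during the session, and whether forwarding was set up) can be run from Exchange Online PowerShell. This is an added example, not part of any answer in the thread; the account, time window and source IP are constructed placeholders to be replaced with the values from the suspicious sign-in record, and which operations come back depends on what the tenant was recording at the time.

```powershell
# Constructed placeholders: take the real values from the suspicious sign-in entry.
$User     = 'user@example.com'
$Start    = '2024-01-01 08:00:00z'   # UTC
$End      = '2024-01-01 20:00:00z'   # UTC
$SourceIp = '203.0.113.10'

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

# 1. Confirm the unified audit log is being ingested for the tenant.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# 2. Pull every audit record for the user in the window, one page at a time.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# 3. Expand the JSON payload of each record into a flat timeline.
$events = $records | ForEach-Object {
    $d  = $_.AuditData | ConvertFrom-Json
    # Exchange mailbox records use ClientIPAddress; other workloads use ClientIP.
    $ip = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
    [pscustomobject]@{
        TimeUtc   = $d.CreationTime
        Workload  = $d.Workload
        Operation = $d.Operation
        ClientIP  = $ip
        Object    = $d.ObjectId
    }
} | Sort-Object TimeUtc

# 4. Keep only activity from the suspicious address (some records append a port
#    or wrap the address in brackets), summarise it, and save the detail.
$ipPattern = "^\[?$([regex]::Escape($SourceIp))\]?(:\d+)?$"
$fromIp = $events | Where-Object { $_.ClientIP -match $ipPattern }
$fromIp | Group-Object Workload, Operation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$fromIp | Export-Csv .\session-activity.csv -NoTypeInformation

# 5. Check for forwarding left behind: inbox rules and mailbox-level forwarding.
Get-InboxRule -Mailbox $User |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
Get-Mailbox -Identity $User |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

An empty result in step 2 with `UnifiedAuditLogIngestionEnabled` set to `False` means the activity was never recorded, not that nothing happened.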