This article describes how to turn on auditing in the Microsoft 365 Security & Compliance Center.
Turn On Auditing
For SysKit Point to be able to collect, process, and save audit logs, auditing has to be enabled in your tenant. If the auditing is not properly configured, the following warning messages will be displayed in the Microsoft Azure > App Service > Log Stream and also in the Application Insights > Failures:
Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 531c845c-5ba4-4957-bfe4-da2a88b95bc6 does not exist at Microsoft.Office.Compliance.Audit.API.AzureManager.
Error: Audit collector job failed. Reason: Unable to check subscription status.
You will be able to use the SysKit Point app, but audit data won't be collected.
To turn on auditing, first, open the following URL in your browser of choice: https://protection.office.com/unifiedauditlog
The Microsoft 365 Security & Compliance Center will open, showing the Audit log search page. At the top, a yellow warning bar is displayed. On the right side of the warning bar, you can find the Turn on auditing button – click it to turn on auditing.
Once the page is refreshed, a different warning message appears telling us the auditing can take a couple of hours to be made available.
When the page is refreshed at a later point in time, another warning message is displayed, with more precise information on how long it might take for the audit logs to be visible.
SysKit Point will not be able to collect audit log data before it becomes available in the Microsoft 365 Security & Compliance Center. As described in this article, it can take up to 24 hours for audit log data to become available.
It is also possible to turn on auditing with PowerShell. You can find detailed instructions in the following article.