Skip to content
Find out how we support MDR.

Microsoft 365 audit logs



This feature might not be available to all users yet.

You can add Microsoft 365 audit log data to the Data Lake.


You must be a Microsoft 365 administrator.

You must have auditing turned on in Microsoft 365. If you don't, you're prompted to turn it on during setup.


To add Microsoft 365 data to the Data Lake, do as follows:

  1. Click Third-party integrations.
  2. Click Microsoft 365 user activity logs.
  3. On the Microsoft 365 Connection - Domains settings/status page, click + Add Microsoft 365 Connection.
  4. Optional: If auditing is not turned on, you can click the link on the Turn on Microsoft 365 auditing page.

    This takes you to Microsoft 365. You can turn on auditing, then return to Sophos Central. See Turn auditing on or off. You may be asked to authenticate by Microsoft to turn on auditing.


    It can take up to 12 hours for Microsoft 365 audit log data to appear after you have turned on auditing.

  5. Click Next.

    You are directed to Microsoft 365 for authentication.

  6. Follow the instructions from Microsoft to grant permission to create an application in Microsoft 365.

    You're asked to authorize at least once, depending on your Microsoft 365 environment.

    The connection should take about a minute.

The new domain appears in Microsoft 365 Connection - Domains settings/status.

In Live Discover > Query, a new category Microsoft 365 audit data appears. You can run the queries in this category on your Microsoft 365 data.