Issue Enabling Audit Log Search in O365 #17

Closed
secureaf opened this issue Aug 15, 2021 · 2 comments
Labels
question Further information is requested

secureaf commented Aug 15, 2021

Greetings,

Running into an issue when attempting to run the PowerShell command to enable Audit Log Search in O365:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Error message is:
The command you tried to run isn't currently allowed in your organization. To run this command, you first need to run
the command: Enable-OrganizationCustomization.
+ CategoryInfo : NotSpecified: (AdminAuditLogConfig:String) [Set-AdminAuditLogConfig], InvalidOperatio...
ontextException
+ FullyQualifiedErrorId : [Server=CY4PR16MB1782,RequestId=eaf15b8e-3f95-4ddf-b33f-740a5ea2a87c,TimeStamp=8/15/2021
2:16:58 AM] [FailureCategory=Cmdlet-InvalidOperationInDehydratedContextException] 5B0EC96F,Microsoft.Exchange.Man
agement.SystemConfigurationTasks.SetAdminAuditLogConfig
+ PSComputerName : outlook.office365.com

Ran the suggested Enable-OrganizationCustomization command and it reported the command was not needed because customization was already turned on.

Attempted to turn on Auditing in the O365 SCC GUI but received an error there as well:
Sorry! We couldn't update your organization settings. Please try again.

I do see the following note in the Prereqs for this section:
You must be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.

Looking in Exchange Admin Center, the single global admin account that I created when setting up the environment is in the TenantAdmins role group, and that group is assigned the Organization Management role. I did attempt to add the Admin account directly to see if that would have any impact but still the same issue for me.

Any guidance would be appreciated!

@secureaf
Author

May have resolved the issue by adding the TenantAdmins role group to the Compliance Management role group. After doing so, was able to successfully execute the PowerShell command. Would still be curious if this makes sense. Thanks!

Cyb3rWard0g added the "question" (Further information is requested) label Aug 23, 2021
@Cyb3rWard0g
Contributor

I do not know why it needed that role group tbh. Thank you for reporting it. We will see if we get the same after a few deployments in other environments. We will open this back up if it is something we see across other environments.
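
A diagnostic pass for the situation in this thread, as an added example that is not part of the original issue or the project's code: it checks the ingestion setting, the tenant's dehydration state, and who actually holds the Audit Logs role before attempting the change. It assumes the ExchangeOnlineManagement module is installed and a session is already open with Connect-ExchangeOnline.

```powershell
# Added example. Run in Exchange Online PowerShell, not Security & Compliance
# PowerShell, where UnifiedAuditLogIngestionEnabled always reads False.

# 1. Current state of unified audit log ingestion.
$audit = Get-AdminAuditLogConfig
Write-Host "UnifiedAuditLogIngestionEnabled: $($audit.UnifiedAuditLogIngestionEnabled)"

# 2. The error in the thread is an InvalidOperationInDehydratedContextException,
#    so record whether the tenant still reports itself as dehydrated.
$org = Get-OrganizationConfig
Write-Host "IsDehydrated: $($org.IsDehydrated)"

# 3. Members of the two role groups that hold the Audit Logs role by default.
foreach ($group in 'Organization Management', 'Compliance Management') {
    Write-Host "`nMembers of '$group':"
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        Select-Object Name, RecipientType |
        Format-Table -AutoSize | Out-Host
}

# 4. Every principal that effectively holds the Audit Logs role, and how
#    (Direct, or through a role group or security group).
Get-ManagementRoleAssignment -Role 'Audit Logs' -GetEffectiveUsers |
    Sort-Object RoleAssigneeName, EffectiveUserName |
    Format-Table RoleAssigneeName, EffectiveUserName, AssignmentMethod -AutoSize |
    Out-Host

# 5. Enable ingestion only if it is off, and surface the full error id
#    instead of the truncated console rendering.
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    try {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true -ErrorAction Stop
        Write-Host 'Set-AdminAuditLogConfig succeeded.'
    }
    catch {
        Write-Warning "Enable failed: $($_.FullyQualifiedErrorId)"
        Write-Warning 'Compare the role holders from step 4 with the signed-in admin account.'
    }
}

# 6. Re-read the setting to confirm what the tenant now reports.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
```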
