Enabling Microsoft 365 audit logs allows TeamScore to process advanced activity metadata from SharePoint, OneDrive, Teams Chat, Azure AD logins, and additional Exchange signals.

Outlook email and calendar activity continue working without audit logs, but audit logs, but audit logging unlocks the full activity model.

Audit logs contain metadata only. TeamScore never receives message bodies, file content, attachments, or chat text.

What Audit Logs Enable

Once audit logging is active and ingestion is propagating, TeamScore process:

• SharePoint and OneDrive file interactions
• Teams Chat message-sent events
• Azure AD login events (timestamp, IP, device metadata)
• Additional Exchange metadata that improves classification (e.g., mailbox events)

Audit logs do not include:

• Email content or attachments
• Chat content
• File content
• Screenshots or monitoring data

Prerequisites

Only a Microsoft 365 Global Admin can enable audit log ingestion. You will need:

• A Global Admin account
• Exchange Online PowerShell v2 (EXO V2) module
• Sufficient time for Microsoft to propagate ingestion
• Awareness that Microsoft Purview UI may show On while ingestion is still inactive. Double-check in PowerShell

Verify Whether Audit Logging Is Active

1. Connect to Exchange Online PowerShell 

Connect-ExchangeOnline -UserPrincipalName <admin@yourdomain.com>

2. Check Unified Audit Log Ingestion Status

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

True → Ingestion is active.

False → Tenant is not producing audit logs for TeamScore, even if the Purview UI shows otherwise. This discrepancy is common.

Enable Audit Log Ingestion

1. Enable Unified Audit Log Ingestion

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Microsoft warning about a 60-minute delay is expected. In practice, propagation can take several hours.

2. Re-verify After Propagation

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

The value must return True before TeamScore can establish subscriptions.

Allow Time for Microsoft Processing

Even after ingestion is enabled, Microsoft must internally activate the audit pipeline. During this period TeamScore may temporarily show:

• Empty audit feeds
• Subscription errors
• “Tenant does not exist” responses
• Missing Teams or file activity

These resolve automatically once Microsoft finishes activating ingestion. No action is required in TeamScore.

TeamScore Audit Subscription

When your tenant begins producing audit content, TeamScore automatically creates secure subscription for:

• Audit.AzureActiveDirectory
• Audit.Exchange
• Audit.SharePoint
• Audit.General (Teams chat)

No manual Microsoft configuration is required beyond enabling ingestion.

TeamScore filters out system-generated noise and processes only user-initiated metadata relevant to activity classification.

Confirming Audit Data in TeamScore

Once ingestion and subscriptions are active, TeamScore displays:

• SharePoint/OneDrive file interactions
• Teams chat message-sent event
• Azure ID login events
• Additional Exchange mailbox metadata

Audit data refreshes multiple times per day. Email and calendar continue to update more frequently and do not depend on audit logs.

Troubleshooting

UI shows “Audit logs: On” but TeamScore shows no data

1. Verify via PowerShell:

Get-AdminAuditLogConfig

2.  If False – enable ingestion via PowerShell.

TeamScore shows “Tenant Does Not Exist”

Confirm ingestion is True. Allow additional propagation time.

No SharePoint or OneDrive data

Audit logs not yet producing file interactions. Some tenants begin file audit output later than others.

No Teams Chat data

Teams chat requires audit logs. Only message-sent events appear; no chat content is ever transmitted.

No login activity

Azure ID login events depend on audit ingestion. Allow additional propagation time.

Privacy and Security

Enabling audit logs does not change TeamScore’s privacy model. TeamScore receives only:

• Event type
• Timestamp
• Device/IP metadata
• File names or email/meeting subjects (metadata only)

TeamScore does not receive email bodies, chat messages, file content, attachments, screenshots, keystrokes, or monitoring data. All data is retrieved through Microsoft’s secure audit interfaces and remains under your tenant’s compliance governance.

Microsoft Propagation Notes

Microsoft periodically updates the behavior and timing of Unified Audit Log propagation. As a result:

• Activation times may vary
• Some content types may begin appearing earlier than others
• PowerShell status remains the authoritative indicator

TeamScore automatically adapts to these variations without requiring further configuration.

Summary

Enabling Microsoft 365 audit logs unlocks SharePoint/One Drive activity, Teams Chat events, login events, and additional Exchange metadata.

TeamScore manages all subscriptions automatically once ingestion is active.

Full activity visibility begins as soon as Microsoft starts producing audit content for your tenant.