Configure Audit Logging in Microsoft 365 for Umbrella Cloud Malware Scanning

Available Languages

Download Options

  • PDF     (16.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (94.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (82.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 8, 2025
Document ID:225178

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to enable Audit Logging in Microsoft 365 for Umbrella Cloud Malware scanning.

    Overview

    To integrate Cisco Umbrella with Microsoft 365 (formerly Office 365) for Cloud Malware scanning, the auditing of user events must be enabled in Microsoft 365 (which might not be enabled by default). This article explains how to enable audit logging in the Microsoft Purview compliance portal.

    For more information on the Cloud Malware feature, please read the Cisco Umbrella Documentation.

    Enable audit logging

    To enable audit logging in Microsoft 365:

    1. In the Microsoft Purview compliance portal at https://compliance.microsoft.com, go to Solutions > Audit.
    2. If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
    3. Select the Start recording user and admin activity banner.

    Note that it can take about 24 hours for auditing to begin working. For assistance with audit logging, please read the Microsoft Documentation or contact your MS support partner.

    For the Cloud Malware Report to work in Cisco Umbrella, auditing related to user/file activity must appear on the Audit page in Microsoft 365's Purview compliance portal. 

    For example:

    44042491233484404249123348

    Revision History

    Revision Publish Date Comments
    1.0
    08-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products