Microsoft Azure and Office 365 offer a set of tools for that purpose alone in the Security & Compliance Admin Center.
When we open the Reports section, we’ll find an option to view all the reports. There are 3 auditing reports: Office 365 Audit Log, Azure AD Reports and Exchange Audit Reports.
Office 365 Audit Log:
By clicking on this audit report you will be redirected (on the same admin page) to Search & Investigation –> Audit Log Search.
You will have to enable the search in your organization to be able to see the audit logs by clicking on “Start recording user and admin activities”:
From the moment you click this link, every activity performed by a user or an admin will be subject to auditing.
Note: In order to search Exchange mailbox activities, you’ll have to enable Mailbox Auditing using PowerShell.
This setting is also relevant for the “Exchange audit reports” in the “Reports” section of this admin center.
Azure AD Reports:
These reports focus mainly on anomalous identity activities. Some of them require an Azure AD Premium license.
These reports require you to have registered your Azure account. Registration is simple and comes at no additional cost (if you have an Office 365 subscription).
In order to monitor user activities, you’ll have to agree to the privacy statement.
All the Global Admins will receive an email about anomalous activities of their users, which will look like this:
The last auditing report in the “Reports” section is the “Exchange audit log”:
Here you’ll be able to run the admin audit log report, which shows Exchange admin activity by listing the PowerShell cmdlets that were run, with their parameters and arguments.
In addition, you will be able to run mailbox activity reports much like in the “Search & Investigation” section of the Security & Compliance Admin Center, but in this case you’ll have to enable Mailbox Auditing using PowerShell.
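
The mailbox auditing step mentioned in the note above and again for the Exchange audit reports, as an added example that is not part of the original article: it finds mailboxes with auditing switched off, enables it, and lists any that are still off afterwards. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account may run `Get-Mailbox` and `Set-Mailbox`; the function name `Enable-MailboxAuditingEverywhere` is hypothetical.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement module is installed,
# and the signed-in admin is allowed to run Get-Mailbox / Set-Mailbox.
#Requires -Modules ExchangeOnlineManagement

function Enable-MailboxAuditingEverywhere {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # How long mailbox audit entries are kept; 90 days is the default.
        [string]$AuditLogAgeLimit = '90.00:00:00'
    )

    # Mailboxes that currently have auditing switched off.
    $targets = Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled }

    foreach ($mbx in $targets) {
        # ShouldProcess makes -WhatIf and -Confirm work for a dry run.
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Enable mailbox auditing')) {
            Set-Mailbox -Identity $mbx.ExchangeGuid.ToString() `
                -AuditEnabled $true `
                -AuditLogAgeLimit $AuditLogAgeLimit
        }
    }

    # Re-read the tenant and return whatever is still not audited, so the
    # caller can see failures instead of assuming success.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object UserPrincipalName, RecipientTypeDetails
}

Connect-ExchangeOnline   # interactive sign-in

# Confirm that audit log search ("Start recording user and admin
# activities") is actually turned on for the organization.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# Dry run first: shows which mailboxes would be changed.
Enable-MailboxAuditingEverywhere -WhatIf | Out-Null

# Apply, then report mailboxes that still have auditing disabled.
$stillOff = Enable-MailboxAuditingEverywhere
if ($stillOff) { $stillOff | Format-Table -AutoSize }
else           { 'Mailbox auditing is enabled on every mailbox.' }

Disconnect-ExchangeOnline -Confirm:$false
```

Mailboxes created after this run are not covered by it, so rerun the check periodically or after provisioning new users.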