The audit log can help you investigate specific activities across Office 365 services. For Teams, here are some of the activities that are audited:
· Team creation
· Team deletion
· Added channel
· Changed setting
To see the complete list of activities that are audited in Office 365, read Search the audit log in the Office 365 Security & Compliance Center.
Turn on auditing in Teams
Before you can look at audit data, you have to first turn on auditing in the Security & Compliance Center. For help turning on auditing, read Turn Office 365 audit log search on or off. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities then click Turn On:
Audit data is only available from the point at which you turned on Auditing.
Retrieve Teams data from the audit log
1. To retrieve audit logs, go to the Security & Compliance Center. Under Search, select Audit log search.
2. Go to https://protection.office.com.
3. Sign in to Office 365 using your work account.
4. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
5. Use Search to filter by the activities, dates, and users you want to audit.
6. Export your results to Excel for further analysis.
You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
Here's the process for searching the audit log in Office 365.