Monitoring suspicious activity in Microsoft 365 means combining identity, email, device, and audit data to spot account compromise before it spreads.
The challenge is not a lack of signals, but knowing which events matter and how to connect them fast enough.
What Counts as Suspicious Activity in Microsoft 365?
Suspicious activity in Microsoft 365 includes behaviors that deviate from normal user, admin, or tenant patterns and may indicate compromise, insider risk, or abuse.
Microsoft 365 environments generate rich telemetry across Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Defender, giving security teams multiple ways to detect anomalies.
Common examples include unusual sign-in locations, repeated failed logins, impossible travel patterns, mailbox forwarding rule creation, mass file downloads, privilege changes, consent to risky OAuth apps, and unexpected sharing activity.
A single event may not prove malicious intent, but several correlated events often reveal a real incident.
Core Microsoft 365 Data Sources to Watch
Effective monitoring depends on collecting the right signals from the Microsoft 365 ecosystem.
Focus on the sources below because they provide the best visibility into account, data, and admin activity.
Microsoft Entra ID sign-in logs
Entra ID sign-in logs show authentication attempts, device details, IP addresses, authentication methods, conditional access outcomes, and risk indicators.
They are essential for spotting brute force attempts, token abuse, unfamiliar locations, and new device sign-ins.
Microsoft 365 Unified Audit Log
The Unified Audit Log records actions across Exchange, SharePoint, OneDrive, Teams, and other services.
It helps identify mailbox access, file sharing changes, administrator actions, and suspicious configuration changes.
Microsoft Defender for Office 365
Defender for Office 365 provides email and collaboration protection signals such as phishing detections, malicious URL clicks, and compromised mailbox indicators.
These alerts often surface the first signs of an account takeover.
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps can detect impossible travel, suspicious OAuth app behavior, risky file sharing, and abnormal cloud app usage.
It is especially valuable for identifying activity that looks legitimate at the identity layer but abnormal at the application layer.
Microsoft Defender XDR
Microsoft Defender XDR correlates signals across endpoints, identities, email, and cloud apps.
Correlation reduces false positives and helps analysts understand whether one suspicious sign-in is part of a broader intrusion.
How to Monitor Suspicious Activity in Microsoft 365?
To monitor suspicious activity in Microsoft 365, build a repeatable process around detection, correlation, alerting, and response.
The goal is to move from raw telemetry to practical decisions about whether an account, device, or workload is safe.
1. Baseline normal user and admin behavior
Start by defining what normal looks like for each user group, department, and privileged role.
Baselines should include typical login locations, access times, device types, file-sharing patterns, mailbox behavior, and admin actions.
Without a baseline, even legitimate behavior may look suspicious, while subtle attacker activity may blend in.
For example, a finance user who normally accesses SharePoint from one region should trigger a review if logins suddenly appear from multiple countries in a short period.
2. Watch for identity anomalies
Identity is often the first control plane attackers target.
Monitor for failed login spikes, MFA fatigue attempts, password resets followed by new sign-ins, unfamiliar device registrations, legacy authentication usage, and sign-ins from risky countries or anonymized networks.
Also review Azure AD or Entra ID risk events such as leaked credentials, atypical travel, and unfamiliar sign-in properties.
These indicators help detect credential theft before the attacker escalates.
3. Track mailbox and email changes
Email compromise frequently leads to stealthy persistence.
Review mailbox rule creation, inbox forwarding, delegate access additions, suspicious sent-mail behavior, and changes to spam or filtering settings.
Attackers often create rules that move messages from security vendors, payroll, or leadership into hidden folders.
This allows them to suppress alerts and continue fraud or business email compromise activity unnoticed.
4. Monitor file access and sharing behavior
Large file exports, mass downloads, unusual sync activity, and external sharing changes can indicate data theft.
In SharePoint and OneDrive, watch for a user downloading far more files than usual or accessing sensitive libraries from a new endpoint.
Review sharing links created for external recipients, especially when links are set to anonymous access or broad permissions.
Sudden increases in document access outside normal work hours should also be investigated.
5. Review privileged role activity
Administrative accounts deserve special attention because a single compromise can affect the entire tenant.
Monitor role assignments, privilege elevation, group membership changes, application consent, conditional access modifications, and updates to transport or security rules.
Any administrative action should be validated against an approved change record where possible.
Unexpected changes to security policies or mail flow rules can create hidden persistence paths.
6. Correlate signals across services
One event may be benign, but multiple related events can expose an attack chain.
For example, a suspicious sign-in followed by mailbox rule creation and large OneDrive downloads is much stronger evidence than any event alone.
Correlation is where tools like Microsoft Defender XDR and Microsoft Sentinel add the most value.
They help security teams connect sign-in telemetry, email alerts, and audit events into one incident timeline.
High-Value Alert Types to Configure
Alert tuning is critical because Microsoft 365 environments can generate large event volumes.
Focus on detections that align with common attacker behavior and business risk.
- Unfamiliar sign-in properties or impossible travel
- Multiple failed authentication attempts followed by success
- Legacy authentication usage
- New mailbox forwarding or inbox rules
- Suspicious OAuth app consent
- Role assignment or privilege escalation
- Mass file downloads or external sharing spikes
- Malicious email link clicks and phishing detonation events
- Conditional Access policy changes
For each alert, define the expected severity, owner, escalation path, and response time.
A well-tuned medium-severity alert that is triaged consistently is more useful than a noisy high-severity alert that analysts ignore.
How to Investigate a Suspicious Event
When an alert fires, investigate in a structured order so you can quickly determine whether the activity is benign, risky, or confirmed malicious.
Begin with who performed the action, what changed, when it happened, and whether other signals support the event.
- Confirm the identity and device involved.
- Check IP address reputation, geography, and device compliance.
- Review recent sign-ins, MFA prompts, and risk events.
- Inspect audit logs for linked actions in mail, files, or admin portals.
- Look for lateral movement, persistence, or data access patterns.
- Determine whether the activity aligns with an approved change.
Use investigation notes to build a timeline.
Timelines make it easier to spot chains such as phishing, login, mailbox rule creation, privilege abuse, and data exfiltration.
Automation and Response Workflows
Automation reduces response time and limits the impact of compromised accounts.
Microsoft 365 environments benefit from playbooks that can disable a user, revoke sessions, reset passwords, isolate endpoints, and remove malicious forwarding rules based on confidence thresholds.
Use automation carefully to avoid disrupting legitimate users.
A common approach is to quarantine high-confidence incidents automatically while routing medium-confidence cases to analysts for review.
Microsoft Sentinel, Defender XDR, and Entra ID all support response workflows that can be integrated into a broader security operations process.
Best Practices for Ongoing Monitoring
Continuous monitoring works best when controls, processes, and ownership are clearly defined.
Keep these practices in place to improve detection quality over time:
- Enable and retain audit logging long enough to support investigations.
- Restrict legacy authentication wherever possible.
- Require MFA for all users, especially admins and remote workers.
- Use least privilege for admin and service accounts.
- Review OAuth app consent and application permissions regularly.
- Set alerts for risky sharing and unusual mailbox behavior.
- Test incident response playbooks with tabletop exercises.
- Document approved maintenance windows and change events.
Monitoring also improves when your team periodically reviews false positives.
If a rule consistently fires for expected business activity, refine thresholds or add context instead of disabling the detection entirely.
Why Microsoft Sentinel Can Strengthen Visibility
Microsoft Sentinel is often the best place to centralize Microsoft 365 monitoring because it can ingest logs from Entra ID, Defender, Exchange, SharePoint, and third-party tools.
It supports analytics rules, incident grouping, hunting queries, workbooks, and automation, which makes it easier to detect attacker behavior across multiple services.
Security teams that use Sentinel can build detections around uncommon sign-ins, high-risk mailbox activity, file exfiltration, and admin changes while keeping a unified view of incidents.
That centralization is especially useful in hybrid environments where Microsoft 365 activity must be correlated with endpoint and network telemetry.
Metrics That Show Whether Monitoring Is Working
Measuring program effectiveness helps security teams know whether they are reducing risk or simply generating more alerts.
Track how quickly incidents are detected, how often alerts are true positives, how many compromised accounts are contained before data access occurs, and how many risky events are auto-remediated.
Useful metrics include mean time to detect, mean time to contain, alert-to-incident conversion rate, percentage of monitored accounts with MFA enabled, and number of privileged actions reviewed within policy.
These metrics show whether your Microsoft 365 monitoring strategy is creating real defensive value.