Microsoft has quietly rolled out enhanced audit logging capabilities for Teams meetings in a bid to strengthen IT teams’ auditability and observability.
The update captures comprehensive data about who initiates screen shares, when control is requested or granted, and which participants access shared content during meetings.
This represents another step for Microsoft Teams to meetings more secure by offering granular visibility over sharing and recording meeting content.
Understanding the New Audit Logging Capabilities
Teams has a system of audit logs that help IT teams keep an overview of user and admin actions like messages sent, files shared, user logins, team creation, and changes to settings.
The new enhanced audit logging system now adds to this log by capturing a comprehensive range of meeting activities that were previously invisible to administrators.
For instance, when participants share screens during Teams meetings, the system now records detailed metadata including participant identities, timestamps for share initiation and termination, and specific details about control transfer actions.
Equally, this granular tracking extends to the use of “Take Control,” “Give Control,” and “Request Control” actions, providing a complete audit trail of who accessed what content, who initiated access, and when.
The new audit logs are accessible through Microsoft Purview or the Microsoft 365 compliance center, and make the logs searchable through familiar interfaces; administrators can filter logs using the “MeetingParticipantDetail” operation name or search for “screenShared” keywords to quickly identify relevant activities.
The system also supports date range filtering, enabling targeted investigations of specific time periods or incidents. Information from this portal can be exported as CSV files for further analysis.
Such a level of detail provides IT teams with unprecedented insight into how sensitive content flows through their organization’s virtual meetings.
This can not only help IT teams with auditability and compliance efforts by giving greater visibility into meetings but also aid in uncovering suspicious behavior that could be a sign of a security issue.
The Growing Threat Landscape
Microsoft’s recent update to Teams recognizes that the UC platform is increasingly being targeted, as hackers see it as a way to gain mission-critical information.
For instance, the Scattered Spider hacking group has been particularly active in exploiting Teams and similar collaboration platforms, using advanced social engineering techniques to manipulate employees and gain unauthorized access to corporate networks.
These attacks leverage the inherent trust users place in internal communication platforms, making them particularly dangerous and difficult to detect.
Once attackers establish a presence within Teams environments, they can gather intelligence about organizational structure, ongoing projects, and security practices.
Such tactics demonstrate that traditional security measures require reinforcement with more advanced monitoring and behavioral analytics.
Thus, the new capabilities to see who requested screen sharing can give additional clues to IT teams about users acting suspiciously and who need further investigation.
This particular focus on screen sharing seems to be of acute interest for Microsoft as they aim to make Teams more secure.
Last month, the company announced it is introducing a screen capture prevention feature, which will black out meeting windows when participants attempt to take screenshots.
Equally, participants joining a Teams call from unsupported platforms will be restricted to audio-only mode.
These technical controls further demonstrate that the tech titan sees its Teams meetings as a potential weak link for its customers.
Making Meetings More Secure
The introduction of advanced audit logging represents another incremental security improvement Microsoft is making to Teams and its meetings.
With these new audit tools, organizations can enhance their security posture by establishing baseline behavioral patterns for screen sharing and content access, enabling them to detect anomalies that might indicate security incidents or policy violations.
Equally, with Microsoft coincidentally rolling out remote diagnostic capabilities that gets logs from users’ devices, and an update that enables transcription policies by default for new tenants, this tool can work as part of a holistic approach to examining user behavior.
Such intelligence can inform targeted training programs and policy adjustments to reduce security risks.
Equally, such capabilities can prove particularly valuable for industries with strict compliance requirements, extending their level of auditability essential for regulatory compliance.
