Before you start creating a monitoring plan to audit your SharePoint Online farm, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.
In the Cloud:
Initial data collection
- The account must be assigned the Global Administrator role in Azure AD (Company Administrator in Azure AD PowerShell terms)—Only required when first configuring a monitoring plan for auditing Azure AD domain.
After the initial data collection
- The Global Administrator role can be removed from the collection account. Ongoing audit data collection leverages granted Office 365 Management APIs access permission and therefore requires no tenant-level or site-level permissions.
NOTE: Accounts with multi-factor authentication are not supported.
The account needs to be created as a Cloud-Only account.