Audit log search in the Microsoft Defender portal

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the unified audit log records supported user and admin operations. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in the organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.

Tip

Audit log search in Microsoft Defender portal is identical to audit log search in the Microsoft Purview compliance portal at https://compliance.microsoft.com/auditlogsearch.

What do you need to know before you begin?

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:
    • Exchange Online permissions: Membership in the Organization Management or Compliance Management role groups.

    • Microsoft Entra permissions: Membership in the Global Administrator* or Compliance Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

In the Microsoft Defender portal at https://security.microsoft.com, go to Audit. Or, to go directly to the Audit page, use https://security.microsoft.com/auditlogsearch.

On the Audit page, create the audit log search. For instructions, see the following articles: