Learn about Microsoft 365 log protection and retention

Completed

Microsoft 365 is a dynamic, hyper-scale cloud containing a variety of system components. To effectively process log data from our environment and protect logs from modification, we perform log collection and analysis using secure, centralized processing, and storage services.

Log aggregation

Each system includes a custom logging agent, Office Data Loader (ODL), which is installed as part of the system baseline. ODL is responsible for enforcing central logging policies defined by the Microsoft 365 Security Team and uploading the log data to centralized services for processing and storage. ODL is configured to scrub all end-user information automatically and upload events in batches every few minutes, removing and replacing fields that contain customer data with a hash value. All log data transfers occur over a FIPS 140-2-validated TLS encrypted connection on approved ports and protocols to protect log data in transit. Permanent or irreversible changes to audit record content and time ordering, aside from the scrubbing described previously, are prohibited. Log data is uploaded to a proprietary security monitoring solution for near real-time analysis, checking logs for potential security events and performance indicators. Logs are also uploaded to a big data computing service (Azure Data Lake) for long-term storage. The central storage service dynamically allocates audit storage space for audit logs, ensuring no data is lost due to lack of storage space. Any audit processing failures are reported and escalated to Microsoft 365 Security as appropriate.

Log retention

Microsoft 365 retains audit log data in accordance with security best practices and compliance regulations. Most types of audit log data are retained for a minimum of 90 days to support incident investigations and compliance requirements. Service teams may select alternative retention periods for specific types of log data to support the needs of their applications.

In addition, Microsoft 365 retains many types of audit records in an internal data storage and computing service called Cosmos for at least one year to support investigations of security incidents and to meet regulatory retention requirements. Access to this log data is limited to a small number of security team personnel. Microsoft 365 log retention and backup policies ensure log data is readily available for incident investigations, compliance reporting, and any other business requirements.

Access control

Microsoft performs extensive monitoring and auditing of all delegation, privileges, and operations that occur within Microsoft 365. Access to Microsoft 365 log data stored in Azure Data Lake is restricted to authorized personnel, and all access control requests and approvals are captured for security event analysis. Microsoft reviews access levels to ensure that its systems can only be accessed by users who have authorized business justifications and meet the eligibility requirements. All permitted access is traceable to a unique user. The management of audit logs is restricted to a limited subset of Security Team members responsible for audit functionality, who do not have standing administrative access.