Learn about auditing solutions in Microsoft Purview
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your organization.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Comparison of key capabilities
The following table compares the key capabilities available in Audit (Standard) and Audit (Premium). All Audit (Standard) functionality is included in Audit (Premium).
Capability | Audit (Standard) | Audit (Premium) |
---|---|---|
Enabled by default | ||
Thousands of searchable audit events | ||
Audit search tool in the Microsoft Purview portal and compliance portal | ||
Audit Search Graph API | ||
Search-UnifiedAuditLog cmdlet | ||
Export audit records to CSV file | ||
Access to audit logs via Office 365 Management Activity API 1 | ||
180-day audit log retention | ||
1-year audit log retention | ||
10-year audit log retention 2 | ||
Audit log retention policies | ||
Intelligent insights |
Note
1 Audit (Premium) includes higher bandwidth access to the Office 365 Management Activity API, which provides faster access to audit data.
2 In addition to the required licensing for Audit (Premium) (described in the next section), a user must be assigned a 10-Year Audit Log Retention add-on license to retain their audit records for 10 years.
Audit (Standard)
Microsoft Purview Audit (Standard) provides with you with the ability to log and search for audited activities and power your forensic, IT, compliance, and legal investigations.
Enabled by default. Audit (Standard) is turned on by default for all organizations with the appropriate subscription. That means records for audited activities are captured and searchable. The only setup that required is to assign the necessary permissions to access the audit log search tool (and the corresponding cmdlet) and make sure that user's are assigned the right license for Microsoft Purview Audit (Premium) features.
Thousands of searchable audit events. You can search for a wide-range of audited activities that occur is most of the Microsoft services in your organization. For a list of the activities you can search for, see Audit log activities. For a list of the services and features that support audited activities, see Audit log record type.
Audit search tool in the Microsoft Purview portal or the compliance portal. Use the Audit log search tool in the portals to search for audit records. You can search for specific activities, for activities performed by specific users, and activities that occurred with a date range.
Audit Search Graph API. Microsoft Graph offers a unified API endpoint for accessing data from multiple Microsoft cloud services in a single response. The Audit Search Graph API allows you to programmatically access the audit search experience through Microsoft Graph.
Search-UnifiedAuditLog cmdlet. You can also use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell (the underlying cmdlet for the search tool) to search for audit events or to use in a script. For more information, see:
Export audit records to a CSV file. After running the Audit log search tool in the Microsoft Purview portal or the compliance portal, you can export the audit records returned by the search to a CSV file. This lets you use Microsoft Excel sort and filter on different audit record properties. You can also use Excel Power Query transform functionality to split each property in the AuditData JSON object into its own column. This lets you effectively view and compare similar data for different events. For more information, see Export, configure, and view audit log records.
Access to audit logs via Office 365 Management Activity API. A third method for accessing and retrieving audit records is to use the Office 365 Management Activity API. This lets organizations retain auditing data for longer periods than the default 180 days and lets them import their auditing data to a SIEM solution. For more information, see Office 365 Management Activity API reference.
180-day audit log retention. When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. In Audit (Standard), records are retained for 180 days, which means you can search for activities that occurred within the past six months.
Important
The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.
Audit (Premium)
Important
Classic Search has been retired as of November 30, 2023. New Search includes enhancements such as faster search times, additional search options, ability to save searches, and more.
Audit (Premium) builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, high-value intelligent insights, and higher bandwidth access to the Office 365 Management Activity API.
- Audit log retention policies. You can create customized audit log retention policies to retain audit records for longer periods of time up to one year (and up to 10 years for users with required add-on license). You can create a policy to retain audit records based the service where the audited activities occur, specific audited activities, or the user who performs an audited activity.
- Longer retention of audit records. Microsoft Entra ID, Exchange, OneDrive, and SharePoint audit records are retained for one year by default. Audit records for all other activities are retained for 180 days by default, or you can use audit log retention policies to configure longer retention periods.
- Audit (Premium) intelligent insights. Audit records for intelligent insights can help your organization conduct forensic and compliance investigations by providing visibility to events such as when mail items were accessed, or when mail items were replied to and forwarded, or when and what a user searched for in Exchange Online and SharePoint Online. These intelligent insights can help you investigate possible breaches and determine the scope of compromise.
- Higher bandwidth to the Office 365 Management Activity API. Audit (Premium) provides organizations with more bandwidth to access auditing logs through the Office 365 Management Activity API. Although all organizations (that have Audit (Standard) or Audit (Premium)) are initially allocated a baseline of 2,000 requests per minute, this limit will dynamically increase depending on an organization's seat count and their licensing subscription. This results in organizations with Audit (Premium) getting about twice the bandwidth as organizations with Audit (Standard).
Long-term retention of audit logs
Audit (Premium) retains all Exchange, SharePoint, and Microsoft Entra audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of AzureActiveDirectory, Exchange, OneDrive, or SharePoint, for the Workload property (which indicates the service in which the activity occurred) for one year. Retaining audit records for longer periods can help with on-going forensic or compliance investigations. For more information, see the "Default audit log retention policy" section in Manage audit log retention policies.
In addition to the one-year retention capabilities of Audit (Premium), we've also released the capability to retain audit logs for 10 years. The 10-year retention of audit logs helps support long running investigations and respond to regulatory, legal, and internal obligations.
Note
Retaining audit logs for 10 years requires an additional per-user add-on license. After this license is assigned to a user and an appropriate 10-year audit log retention policy is set for that user, audit logs covered by that policy will start to be retained for the 10-year period. This policy is not retroactive and can't retain audit logs that were generated before the 10-year audit log retention policy was created.
Audit log retention policies
All audit records generated in other services that aren't covered by the default audit log retention policy (described in the previous section) are retained for 180 days. But you can create customized audit log retention policies to retain other audit records for longer periods of time up to 10 years. You can create a policy to retain audit records based on one or more of the following criteria:
The Microsoft service where the audited activities occur.
Specific audited activities.
The user who performs an audited activity.
Important
The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days. You can also specify how long to retain audit records that match the policy and a priority level so that specific policies take priority over other policies. Also note that any custom audit log retention policy takes precedence over the default audit retention policy in case you need retain Exchange, SharePoint, or Azure Active Directory audit records for less than a year (or for 10 years) for some or all users in your organization. For more information, see Manage audit log retention policies.
Important
The audit item lifetime for data is determined when it is added to the auditing pipeline and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These change don't change any previously committed items.
Audit (Premium) activity properties
Audit (Premium) helps organizations to conduct forensic and compliance investigations by providing access to important events such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online. These events can help you investigate possible breaches and determine the scope of compromise. In addition to these events in Exchange and SharePoint, there are events in other Microsoft services that are considered important events and require that users are assigned the appropriate Audit (Premium) license. Users must be assigned an Audit (Premium) license so that audit logs are generated when users perform these events.
These activities require that users are assigned the appropriate Audit (Premium) license. Users must be assigned an Audit (Premium) license so that audit logs are generated when users perform these activities and properties.
Audit (Premium) provides access to the following activity properties:
Exchange Online
Activity | Property |
---|---|
MailItemsAccessed | SensitivityLabel |
Microsoft Teams
Activity | Property |
---|---|
ChatCreated | AppAccessContext |
ChatRetrieved | AppAccessContext |
ChatUpdated | AppAccessContext |
MeetingParticipantDetail | IsJoinedFromLobby ArtifactShared |
MessageCreatedNotification | AppAccessContext |
MessageDeletedNotification | AppAccessContext |
MessageHostedContentsListed | AppAccessContext |
MessageHostedContentRead | AppAccessContext |
MessagesListed | AppAccessContext |
MessageRead | AppAccessContext |
MessageSent | AppAccessContext ParticipatingDomainInformation ParticipantInfo |
MessageUpdated | ParticipantInfo AppAccessContext |
MessageUpdatedNotification | AppAccessContext |
SubscribedToMessages | AppAccessContext |
High-bandwidth access to the Office 365 Management Activity API
Organizations that access auditing logs through the Office 365 Management Activity API were restricted by throttling limits at the publisher level. This means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers.
With Audit (Premium), this has changed from a publisher-level limit to a tenant-level limit. The result is that each organization get their own fully allocated bandwidth quota to access their auditing data. The bandwidth isn't a static, predefined limit but is modeled on a combination of factors including the number of seats in the organization and that E5/A5/G5 organizations get more bandwidth than non-E5/A5/G5 organizations.
All organizations are initially allocated a baseline of 2,000 requests per minute. This limit dynamically increases depending on an organization's seat count and licensing subscription. E5/A5/G5 organizations get about twice as much bandwidth as non-E5/A5/G5 organizations. There's a cap on the maximum bandwidth to protect the health of the service.
For more information, see the API throttling section in Office 365 Management Activity API reference.
Licensing requirements
Before you get started, review the subscription requirements for Audit (Standard) and Audit (Premium).
Training
Training your security operations team, IT administrators, and compliance investigators team in the fundamentals for Audit (Standard) and Audit (Premium) can help your organization get started more quickly using auditing to help with your investigations. Microsoft Purview provides the following resource to help these users in your organization getting started with auditing: Describe the eDiscovery and audit capabilities of Microsoft Purview.