Auditing solutions in Microsoft Purview
Updated: Nov 2
About Alif: Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients to ensure that the partners reduce their costs and focus on their business. We provide white-labeled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps, and a lot more. Our headquarter is in Pune, India where we work with over 50 partners across the globe that trust us with their client delivery.
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft Purview Audit (Standard) allows you to log and search for audited activities and power your forensic, IT, compliance, and legal investigations.
Enabled by default. Audit (Standard) is turned on by default for all organizations with the appropriate subscription. That means records for audited activities will be captured and searchable. The only setup that is required is to assign the necessary permissions to access the audit log search tool (and the corresponding cmdlet) and make sure that users are assigned the right license for Microsoft Purview Audit (Premium) features.
Thousands of searchable audit events. You can search for a wide range of audit activities that occur in most of the Microsoft 365 services in your organization. See Audit log activities for a list of the activities you can search for. See the Audit log record type for a list of the services and features that support audited activities.
The audit search tool in the Microsoft Purview compliance portal. Use the Audit log search tool in the compliance portal to search for audit records. You can search for specific activities, activities performed by specific users, and activities that occurred with a date range. Here's a screenshot of the Audit search tool in the compliance portal.
Search-UnifiedAuditLog cmdlet. You can also use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell (the underlying cmdlet for the search tool) to search for audit events or to use in a script.
Export audit records to a CSV file. After running the Audit log search tool in the compliance portal, you can export the audit records returned by the search to a CSV file. This lets you use Microsoft Excel to sort and filter different audit record properties. You can also use Excel Power Query transform functionality to split each property in the AuditData JSON object into its column. This lets you effectively view and compare similar data for different events.
Access to audit logs via Office 365 Management Activity API. A third method for accessing and retrieving audit records is to use the Office 365 Management Activity API. This lets organizations retain auditing data for longer periods than the default 90 days and lets them import their auditing data to a SIEM solution.
90-day audit log retention. When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. In Audit (Standard), records are retained for 90 days, which means you can search for activities that occurred within the past three months.
Audit (Premium) builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API.
Audit log retention policies. You can create customized audit log retention policies to retain audit records for longer periods of up to one year (and up to 10 years for users with required add-on licenses). You can create a policy to retain audit records based on the service where the audited activities occur, specific audited activities, or the user who performs an audited activity.
Longer retention of audit records. Exchange, SharePoint, and Azure Active Directory audit records are retained for one year by default. Audit records for all other activities are retained for 90 days by default, or you can use audit log retention policies to configure longer retention periods.
High-value, crucial Audit (Premium) events. Audit records for crucial events can help your organization conduct forensic and compliance investigations by providing visibility to events such as when mail items were accessed, or when mail items were replied to and forwarded, or when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help you investigate possible breaches and determine the scope of compromise.
Higher bandwidth to the Office 365 Management Activity API. Audit (Premium) provides organizations with more bandwidth to access auditing logs through the Office 365 Management Activity API. Although all organizations (that have Audit (Standard) or Audit (Premium)) are initially allocated a baseline of 2,000 requests per minute, this limit will dynamically increase depending on an organization's seat count and licensing subscription. This results in organizations with Audit (Premium) getting about twice the bandwidth as organizations with Audit (Standard).
Comparison of key capabilities
The following table compares the key capabilities available in Audit (Standard) and Audit (Premium). All Audit (Standard) functionality is included in Audit (Premium).
Enabled by default
Thousands of searchable audit events
The audit search tool in the compliance portal
Export audit records to CSV file
Access to audit logs via Office 365 Management Activity API 1
90-day audit log retention
1-year audit log retention
10-year audit log retention 2
Audit log retention policies
High-value, crucial events
The following sections identify the licensing requirements for Audit (Standard) and Audit (Premium). Audit (Standard) functionality is included with Audit (Premium).
Microsoft Business Basic/Standard subscriptions
Microsoft 365 Apps for Business subscription
Microsoft 365 Enterprise E3 subscription
Microsoft 365 Business Premium
Microsoft 365 Education A3 subscription
Microsoft 365 Government G1/G3 subscriptions
Microsoft 365 Frontline F1 or F3 subscription, or F5 Security add-on
Office 365 Enterprise E1/E3 subscription
Office 365 Education A1/A3 subscriptions
Microsoft 365 Enterprise E5 subscription
Microsoft 365 Enterprise E3 subscription + the Microsoft 365 E5 Compliance add-on
Microsoft 365 Enterprise E3 subscription + the Microsoft 365 E5 eDiscovery and Audit add-on
Microsoft 365 Education A5 subscription
Microsoft 365 Education A3 subscription + the Microsoft 365 A5 Compliance add-on
Microsoft 365 Education A3 subscription + the Microsoft 365 A5 eDiscovery and Audit add-on
Microsoft 365 Government G5 subscription
Microsoft 365 Government G3 subscription + the Microsoft 365 G5 Compliance add-on
Microsoft 365 Government G3 subscription + the Microsoft 365 G5 eDiscovery and Audit add-on
Microsoft 365 Frontline F5 Compliance or F5 Security & Compliance add-on
Office 365 Enterprise A5/E5 subscriptions
Set up Microsoft Purview auditing solutions.
To get started using the auditing solutions in Microsoft Purview, see the following setup guidance.
Set up Audit (Standard)
The first step is to set up Audit (Standard) and then start running audit log searches.
Verify that your organization has a subscription that supports Audit (Standard) and if applicable, a subscription that supports Audit (Premium).
Assign permissions in Exchange Online to people in your organization who will use the audit log search tool in the compliance portal or use the Search-UnifiedAuditLog cmdlet. Specifically, users must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online.
Search the audit log. After completing steps 1 and step 2, users in your organization can use the audit log search tool (or corresponding cmdlet) to search for audited activities.
Set up Audit (Premium)
If your organization has a subscription that supports Audit (Premium), perform the following steps to set up and use the additional capabilities in Audit (Premium).
1. Set up Audit (Premium) for users. This step consists of the following tasks:
Verifying that users are assigned the appropriate license or add-on license for Audit (Premium).
Turning on the Audit (Premium) app/service plan must be for those users.
Enabling the auditing of crucial events and then turning on the Audit (Premium) app/service plan for those users.
2. Enable Audit (Premium) events to be logged when users perform searches in Exchange Online and SharePoint Online.
3. Set up audit log retention policies. In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams.
4. Search for crucial Audit (Premium) events and other activities when conducting forensic investigations. After completing steps 1 and step 2, you can search the audit log for Audit (Premium) events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations.