Learn How to Use Microsoft 365 Security: Expert Tips

SeqOps is your trusted partner in building a secure, reliable, and compliant infrastructure. Through our advanced platform and methodical approach, we ensure your systems remain protected against vulnerabilities while staying ready to handle any challenge.

Are you confident that your organization captures the right audit evidence when an incident demands answers? This is a practical, expert-led walkthrough of how to use Microsoft 365 security audit tools to strengthen defenses. The focus is on clear steps you can follow and on the business value of reliable, attributable logs.


We explain where unified logs live now (Purview) and what those records reveal about user actions, file access, and system changes. You will learn how enabling auditing, running targeted searches, and exporting results supports compliance and incident investigation.

Expect concise guidance on role settings, retention limits, export caps, and practical workarounds. We also connect these logs to broader controls—classification, DLP, and defender signals—so you can act with confidence.

Key Takeaways

  • Audit logs give time-stamped, attributable records for faster incident response.
  • Purview hosts unified search, exports, and reporting across core services.
  • Enable auditing, verify propagation, and run focused searches by user and activity.
  • Know retention limits and licensing impacts on historical data.
  • Exported CSVs include detailed JSON for deep analysis and automation.

Understand Microsoft 365 Auditing Today: Purview, Defender, and What’s Logged

Purview and Defender together deliver a joined record of operational and threat signals that we can query for investigations and reporting. Since the 2022 rebrand, compliance and risk components live in a single portal where admins enable search, reporting, classification, DLP, and insider risk controls.

The unified audit log collects standardized records across core cloud services. That centralization ensures consistent fields, protected storage, and faster queries for analysts reviewing events.

  • Exchange Online: mailbox sign-ins, mail actions, and permission changes.
  • SharePoint & OneDrive: view, edit, move, delete, upload, download, and sharing events.
  • Teams: team and channel creation, membership changes, and message events.
  • Entra ID: user and group administration and role assignments.

Purview’s information protection, DLP, and insider-risk features produce signals we can correlate with log entries for richer context. Defender products (Endpoint, Office, Cloud Apps, Identity, XDR) add detection alerts that we cross-reference against audit records during incident response.

For a detailed reference of recorded events and their names, consult the audit activities list.

Turn On and Configure Auditing in the Microsoft Purview Compliance Portal

We begin by validating roles and access; correct permissions are the foundation for reliable audit logging.

Required roles: Searching the log requires the Audit Logs role (or View-Only Audit Logs for read-only investigators) in Exchange Online; the Compliance Management and Organization Management role groups carry it by default, and Purview also offers the Audit Reader and Audit Manager role groups for the same purpose. Confirm that the assigned admins can open the Purview portal before changing settings.

Enable ingestion in Purview under Solutions > Audit by selecting “Start recording user and admin activity.” The portal shows a banner if logging is off. Expect propagation up to 60 minutes after activation.

PowerShell alternative and verification

Connect with Connect-ExchangeOnline, then change ingestion with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true (or $false to disable). Verify with Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled. Note that this switch controls unified log ingestion only; mailbox auditing (Set-Mailbox -AuditEnabled) is a separate setting that is on by default.

  • Document each configuration change with timestamp and approver.
  • Limit administrative permissions and use dedicated MFA-protected accounts.
  • Checklist: verify roles, enable ingestion, confirm status, test a search, and record the change.
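The checklist above as one script, added here as an example rather than code from the original page. It assumes the ExchangeOnlineManagement module, an account that may run Set-AdminAuditLogConfig, and placeholder values for the approver and the change-log path.

```powershell
# Added example (not from the original page): verify roles, enable unified audit
# ingestion, confirm the result, run a smoke-test search and record the change.
# $Approver and $ChangeLog are placeholders; replace them for your tenant.
param(
    [string]$Approver  = 'change-board@contoso.example',               # assumption
    [string]$ChangeLog = "$env:USERPROFILE\audit-config-changes.csv"   # assumption
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false   # interactive, MFA-capable sign-in

# 1. Who can read audit data? The Audit Logs role is granted through role groups
#    such as Compliance Management and Organization Management.
$holders = Get-ManagementRoleAssignment -Role 'Audit Logs' -GetEffectiveUsers |
    Select-Object -ExpandProperty EffectiveUserName -Unique
Write-Host "Accounts with effective 'Audit Logs' role: $($holders -join ', ')"

# 2. Current ingestion state.
$before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Host "Unified audit ingestion currently enabled: $before"

# 3. Enable only if it is off, so the change record stays honest.
if (-not $before) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 4. Verify. The change can take up to 60 minutes to take effect, so a
#    false reading straight afterwards is not necessarily a failure.
$after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if (-not $after) {
    Write-Warning 'Ingestion still reports disabled; re-check within 60 minutes.'
}

# 5. Smoke test: any records from the last 24 hours prove the pipeline works.
$probe = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
Write-Host "Smoke-test search returned $(@($probe).Count) record(s)."

# 6. Record the change with timestamp, operator and approver.
[pscustomobject]@{
    TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
    Setting      = 'UnifiedAuditLogIngestionEnabled'
    Before       = $before
    After        = $after
    Operator     = (Get-ConnectionInformation).UserPrincipalName
    Approver     = $Approver
} | Export-Csv -Path $ChangeLog -Append -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from the dedicated, MFA-protected admin account the text recommends; the change log it appends to is the evidence that the setting was changed deliberately, by whom, and with whose approval.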

How to use Microsoft 365 security audit tools for searches, filtering, and exports

We run focused queries in Purview to surface meaningful records fast. Start by specifying a precise UTC start and end time; the search can only reach records still inside your retention window, so on default retention about 90 days is the practical maximum. Then pick activity groups or individual actions and narrow results by users or groups.

Filter by file name or full URL when you need hits for sensitive repositories, executive OneDrive accounts, or Teams channel libraries. The results grid returns events in 150-event increments; use Shift+End to load more pages. Purview shows up to the newest 50,000 events.


Export and interpret results

Choose “Download all results” to get a CSV. The top-level columns carry only the date, user and operation; the AuditData column contains JSON with the client app, IP address, target object, and operation parameters. Parse AuditData into columns before ingesting into a SIEM, or the detail that matters will sit unsearchable inside a string.

Feature          | What it shows                   | Limit                                            | Recommended action
Date/time & user | Event timestamp (UTC) and actor | Window bounded by retention (90 days by default) | Normalize timestamps and user IDs
Activity & item  | Action type and target object   | Grid loads 150 events per page                   | Filter by activity groups and URLs
AuditData JSON   | Client app, IP, parameters      | Included in the CSV export                       | Parse and join with endpoint telemetry
Exports          | CSV bundle of results           | 50,000-event cap per export                      | Segment searches by time or user, then combine

Operational tip: Save search criteria, use consistent export names, and secure CSVs as evidence. Combine exports with identity and endpoint signals for fuller context in reports and investigations.
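The same search, export and 50,000-event workaround scripted with Search-UnifiedAuditLog, added as an example and not taken from the original page. It assumes an existing Connect-ExchangeOnline session; the user, operations, window and output path are placeholders.

```powershell
# Added example (not from the original page): pull every download and sharing
# event for one user over 30 days, page through large result sets, keep each
# time window under the 50,000-record session cap, and write a CSV with the
# AuditData fields promoted to columns. Values below are placeholders.
$User   = 'cfo@contoso.example'                                  # assumption
$Start  = [datetime]::UtcNow.AddDays(-30)                        # UTC, like the records
$End    = [datetime]::UtcNow
$OutCsv = "$env:TEMP\audit-$($User.Split('@')[0]).csv"           # assumption
$Ops    = 'FileDownloaded', 'FileSyncDownloadedFull', 'SharingSet', 'AnonymousLinkCreated'

function Get-AuditSlice {
    # Returns all records for one window by repeating the search with the same
    # SessionId until the service stops returning rows. A call returns at most
    # 5,000 records and a session tops out at 50,000; ReturnLargeSet is faster
    # than ReturnNextPreviewPage but comes back unsorted and may repeat rows.
    param([datetime]$From, [datetime]$To)
    $session = [guid]::NewGuid().ToString()
    $rows = @()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $From -EndDate $To `
            -UserIds $User -Operations $Ops `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($batch) { $rows += $batch }
    } while ($batch -and @($batch).Count -eq 5000)
    if ($rows.Count -ge 50000) {
        Write-Warning "Window $From..$To hit the 50,000-record cap; split it further."
    }
    return $rows
}

# Walk the range in 7-day slices so a busy account cannot blow past the cap.
$all  = @()
$from = $Start
while ($from -lt $End) {
    $to = $from.AddDays(7)
    if ($to -gt $End) { $to = $End }
    $all += Get-AuditSlice -From $from -To $to
    $from = $to
}

# Flatten: the useful fields live inside the AuditData JSON, not the top-level columns.
$flat = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $d.CreationTime
        User         = $d.UserId
        Operation    = $d.Operation
        Workload     = $d.Workload
        ClientIP     = $d.ClientIP
        UserAgent    = $d.UserAgent
        Site         = $d.SiteUrl
        Object       = $d.ObjectId
        RecordId     = $d.Id
    }
} | Sort-Object RecordId -Unique | Sort-Object CreationTime   # dedupe, then order

$flat | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
"{0} records for {1} written to {2}" -f @($flat).Count, $User, $OutCsv
```

Deduplicating on the record's own Id rather than on timestamp matters: two distinct downloads can share a CreationTime, but ReturnLargeSet can also hand you the same record twice across calls, and only the Id tells those cases apart.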

Retention and Compliance: Keeping Audit Data Aligned with Policy and Licensing

Retention windows set the practical limit on how far back we can investigate incidents and meet regulatory requests. Without premium licensing, audit records have historically been retained for 90 days; Microsoft raised the Audit (Standard) default to 180 days for records generated from late 2023 onward, so confirm the value your tenant actually reports before planning around either figure. That baseline determines the lookback available for routine reviews and internal investigations.

With Microsoft 365 E5 or the E5 Compliance add-on (Audit Premium), retention for Entra ID (formerly Azure AD), Exchange, and SharePoint records extends to one year by default. Organizations can also create audit log retention policies that raise other record types to a one-year window, and a separate add-on extends retention to ten years.

Policy changes and non-retroactivity

Licensing or policy changes apply only going forward. Records created before an upgrade keep their original expiration. That constraint affects evidence preservation planning and legal holds.

Mapping retention to regulations

We recommend mapping retention windows to GDPR, HIPAA, and SOX requirements with legal counsel and risk management. Align retention with data loss prevention and classification so sensitive data handling is monitored and provable.

  • Designate owners for retention policies and review quarterly.
  • Document change impact when licensing tiers or policies shift.
  • Maintain a preservation playbook: export older records quickly and store them under compliance archiving standards.
Area                           | Default retention                                     | E5 / add-on retention                   | Recommended action
General audit records          | 90 days (180 days for records generated after late 2023) | Up to 1 year (per policy)            | Map by regulation; set retention policy and owner
Entra ID, Exchange, SharePoint | 90 days                                               | 1 year by default with E5               | Verify licensing; enable one-year retention where needed
Other services                 | 90 days                                               | Can be raised to 1 year via policies    | Create targeted retention policies; test exports
Evidence preservation          | Subject to original expiration                        | Later records extend only after change  | Export quickly for incidents spanning older windows

Operational tip: Run periodic test searches and report checks. Integrate retention objectives into your compliance calendar and make change impact notes part of formal governance.
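Inspecting and creating an audit log retention policy from Security & Compliance PowerShell, added as an example rather than code from the original page. It assumes Audit Premium licensing (Microsoft 365 E5 or the E5 Compliance add-on), and the policy name, record types and priority are placeholders.

```powershell
# Added example (not from the original page): list existing audit log retention
# policies, then create a 12-month policy for core workloads if it is missing.
# Policies cover records generated after they exist; they never extend records
# that are already ageing out, so export anything older that you still need.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession   # Security & Compliance endpoint, not Connect-ExchangeOnline

# What is already in place, and in what order it is evaluated (lower Priority wins)?
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, Operations, RetentionDuration, Priority |
    Format-Table -AutoSize

# RetentionDuration accepts ThreeMonths, SixMonths, NineMonths, TwelveMonths, TenYears.
$policyName = 'Audit-12mo-Core-Workloads'   # assumption
$existing = Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Twelve-month retention for Teams, Exchange and SharePoint audit records' `
        -RecordTypes MicrosoftTeams, ExchangeItem, SharePointFileOperation, SharePointSharingOperation `
        -RetentionDuration TwelveMonths `
        -Priority 10
}

# Sanity check: confirm the duration is the one we asked for, not a default.
$p = Get-UnifiedAuditLogRetentionPolicy -Identity $policyName
if ($p.RetentionDuration -ne 'TwelveMonths') {
    Write-Warning "Policy $policyName is not in the expected state: $($p | Out-String)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Record the creation in the same change log used for ingestion changes, and note the creation date alongside it: that date is the earliest point from which the longer window applies.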

Operationalize Auditing: Monitoring, Incident Response, and Extended Tooling

We build an operational layer that links Purview event streams with Defender alerts for continuous threat detection. This gives analysts context for incidents and speeds containment decisions.

Continuous monitoring and correlation

We recommend a monitoring program that correlates Purview events with Defender for Endpoint, Office, Identity, and Cloud Apps alerts. Correlation surfaces suspicious patterns faster and reduces false positives.

Incident response workflows and post-incident reviews

Audit records feed incident response procedures. We triage unusual downloads, privilege changes, and Teams membership edits by pivoting on user, IP, and resource. Playbooks must list what to export, how to preserve evidence, and who approves containment actions.

Strengthen controls and validate effectiveness

Use Secure Score, MFA, conditional access, data loss prevention, and classification to harden the environment. Validate changes by tracking whether risky sharing events and anonymous-link creation actually decline in periodic audit reports.

Scale with extended solutions

CoreView brings daily reports, change inventories, and rollback options for multi-tenant management. Netwrix provides cross-service reporting, alerting, and compliance-ready views. Both solutions simplify long-term management and evidence collection.

Solution           | Primary capability       | Benefit
Purview + Defender | Monitoring & detection   | Contextual alerts for faster incident response
CoreView           | Daily reports & rollback | Operational visibility and quick remediation
Netwrix            | Cross-service auditing   | Compliance-ready reports and threat context
  • Address vulnerabilities by linking endpoint risk with event patterns for guided remediation.
  • Formalize training so admins read JSON details and maintain repeatable incident documentation.
  • Integrate exports with SIEM/XDR for centralized analytics and long-term retention.

Conclusion

We close with a concise roadmap that ties logging, retention, and correlation into repeatable governance.

Verify roles, enable unified ingestion, run precise searches, and export AuditData for analysis. These steps create a reliable record for investigations and compliance.

Tune retention (90 days by default, 180 days for newer records, one year with E5 or the Compliance add-on) and document that policy changes do not extend prior records.

Correlate logs with Defender alerts and other signals to speed response and preserve evidence that leadership and auditors demand.

Embed auditing into routine governance with playbooks for sharing changes, privilege escalation, and mass downloads. At scale, adopt CoreView or Netwrix for verification, rollback, and broader reporting.

Mastering searches, key fields, and retention aligns your organization’s data protection and demonstrates strong management of risk.

FAQ

Where should an organization start with Microsoft 365 security auditing?

We recommend a phased approach: confirm roles and permissions, enable unified auditing in the Purview compliance portal, and integrate Defender alerts with audit logs. Focus initial efforts on critical workloads — Exchange, SharePoint, OneDrive, Teams, and Entra ID — and define clear retention and incident-response procedures. Train administrators on common log fields and regular reporting to reduce mean time to detect and respond.

From Office 365 to Microsoft Purview: Where auditing lives now

Auditing has consolidated into Microsoft Purview (the compliance portal) while many service-specific signals still surface in Defender and Entra. The unified audit log ingests events from Exchange, SharePoint, OneDrive, Teams, and Entra ID, so you can search across services from a single interface while retaining service-level diagnostics where needed.

What activities does the unified audit log track across Exchange, SharePoint, OneDrive, Teams, and Entra ID?

The log captures user and admin actions such as sign-ins, file accesses and sharing, mailbox changes, Teams channel and chat activities, group and role changes in Entra ID, and policy updates. Each record includes timestamp, actor, activity, target item, and contextual details for incident analysis and compliance reporting.

Required roles and access: Audit Logs role, Compliance/Organization Management

Administrators need the Audit Logs role or membership in Compliance or Organization Management to access Purview auditing and run searches. Delegate with least privilege: separate investigative roles from configuration roles and use dedicated service accounts for automated exports and integrations.

Enable or disable auditing via Purview and Exchange Online PowerShell

Unified auditing is enabled in Purview under Solutions > Audit, or from Exchange Online PowerShell with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. Mailbox auditing is a separate control: it is on by default, and Set-Mailbox -AuditEnabled adjusts it per mailbox. Changes can be made in the portal for ease or scripted for scale through PowerShell.

Verify auditing status and expected propagation time

After enabling, the setting itself takes effect within about 60 minutes, but individual events have their own latency: Exchange and SharePoint records typically appear within 30 minutes, while Entra ID and Defender records can take up to 24 hours. Validate by running a short, targeted search for a known test activity. Check service health and the audit status banner in Purview if events do not appear within the expected window.

Run targeted searches in Purview Audit: date ranges, activities, users, and file/site filters

Construct focused queries using date range, activity types, user or group, and object identifiers (file name, site URL, mailbox). Narrow searches to reduce result volume and improve performance. Save common queries and use filters to speed repetitive investigations.

Interpret key audit fields: date/time, user, activity, item, details

In the export, the top-level columns are CreationDate (timestamp), UserIds (actor), Operations (activity), and AuditData (JSON with everything else). Inside AuditData, the common fields are CreationTime, UserId, Operation, Workload, ClientIP, ObjectId (the target item), ResultStatus, and Id (the record's unique identifier); Entra ID records add Actor and Target arrays and a ModifiedProperties list with old and new values. AuditData carries the most actionable details, such as IP, client, and identifiers for follow-up queries.

Export results to CSV and work with the AuditData column

Export searches to CSV when you need offline analysis. The AuditData column contains nested JSON; parse it with tools such as PowerShell, Excel Power Query, or a SIEM to extract fields like IP address, file path, and previous and new values for changes.
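Parsing the AuditData column offline and running the pivots the incident response section describes (unusual downloads, privilege changes, pivoting on IP) is shown below as an added example; it is not code from the original page. The export it reads is constructed inline with the same columns as a Purview CSV, and the allow-list and burst threshold are assumptions.

```powershell
# Added example (not from the original page): parse a Purview CSV export offline
# and run the checks an investigator pivots on. The records are constructed for
# this example; the corporate address ranges and threshold are assumptions.
$allowedPrefixes = '203.0.113.', '198.51.100.'   # assumption: corporate egress ranges
$burstThreshold  = 3                             # assumption: downloads per user per hour

# --- Build a constructed export with the columns of "Download all results"
function New-Record([datetime]$t, [string]$user, [string]$op, [string]$ip,
                    [string]$obj, [string]$workload, [hashtable]$extra) {
    $d = @{ CreationTime = $t.ToString('s'); Id = [guid]::NewGuid().ToString()
            Operation = $op; Workload = $workload; UserId = $user
            ClientIP = $ip; ObjectId = $obj }
    if ($extra) { foreach ($k in $extra.Keys) { $d[$k] = $extra[$k] } }
    [pscustomobject]@{ CreationDate = $t.ToString('s'); UserIds = $user
                       Operations = $op; AuditData = ($d | ConvertTo-Json -Compress -Depth 5) }
}
$t0   = [datetime]'2024-05-01T09:00:00'
$site = 'https://contoso.sharepoint.com/sites/finance/'
$rows = @(
    New-Record $t0                'alice@contoso.example' 'FileDownloaded' '203.0.113.7' "${site}Q1.xlsx" 'SharePoint' $null
    New-Record $t0.AddMinutes(5)  'bob@contoso.example'   'FileDownloaded' '192.0.2.44'  "${site}Q1.xlsx" 'SharePoint' $null
    New-Record $t0.AddMinutes(6)  'bob@contoso.example'   'FileDownloaded' '192.0.2.44'  "${site}Q2.xlsx" 'SharePoint' $null
    New-Record $t0.AddMinutes(7)  'bob@contoso.example'   'FileDownloaded' '192.0.2.44'  "${site}Q3.xlsx" 'SharePoint' $null
    New-Record $t0.AddMinutes(8)  'bob@contoso.example'   'FileDownloaded' '192.0.2.44'  "${site}Q4.xlsx" 'SharePoint' $null
    New-Record $t0.AddMinutes(20) 'admin@contoso.example' 'Add member to role.' '192.0.2.44' 'bob@contoso.example' 'AzureActiveDirectory' @{
        Actor  = @(@{ ID = 'admin@contoso.example'; Type = 5 })
        Target = @(@{ ID = 'bob@contoso.example';   Type = 5 })
        ModifiedProperties = @(@{ Name = 'Role.DisplayName'; NewValue = 'Global Administrator' })
    }
)
$csv = Join-Path $env:TEMP 'audit-sample.csv'
$rows | Export-Csv -Path $csv -NoTypeInformation

# --- Parse: promote the JSON fields to columns; Entra records carry Actor/Target arrays
$events = Import-Csv $csv | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = [datetime]$d.CreationTime
        User     = $d.UserId
        Op       = $d.Operation
        Workload = $d.Workload
        IP       = $d.ClientIP
        Object   = $d.ObjectId
        Actor    = @($d.Actor  | ForEach-Object { $_.ID }) -join ';'
        Target   = @($d.Target | ForEach-Object { $_.ID }) -join ';'
        Changed  = @($d.ModifiedProperties | ForEach-Object { "$($_.Name)=$($_.NewValue)" }) -join ';'
    }
}

# Check 1: downloads from addresses outside the known ranges
$offNet = $events | Where-Object {
    $ev = $_
    $ev.Op -like 'File*Download*' -and -not ($allowedPrefixes | Where-Object { $ev.IP.StartsWith($_) })
}

# Check 2: download bursts, grouped per user and clock hour
$bursts = $events | Where-Object { $_.Op -like 'File*Download*' } |
    Group-Object { $_.User + ' @ ' + $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Where-Object { $_.Count -ge $burstThreshold } |
    ForEach-Object { [pscustomobject]@{ UserHour = $_.Name; Downloads = $_.Count } }

# Check 3: privileged role changes in Entra ID, with who did it to whom
$roleChanges = $events | Where-Object { $_.Workload -eq 'AzureActiveDirectory' -and $_.Op -eq 'Add member to role.' }

# Pivot: anything else seen from the IPs behind the off-network downloads
$pivotIPs = @($offNet | ForEach-Object IP | Sort-Object -Unique)
$related  = $events | Where-Object { $pivotIPs -contains $_.IP -and $_.Op -notlike 'File*Download*' }

'Off-network downloads:';         $offNet      | Format-Table Time, User, IP, Object -AutoSize
'Download bursts:';               $bursts      | Format-Table -AutoSize
'Role changes:';                  $roleChanges | Format-Table Time, Actor, Target, Changed, IP -AutoSize
'Other activity from those IPs:'; $related     | Format-Table Time, User, Op, IP -AutoSize
```

On the constructed data, bob's four downloads come from 192.0.2.44, which is outside the allow-list and forms a burst; the pivot on that address then surfaces the role change that made bob a Global Administrator from the same IP. Point the Import-Csv at a real export and the same three checks and pivot apply unchanged.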

Handle limits and performance: 50,000-event cap and segmenting by time windows

A portal export and a Search-UnifiedAuditLog session each return at most 50,000 events, and the cmdlet hands back at most 5,000 per call. If you expect larger volumes, split the query into narrower time windows, users, or activity types and combine the pieces. For continuous export, use the Office 365 Management Activity API or direct SIEM ingestion instead of the UI.

Default retention windows and what changes with Microsoft 365 E5

Default audit retention depends on licensing: Audit (Standard) keeps records for 90 days (180 days for records generated after Microsoft's late-2023 change), while Microsoft 365 E5 or the E5 Compliance add-on keeps Entra ID, Exchange, and SharePoint records for one year and allows retention policies for other record types. Check your subscription: upgrading extends the window for records generated after the upgrade without manual archiving, but does not reach back to older records.

Create and adjust audit log retention policies without retroactive extension

Retention policies can be applied going forward but cannot retroactively extend retention for already purged events. Plan policy changes proactively and export or archive critical logs before retention expiry if longer preservation is required.

Map audit retention to regulations like GDPR, HIPAA, and SOX

Align retention settings with legal and regulatory requirements. Document decisions, demonstrate controls for auditors, and use audit log retention policies (which are distinct from the retention labels and policies that govern content) to enforce consistent preservation that satisfies GDPR, HIPAA, SOX, and other mandates.

Build continuous monitoring with Purview auditing and Defender signals

Combine audit logs with Defender alerts and Entra identity signals for continuous monitoring. Feed events into a SIEM or Microsoft Sentinel to enable correlation, automated alerting, and long-term analytics across telemetry sources.

Use audit logs in incident response workflows and post-incident reviews

Integrate audit searches into your incident response playbooks: identify initial access, lateral movement, and data exfiltration via file and mailbox activity. Use exported logs for root-cause analysis and remediation evidence during post-incident reviews.

Strengthen controls with DLP, data classification, and Secure Score

Pair auditing with Data Loss Prevention (DLP) policies, sensitivity labels, and Microsoft Secure Score. Auditing shows what happened; DLP and classification reduce risk by preventing risky actions. Track improvement with Secure Score recommendations and remediation tasks.

Simplify at scale with CoreView reports and Netwrix auditing and data governance

Third-party solutions such as CoreView and Netwrix can centralize reporting, add role-based dashboards, and simplify multi-tenant or large-scale governance. Use those tools to normalize logs, produce executive reports, and automate compliance checks.
