10-Year Audit Retention Add-On Not Retaining Data Beyond 1 Year

Question

10-Year Audit Retention Add-On Not Retaining Data Beyond 1 Year

V.kesavan 0

I have Microsoft E5 with the additional 10-year audit retention policy add-on. However, when I check my audit retention policies, I can only see the last one year of records, even though the policy was created and the license purchased in June last year. The data only shows from last August. I raised a ticket with Microsoft, and the engineer said it could take up to 180 days to propagate, but there’s still no solution. Why are we paying for the 10-year archive retention license if it’s not working? Does anyone know a solution?

1 answer

Your answer

Answer 1

Pratyush Vashistha 1,525 Microsoft External Staff Moderator

Thank you for explaining the scenario clearly.

Based on Microsoft documentation and validated community reports, this is a known limitation in some Microsoft audit retention implementations, particularly when using the 10-year (3,650-day) retention add-on with E5 licenses. Here’s a breakdown of what’s happening and where it’s documented:

The reasons why you’re seeing only one year of audit records are be as follows:

Microsoft Purview Audit (Premium) supports up to 10 years of audit log retention, but the default retention policy keeps most audit records for only one year unless a longer retention policy is explicitly configured and actively applies to all targeted activities and users.

Refer the following for more information:

https://learn.microsoft.com/en-us/purview/audit-solutions-overview

https://learn.microsoft.com/en-us/purview/audit-log-retention-policies

In practice, even after purchasing the 10-year audit retention add-on, organizations have reported that some audit logs (especially from the period before the add-on is fully propagated or for certain services/users) remain accessible for only one year or less.
Microsoft’s documentation specifies that:
- The default Premium policy keeps Exchange Online, SharePoint, OneDrive, and Entra ID (Formerly Azure AD) logs for one year if the user is licensed for Audit (Premium). For “all other activities,” logs are kept for 180 days unless a custom retention policy is set.
- A custom 10-year audit retention policy must be created and properly targeted to users, workloads, or actions to retain logs for the full duration.
- Any audit logs generated before the custom retention policy is in effect may not be retained beyond the default period—even if you later set up the 10-year policy.

What Should You Do?

Verify your custom audit retention policy: Review your organization’s policies in the Microsoft Purview portal to ensure the 10-year retention policy is active, published, and assigned to all relevant users and workloads. How to manage audit log retention policies
Understand policy start times: Logs created before the 10-year policy was in effect generally follow the old (1-year) retention rule and may not be retrievable—even after policy/ license upgrades.

References and Official Documentation:

Kindly let me know for your other queries on the same.

Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues. User's image

V.kesavan 0 Reputation points

2025-08-14T07:37:45.3733333+00:00

Thank you again for the detailed explanation and references.

I’ve followed the recommended steps and successfully created a custom audit log retention policy targeting a specific user. When I verify the policy using Get-UnifiedAuditLogRetentionPolicy, I can confirm the following:

Priority: 1

Name: Audit Log Retention

Enabled: True

Mode: Enforce

RetentionDuration: TenYears

UserIds: ******@abc.com

DistributionStatus: Pending

DistributionSyncStatus: Unknown

DistributionResults: (Blank)

WhenCreatedUTC: 6/28/2024 08:49:18 AM

WhenChangedUTC: 6/28/2024 08:49:18 AM

My concern is that even though the policy was created on June 28, 2024, the DistributionStatus is still Pending, and the DistributionResults remain blank as of today (August 14, 2025). This status has not changed in over a month, which seems unusual given that documentation suggests propagation should complete within 24–48 hours.

Could you please clarify:

Is this delay in distribution normal under certain conditions?

Are there known issues that could cause a policy to remain in a pending state indefinitely?

Is there a way to force or re-trigger distribution, or verify if the policy is actually being applied behind the scenes?

I’ve verified that the targeted user has the appropriate licensing (E5 + 10-year audit retention add-on), and the policy appears correctly configured otherwise.

Appreciate your guidance on how to proceed
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-14T10:11:37.7566667+00:00
Hello V.kesavan!

Thanks for your prompt response!
No, this is not expected under normal circumstances. Microsoft documentation states that changes to audit log retention policies—including creation and modification—should propagate and apply within 24–48 hours in most cases. Extended Pending status beyond this period strongly suggests a problem in distribution or a backend sync issue.

There are no widespread, officially documented Microsoft Learn reports about audit log retention policies hanging in “Pending” permanently, but reports for similar policies (such as DLP and compliance policies) show that a stuck “Pending” can be associated with:

Backend sync errors or failed jobs not surfaced to admins

Losing connection to policy distribution services

Schema or attribute mismatches in policy creation

Most community and support threads on policy “Pending” status relate to delays of a few days, not months, and typically require Microsoft support intervention if they do not resolve.

Documentation reference: Manage audit log retention policies – Microsoft Learn

However, There is no self-service option to force or manually re-trigger policy propagation for audit log retention (unlike some message trace or transport rules). No PowerShell cmdlet or UI action to push, nudge, or “re-distribute” an individual policy—DistributionStatus is reported by the Microsoft backend and cannot be triggered by administrators. Most guidance is:

Double-check and, if needed, re-save the policy settings in both PowerShell and the Microsoft Purview portal.

Confirm the target user’s UPN and licensing are fully correct and synchronized.

If status remains “Pending” beyond a few days, the standard remediation is to:

Delete and recreate the policy to trigger a fresh distribution

To further troubleshoot and potentially reproduce or escalate the scenario, could you please share the following details:

Was there any name change, UPN change, or moved between tenants since the policy was created? (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-userprincipalname)

Are you actively generating audit log records in the retention period, and are the same visible in search tools? Were you able to see the logs ever before?

Has an attempt been made by you to delete and re-create the policy and what was the result?

Is tenant licensing and service health all green (no unresolved license/service alerts in the Microsoft 365 admin center)?

Was the policy created in the portal or strictly via PowerShell? (If via PowerShell, were all required parameters—RecordType, Operation, etc.—explicitly set?) https://learn.microsoft.com/en-us/purview/audit-log-retention-policies#create-and-manage-audit-log-retention-policies-in-powershell

Meanwhile, I will work with dedicated team to gather more insights on your issue. Thank you for your understanding and patience.

Pratyush
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-18T05:22:52.1333333+00:00

Hello V.kesavan!

Following up to see if you have a chance to check my previous response and help us with requested information to check and assist you further on this.

Thanks

Pratyush
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-19T04:40:25.9033333+00:00

Hello V.kesavan!

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thanks

Pratyush
V.kesavan 0 Reputation points

2025-08-19T07:36:06.27+00:00

Hello Pratyush,

Sorry for the delayed response, and thank you for your patience. Please find my answers below:

Did the user account have any UPN/tenant changes? No.

Are audit logs being generated and visible? Yes, logs are visible for the last 1 year. However, since I created the policy earlier, I expected logs for more than 1 year to be available.

Have you tried deleting and re-creating the policy?

No, I have not attempted this yet.

Is your tenant licensing and service health okay?

Yes, all relevant licenses are active, and service health is showing green.

Please let me know the next recommended steps.

Best regards,

V. Kesavan
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-19T08:09:04.15+00:00
Hello V.kesavan!,

Thanks for providing your inputs.

According to Microsoft’s own documentation, retention policy changes only affect audit records generated after the policy is created and distributed. Audit data that was already in the system before the 10-year policy took effect is subject to the retention settings in place at the time those records were committed (typically one year by default, even for customers with the E5 license).

This is stated here:

“Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These changes don't change any previously committed items.” Manage audit log retention policies – Microsoft Learn

So, even though you have had the add-on and policy for more than a year, the platform will only retain future records for ten years starting from the moment the policy became effective. Older logs are not retroactively brought under the longer retention period, and unfortunately, there is currently no Microsoft-supported way to surface or reclassify those records under the new policy.

Next Steps and Recommendation:

If you’d like a final check, you could try deleting and re-creating the retention policy to ensure proper assignment, but based on Microsoft documentation, this will not make past audit records available.

If this behavior impacts your compliance needs or if you have feedback on how this should work (for example: retroactive coverage or better transparency on log availability), Microsoft encourages product feedback here: https://feedback.azure.com/d365community/

Please "Accept as Answer" if the information provided is useful, so that you can help others in the community looking for remediation for similar issues.

Thanks for your understanding.

Pratyush
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-20T07:14:57.6666667+00:00

Hello V.kesavan!

Following up to see if you have a chance to check my previous response and let me know if you need further assistance on the same.

Thanks

Pratyush
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-21T04:11:44.3566667+00:00

Hello V.kesavan!

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. if you have feedback on how this should work, Microsoft encourages product feedback here: https://feedback.azure.com/d365community/

Thanks

Pratyush
V.kesavan 0 Reputation points

2025-08-21T07:04:41.3366667+00:00

We ran an audit log search on August 14, 2025, and initially received data starting from August 13, 2024. However, re-running the same query returned logs only from August 20, 2024 onward. This confirms that we currently have access to only one year of audit log data, despite having:

Microsoft 365 E5 licenses (active and valid)

A 10-year audit log retention license, purchased in 2023 and renewed on schedule

No logs have been manually deleted. This suggests the extended retention policy may not be applied or functioning correctly. We're investigating this with Microsoft support.
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-21T07:08:52.4166667+00:00

Thanks for your response V.kesavan. Please let me and others in the community know about the outcome of the investigation you are doing with Microsoft Support.
V.kesavan 0 Reputation points

2025-08-21T08:30:48.82+00:00

Hello Pratyush Vashistha

Thanks for your continued follow-up and support on this matter, and for your interest in helping to address it. Unfortunately, I still haven’t received a proper response from Microsoft, even though it has now been more than 15 days. Given that we are paying and maintaining additional licenses at a significant cost, I was expecting a timely and proper solution.

It would also be very helpful if the community could be kept informed about the outcome of the ongoing investigation you are conducting with Microsoft Support. This will ensure transparency and help us all understand the way forward.
Pratyush Vashistha 1,525 Reputation points Microsoft External Staff Moderator

2025-08-21T08:55:38.0733333+00:00

Dear V.kesavan,

I completely understand your concern. I have got your support ticket tracking# which you shared, will do my best to resolve it at earliest. Otherwise, will escalate to further level for prompt resolution.

Thanks for your understanding and patience.

Thanks

Pratyush

Share via

10-Year Audit Retention Add-On Not Retaining Data Beyond 1 Year

1 answer

Your answer