Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Your organization's unified audit log captures, records, and retains thousands of user and admin operations performed in dozens of Microsoft services and solutions. Security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization can search audit records for these events. This capability provides visibility into the activities performed across your organization.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Comparison of key capabilities
The following table compares the key capabilities available in Audit (Standard) and Audit (Premium). Audit (Premium) includes all Audit (Standard) functionality.
Capability | Audit (Standard) | Audit (Premium) |
---|---|---|
Enabled by default | ✓ | ✓ |
Thousands of searchable audit events | ✓ | ✓ |
Audit search tool in the Microsoft Purview portal | ✓ | ✓ |
Audit Search Graph API | ✓ | ✓ |
Search-UnifiedAuditLog cmdlet | ✓ | ✓ |
Export audit records to CSV file | ✓ | ✓ |
Access to audit logs via Office 365 Management Activity API ¹ | ✓ | ✓ |
180-day audit log retention | ✓ | ✓ |
Up to 1-year audit log retention | | ✓ |
10-year audit log retention ² | | ✓ |
Audit log retention policies | | ✓ |
Intelligent insights | | ✓ |
Note
¹ Audit (Premium) includes higher bandwidth access to the Office 365 Management Activity API, which provides faster access to audit data.
² In addition to the required licensing for Audit (Premium) (described in the next section), a user must be assigned a 10-Year Audit Log Retention add-on license to retain their audit records for 10 years.
Audit (Standard)
Microsoft Purview Audit (Standard) enables you to log and search for audited activities to support your forensic, IT, compliance, and legal investigations.
- Enabled by default. Audit (Standard) is enabled by default for all organizations with the appropriate subscription. That configuration captures and makes searchable records for audited activities. You only need to assign the necessary permissions to access the audit log search tool (and the corresponding cmdlet) and ensure that users have the right license for Microsoft Purview Audit (Premium) features.
- Thousands of searchable audit events. You can search for a wide range of audited activities that occur in most of the Microsoft services in your organization. For a list of the activities you can search for, see Audit log activities. For a list of the services and features that support audited activities, see Audit log record type.
- Audit search tool in the Microsoft Purview portal. Use the Audit log search tool in the portal to search for audit records. You can search for specific activities, for activities performed by specific users, and for activities that occurred within a date range.
- Audit Search Graph API. Microsoft Graph offers a unified API endpoint for accessing data from multiple Microsoft cloud services in a single response. The Audit Search Graph API allows you to programmatically access the audit search experience through Microsoft Graph.
- Search-UnifiedAuditLog cmdlet. You can also use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell (the underlying cmdlet for the search tool) to search for audit events or to use in a script. For more information, see:
- Export audit records to a CSV file. After running the Audit log search tool in the Microsoft Purview portal, you can export the audit records returned by the search to a CSV file. This process lets you use Microsoft Excel to sort and filter on different audit record properties. You can also use Excel Power Query transform functionality to split each property in the AuditData JSON object into its own column. This process lets you effectively view and compare similar data for different events. For more information, see Export, configure, and view audit log records.
- Access to audit logs via Office 365 Management Activity API. A third method for accessing and retrieving audit records is to use the Office 365 Management Activity API. This method lets organizations retain auditing data for longer periods than the default 180 days and lets them import their auditing data to a SIEM solution. For more information, see Office 365 Management Activity API reference.
- 180-day audit log retention. When a user or admin performs an audited activity, the system generates an audit record and stores it in the audit log for your organization. In Audit (Standard), the system retains records for 180 days, which means you can search for activities that occurred within the past six months.
Important
The default retention period for Audit (Standard) changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023, are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023, follow the new default retention of 180 days.
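The following script is an added example, not code from this page or from Microsoft, showing the cmdlet route to the same result as the portal's CSV export plus Power Query step: it pages through Search-UnifiedAuditLog with a session, de-duplicates the result set, splits each record's AuditData JSON into its own columns, and writes a CSV. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role that permits audit log search; the seven-day window, the ExchangeItem/Send filter and the output path are sample values.

```powershell
# Added example (not from the page): page through the unified audit log with
# Search-UnifiedAuditLog and flatten each record's AuditData JSON into its own
# CSV columns. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account holds an audit-search role. The date window, record type,
# operation and output path are sample values.
Connect-ExchangeOnline

$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$session = "AuditExport-" + [guid]::NewGuid().ToString()
$outFile = ".\audit-export.csv"   # sample output path
$raw     = @()

# ReturnLargeSet hands back up to 5,000 records per call and keeps its place by
# SessionId; an empty page means the result set is exhausted.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeItem -Operations Send `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $raw += $page }
} while ($page)

# Pages from ReturnLargeSet are unsorted; de-duplicate on Identity before export.
$records = $raw | Sort-Object Identity -Unique

$rows = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    $row  = [ordered]@{
        CreationDate = $r.CreationDate
        RecordType   = $r.RecordType
        Operation    = $r.Operations
        UserIds      = $r.UserIds
    }
    # One column per top-level AuditData property (what the Power Query step in
    # Excel does); nested objects and arrays are kept as compact JSON strings.
    foreach ($p in $data.PSObject.Properties) {
        $value = $p.Value
        if ($null -ne $value -and $value -isnot [string] -and $value -isnot [ValueType]) {
            $value = ConvertTo-Json -InputObject $value -Compress -Depth 10
        }
        $row["AuditData." + $p.Name] = $value
    }
    [pscustomobject]$row
}

# Records of different operations carry different properties, so take the union
# of all column names before exporting; Export-Csv would otherwise keep only the
# columns present on the first row.
$columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$rows | Select-Object $columns | Sort-Object CreationDate |
    Export-Csv -Path $outFile -NoTypeInformation

"Exported $($rows.Count) records to $outFile"
```

Two points matter for correctness of the export: the loop must run until an empty page is returned rather than stopping at the first page that is smaller than 5,000, and the column list must be the union across all rows, because an ExchangeItem record and, say, a SharePoint record do not carry the same AuditData properties.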
Audit (Premium)
Important
Classic Search retired on November 30, 2023. New Search includes enhancements such as faster search times, additional search options, ability to save searches, and more.
Audit (Premium) builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, high-value intelligent insights, and higher bandwidth access to the Office 365 Management Activity API.
- Audit log retention policies. Create customized audit log retention policies to retain audit records for longer periods, up to one year (and up to 10 years for users with the required add-on license). Create a policy to retain audit records based on the service where the audited activities occur, specific audited activities, or the user who performs an audited activity.
- Longer retention of audit records. Microsoft Entra ID, Exchange, OneDrive, and SharePoint audit records are retained for one year by default. Audit records for all other activities are retained for 180 days by default, or you can use audit log retention policies to configure longer retention periods.
- Audit (Premium) intelligent insights. Audit records for intelligent insights can help your organization conduct forensic and compliance investigations by providing visibility to events such as when mail items were accessed, or when mail items were replied to and forwarded, or when and what a user searched for in Exchange Online and SharePoint Online. These intelligent insights can help you investigate possible breaches and determine the scope of compromise.
- Higher bandwidth to the Office 365 Management Activity API. Audit (Premium) provides organizations with more bandwidth to access auditing logs through the Office 365 Management Activity API. Although all organizations (that have Audit (Standard) or Audit (Premium)) initially receive a baseline of 2,000 requests per minute, this limit dynamically increases depending on an organization's seat count and their licensing subscription. This change results in organizations with Audit (Premium) getting about twice the bandwidth as organizations with Audit (Standard).
Long-term retention of audit logs
Audit (Premium) retains all Exchange, SharePoint, and Microsoft Entra audit records for one year. This retention happens through a default audit log retention policy that retains for one year any audit record whose Workload property (which indicates the service in which the activity occurred) has the value AzureActiveDirectory, Exchange, OneDrive, or SharePoint. Retaining audit records for longer periods can help with ongoing forensic or compliance investigations. For more information, see the "Default audit log retention policy" section in Manage audit log retention policies.
In addition to the one-year retention capabilities of Audit (Premium), we also released the capability to retain audit logs for 10 years. The 10-year retention of audit logs helps support long-running investigations and responses to regulatory, legal, and internal obligations.
Note
Retaining audit logs for 10 years requires an additional per-user add-on license. After you assign this license to a user and set an appropriate 10-year audit log retention policy for that user, audit logs covered by that policy start to be retained for the 10-year period. This policy isn't retroactive and can't retain audit logs that were generated before the 10-year audit log retention policy was created.
Audit log retention policies
All audit records that other services generate and that the default audit log retention policy doesn't cover are retained for 180 days. You can create customized audit log retention policies to retain other audit records for longer periods, up to 10 years. You can create a policy to retain audit records based on one or more of the following criteria:
- The Microsoft service where the audited activities occur.
- Specific audited activities.
- The user who performs an audited activity.
You can also specify how long to retain audit records that match the policy and a priority level so that specific policies take priority over other policies. Any custom audit log retention policy takes precedence over the default audit retention policy if you need to retain Exchange, SharePoint, or Azure Active Directory audit records for less than a year or for 10 years for some or all users in your organization. For more information, see Manage audit log retention policies.
Important
The audit item lifetime for data is determined when the auditing pipeline adds the data and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These changes don't affect any previously committed items.
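The following is an added example, not code from this page or from Microsoft, of creating the two kinds of custom policy described above with the New-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell: a 10-year policy scoped to specific users and an activity, and a shorter-than-default policy for a whole record type. Policy names, the user list, the record types and the durations are sample values; the comment on priority ordering (a lower number wins when policies overlap) reflects the cmdlet's documentation rather than this page.

```powershell
# Added example (not from the page): create custom audit log retention policies
# in Security & Compliance PowerShell and list them. Names, users, record types
# and durations are sample values. Assumes the ExchangeOnlineManagement module
# and a role that can manage audit log retention policies.
Connect-IPPSSession

# Policy 1: keep sign-in records for two privileged accounts for 10 years. Each
# listed user must hold the 10-Year Audit Log Retention add-on license, and the
# policy only covers records generated after it is created (not retroactive).
New-UnifiedAuditLogRetentionPolicy -Name "10y-PrivilegedSignIns" `
    -Description "Long-term retention of sign-in records for break-glass accounts" `
    -RecordTypes AzureActiveDirectoryStsLogon `
    -Operations UserLoggedIn `
    -UserIds "breakglass1@contoso.example", "breakglass2@contoso.example" `
    -RetentionDuration TenYears `
    -Priority 1   # lower number = higher priority when policies overlap

# Policy 2: keep SharePoint file-operation records for six months for everyone,
# overriding the one-year default policy for that workload, as the text above
# says a custom policy can.
New-UnifiedAuditLogRetentionPolicy -Name "6m-SharePointFileOps" `
    -Description "Shorter retention for high-volume SharePoint file events" `
    -RecordTypes SharePointFileOperation `
    -RetentionDuration SixMonths `
    -Priority 100

# Verify: policies listed in the order they are evaluated.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, Priority, RecordTypes, Operations, UserIds, RetentionDuration -AutoSize
```

Because, as the note above states, an item's lifetime is fixed when the auditing pipeline commits it, run the verification before relying on the policy and expect it to apply only to records created from that point on.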
Audit (Premium) activity properties
Audit (Premium) helps organizations conduct forensic and compliance investigations by providing access to important events, such as when users access mail items, reply to and forward mail items, and search in Exchange Online and SharePoint Online. These events can help you investigate possible breaches and determine the scope of compromise. In addition to these events in Exchange and SharePoint, other Microsoft services include important events and properties that are logged only for users who hold an Audit (Premium) license. Assign an Audit (Premium) license to users so the system generates audit records with these activities and properties when they perform them.
Audit (Premium) provides access to the following activity properties:
Exchange Online
Activity | Property |
---|---|
MailItemsAccessed | SensitivityLabel |
Microsoft Teams
Activity | Property |
---|---|
ChatCreated | AppAccessContext |
ChatRetrieved | AppAccessContext |
ChatUpdated | AppAccessContext |
MeetingParticipantDetail | IsJoinedFromLobby, ArtifactShared |
MessageCreatedNotification | AppAccessContext |
MessageDeletedNotification | AppAccessContext |
MessageHostedContentsListed | AppAccessContext |
MessageHostedContentRead | AppAccessContext |
MessagesListed | AppAccessContext |
MessageRead | AppAccessContext |
MessageSent | AppAccessContext, ParticipatingDomainInformation, ParticipantInfo |
MessageUpdated | ParticipantInfo, AppAccessContext |
MessageUpdatedNotification | AppAccessContext |
SubscribedToMessages | AppAccessContext |
High-bandwidth access to the Office 365 Management Activity API
Organizations that access auditing logs through the Office 365 Management Activity API previously faced a throttling limit set at the publisher level. That meant that if a publisher pulled data for multiple customers, all those customers shared the same limit.
With Audit (Premium), this limit changed from a publisher-level limit to a tenant-level limit. Each organization now gets its own fully allocated bandwidth quota to access its auditing data. The bandwidth isn't a static, predefined limit. Instead, it's modeled on a combination of factors, including the number of seats in the organization. E5, A5, and G5 organizations get more bandwidth than non-E5, non-A5, and non-G5 organizations.
All organizations initially get a baseline of 2,000 requests per minute. This limit dynamically increases based on an organization's seat count and licensing subscription. E5, A5, and G5 organizations get about twice as much bandwidth as non-E5, non-A5, and non-G5 organizations. A cap on the maximum bandwidth protects the health of the service.
For more information, see the API throttling section in Office 365 Management Activity API reference.
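The following is an added example, not code from this page or from Microsoft, of the Office 365 Management Activity API flow the section above refers to: obtain an app token, make sure a subscription exists for a content type, list the content blobs for a window, and download them, with a retry on HTTP 429 since even a per-tenant quota can be exceeded by a burst of requests. The tenant id, app id and secret are placeholders you supply, and the app is assumed to have been granted the ActivityFeed.Read application permission; the 24-hour window and the Audit.Exchange content type are sample choices.

```powershell
# Added example (not from the page): pull Exchange audit content through the
# Office 365 Management Activity API with client-credential auth and a simple
# back-off when throttled. Tenant, app id and secret are placeholders; the app
# needs the (admin-consented) ActivityFeed.Read application permission.
$tenantId     = "<tenant-id>"
$clientId     = "<app-client-id>"
$clientSecret = "<app-client-secret>"
$contentType  = "Audit.Exchange"
$base         = "https://manage.office.com/api/v1.0/$tenantId/activity/feed"

$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://manage.office.com/.default"
    }).access_token
$headers = @{ Authorization = "Bearer $token" }

function Invoke-ActivityApi {
    param([string]$Uri, [string]$Method = "Get")
    # Retry a throttled call (HTTP 429) with a growing back-off. With Audit
    # (Premium) the quota is per tenant, but a burst of requests can still hit it.
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            return Invoke-WebRequest -Uri $Uri -Headers $headers -Method $Method -UseBasicParsing
        } catch {
            $status = 0
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            if ($status -ne 429 -or $attempt -eq 5) { throw }
            Start-Sleep -Seconds (10 * $attempt)
        }
    }
}

# 1. Start the subscription for this content type unless it is already enabled.
$subs = (Invoke-ActivityApi -Uri "$base/subscriptions/list").Content | ConvertFrom-Json
if (-not ($subs | Where-Object { $_.contentType -eq $contentType -and $_.status -eq "enabled" })) {
    Invoke-ActivityApi -Uri "$base/subscriptions/start?contentType=$contentType" -Method Post | Out-Null
}

# 2. List the content blobs available for a 24-hour window (the API accepts
#    windows of at most 24 hours within the last 7 days), following NextPageUri.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$fmt   = "yyyy-MM-ddTHH:mm:ss"
$uri   = "$base/subscriptions/content?contentType=$contentType" +
         "&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
$blobs = @()
while ($uri) {
    $resp   = Invoke-ActivityApi -Uri $uri
    $blobs += ($resp.Content | ConvertFrom-Json)
    $uri    = $resp.Headers['NextPageUri'] | Select-Object -First 1
}

# 3. Download each blob; each one is a JSON array of audit records.
$records = @()
foreach ($b in $blobs) {
    $records += ((Invoke-ActivityApi -Uri $b.contentUri).Content | ConvertFrom-Json)
}

"Blobs: $($blobs.Count)  Records: $($records.Count)"
$records | Select-Object CreationTime, Workload, Operation, UserId | Format-Table -AutoSize
```

When feeding a SIEM, keep the per-blob download loop separate from the listing loop as above: the listing is cheap and paged, while the blob downloads are where request volume accumulates and where the 429 back-off earns its keep.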
Licensing requirements
Before you get started, review the subscription requirements for Audit (Standard) and Audit (Premium).
Training
Training your security operations team, IT administrators, and compliance investigators in the fundamentals for Audit (Standard) and Audit (Premium) can help your organization get started more quickly using auditing to help with your investigations. Microsoft Purview provides the following resource to help these users in your organization get started with auditing: Describe the eDiscovery and audit capabilities of Microsoft Purview.