How to use Microsoft 365’s unified audit log

Thousands of user and admin operations, performed in dozens of Microsoft 365 services and solutions, are captured, recorded, and retained in a unified audit log, available in the Microsoft Purview compliance portal. Using the audit log search tool, you can search for, view, and export (to a CSV file) the audit records for any of these operations. Typical document management activities that you can search for in the log are:

  1. accessed or previewed documents
  2. modified documents
  3. uploaded documents
  4. deleted or restored document
  5. downloaded or synchronized documents
  6. checked in or checked out documents
  7. copied or moved documents

Microsoft 365 provides two auditing solutions (Microsoft now calls them Audit (Standard) and Audit (Premium)):

  1. Basic Audit
    • For Microsoft 365 licenses (non-E5)
    • 90-day audit record retention
    • Accessed by GUI, cmdlet (Search-UnifiedAuditLog), and the Office 365 Management Activity API
  2. Advanced Audit
    • For Microsoft 365 E5 licenses
    • 1-year audit record retention (can be extended to 10 years with additional licenses)
    • Custom audit retention policies
    • Additional high-value events (e.g., MailItemsAccessed)
    • Higher bandwidth access to the Office 365 Management Activity API

Basic Audit is enabled by default for all organizations with the appropriate subscription (for a list of subscription and licensing requirements, see Auditing solutions in Microsoft 365). The only setup required before you and others in your organization can search the audit log is to assign the necessary permissions to access the audit log search tool.

Assign permissions to search the audit log

Admins and members of investigation teams must be assigned the “View-Only Audit Logs” or “Audit Logs” role in Exchange Online to search the audit log. Note that these permissions live in Exchange Online even though the search tool itself is in the compliance portal. By default, these roles are assigned to the “Compliance Management” and “Organization Management” role groups in the Exchange admin center. This screenshot shows the two audit-related roles assigned to the “Compliance Management” role group:
Audit logs roles in Exchange admin center

Global administrators in Microsoft 365 are automatically added as members of the “Organization Management” role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privilege, create a custom role group in Exchange Online, add the “View-Only Audit Logs” (read-only) or “Audit Logs” role, and then add the user as a member of the new role group, rather than placing the user in one of the built-in, far broader role groups. For more information, see Manage role groups in Exchange Online.
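The following script is an added example and is not part of the original page; it performs the least-privilege setup described above with the ExchangeOnlineManagement module. The role-group name and the two user principal names are hypothetical, and it assumes the person running it already holds an Exchange Online admin role. Besides creating the role group it also checks that unified audit log ingestion is actually turned on, which is the one tenant setting that can silently leave the search tool empty.

```powershell
# Added example (not from the original page): least-privilege audit-log access in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the caller is an Exchange admin.
# "Audit Log Readers", admin@contoso.com and analyst@contoso.com are hypothetical names.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false

# Confirm that unified audit log ingestion is on (default for eligible tenants, but it can be disabled).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is disabled; enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# Create a custom role group that carries only the read-only audit role, instead of
# adding investigators to Compliance Management or Organization Management.
$groupName = "Audit Log Readers"
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
                  -Roles "View-Only Audit Logs" `
                  -Description "Read-only access to the unified audit log search tool"
}
Add-RoleGroupMember -Identity $groupName -Member "analyst@contoso.com"

# Verify: the group should carry exactly one role assignment, and the analyst should be a member.
Get-ManagementRoleAssignment -RoleAssignee $groupName | Select-Object Role, RoleAssigneeName
Get-RoleGroupMember -Identity $groupName | Select-Object Name, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```

Role-group membership changes in Exchange Online can take some minutes to propagate, so a newly added member who still sees an access error in the compliance portal should retry before assuming the assignment failed.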

Search the audit log

To search the audit log in the Microsoft Purview compliance portal, do the following:

  1. Sign in to the Microsoft Purview compliance portal using an account that has been assigned the appropriate audit permissions.
  2. In the left navigation pane click on “Audit”:
    Audit logs in Compliance center
  3. On the Audit page, configure the search using the following conditions on the Search tab:
    Audit settings in Compliance center
    • Date and time range – select a date and time range to display the events that occurred within that period. The date and time are presented in local time in the portal (the PowerShell cmdlet and the API work in UTC, so convert before comparing exported records with portal results).
    • Activities – select the activities to search for. Use the search box to find activities to add to the list. For a partial list of audited activities, see Audited activities. Leave this box blank to return entries for all audited activities.
    • Users – click in this box and start typing a user’s name to select one or more users. Only audit log entries for the selected activities performed by those users are returned. Leave this box blank to return entries for all users in your organization.
    • File, folder, or site – type some or all of a file or folder name to search for activity related to a file or folder whose name contains the specified keyword. You can also specify the URL of a file or folder. If you use a URL, either type the full URL path or, if you type only a portion of it, don’t include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.
  4. Click the “Search” button. The page shows that the audit log search is running; when it completes, the audit records are displayed. Click a record to open a flyout page with its detailed properties:
    Audit details for a specific log
  5. The results can now be exported to a CSV file by clicking “Export” at the top of the audit report:
    Export an audit log
  6. The audit report also gets a unique URL, so it can be shared with other users who have access to the audit log.

For more detailed information about the audit log, see Auditing solutions in Microsoft Purview.
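The same search as the portal walkthrough above, run with the Search-UnifiedAuditLog cmdlet, as an added example that is not part of the original page. The user name, site URL, output path and the IP prefix treated as the corporate egress range are hypothetical. The operation names map onto the document activities listed at the top of the page; the point the example adds is that each record’s details (client IP, user agent, site, object) arrive as a JSON string in the AuditData field and have to be expanded before they can be filtered or exported usefully.

```powershell
# Added example (not from the original page): the GUI search from the walkthrough, as a cmdlet call.
# alice@contoso.com, the site URL, the CSV path and the 203.0.113.* egress range are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowBanner:$false

# "Date and time range": the cmdlet interprets date/time values without a time zone as UTC.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)

# "Activities" = -Operations (SharePoint/OneDrive file operations), "Users" = -UserIds.
$ops = 'FileAccessed','FilePreviewed','FileModified','FileUploaded','FileDeleted','FileRestored',
       'FileDownloaded','FileSyncDownloadedFull','FileCheckedIn','FileCheckedOut','FileCopied','FileMoved'
$results = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
               -RecordType SharePointFileOperation `
               -Operations $ops `
               -UserIds 'alice@contoso.com' `
               -ResultSize 5000
if ($results -and $results[0].ResultCount -gt 5000) {
    Write-Warning ("{0} matching records, only 5000 returned; page with -SessionId/-SessionCommand for the rest" -f $results[0].ResultCount)
}

# Each record carries its details as a JSON string in AuditData; expand the fields investigators need.
$rows = foreach ($r in $results) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        UserAgent = $d.UserAgent
        Site      = $d.SiteUrl
        Object    = $d.ObjectId
    }
}

# "File, folder, or site": filter on the expanded site URL instead of relying on -ObjectIds exact matches.
$finance = $rows | Where-Object { $_.Site -like 'https://contoso.sharepoint.com/sites/Finance*' }

# Triage view: downloads or full syncs that did not come from the corporate egress range.
$finance | Where-Object { $_.Operation -in 'FileDownloaded','FileSyncDownloadedFull' -and $_.ClientIP -notlike '203.0.113.*' } |
    Sort-Object TimeUtc | Format-Table TimeUtc, Operation, ClientIP, Object -AutoSize

# Equivalent of the portal's "Export" button, with the JSON already flattened into columns.
$finance | Sort-Object TimeUtc | Export-Csv -Path .\audit-alice-finance-7d.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

The portal export writes the raw AuditData JSON into a single column; flattening it as above is what makes the CSV sortable and filterable in a spreadsheet or SIEM. Note also that -ResultSize is capped at 5,000 per call, so the ResultCount check matters on busy tenants.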

Extending the audit record retention period

If you only have the basic 90-day audit record retention, you can run audit log searches on a schedule with PowerShell (Search-UnifiedAuditLog) or the Office 365 Management Activity API and save the results in an external repository (a SIEM or write-once storage). This must happen before the records age out; once a record has passed its retention period there is no way to recover it. There are also third-party tools that deliver these capabilities, e.g.:

  1. Lepide’s SharePoint Online Auditor
  2. ManageEngine’s SharePoint Manager Plus
  3. Solarwinds’ SharePoint Online Audit Log Tool
  4. Netwrix Auditor for SharePoint
  5. Splunk Add-on for Microsoft Office 365
  6. SysKit’s SPDocKit
  7. Intelex Audit Management Software
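The scheduled-export approach described above, as an added example that is not part of the original page or of any of the listed products. It archives the unified audit log to a local folder as one JSON-lines file per one-hour window and keeps a watermark so that each run resumes where the last one stopped. The archive directory and admin account are hypothetical, and the one-hour window size and the two-hour ingestion lag are assumptions to adjust for your tenant; the script is meant to be run from a scheduled task or a CI job once or twice a day.

```powershell
# Added example (not from the original page): archive the unified audit log to a local folder on a
# schedule, so records outlive the tenant's retention window. The archive path and UPN are hypothetical.
param(
    [string]$ArchiveDir = 'C:\AuditArchive',
    [string]$AdminUpn   = 'admin@contoso.com'
)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# Watermark: the end of the last fully archived window. On the first run, start 24 hours back.
$stateFile = Join-Path $ArchiveDir 'watermark.txt'
if (Test-Path $stateFile) {
    $from = [datetime]::Parse((Get-Content $stateFile), [cultureinfo]::InvariantCulture,
                              [System.Globalization.DateTimeStyles]::AdjustToUniversal)
} else {
    $from = (Get-Date).ToUniversalTime().AddDays(-1)
}
# Stop a little behind "now": records can take hours to become searchable (assumed 2h ingestion lag).
$to = (Get-Date).ToUniversalTime().AddHours(-2)

# Pull in one-hour windows so that each search session stays under the 50,000-record session cap,
# and page each window with a session ID until the cmdlet returns nothing more.
$cursor = $from
while ($cursor -lt $to) {
    $winEnd = $cursor.AddHours(1)
    if ($winEnd -gt $to) { $winEnd = $to }
    $session = [guid]::NewGuid().ToString()
    $seen    = @{}
    $outFile = Join-Path $ArchiveDir ('ual-{0:yyyyMMdd-HHmm}.jsonl' -f $cursor)
    do {
        $page = Search-UnifiedAuditLog -StartDate $cursor -EndDate $winEnd `
                    -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($r in $page) {
            # Paged sessions can repeat records; keying on the Identity GUID keeps the archive idempotent.
            if (-not $seen.ContainsKey($r.Identity)) {
                $seen[$r.Identity] = $true
                $r.AuditData | Add-Content -Path $outFile -Encoding utf8   # one JSON object per line
            }
        }
    } while ($page -and $page.Count -gt 0)
    Write-Host ('{0:u} -> {1:u}: {2} records' -f $cursor, $winEnd, $seen.Count)
    # Advance the watermark only after the window has been written in full.
    Set-Content -Path $stateFile -Value $winEnd.ToString('o')
    $cursor = $winEnd
}

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats worth checking before relying on this in production: a tenant that generates more than 50,000 records in an hour needs a smaller window, since a ReturnLargeSet session silently stops at that cap; and the archive folder should itself be immutable or forwarded to a SIEM, because an attacker with access to the admin workstation could otherwise delete the very records that would show what they did.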