Learn about the unified Microsoft auditing capabilities in Microsoft 365 that provide organizations with an integrated data management and security solution, and increased visibility.
Microsoft Purview combines the auditing and audit log capabilities of the Microsoft 365 Compliance portfolio with the data governance capabilities of Azure Purview to provide unified data governance, compliance, and risk management.
The holistic approach leverages Microsoft Data, AI, and Microsoft Security features to help you gain visibility into your entire data estate while managing end-to-end risks and safeguarding sensitive data across clouds, apps, and endpoints.
Using Microsoft Purview, you get a data management and security solution that helps to address evolutions in your workplace. In this era of widespread distributed work, it’s crucial to address security threats and increase visibility into your operations.
In this article:
- How to audit with Microsoft 365
- Why auditing Microsoft 365 is important to do regularly
- What is Microsoft Purview Audit in Microsoft 365?
- Getting started with Microsoft Purview Audit
How to audit with Microsoft 365
Auditing in Microsoft 365 is part of Microsoft Purview. Thousands of actions and operations conducted across Microsoft 365 services and solutions are reported in your organization’s unified audit log. IT admins, risk teams, and compliance and legal operators within an organization can search audit logs using the audit log search tool.
Good to know
- Microsoft Purview Audit is enabled by default, meaning immediately upon subscription, thousands of activities will start to be captured.
- You need to assign the relevant permissions to the audit log search tool within your organization.
- Once the configuration is complete, people can search for specific activities, filtering by user, type of activity, date range, or a combination of criteria.
Example: Searching within the audit log on the compliance portal to recover a lost file
Heather is an IT team member and compliance auditor at Company X.
A user at the same company has submitted a support ticket related to a lost Excel file that they need to recover for a priority project. The user had accessed the file within the last two weeks but has not been able to find the file for the last few days.
Using a two-week timeframe parameter, combined with filtering by file type and user, Heather can search within the audit log on the compliance portal and determine that a different business user moved the file to the recycling bin, and from there deleted it.
In addition to the compliance portal, audit log records can be searched and retrieved using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or via the Office 365 Management Activity API, or exported as a CSV file. Audit logs are automatically retained for 90 days in Audit (Standard), with the option to modify and customize retention length in Audit (Premium).
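The lost-file search from the scenario above can also be run with the Search-UnifiedAuditLog cmdlet. The following is an added example, not code from the original article: the reporter address, the `Get-AuditPages` helper and the output file name are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account holds the View-Only Audit Logs or Audit Logs role.

```powershell
# Added example (not from the original article). Placeholder values are marked.
Connect-ExchangeOnline

$reporter = 'reporter@example.com'   # placeholder: user who opened the ticket
$end      = Get-Date
$start    = $end.AddDays(-14)        # two-week window from the scenario

function Get-AuditPages {
    # Hypothetical helper: pages through a large result set, 5000 records per call.
    param([hashtable]$Filter)
    $session = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $page = Search-UnifiedAuditLog @Filter -StartDate $start -EndDate $end `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $all += $page }
    } while ($page)
    # ReturnLargeSet results are unsorted and can repeat: de-duplicate,
    # then parse the JSON payload carried in the AuditData property.
    $all | Sort-Object Identity -Unique |
        ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# Step 1: Excel files the reporting user touched inside the window.
$touched = Get-AuditPages @{
    UserIds    = $reporter
    RecordType = 'SharePointFileOperation'
    Operations = 'FileAccessed', 'FileModified'
} | Where-Object { $_.SourceFileExtension -eq 'xlsx' }

# Step 2: every move, recycle or delete of those files, by any user.
$paths = $touched.ObjectId | Sort-Object -Unique
if ($paths) {
    Get-AuditPages @{
        ObjectIds  = $paths
        RecordType = 'SharePointFileOperation'
        Operations = 'FileMoved', 'FileRecycled', 'FileDeleted',
                     'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin'
    } | Sort-Object CreationTime |
        Select-Object CreationTime, UserId, Operation, ObjectId |
        Export-Csv -Path .\lost-file-trail.csv -NoTypeInformation
}
```

Step 2 deliberately drops the user filter, because the account that moved or deleted the file is not necessarily the one that reported it missing.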
Why auditing Microsoft 365 is important to do regularly
The role of data in your organization continues to accelerate and grow. And with the shift to distributed work and async collaboration, cybersecurity risks are increasing.
That’s why auditing Microsoft 365 on a regular basis has become increasingly essential for enterprises relying on Microsoft solutions in some capacity or other.
Regular auditing helps organizations develop critical, proactive insight into threats, gives visibility into how software is being used by team members, and ensures appropriate permissions for users are maintained.
What is Microsoft Purview Audit in Microsoft 365?
Microsoft Purview Audit in Microsoft 365 provides comprehensive auditing and reporting solutions for your enterprise. The Microsoft 365 Defender portal and the Microsoft Purview compliance portal allow your organization to manage data protection and compliance needs, as well as audit user and administrator activity across the software.
The compliance portals include several valuable features, including:
- Customizable alerts
- Permission management
- Threat management
- Data governance
- Search & investigation
- Service assurance
Depending on your Microsoft Purview subscription, either Audit (Standard) or Audit (Premium), specific capabilities may vary.
Two types of licenses
To meet the specific needs of your organization, Microsoft Purview offers two solutions: Audit (Standard) and Audit (Premium).
|Audit (Standard)|Audit (Premium)|
|---|---|
|Log and search for audited activities:|Advanced audit capabilities:|
|Enabled by default|Longer retention of audit records|
|Thousands of audited events|Custom audit retention policies|
|90-day audit record retention|High-value, crucial events|
|Accessed by GUI, cmdlet, and API|Higher bandwidth access to API|
Audit (Standard) is enabled by default with Microsoft Purview and provides the ability to search across thousands of events using the audit search tool or Purview compliance portal. Audit logs are retained for 90 days and can be exported as a CSV or searched using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or via the Office 365 Management Activity API.
Audit (Premium) builds on the capabilities of Audit (Standard) by providing additional features and more customizability. In Audit (Premium), audit logs for Exchange, SharePoint, and Azure Active Directory are automatically retained for one year by default.
IT admins are also able to modify other audit log retention policies, extending them up to one year, or up to 10 years for users with specific licenses.
Audit (Premium) provides higher bandwidth for accessing audit logs for large enterprises. It also creates high-value, crucial Audit (Premium) events for critical instances to help you conduct forensic and compliance investigations. These specific reports provide visibility into events such as user search history and email access and behavior.
Get started with Microsoft Purview
Microsoft Purview’s audit capabilities for Microsoft 365 are worth exploring. Even small or medium enterprises (SMEs) relying on Microsoft 365 and SharePoint can gain immense value from the audit log search tool and reports.
To get started using the auditing solutions in Microsoft Purview (Standard):
1. Verify that your organization has a subscription that supports Audit (Standard) and, if applicable, a subscription that supports Audit (Premium).
2. Assign permissions in Exchange Online to people in your organization who will use the audit log search tool in the compliance portal or use the Search-UnifiedAuditLog cmdlet. Specifically, users must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online.

After completing step 1 and step 2, users in your organization can use the audit log search tool (or corresponding cmdlet) to search for audited activities.

1. Go to https://compliance.microsoft.com and sign in using an account that has been assigned the appropriate audit permissions.
2. In the left navigation pane of the compliance portal, click Show all and then click Audit.
3. On the Audit page, configure the search using the following conditions on the Search tab.
For more information about the auditing solutions in Microsoft Purview and how to get started, check out the official Microsoft documentation to create greater visibility into your organization.