Audit Policy precedence

Chandu Atluri 0 Reputation points
2024-04-19T00:43:25.2633333+00:00

You have a Microsoft 365 E5 subscription.

A user named User1 is assigned a Microsoft 365 E5 license.

You create the following audit retention policies:

  • Audit1: Priority 10, no activity specified, applied to User1, duration 6 months
  • Audit2: Priority 20, SiteRenamed activity, no user specified, duration 90 days
  • Audit3: Priority 30, SiteRenamed activity, applied to User1, duration 10 years

User1 renames a Microsoft SharePoint Online site.

How long is the site renaming action of User1 retained in the audit log?

1 year, 6 months, 10 years, 90 days

In the practice assessment, Microsoft states that the answer is 90 days; however, in the documentation I read that lower policies are interpreted as a higher precedence when evaluating audit policies.

https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal

  1. Priority: This value determines the order in which audit log retention policies in your organization are processed. A lower value indicates a higher priority. Valid priorities are numerical values between 1 and 10000. A value of 1 is the highest priority, and a value of 10000 is the lowest priority. For example, a policy with a value of 5 takes priority over a policy with a value of 10. Any custom audit log retention policy takes priority over the default policy for your organization.
Microsoft Security | Microsoft Purview

2 answers

  1. PRADEEPCHEEKATLA 91,496 Reputation points Moderator
    2024-04-19T03:15:08.1233333+00:00

    @Chandu Atluri - Thanks for the question and using MS Q&A platform.

    Based on the documentation you provided: Manage audit log retention policies, you are correct that lower priority values indicate higher precedence when evaluating audit policies. In this case, Audit1 has a priority of 10 and Audit3 has a priority of 30, so Audit3 would take precedence over Audit1. Since Audit3 has a duration of 10 years and applies to User1 for the SiteRenamed activity, the site renaming action of User1 would be retained in the audit log for 10 years.

    It's always a good idea to stay up to date with any changes to retention policies to ensure that your organization is in compliance with any relevant regulations or policies.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


  2. LAWRENCE OSEI-KWAKU 0 Reputation points
    2025-08-12T20:25:24.84+00:00

    Your answer appears to be wrong and contradictory.

    You start correctly by saying:

    “lower priority values indicate higher precedence”

    But then you immediately contradict yourself by claiming:

    “so Audit3 would take precedence over Audit1”

    This makes no logical sense. If 10 is a lower priority number (higher precedence) than 30, then Audit1 should take precedence, not Audit3.

    The official Manage audit log retention policies documentation states:

    “A lower value indicates a higher priority. For example, a policy with a priority of 2 takes precedence over a policy with a priority of 5.”

    Manage audit log retention policies | Microsoft Learn

    In the example:

    Audit1 with Priority 10, applies to User1 (all activities), 6 months retention

    Audit3 with Priority 30, applies to User1 (SiteRenamed), 10 years retention

    Since 10 is lower than 30, Audit1 has higher precedence and should apply. That means the SiteRenamed event for User1 would be retained for 6 months, unless the user has the 10-year audit log retention add-on license (which they don’t in this scenario).

    The current answer in this thread seems to reverse the priority logic, which contradicts the official documentation.

    See also the PowerShell documentation: "The Priority parameter specifies a priority value for the policy that determines the order of policy processing. A higher integer value indicates a lower priority. The value 1 is the highest priority, and the value 10000 is the lowest priority. No two policies can have the same priority value."

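The priority rule quoted from the documentation in this thread (a lower Priority value is processed first), applied to the three policies from the question, as an added example that is not part of the thread and not Microsoft's code. It assumes the first policy in priority order whose user and activity scope covers the event sets the retention; the class and function names are hypothetical, and licensing is not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    priority: int                                # 1 = highest, 10000 = lowest
    duration: str
    users: Optional[FrozenSet[str]] = None       # None: no user specified
    activities: Optional[FrozenSet[str]] = None  # None: no activity specified

    def covers(self, user: str, activity: str) -> bool:
        return ((self.users is None or user in self.users) and
                (self.activities is None or activity in self.activities))


def processing_order(policies: List[RetentionPolicy], user: str, activity: str):
    """Policies whose scope covers the event, highest priority first."""
    values = [p.priority for p in policies]
    if any(not 1 <= v <= 10000 for v in values):
        raise ValueError("priority must be between 1 and 10000")
    if len(set(values)) != len(values):
        raise ValueError("no two policies can have the same priority value")
    hits = [p for p in policies if p.covers(user, activity)]
    return sorted(hits, key=lambda p: p.priority)


def effective_retention(policies, user, activity, default="organization default"):
    """Duration of the first covering policy; custom policies beat the default."""
    ordered = processing_order(policies, user, activity)
    return ordered[0].duration if ordered else default


# The three policies from the question (values as given in the thread).
POLICIES = [
    RetentionPolicy("Audit1", 10, "6 months", users=frozenset({"User1"})),
    RetentionPolicy("Audit2", 20, "90 days", activities=frozenset({"SiteRenamed"})),
    RetentionPolicy("Audit3", 30, "10 years", users=frozenset({"User1"}),
                    activities=frozenset({"SiteRenamed"})),
]

if __name__ == "__main__":
    for p in processing_order(POLICIES, "User1", "SiteRenamed"):
        print(p.priority, p.name, p.duration)
    print("effective:", effective_retention(POLICIES, "User1", "SiteRenamed"))
```

All three policies cover User1's SiteRenamed event, so the outcome under this model depends only on the priority ordering.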
