Data retention information for Microsoft Defender for Office 365

By default, data across different features is retained for a maximum of 30 days. However, for some of the features, you can specify the retention period based on policy. See the following table for the different retention periods for each feature.


Microsoft Defender for Office 365 comes in two different subscriptions: Plan 1 and Plan 2. If you have Threat Explorer at, you have Plan 2. Otherwise, you have Real-time Detections at as part of Plan 1.

Your Defender for Office 365 subscription affects the tools that are available to you, so make sure you know which subscription you have as you learn.

Defender for Office 365 Plan 1

Feature Retention period
Alert metadata details (Defender for Office 365 alerts) 90 days.
Entity metadata details (Email) 30 days.
Activity alert details (audit logs) 7 days.
Email entity page 30 days.
Quarantine 30 days (configurable; 30 days is the maximum).
Reports 90 days for aggregated data.

30 days for detailed information.
Submissions 30 days.
Real-Time detections 30 days.

Defender for Office 365 Plan 2

Defender for Office 365 Plan 1 capabilities, plus:

Feature Retention period
Action Center 180 days.

Office Action Center 30 days.
Advanced Hunting 30 days.
AIR (Automated investigation and response) 60 days for investigations metadata.

30 days for email metadata.
Attack simulation training data 18 months.
Campaigns 30 days.
Incidents 30 days.
Remediation 30 days
Threat Analytics 30 days.
Threat Explorer 30 days.
Threat Trackers 30 days.