Get started with auditing solutions

Microsoft Purview Audit (Standard) and Audit (Premium) allow you to search for audit records for activities performed in the different Microsoft 365 services by users and admins. Because Audit (Standard) is enabled by default for most Microsoft 365 organizations, there are only a few things you need to do before you, and others in your organization can search the audit log. There are a few more configuration steps you'll need to complete to use features only available in Audit (Premium).

For more information about Audit (Standard) and Audit (Premium) capabilities, see Microsoft Purview auditing solutions.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Step 1: Verify organization subscription and user licensing

Licensing for Audit (Standard) and Audit (Premium) requires the appropriate organization subscription that provides access to audit log search tool and per-user licensing that's required to log and retain audit records.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. In Audit (Standard) and Audit (Premium), audit records are retained and searchable in the audit log for 180 days.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

For a list of subscription and licensing requirements for these auditing solutions, see the subscription requirements for Audit (Standard) and Audit (Premium).

Step 2: Assign permissions to search the audit log

Admins and members of investigation teams must be assigned the View-Only Audit Logs or Audit Logs role in the compliance portal to search or export the audit log. By default, these roles are assigned to the Audit Reader and Audit Manager role groups on the Permissions page in the compliance portal.

Note

Access to enable or disable auditing and access to audit cmdlets currently requires permissions from the Exchange admin center. Use the existing Audit Logs and View-Only Audit Logs roles in the Exchange admin center to grant access to enable or disable auditing and access to audit cmdlets.

You can also create custom role groups with the ability to search the audit log by adding the View-Only Audit Logs or Audit Logs roles to a custom role group. For more information, see Permissions in the Microsoft Purview compliance portal.

Assign permissions from compliance portal to scope audit logs

To search or export the audit log, administrators or members of investigation teams must be assigned to at least one of the following audit-related role groups in the compliance portal:

  • Audit Manager: A user assigned to the Audit Manager role group can search and export the audit log and manage audit settings for the tenant (like enabling or disabling audit logging). This role group grants the View-Only Audit Logs and Audit Logs roles to the user.
  • Audit Reader:A user assigned to the Audit Reader role group can only search and export the audit log. They can't enable or disable audit logging. This role group grants the View-Only Audit Logs role to the user.

Step 3: Set up Audit (Premium) for users

Tip

Organizations using Audit (Standard) can skip this step.

Audit (Premium) features such as the ability to log intelligent insights such as MailItemsAccessed and Send require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users.

To verify that the Advanced Auditing app is assigned to users, complete the following steps for each user:

  1. In the Microsoft 365 admin center, go to Users > Active users, and select a user.

  2. On the user properties flyout page, select Licenses and apps.

  3. In the Licenses section, verify that the user is assigned an E5 license or is assigned an appropriate add-on license. For a list of licenses that support Audit (Premium), see Audit licensing requirements.

  4. Expand the Apps section, and verify that the Microsoft 365 Advanced Auditing checkbox is selected.

  5. If the checkbox isn't selected, select it, and then select Save changes.

    The logging of audit records for MailItemsAccessed and Send begins within 24 hours. You have to perform Step 2 to start logging of two other Audit (Premium) events: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.

Also, if you've customized the mailbox actions that are logged on user mailboxes or shared mailboxes, any new Audit (Premium) events released by Microsoft won't be automatically audited on those mailboxes. For information about changing the mailbox actions that are audited for each logon type, see the "Change or restore mailbox actions logged by default" section in Manage mailbox auditing.

Step 4: Enable Audit (Premium) events

Tip

Organizations using Audit (Standard) can skip this step.

You have to enable two Audit (Premium) events (SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint) to be logged when users perform searches in Exchange Online and SharePoint Online.

To enable these two events to be audited for users, run the following command (for each user) in Exchange Online PowerShell:

Set-Mailbox <user> -AuditOwner @{Add="SearchQueryInitiated"}

In a multi-geo environment, you must run the previous Set-Mailbox command in the forest where the user's mailbox is located. To identify the user's mailbox location, run the following command:

Get-Mailbox <user identity> | FL MailboxLocations

If the command to enable the auditing of search queries was previously run in a forest that's different than the one the user's mailbox is located in, then you must remove the SearchQueryInitiated value from the user's mailbox by running Set-Mailbox -AuditOwner @{Remove="SearchQueryInitiated"} and then add it to the user's mailbox in the forest where the user's mailbox is located.

Step 5: Set up audit retention policies in Audit (Premium)

Tip

Organizations using Audit (Standard) can skip this step.

In addition to the default policy that retains Microsoft Entra ID, Exchange, OneDrive, and SharePoint audit records for one year, organizations using Audit (Premium) can create audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams.

For more information, see Manage audit log retention policies.

Step 6: Search for audited events

Now that you have Audit (Standard) or Audit (Premium) configured for your organization, you're ready to search the audit log in the Microsoft Purview compliance portal.

  1. Go to https://compliance.microsoft.com and sign in using an account assigned the appropriate audit permissions.

  2. In the left navigation pane of the compliance portal, select Show all and then select Audit.

  3. On the Audit page, configure the search using the following conditions on the New Search tab.

    Important

    Classic Search has been retired as of November 30, 2023. New Search includes enhancements such as faster search times, additional search options, ability to save searches, and more.

    1. Date and time range. Select a date and time range to display the activities that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The last seven days are selected by default.

    2. Activities. Select the activities to search for. Use the search box to search for activities to add to the list. For a partial list of audited activities, see Audited activities. Leave this box blank to return entries for all audited activities.

    3. Users. Select in this box and start typing the name of users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.

    4. File, folder, or site. Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL of a file or folder, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.

  4. Select Search to run the search.

A new page is display that shows the audit log search is running. When the search is completed, audit records are displayed on the page. Select a record to display a flyout page with detailed properties.

For more detailed instructions, see Search the audit log in the compliance portal.