Enable Unified Audit Logging in Microsoft 365


Unified Audit Logging is a feature in Microsoft 365 that allows you to track and record user and admin activities across various services and applications, such as Exchange Online, SharePoint Online, OneDrive, Teams, Power BI, and Microsoft Entra ID.

With Unified Audit Logging, you can monitor and investigate security incidents, compliance violations, and operational issues. You can also generate audit reports and alerts based on specific events or criteria. The Unified Audit Log provides a centralized collection of audit events related to Microsoft 365. It encompasses activities such as file downloads from SharePoint or OneDrive, user sign-ins, and administrative actions.

You can access the audit log through the Microsoft Purview compliance portal. Activities are grouped by service, making it easier to search for specific events. Unified Audit Logging can help you achieve the following benefits:

  • Enhance security and compliance by detecting and responding to suspicious or unauthorized activities, such as data breaches, malware attacks, or policy violations.
  • Improve operational efficiency and performance by identifying and resolving issues, such as configuration errors, service outages, or user feedback.
  • Gain insights and visibility into user behavior and preferences by analyzing and reporting on user actions, such as file access, sharing, collaboration, or communication.

The audit log captures a wide range of activities, including:

  • Application administration activities
    • These activities include adding or changing applications registered in Microsoft Entra ID.
    • Operations such as adding delegation entries, managing service principals, and modifying authentication permissions fall under this category.
  • Microsoft Defender for Identity activities
    • These activities are logged in the unified audit log when they're enabled in the Microsoft Defender XDR portal.
    • To view these activities, ensure that the unified audit log is enabled.
  • Custom Searches
    • You can create custom searches using the Audit search functionality to retrieve relevant information from the unified audit log.

Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should begin by verifying the auditing status for your organization (see the next section).

When auditing is turned on in the Microsoft Purview compliance portal, user and administrator activity from your organization is recorded in the audit log and automatically retained for 180 days. The retention (lifetime) of an audit record starts when it's added to the audit log, and how long it is kept depends on the audit log retention policies and on the license assigned to the user. Changes to user licensing or to retention policies also change the expiration date of existing audit data.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

An organization might have reasons for not wanting to record and retain audit log data. In these cases, a Global administrator can turn off auditing in Microsoft 365 for their organization.

Important

If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Microsoft Sentinel to access auditing data or logs for your organization. Turning off auditing means that no results will be returned when you search the audit log using the Microsoft Purview compliance portal, or when you run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.

Verify the auditing status for your organization

To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing isn't turned on.

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

Turn on auditing

You must be assigned the Audit Logs role in Exchange Online to turn auditing on or off. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview compliance portal, or by using Exchange Online PowerShell. It can take up to an hour or so after you turn on auditing before you can return results when you search the audit log.

If you prefer to turn on auditing in the Microsoft Purview compliance portal, then complete the following steps:

  1. Sign in to the Microsoft Purview compliance portal.
  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
  3. If auditing isn't turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
  4. Select the Start recording user and admin activity banner.

If you prefer to turn on auditing using Exchange Online PowerShell, then complete the following steps:

  1. Connect to Exchange Online PowerShell.
  2. Run the following PowerShell command to turn on auditing:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
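The verification step and the PowerShell enable step above can be combined into one idempotent script. The following is an added example, not code from the page or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Audit Logs role (Compliance Management or Organization Management role group). The function names are this example's own.

```powershell
# Added example (not from the original page): verify unified audit log
# ingestion in Exchange Online PowerShell and turn it on only if it is off.
# Assumes: ExchangeOnlineManagement module installed; account holds the
# Audit Logs role. Function names are this example's own.

function Test-UnifiedAuditLogEnabled {
    # Must be run in an Exchange Online session. In Security & Compliance
    # PowerShell the same cmdlet exists, but UnifiedAuditLogIngestionEnabled
    # always reads False there, even when auditing is actually on.
    $config = Get-AdminAuditLogConfig
    return [bool]$config.UnifiedAuditLogIngestionEnabled
}

function Enable-UnifiedAuditLogIfNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (Test-UnifiedAuditLogEnabled) {
        Write-Host "Unified audit log ingestion is already enabled."
        return $true
    }

    if ($PSCmdlet.ShouldProcess("Exchange Online organization",
                                "Enable unified audit log ingestion")) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # Re-read the setting to confirm the write took effect. Searches may
        # still return nothing for up to an hour or so after enabling.
        $enabled = Test-UnifiedAuditLogEnabled
        Write-Host ("Unified audit log ingestion enabled: {0}" -f $enabled)
        return $enabled
    }
    return $false
}

# Usage: interactive sign-in, verify/enable, then close the session.
# Add -WhatIf to Enable-UnifiedAuditLogIfNeeded to preview without changing anything.
Connect-ExchangeOnline -ShowBanner:$false
Enable-UnifiedAuditLogIfNeeded
Disconnect-ExchangeOnline -Confirm:$false
```

Because the check and the change run in the same Exchange Online session, the script cannot be fooled by the always-False value the Security & Compliance endpoint returns, and the SupportsShouldProcess attribute lets change-control reviewers dry-run it with -WhatIf.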
Organizations that implement audit logging should also consider the following tasks to enhance their auditing experience:

  • Configure the audit log retention policy. In the Microsoft Purview compliance portal, select the Audit retention policies tab. You can specify how long you want to retain the audit logs for each service and activity. The default retention period is 90 days, but you can extend it up to one year.
  • Search and export the audit logs. In the Microsoft Purview compliance portal, open Audit search and specify the date range, service, and activity that you want to search for. You can also use filters and keywords to refine your search. You can then export the results to a CSV file or to an Azure Storage account.
  • Create audit alerts and reports. In the Microsoft Purview compliance portal, select the New alert policy button. You can then define the conditions, actions, and recipients for the alert. You can also use the PowerShell cmdlet New-ProtectionAlert to create custom alerts. The portal also provides built-in audit reports, such as the Activity report, the User activity report, or the Sharing and access request report.
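The search-and-export task can also be scripted with the Search-UnifiedAuditLog cmdlet mentioned earlier, which is useful when an investigation needs more than the portal's interactive export. The following is an added example, not code from the page or from Microsoft; it assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline) and that auditing is turned on, since otherwise the cmdlet returns nothing. The function name, the output path, and the operation names used in the usage line are this example's own illustrative choices.

```powershell
# Added example (not from the original page): page through the unified audit
# log with Search-UnifiedAuditLog and flatten the results to CSV.
# Assumes: an existing Exchange Online PowerShell session and auditing enabled.
# Function name, file path and the sample operation names are illustrative.

function Export-UnifiedAuditLogRange {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,                 # optional operation filter
        [Parameter(Mandatory)] [string] $OutputPath
    )

    # A fixed SessionId with SessionCommand ReturnLargeSet makes the cmdlet
    # return the result set in pages (up to 5000 records each) until exhausted.
    $sessionId = "audit-export-" + [guid]::NewGuid().ToString()
    $pageSize  = 5000
    $all       = New-Object System.Collections.Generic.List[object]

    do {
        $searchParams = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = $pageSize
        }
        if ($Operations) { $searchParams['Operations'] = $Operations }

        $page = @(Search-UnifiedAuditLog @searchParams)

        foreach ($record in $page) {
            # AuditData is a JSON string; pull out the fields an analyst
            # reaches for first (who, what, from where, on which object).
            $data = $record.AuditData | ConvertFrom-Json
            $all.Add([pscustomobject]@{
                CreationDate = $record.CreationDate
                UserId       = $record.UserIds
                Operation    = $record.Operations
                RecordType   = $record.RecordType
                Workload     = $data.Workload
                ClientIP     = $data.ClientIP
                ObjectId     = $data.ObjectId
                ResultStatus = $data.ResultStatus
            })
        }
    } while ($page.Count -eq $pageSize)

    # Large result sets can contain repeated records across pages; Identity is
    # unique per audit record, so dedupe on it before writing.
    $unique = $all | Sort-Object Identity -Unique -ErrorAction SilentlyContinue
    if (-not $unique) { $unique = $all }
    $unique | Sort-Object CreationDate |
        Export-Csv -Path $OutputPath -NoTypeInformation
    return @($unique).Count
}

# Usage: last 7 days of SharePoint/OneDrive file downloads (sample operation names).
$count = Export-UnifiedAuditLogRange -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations 'FileDownloaded','FileSyncDownloadedFull' `
    -OutputPath '.\audit-file-downloads.csv'
Write-Host "Exported $count audit records."
```

The loop stops as soon as a page comes back smaller than the requested size, so a quiet tenant costs one call and a busy one walks the whole set without exceeding the per-call limit; flattening AuditData at export time means the CSV can be filtered in a spreadsheet or SIEM without re-parsing JSON.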