Set up Microsoft Purview Audit (Standard)
Microsoft Purview Audit (Standard) in Microsoft 365 lets you search for audit records for activities performed in the different Microsoft 365 services by users and admins. Because Audit (Standard) is enabled by default for most Microsoft 365 and Office 365 organizations, there are only a few things you need to do before you and others in your organization can search the audit log.
This article discusses the following steps necessary to set up Audit (Standard).
These steps include ensuring the proper organizational subscriptions and user licensing required to generate and preserve audit records and assigning permissions to team members of your security operations, IT, compliance, and legal teams so that they can search the audit log.
For more information, see Audit (Standard) in Microsoft 365.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Step 1: Verify organization subscription and user licensing
Licensing for Audit (Standard) requires the appropriate organization subscription that provides access to the audit log search tool, and the per-user licensing that's required to log and retain audit records.
When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. In Audit (Standard), audit records are retained and searchable in the audit log for 180 days.
The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.
For a list of subscription and licensing requirements for Audit (Standard), see Microsoft Purview auditing solutions.
Step 2: Assign permissions to search the audit log
Managing Audit permissions from the Exchange admin center will be discontinued starting February 2, 2024. You should start using the compliance portal now to manage Audit permissions and familiarize yourselves with the new permissions controls. To minimize impact to your organization, all existing Audit permissions currently assigned in the Exchange admin center will be automatically configured in the compliance portal on February 2, 2024.
Admins and members of investigation teams must be assigned the View-Only Audit Logs or Audit Logs role in the compliance portal to search or export the audit log. By default, these roles are assigned to the Audit Reader and Audit Manager role groups on the Permissions page in the compliance portal.
You can also create custom role groups with the ability to search the audit log by adding the View-Only Audit Logs or Audit Logs roles to a custom role group. For more information, see Permissions in the Microsoft Purview compliance portal.
The following screenshot shows the two audit-related role groups in the compliance portal.
Assign permissions from compliance portal to scope audit logs (preview)
To search or export the audit log, administrators or members of investigation teams must be assigned to at least one of the following audit-related role groups in the compliance portal:
- Audit Manager: A user assigned to the Audit Manager role group can search and export the audit log and manage audit settings for the tenant (like enabling or disabling audit logging). This role group grants the View-Only Audit Logs and Audit Logs roles to the user.
- Audit Reader: A user assigned to the Audit Reader role group can only search and export the audit log. They can't enable or disable audit logging. This role group grants the View-Only Audit Logs role to the user.
Step 3: Search the audit log
Now you're ready to search the audit log in the Microsoft Purview compliance portal.
1. Go to https://compliance.microsoft.com and sign in using an account that has been assigned the appropriate audit permissions.
2. In the left navigation pane of the compliance portal, select Show all and then select Audit.
3. On the Audit page, configure the search using the following conditions on the Classic Search tab.
   Starting November 30, 2023, Classic Search will be retired in favor of New Search. New Search includes enhancements such as faster search times, additional search options, the ability to save searches, and more.
   - Date and time range. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The last seven days are selected by default.
   - Activities. Select the activities to search for. Use the search box to search for activities to add to the list. For a partial list of audited activities, see Audited activities. Leave this box blank to return entries for all audited activities.
   - Users. Select in this box and start typing the names of the users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
   - File, folder, or site. Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify the URL of a file or folder. If you use a URL, be sure to type the full URL path; if you type only a portion of the URL, don't include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.
4. Select Search to run the search.
   A new page is displayed that shows the audit log search is running. When the search is completed, audit records are displayed on the page. Select a record to display a flyout page with detailed properties.
For more detailed instructions, see Search the audit log in the compliance portal.
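The same search can be scripted for repeatable investigations. The following is an added example, not part of the original article: it maps the four portal conditions to parameters of the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog and pages through the results. The account, user, operation names, URL and output file are placeholder assumptions, and the signed-in account is assumed to be permitted to run the cmdlet.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
# Every value in this block is a placeholder (assumption), not taken from the article.
$Admin      = 'auditor@contoso.example'
$End        = (Get-Date).ToUniversalTime()          # the portal presents times in UTC
$Start      = $End.AddDays(-7)                      # portal default: last seven days
$Operations = @('FileDownloaded', 'FileDeleted')    # "Activities"
$Users      = @('user1@contoso.example')            # "Users"
# "File, folder, or site": a full URL is used here.
$ObjectId   = 'https://contoso.sharepoint.example/sites/finance/Shared Documents/report.xlsx'

# Audit (Standard) retains records for 180 days; an older start date adds nothing.
$RetentionDays = 180
if ($Start -lt $End.AddDays(-$RetentionDays)) {
    Write-Warning "Start date is outside the $RetentionDays-day retention window."
}

Connect-ExchangeOnline -UserPrincipalName $Admin -ShowBanner:$false

# Confirm audit logging is on before trusting an empty result set.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled for this organization.'
}

# Page through the results: each call returns at most 5000 records, and
# repeating the call with the same session ID returns the next page.
$sessionId = "audit-$(Get-Date -Format 'yyyyMMddHHmmss')"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations $Operations -UserIds $Users -ObjectIds $ObjectId `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string with the detailed properties of each record.
# ObjectId and ClientIP are assumed present, as is usual for SharePoint file events.
$records | Sort-Object CreationDate | ForEach-Object {
    $detail = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Object    = $detail.ObjectId
        ClientIP  = $detail.ClientIP
    }
} | Export-Csv -Path .\audit-results.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Omitting -Operations, -UserIds or -ObjectIds corresponds to leaving the matching portal box blank.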