Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the audit log search tool in the Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Users in your organization can use the audit log search tool to search for, view, and export (to a CSV file) the audit records for these operations.

Microsoft 365 services that support auditing

Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services and features (in alphabetical order) that are supported by the unified audit log.

Microsoft 365 service or feature

AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon
AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat
ComplianceDLPSharePoint, ComplianceDLPExchange
DLPEndpoint, MSDEResponseActions, MSDEGeneralSettings, MSDEIndicatorsSettings, MSDERolesSettings
ExchangeAdmin, ExchangeItem, ExchangeItemAggregated
AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection
MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation
MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch
SharePoint, SharePointFileOperation, SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation
ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent

For more information about the operations that are audited in each of the services listed in the previous table, see the Audited activities section in this article.

The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see Office 365 Management Activity API schema.

For more information about using PowerShell to search the audit log, see Use a PowerShell script to search the audit log.

Be sure to read the following items before you start searching the audit log.

Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:

    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

The value of True for the UnifiedAuditLogIngestionEnabled property indicates that audit log search is turned on. For more information, see Turn audit log search on or off.

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.

If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Microsoft 365 compliance center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. The length of time that an audit record is retained (and searchable in the audit log) depends on your Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that is assigned to specific users.

For users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license), audit records for Azure Active Directory, Exchange, and SharePoint activity are retained for one year by default.
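
The prerequisites this article describes (audit log search turned on, and the View-Only Audit Logs role granted through a custom Exchange Online role group), followed by a paged Search-UnifiedAuditLog query for one record type, as an added example that is not part of the original article. The account name, role group name, seven-day window and output path are assumptions, and the script assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not Microsoft's script. Assumes Connect-ExchangeOnline has
# already been run (ExchangeOnlineManagement module).

# Admin step, run once: custom role group that carries only the
# View-Only Audit Logs role. Group name and member are hypothetical.
function New-AuditLogReaderGroup {
    param([string]$Member = 'auditor@contoso.example')
    New-RoleGroup -Name 'Audit Log Readers' -Roles 'View-Only Audit Logs' -Members $Member
}

# Searcher step: confirm ingestion is on, then page through one record type.
function Export-AuditRecords {
    param(
        [string]$RecordType = 'SharePointFileOperation',  # value from the record type list
        [int]$Days = 7,                                   # assumed search window
        [string]$Path = '.\audit-records.csv'             # assumed output file
    )
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        throw 'UnifiedAuditLogIngestionEnabled is False: audit log search is turned off.'
    }
    $query = @{
        StartDate      = (Get-Date).AddDays(-$Days)
        EndDate        = Get-Date
        RecordType     = $RecordType
        SessionId      = [guid]::NewGuid().ToString()  # same id on every page
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000                          # maximum per call
    }
    $records = @()
    do {
        $page = @(Search-UnifiedAuditLog @query)
        $records += $page
    } while ($page.Count -gt 0)

    # AuditData is a JSON string; flatten the fields an analyst usually needs.
    # De-duplicating on Identity is a precaution for unsorted paged results.
    $records | Sort-Object Identity -Unique | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $_.CreationDate
            UserIds      = $_.UserIds
            Operation    = $_.Operations
            RecordType   = $_.RecordType
            ObjectId     = $data.ObjectId
            ClientIP     = $data.ClientIP
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}
```

Run New-AuditLogReaderGroup from an admin session and Export-AuditRecords from the session of a role group member, so the search itself runs with only the audit-reading role.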