Microsoft 365 Audit Log: A Simple Guide to Align with Regulations
Hanna Korotka

Enabling the Microsoft 365 Audit Log to Align with Regulations

Audit logs in Microsoft 365 are crucial for organizations that need to comply with regulations and security frameworks such as HIPAA, CIS, and ISO 27002. By capturing both user and admin activities across your tenant, these logs help you detect security incidents, demonstrate compliance, and swiftly investigate issues.


In this post, we’ll explore key considerations for enabling, searching, retaining, and monitoring Microsoft 365 audit logs. We’ll also highlight specific compliance requirements so you can align your logging practices with recognized standards.


Why Auditing Matters


Audit logs form the backbone of a strong cybersecurity and compliance strategy. They capture detailed records of user logins, file access, and administrative changes—data that’s crucial for meeting regulatory demands and protecting sensitive information.

  • HIPAA requires organizations to maintain “audit controls” (45 C.F.R. 164.312(b)) that record and monitor access to Protected Health Information (PHI).

  • CIS states: “Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.”

  • ISO 27002 includes the directive:

    • A.12.4.1 Event logging


By following best practices for Microsoft 365 audit logging, you can strengthen security, support these standards, and ensure you have the visibility needed to manage threats effectively.


The Unified Audit Log


Microsoft 365 provides a Unified Audit Log that captures activities across key services, including Exchange, SharePoint, OneDrive, and Teams. This consolidated approach simplifies investigations by centralizing all major events in one location.


Note: Audit logging is turned on by default in newly created Microsoft 365 organizations. However, if your organization was created before July 2023, auditing might not have been enabled automatically. You should verify its status to ensure compliance and thorough recordkeeping.


To confirm that auditing is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

  • A value of True indicates that auditing is turned on.

  • A value of False indicates that auditing is turned off.


Enabling Audit Logging


Enabling and managing audit logs requires a Global Admin or Compliance Admin role. Check that your team members have the correct privileges to enable and access audit logs.

  1. Sign in to the Microsoft Purview compliance portal with an appropriate role.

  2. Open the Audit Solution. Select Audit in the left navigation pane.

  3. If auditing isn’t turned on, a banner will prompt you to enable logging. Select Start recording user and admin activity.


It may take up to 60 minutes for the change to take effect.


Enabling Audit Logging via PowerShell


If you prefer to enable auditing using PowerShell:

  1. Connect to Exchange Online PowerShell and run:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

You’ll see a message indicating it may take up to 60 minutes for the change to be fully applied.


Turning Off Auditing


To turn off auditing, you must use Exchange Online PowerShell:

  1. Connect to Exchange Online PowerShell and run:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

After a short delay, verify that auditing is disabled:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

A value of False indicates that auditing is turned off.


You can also go to the Audit page in the compliance portal. A banner will display if auditing isn’t turned on for your organization.


Checking Audit Records When Auditing Status Changes


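Changes to the auditing status in your organization are themselves audited. You can search the Exchange admin audit log for these records. Search-UnifiedAuditLog requires a date range, so supply -StartDate and -EndDate. For instance, to find entries from the last 90 days related to turning auditing on or off, run:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations Set-AdminAuditLogConfig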
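
The search above returns raw records. As an added example (not part of the original post), the function below reads each record's AuditData and flags the ones that switched unified auditing off. The AuditData field names and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). The AuditData field names used
# here (CreationTime, UserId, Parameters[].Name/.Value) are assumptions about
# the Exchange admin record layout; confirm them against your own tenant.
function Get-AuditingStatusChange {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        # Each record carries its detail as a JSON string in AuditData.
        $data  = $Record.AuditData | ConvertFrom-Json
        $param = $data.Parameters |
            Where-Object { $_.Name -eq 'UnifiedAuditLogIngestionEnabled' } |
            Select-Object -First 1
        if (-not $param) { return }   # some other Set-AdminAuditLogConfig change

        $enabled = "$($param.Value)" -eq 'True'
        $state   = if ($enabled) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{
            Time     = $data.CreationTime
            Actor    = $data.UserId
            NewState = $state
            Alert    = -not $enabled   # auditing switched off needs follow-up
        }
    }
}

# Constructed sample records (not real tenant data); OtherSetting is a made-up name.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-10T08:15:00","Operation":"Set-AdminAuditLogConfig","UserId":"admin@contoso.example","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"False"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-10T09:40:00","Operation":"Set-AdminAuditLogConfig","UserId":"secops@contoso.example","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"True"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-11T11:00:00","Operation":"Set-AdminAuditLogConfig","UserId":"admin@contoso.example","Parameters":[{"Name":"OtherSetting","Value":"90"}]}' }
)
$sample | Get-AuditingStatusChange | Format-Table -AutoSize

# Live use (requires an Exchange Online PowerShell session):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#     -Operations Set-AdminAuditLogConfig | Get-AuditingStatusChange |
#     Where-Object Alert
```

With the sample data, the first record is reported as Disabled with Alert set, the second as Enabled, and the third is skipped because it does not touch the ingestion setting.
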

Searching, Filtering, and Exporting Audit Logs


Basic Searches

You can query the audit log using keywords, date ranges, users, or activities. For example, you might search for file deletion events in the last week to investigate potential data loss.


Advanced Filtering

  • Activity Filter: Narrow your search to specific event categories, like “File and Folder Activities,” “Exchange Admin Activities,” or “Teams Chat Activities.”

  • Drilling Down by User: Focus on a single user or department to detect unusual patterns.


Exporting Logs

After refining your search, export the results (in CSV format) for deeper analysis or archiving.
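
The same search, filter and export steps can be scripted. The following is an added example (not from the original post) that pulls file deletion events for the last week, optionally limited to specific users, and writes them to CSV. It assumes an existing Exchange Online PowerShell session; the function name, user address and output path are placeholders.

```powershell
# Added example (not from the original post). Assumes you are already connected
# to Exchange Online PowerShell. Function name, path and user are placeholders.
function Export-FileDeletionAudit {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date),
        [string[]]$UserIds,                        # optional drill-down by user
        [string]$Path    = '.\file-deletions.csv'
    )
    $query = @{
        StartDate      = $Start
        EndDate        = $End
        Operations     = 'FileDeleted', 'FileDeletedFirstStageRecycleBin',
                         'FileDeletedSecondStageRecycleBin'
        SessionId      = "FileDeletion-$(New-Guid)"   # ties the pages together
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000                          # maximum per call
    }
    if ($UserIds) { $query.UserIds = $UserIds }

    # Repeat the same call until a page comes back empty.
    $all = [System.Collections.Generic.List[object]]::new()
    do {
        $page = @(Search-UnifiedAuditLog @query)
        $all.AddRange($page)
    } while ($page.Count -gt 0)

    # ReturnLargeSet output is unsorted: drop any repeated rows, then order by time.
    $rows = @($all | Sort-Object Identity -Unique | Sort-Object CreationDate)
    $rows |
        Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows.Count
}

# Example call:
# Export-FileDeletionAudit -UserIds 'user@contoso.example' -Path .\deletions.csv
```

A single ReturnLargeSet session returns at most 50,000 records, so if the count reaches that figure, split the date range into smaller windows and run the export once per window.
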


Retaining Audit Logs for Compliance


By default, Microsoft 365 retains audit records of user and admin activities for 180 days. After that period, these records are removed from the audit log.


Audit log retention policies are part of Microsoft Purview Audit (Premium) capabilities. An audit log retention policy lets you specify how long to keep logs in your organization—up to 10 years if needed. You can create policies based on:

  • All activities in one or more Microsoft services

  • Specific activities in a Microsoft service, performed by all users or by specific users

  • A priority level that determines which policy takes precedence if multiple policies exist


For detailed steps on creating an audit log retention policy, see Audit log retention policies.


Microsoft 365’s unified audit log is a powerful tool for tracking activities and demonstrating strong internal controls. By enabling auditing, defining retention policies, and actively monitoring user behavior, you reduce the risk of unauthorized data access and maintain clear visibility into your environment.


If you have questions about auditing best practices or need help optimizing Microsoft 365 for your organization, PlexHosted can provide the guidance and support you need. From initial setup to ongoing monitoring, we tailor solutions to help you meet stringent security standards and stay ahead of emerging threats.


Need Expert Assistance?


Contact PlexHosted for a customized approach to Microsoft 365 security and compliance best practices.

