Different types of logging – Microsoft Purview Audit

Accountability and insights are two important components for compliance and security. Insights can be used to build an audit trail of specific actions performed by users, administrators or bad actors within the organisation.

To support this, Microsoft 365 offers Office 365 audit logs, Azure AD sign-in logs and Azure AD audit logs. In this short article I want to focus on the Office 365 audit log and the three (yes: three) options based on licensing. Some regulations require specific retention for audit logging. As I’m sometimes asked about these options, I wanted to write these down. So let’s take a look.

Different types

Audit logging has been around for quite some time. Even in the on-premises SharePoint world, you could set audit settings on the site-collection, although some options were not available. In the cloud, these options were still available, until the advent of the unified logging options.

Unified logging brought the logging of activities within Office 365 from the workloads themselves to the Security & Compliance Center. From there, you had a (somewhat) limited view of activities in Exchange Online and SharePoint Online. In the last couple of years, this logging has been extended and you can even use Microsoft Sentinel to work with the Office 365 logs.

Types of logging

Standard logging (Microsoft Purview Audit Standard) for Office 365 includes the activities for the many workloads in the platform, ranging from data lifecycle management and information protection to Power Platform, Power BI and more. A complete list can be found here. Activities are accessible for up to 90 days.

Searching the audit log is quite easy – although the activities section still (IMHO) requires some improvement. The detail of the activities presented is staggering. And Microsoft adds activities to the unified log when available.

If you need to, you can even use these activities within your alerts. For example, you can receive an alert when a new Power Automate flow has been created in your environment.

In addition to this standard enabled logging, an organization may have the need for more advanced options. And these are included in Microsoft Purview Audit Premium. This is the second option for audit logging. This premium component (part of Microsoft 365 E5 Compliance) offers several functions, but beware the licensing – this is per-user based!

I will get to the retention period included in this option below. But Audit Premium goes beyond extending this retention period. It also offers some very specific (Premium) audit events. One example is the new MailItemsAccessed event category, which allows you to do forensic research into a specific mailbox. Another part of Audit Premium is the higher bandwidth for the Office 365 Management Activity API.
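The kind of mailbox research MailItemsAccessed enables, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an account allowed to search the audit log, and a placeholder mailbox address and time window.

```powershell
# Added example: pull MailItemsAccessed records for one mailbox and flatten
# the fields an investigator usually needs. Mailbox and window are placeholders.
Connect-ExchangeOnline   # ExchangeOnlineManagement module

$mailbox = 'user@contoso.example'      # placeholder mailbox
$end     = (Get-Date).ToUniversalTime()
$start   = $end.AddDays(-7)            # must fall inside your retention period
$session = "mia-$([guid]::NewGuid())"  # ties the paged calls together

# One call returns at most 5000 records, so page until nothing comes back.
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations MailItemsAccessed -UserIds $mailbox `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; OperationProperties is a list of Name/Value pairs.
$events = foreach ($r in $records) {
    $d  = $r.AuditData | ConvertFrom-Json
    $op = @{}
    foreach ($p in $d.OperationProperties) { $op[$p.Name] = $p.Value }
    [pscustomobject]@{
        TimeUtc     = [datetime]$d.CreationTime
        AccessType  = $op['MailAccessType']   # Bind (single item) or Sync (folder)
        IsThrottled = $op['IsThrottled']      # True = some access may not be logged
        ClientIP    = $d.ClientIPAddress
        Client      = $d.ClientInfoString
    }
}

$events | Sort-Object TimeUtc | Format-Table -AutoSize

# Access summarised per source address and type, to spot unfamiliar clients.
$events | Group-Object ClientIP, AccessType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Throttled records mean the log is incomplete for that window.
$throttled = @($events | Where-Object { $_.IsThrottled -eq 'True' })
"{0} of {1} records are throttled" -f $throttled.Count, @($events).Count
```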

But in my experience, one of the best use-cases for this premium option is the use of longer retention periods.

A one-year retention period for audit records is part of the premium offering and will be enabled by default when the license is activated. But beware that this only encompasses Exchange Online, SharePoint Online and Azure Active Directory audit records for users that have this license assigned. All other workloads still conform to the 90-day retention period – unless you use retention policies.

An audit log retention policy allows you to select specific audit records, for specific workloads, and retain these for a specific period. This can be up to one year. For example: you might have a requirement to store specific DLP events. This can be achieved using such a retention policy.

When you set a specific audit log policy, this will take precedence over the default policy, even if this means that the audit log records will be deleted earlier. For example: if you have a SharePoint Online specific audit log policy that will keep the records for six months, then this will take precedence over the default one-year period for these types of activity. And when you create multiple policies, please note the priority. The lower the number, the higher the priority.

Please also note that an administrator will need the Organization Configuration role assigned. Also, take care with these policies as there’s a maximum of 50 per organization!
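The two policies used as examples above (six months for SharePoint Online, retained DLP events), created from Security & Compliance PowerShell. This is an added example, not part of the original article; the policy names, the priority numbers and the choice of record types are illustrative assumptions.

```powershell
# Added example. Policy names and priority numbers are illustrative assumptions.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement)

$maxPolicies = 50     # per-organization maximum mentioned in the article
$existing    = @(Get-UnifiedAuditLogRetentionPolicy)

$wanted = @(
    @{  # Shorter than the one-year default: these records are deleted earlier.
        Name              = 'SPO audit - 6 months'
        Description       = 'SharePoint Online audit records, six months'
        RecordTypes       = 'SharePoint', 'SharePointFileOperation'
        RetentionDuration = 'SixMonths'
        Priority          = 200
    },
    @{  # DLP events kept for a year; lower number = higher priority, as above.
        Name              = 'DLP events - 12 months'
        Description       = 'DLP events for SharePoint and Exchange, one year'
        RecordTypes       = 'ComplianceDLPSharePoint', 'ComplianceDLPExchange'
        RetentionDuration = 'TwelveMonths'
        Priority          = 100
    }
)

# Stop before hitting the organization-wide policy limit.
if ($existing.Count + $wanted.Count -gt $maxPolicies) {
    throw "Creating $($wanted.Count) policies would exceed the limit of $maxPolicies."
}

foreach ($policy in $wanted) {
    if ($existing.Name -contains $policy.Name) {
        Write-Warning "Policy '$($policy.Name)' already exists, skipping."
        continue
    }
    if ($existing.Priority -contains $policy.Priority) {
        Write-Warning "Priority $($policy.Priority) is already in use; pick another so the order stays unambiguous."
        continue
    }
    New-UnifiedAuditLogRetentionPolicy @policy
}

# Review the result in priority order.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority |
    Format-Table Name, Priority, RecordTypes, RetentionDuration -AutoSize
```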

Microsoft Purview Audit (Premium) allows for a period up to one year… But hang on – I can clearly see a ten-year radio button?! Yes – this is the third option for retention. To enable a ten-year retention period, you will need to acquire a very specific add-on license.

To summarize

So, let’s summarize this. The Microsoft 365 standard offering for audit logging is a 90-day period for Office 365 and Azure Active Directory. If you want to extend this, you will need Microsoft Purview Audit (Premium) – which is a user-based license. This license will extend the period to one year. If you need a maximum of ten years, then you will need a third license option (the 10-year Audit Log Retention add-on).

Microsoft Purview Audit (Premium) is part of Microsoft & Office 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 eDiscovery and Audit.

Who has access?

The information in the logs can only be accessed by people with the Global Administrator, Global Reader, Security Reader, Security Administrator or Report Reader roles assigned. Please make sure to implement Privileged Identity Management, Multifactor Authentication and even Privileged Workstations for these roles.

Other options

Although 90 days, one year and even ten years should be quite sufficient for storing the audit log records, there are some other ways to safeguard this information. You might use the export-function for this. When using Microsoft Defender for Cloud Apps you could set a detection rule which applies a Microsoft Information Protection sensitivity label when this information is opened in Excel (for instance).

If the organization is already using a SIEM/SOAR platform (for example: Microsoft Sentinel), you should look into connecting this to Office 365. There is a standard connector for this and this will enable you to use Sentinel to query the audit logs. And in addition – the information will be entering a Log Analytics workspace, where you can have alternative retention policies.

Closing up

As part of Microsoft Purview, the Microsoft 365 auditing capabilities are powerful. Even the Standard edition. Some regulations (for example in The Netherlands, the Information Protection Baseline for Government or BIO) do require more than 90 days of records to be kept. I hope this article gives some insights into the available options for this.

3 comments

  1. Hi,

    great article! One question. I have failed to find a solution for exporting the Unified Audit Log from O365 to a LogAnalytics workspace. As you mentioned, there’s the Office365 Data Connector in Sentinel, so the integration is done with just a few clicks, but are you aware of any way to ingest the Unified Audit Log in a Log Analytics workspace that is not Sentinel enabled? Thank you!

    1. Hi Adam,

      As far as I’m aware – this is (no longer) possible. But I will ask around to see if there’s any information of this. When/if I find something, I will get back to you.
