Audit log retention is not what you think
Standard audit retains logs for 180 days. If you need to investigate something that happened 7 months ago, the data is gone. Most organisations discover this during an investigation, not before. Here is what each licence tier actually gives you and how to avoid the gap.
The default that catches everyone out
Every Microsoft 365 tenant has audit logging enabled by default. That sounds reassuring until you ask how long the logs are kept.
Audit Standard retains logs for 180 days. That is it. No configuration option to extend it. No warning before records are deleted. On day 181, the oldest records start disappearing.
Before October 2023, it was even worse - the default was 90 days. If your tenant was set up before that date, some of your older records may have been retained for only 90 days before they were purged.
This means if someone reports suspicious activity from 7 months ago, or a regulator asks for evidence of what happened last year, you have nothing. The data existed. It was captured. And then it was quietly deleted because your retention window expired.
What each licence tier gives you
E3 / Business Premium (Audit Standard)
- 180-day retention for all activity types
- No custom retention policies
- Export limit of 50,000 records per search
- No intelligent insights (no visibility into mail item access, search queries, or detailed Teams events)
E5 / E5 Compliance add-on (Audit Premium)
- 1-year default retention for Exchange, SharePoint, OneDrive, and Entra ID activities
- 180-day default retention for everything else
- Custom retention policies - you choose which activities to retain and for how long (up to 1 year, or up to 10 years with an add-on)
- Export limit of 100,000 records per search
- Intelligent insights including mail access events, search queries, and detailed Teams activity
- Higher API bandwidth for programmatic access
10-Year Audit Log Retention add-on (requires E5)
- Extends custom retention policies up to 10 years
- Per-user add-on licence
- Policies are not retroactive - they only apply to logs generated after the policy is created
Why 180 days is not enough
Most security investigations do not start the day something happens. They start weeks or months later, when someone notices something unusual or a pattern emerges.
Common scenarios where 180 days falls short:
- Insider threat investigations. HR flags an employee who has been behaving unusually. By the time the investigation starts, the earliest suspicious activity is 8 months old. Gone.
- Regulatory requests. A regulator asks for evidence of data access controls over the past 12 months. You can only produce the last 6 months.
- Post-breach forensics. A compromised account is discovered. The attacker had access for 9 months. You can only see what happened in the last 6.
- eDiscovery and litigation. Legal needs to establish who accessed a document and when. The access happened 10 months ago. No record exists.
In all of these cases, the audit data was generated and available at one point. The organisation just did not retain it long enough.
How to fix it
If you have E5 licences, you already have 1-year retention for the core workloads (Exchange, SharePoint, OneDrive, Entra ID). But everything else - Teams, Power Platform, Defender events - still defaults to 180 days. Create custom retention policies for these.
In the Purview portal, go to Audit > Audit retention policies. Create a policy for each workload you care about and set the retention period. Prioritise:
- Entra ID sign-in and authentication events
- Exchange mailbox access events
- SharePoint and OneDrive file activity
- Teams message and meeting events
- Admin activity across all services
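The same policies can be created from Security & Compliance PowerShell instead of the Purview portal. The script below is an added example, not code from the original post: it creates one custom retention policy per workload in the priority list above, using the `New-UnifiedAuditLogRetentionPolicy` cmdlet from the ExchangeOnlineManagement module. The policy names, priorities, the choice of record types per workload and the 12-month duration are assumptions for illustration; Audit Premium is required, and, as noted later in the post, none of this applies to records generated before the policy exists.

```powershell
# Added example (not from the original post): create the prioritised custom audit
# retention policies with Security & Compliance PowerShell rather than the Purview portal.
# Requires Audit Premium (E5 / compliance add-on) and the ExchangeOnlineManagement module.
# Names, priorities, record-type mapping and the 12-month duration are assumptions.

Connect-IPPSSession   # Security & Compliance PowerShell (interactive sign-in)

# Each entry maps a workload from the priority list to the audit record types that carry it.
# RetentionDuration accepts ThreeMonths, SixMonths, NineMonths, TwelveMonths or TenYears
# (TenYears needs the 10-year add-on). A lower Priority number wins where policies overlap.
$policies = @(
    @{ Name = 'Entra ID sign-in and auth events'; RecordTypes = 'AzureActiveDirectoryStsLogon','AzureActiveDirectory'; Priority = 10 }
    @{ Name = 'Exchange mailbox access';          RecordTypes = 'ExchangeItem','ExchangeItemAggregated';               Priority = 20 }
    @{ Name = 'SharePoint and OneDrive files';    RecordTypes = 'SharePointFileOperation';                             Priority = 30 }
    @{ Name = 'Teams activity';                   RecordTypes = 'MicrosoftTeams';                                      Priority = 40 }
    @{ Name = 'Admin activity';                   RecordTypes = 'ExchangeAdmin','SharePoint';                          Priority = 50 }
)

foreach ($p in $policies) {
    # Idempotent: re-running the script must not create duplicate policies.
    $existing = Get-UnifiedAuditLogRetentionPolicy -Identity $p.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Policy '$($p.Name)' already exists, skipping"
        continue
    }

    New-UnifiedAuditLogRetentionPolicy -Name $p.Name `
        -Description 'Extend audit retention beyond the 180-day default' `
        -RecordTypes $p.RecordTypes `
        -RetentionDuration TwelveMonths `
        -Priority $p.Priority
}

# Review the result. Only custom policies are listed; the built-in defaults do not appear here.
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RecordTypes, RetentionDuration, Priority
```

Creating the policies in code rather than by hand makes the configuration reviewable and repeatable across tenants; the existence check means the script can run as part of tenant baselining without producing duplicates. Remember that policies take effect only for records generated after they are created, so this is a control to put in place before an investigation is needed, not during one.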
If you are on E3, you cannot extend retention within Microsoft 365. Your options are:
- Export logs regularly. Use PowerShell or the Management Activity API to pull audit logs on a schedule (weekly or monthly) and store them externally. This is manual but it works.
- Stream to a SIEM. If you have Sentinel, Splunk, or another SIEM, connect it to the Office 365 Management Activity API so audit events are pulled into the SIEM in near real time. Retention is then governed by your SIEM, not Microsoft.
- Upgrade the users who matter. You do not need E5 for everyone. Assign E5 or the compliance add-on to high-risk users - admins, executives, finance, legal. Their logs get the extended retention. Everyone else stays on 180 days.
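For the "export logs regularly" option, the script below is an added example (not code from the original post) of a weekly scheduled export built on `Search-UnifiedAuditLog` from the ExchangeOnlineManagement module. It searches one day at a time so that no single search approaches the 50,000-record cap mentioned above, pages through each day with a ReturnLargeSet session, and writes each event's `AuditData` JSON as one line per file so the copy can later be loaded into a SIEM or queried directly. The output folder, the 7-day window and the daily chunking are assumptions; run it from a scheduled task under an identity with audit-reading permissions and point the output at durable storage.

```powershell
# Added example (not from the original post): weekly export of audit records to local
# JSON Lines files so that copies outlive the 180-day Audit Standard purge.
# Requires the ExchangeOnlineManagement module. Output path, window and chunking are assumptions.

param(
    [string]$OutputRoot = 'C:\AuditExport',   # assumed destination; use durable, access-controlled storage
    [int]$DaysBack = 7                        # matches a weekly schedule with no gap between runs
)

Connect-ExchangeOnline -ShowBanner:$false

$end   = (Get-Date).ToUniversalTime().Date   # midnight UTC today; today's partial day is left for next run
$start = $end.AddDays(-$DaysBack)
New-Item -ItemType Directory -Path $OutputRoot -Force | Out-Null

# One search per day keeps each query well under the 50,000-record cap of a single search.
# ReturnLargeSet pages through up to 50,000 results within one SessionId.
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    $label     = $day.ToString('yyyy-MM-dd')
    $sessionId = "export-$label-" + [guid]::NewGuid().ToString('N')   # unique per run
    $outFile   = Join-Path $OutputRoot "$label.jsonl"

    # Re-running the same day replaces the file rather than appending duplicates.
    if (Test-Path $outFile) { Remove-Item $outFile }

    $total = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $count = @($page).Count
        if ($count -gt 0) {
            # AuditData holds the complete event as a JSON string; one event per line.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $outFile -Encoding UTF8
            $total += $count
        }
    } while ($count -eq 5000)   # a short page means the session is exhausted

    if ($total -ge 50000) {
        # The cap was reached; this day is probably incomplete and needs hourly windows instead.
        Write-Warning "${label}: reached the 50,000-record cap, split this day into smaller windows"
    }
    Write-Host "${label}: exported $total records to $outFile"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Two design points matter here. The per-day window is what keeps the export complete: a single search across a busy week can silently truncate at the 50,000-record limit, which is exactly the kind of gap this post is about, so the script warns when a day hits the cap. Writing raw `AuditData` rather than the summary columns preserves every field Microsoft captured, which is what an investigator or eDiscovery request will need months later.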
Regardless of licence tier, do not rely on the defaults. Check what you have, decide what you need, and close the gap before you need the data.
Two things people miss
Search query auditing is not on by default. Exchange and SharePoint search events (what users searched for) are an Audit Premium capability, as noted above, and require explicit enablement via PowerShell. Run `Set-Mailbox <user> -AuditOwner @{Add="SearchQueryInitiated"}` for each user. Without this, you have no visibility into what people are searching for in their mailbox or across SharePoint.
10-year retention policies are not retroactive. If you purchase the 10-year add-on and create a policy today, it only applies to logs generated from today onwards. It does not magically recover or extend logs that were already purged or committed at a shorter retention. If you think you will need long-term retention, set it up now - not when the investigation starts.