How It Started:
Microsoft 365 unified auditing helps to track activities performed in the different Microsoft 365 services by both users and admins. Basic auditing is enabled by default for most Microsoft 365 organizations. In the Basic audit, audit records are retained and searchable for the last 90 days. To retrieve an audit log for more than 90 days, you need to adopt Advanced auditing, which requires E5/A5/G5 subscriptions. By default, advanced auditing retains all Azure Active Directory, Exchange, SharePoint, and OneDrive audit records for one year.
Increased From 90 Days
Most admins want to keep an audit log for more than 90 days without E5/A5/G5 license or any additional add-ons to meet forensic, internal, and compliance investigations. Is it possible to keep an audit log for more than 90 days without E5 license? Yes. Recently, when I play with the Search-UnifiedAuditLog cmdlet, it retrieved the last 365 days of audit data without any Microsoft 365 advanced auditing license.
In the below screenshot, I have retrieved July 2020 audit data, which is 365 days old data.
Unannounced but Most Welcome Feature:
Microsoft has not released any official announcement regarding long-term audit log availability for all the Microsoft 365 license types. So, you can check your tenant can retrieve the audit log for 365 days.
To check the long-term audit log capability, run the below cmdlet with a Date that is older than 90 days.
Search-UnifiedAuditLog –StartDate <StartDate> -EndDate <EndDate>
How to Keep an Audit Log for More than 365 Days?
Most organizations prefer retaining audit logs for years to support compliance investigations, respond to regulatory and legal obligations. If your organization adopts E5/A5/G5 license, then you can opt additional add-on (at additional cost) to retain an audit log for up to 10 years.
Current Challenges in Audit Log:
Even if you use advanced auditing licenses or add-ons, native Office 365 audit logging has more limitations.
- No predefined report. Admins have to set filters manually each time when they want to view related data.
- Limited searching options.
- Lacks in providing audit data in a user-friendly manner. You need to click each audit event to get additional details.
- The Audit log search can show only the last 90 days’ data only.
- Any activity can return a max of 5000 records per search. If the activity count exceeds, then the latest activity alone is displayed. So, you can’t monitor high-frequency activities like login success and failures.
We hope Microsoft will address these problems soon. Most admin tackles audit log challenges with Microsoft 365 Auditing tools like AdminDroid. How are you dealing with audit log search? You can share your experience with other admins and us through the comment section.