Updated 11 months ago

Default Microsoft 365 Audit Logging Retention Period Extended to 180 Days for Free!

by Kavya

3 min read

No Comments

Microsoft Purview Auditing plays a crucial role in maintaining security, identifying threats, conducting forensic investigations, and complying with regulations. Microsoft understands the challenges faced by IT admins and has taken a significant step forward with a recent update to its Microsoft Purview Audit. This update introduces several groundbreaking features, particularly for standard customers, without any additional cost! In this blog post, we will explore the latest advancements and how they benefit organizations and IT admins alike.

Expanded Microsoft 365 Audit Logging Capabilities at No Additional Cost

Starting from October 2023, the recent Microsoft Purview Audit update brings an array of expanded logging capabilities for standard customers at no additional cost, thanks to a collaborative partnership with Cybersecurity and Infrastructure Security Agency (CISA). It includes,

  • The extension of the default audit log retention period from 90 to 180 days for standard customers. .
  • 30+ new activities, such as Mail Item Accessed, Teams message read, Teams chat created, etc., have been added to the audit log, which were previously exclusive to the Microsoft Purview Audit (Premium) subscription.

This enhancement empowers IT admins to gain deeper visibility into their organization’s security data, enabling them to respond proactively to potential threats.

Default Microsoft 365 Audit Logging Retention Period Doubled!

In the past, Microsoft 365 admins faced challenges when trying to access audit log data beyond the initial 90-day window for basic plans (Premium licenses have the ability to keep the audit logs for up to 10 years). Although some customers could retrieve audit data up to one year with basic licenses, this feature was inconsistent and not available to all.

With the recent update, all Microsoft 365 customers now have access to a longer retention period, allowing them carry out in-depth forensic investigations, spot patterns, and identify potential threats that might have gone unnoticed previously.

Unlocking 30+ New Audit Events for Microsoft 365 Users

Microsoft has made available more than 30 new audit events for Microsoft 365 users. These security logs play a critical role in detecting and preventing threat activities. Previously, these events were only accessible at an additional cost for organizations with the Microsoft basic enterprise license.

However, with the latest update, Microsoft is offering these logs to its customers at no extra charge, enabling them to bolster their cyber defense and incident response capabilities.

New events include,


  • Send,
  • MailItemsAccessed,
  • SearchQueryInitiatedExchange


  • StreamInvokeGetTranscript,
  • StreamInvokeChannelView,
  • StreamInvokeGetTextTrack,
  • StreamInvokeGetVideo,
  • StreamInvokeGroupView

Yammer (Viva Engage)

  • ThreadViewed,
  • ThredAccessFailure,
  • MessageUpdated,
  • FileAccessFailure,
  • MessageCreation,
  • GroupAccessFailure

Microsoft Teams

  • MeetingParticipantDetail,
  • MessageSent,
  • MessagesListed,
  • MeetingDetail,
  • MessageUpdated,
  • ChatRetrieved
  • MessageRead,
  • MessageHostedContentRead,
  • SubscribedToMessages,
  • MessageHostedContentsListed,
  • ChatCreated,
  • ChatUpdated,
  • MessageCreatedNotification,
  • MessageDeletedNotification,
  • MessageUpdatedNotification

SharePoint Online

  • SearchQueryInitiatedSharepoint

Among the new audit events, the most noteworthy is the detailed logs of email access. This addition provides organizations with invaluable insights into email-related activities, enabling them to monitor and secure their email communication effectively.

The Welcome Move!

Microsoft’s commitment to improving security and empowering IT admins shines through with the latest update to Microsoft Purview Audit. The expanded logging capabilities, longer retention period, and access to new audit events are game-changing improvements that bolster an organization’s security posture.

Some claim that this update was prompted by the recent hack “Storm-0558,” where the attacker used a stolen Microsoft account (MSA) key to forge access tokens and gain unauthorized access to email accounts in more than 25 organizations, including U.S. government agencies. Despite the speculations, this update is undoubtedly a welcome move by Microsoft.

Share article