Audit Reader
Can search and export audit records through the Purview role group’s View-Only Audit Logs permission. Use for most analysts, auditors, and investigators who do not need to change audit settings.
Licensing, event coverage, retention, search, investigation, APIs, evidence, and governance
Prepare Microsoft Purview Audit Premium as an investigation and evidence service—not a checkbox license. Verify auditing and user eligibility, separate readers from administrators, model which events receive which retention, enable crucial search-query events, validate high-value activity, run reproducible UTC searches, reconcile export limits and duplicates, feed approved monitoring systems, protect audit evidence, and test the entire incident workflow before a real compromise.

Operating objective
Microsoft Purview Audit provides a unified audit log for thousands of activities across Microsoft 365 services. Audit Premium includes the Standard capabilities and adds longer, policy-driven retention, intelligent investigation signals, and higher-bandwidth access to the Office 365 Management Activity API. None of those benefits automatically proves that the tenant is ready for an incident, regulatory request, insider investigation, or litigation hold.
Readiness has five dependencies: the tenant must generate the event, the person whose activity creates the event must have the required eligibility where Premium benefits depend on user licensing, a retention rule must keep the event long enough, an authorized investigator must know how to find and interpret it, and the organization must preserve exported evidence outside the temporary search workspace. A license assigned only to the investigator does not retroactively create or extend every other user’s historical data.
Audit evidence also has limits. It records supported user, administrator, application, system, and policy operations; it is not packet capture, message-body journaling, endpoint forensic imaging, Entra sign-in telemetry for every investigative field, or an immutable SIEM archive. Coverage and properties vary by workload, operation, actor type, license, mailbox configuration, application context, ingestion behavior, and Microsoft service changes. Build the investigation plan around documented events and independent corroboration.
Control statement: The audit program must document tenant audit status, license-entitled populations, expected events and properties, custom retention policies and priority, role assignments, search and export procedures, API/SIEM collection, time handling, evidence custody, privacy boundaries, investigation use cases, validation tests, exception owners, monitoring, and rollback before Audit Premium is relied upon.
Capability and license boundary
| Capability | Audit Standard | Audit Premium | Readiness decision |
|---|---|---|---|
| Unified audit logging and search | Supported for appropriate subscriptions; thousands of events, portal search, PowerShell, Graph Audit Search, CSV export, and Management Activity API access. | Includes Standard capabilities. | Verify auditing is actually enabled. Microsoft notes that some SMB subscriptions do not enable it by default. Record the enablement date because older events cannot be recreated. |
| Default retention | 180 days for audit records generated on or after October 17, 2023; older Standard data followed the earlier 90-day default. | One year by default for licensed-user events in Exchange, SharePoint, OneDrive, and Microsoft Entra; other workloads normally remain 180 days unless a qualifying custom policy applies. | Map the event-generating user’s license and the record’s Workload/record type. Do not describe “the tenant” as one retention duration. |
| Custom audit retention policies | Not a Standard feature. | Policies can select users, record types, activities, duration, and priority; the organization can have up to 50 policies. | Build from regulatory and incident requirements. A custom policy overrides the default, including when it is shorter. |
| Extended retention | Not beyond the applicable Standard default through Premium retention policy controls. | Up to one year with qualifying Premium licensing; multi-year and 10-year options require the Audit Log Retention add-on and applicable user licensing. | Validate add-on assignment for the people generating records. Long retention is not a substitute for an external evidence or SIEM strategy. |
| Intelligent insights and high-value properties | Core events and properties supported by the Standard service/license. | Additional investigation value for events/properties such as mailbox-item access, replies/forwards, user searches, and Premium-specific properties across supported workloads. | List the exact Operation and required property, then test with a licensed user. Marketing names are not evidence of field availability. |
| Management Activity API bandwidth | Baseline tenant access, initially 2,000 requests per minute and dynamically adjusted. | Microsoft states E5/A5/G5 tenants receive about twice the bandwidth of non-E5 tenants, subject to seat-based adjustment and service caps. | Design checkpointing, backoff, monitoring, deduplication, late-arrival handling, and outage recovery; higher bandwidth does not guarantee ingestion completeness. |
Licensing must be validated against Microsoft’s current product terms and service description. Premium value is often tied to the user who performs the audited activity, not only the administrator who searches. Include guests, service accounts, shared mailboxes, unlicensed administrators, frontline users, executives, high-risk roles, departing staff, and newly acquired users in the coverage decision.
Roles and separation of duties
Can search and export audit records through the Purview role group’s View-Only Audit Logs permission. Use for most analysts, auditors, and investigators who do not need to change audit settings.
Can search/export and manage audit settings through Audit Logs and View-Only Audit Logs roles. Restrict this role, require separate privileged accounts, record changes, and avoid using it as a convenience role for every responder.
The Organization Configuration role is required to create or modify audit-log retention policies. Separate policy design/approval from daily investigation and use a peer-reviewed change ticket for priority, scope, or duration changes.
Exchange audit roles are still required for audit cmdlets and enable/disable operations. Graph and Management Activity API access require separate application permissions, consent, credential governance, monitoring, and least-privileged service principals.
Access rule: Global Administrator is not the routine audit-investigator role. Use the smallest Purview, Exchange, Graph, and application permissions that perform the approved task; monitor searches and exports; recertify access; remove guests and temporary responders; and maintain an emergency path with independent approval.
Retention architecture
| Retention layer | What controls it | Key behavior | Evidence and validation |
|---|---|---|---|
| Standard default | Audit status, eligible base subscription, event date, and user/workload behavior. | 180-day default for modern Standard audit records. Auditing must have been enabled when the activity occurred. | Audit status, enablement date, user license, test event, creation time, expiration expectation, and successful search near the boundary. |
| Premium one-year default | Qualifying E5/Purview Suite or eDiscovery and Audit add-on assigned to the user generating the event. | One-year default applies to Exchange, SharePoint, OneDrive, and Microsoft Entra Workload values for eligible users; guests and non-E5 users normally receive 180 days. | License snapshot, user population report, Workload/record type, event date, expected lifetime, sampling at 180+ days, and exceptions. |
| Custom Premium policy | Users or all users, one/multiple record types, optional activities for a single record type, duration, and numeric priority. | Any custom policy takes precedence over the default. A lower priority number wins. A broad higher-priority policy can shadow a narrower policy; a shorter custom duration can reduce the one-year default. | Exported policy inventory, scope, priorities, conflict analysis, approval, test events, effective result, and rollback record. |
| Multi-year retention | Qualifying Premium and Audit Log Retention add-on assigned to the event-generating user, plus a matching policy. | Microsoft exposes multi-year choices and a 10-year option with the required add-on. Entitlement must exist for the users whose records are retained. | Product terms, add-on assignments, policy, legal/regulatory rationale, cost owner, sampled events, and renewal/offboarding control. |
| External SIEM or archive | Management Activity API or other supported collection path, application permissions, subscriptions, checkpoints, storage, and independent retention. | Provides operational analytics, correlation, alerts, or retention independent of the portal window. API output may include duplicates and late content; collection can be throttled or fail. | Subscriptions, app identity, collection lag, blob/checkpoint inventory, duplicate strategy, health alerts, storage immutability, access, recovery test, and deletion policy. |
Non-retroactivity warning: The audit item’s lifetime is established as it enters the auditing pipeline under the applicable license and policy. Do not assume a newly assigned license or policy can recover an event that expired or was never generated. Preserve critical evidence externally when the business requirement exceeds portal availability.
Twelve-step readiness runbook
List incident, fraud, insider, privacy, legal, administrative-change, data-sharing, mailbox, application, and policy use cases. For each, define event, property, actor, source, retention, latency, search, corroboration, alert, evidence, and owner.
Confirm unified auditing in Purview and Exchange; record when it was enabled; check SMB/manual-enable exceptions; protect the enable/disable role; search for audit-configuration changes; and create an alert/escalation for unexpected disablement.
Inventory E5/Purview Suite/add-on eligibility by user, group, role, executive, responder, service account, guest, shared mailbox, contractor, location, and acquisition population. Compare intended versus effective license assignment and capture gaps.
Assign Audit Reader for routine search/export, limit Audit Manager and Organization Configuration, separately govern Exchange cmdlet and Graph/API permissions, use privileged accounts, MFA/Conditional Access, approvals, logging, and quarterly recertification.
Translate requirements into default and custom policies. Model user, record type, activity, duration, priority, add-on, cost, conflict, shorter-policy risk, and external archive. Obtain legal/compliance approval before change.
Explicitly enable SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint where required, verify mailbox audit settings and customized mailboxes, and document Premium-dependent events/properties. Avoid blindly adding actions unsupported for the mailbox or license.
Using approved test accounts, perform identity, mailbox, file, sharing, Teams, admin, application-consent, search, and security operations. Record exact UTC/local time, actor, target, workload, client, IP expectation, operation, property, and correlation identifiers.
Run named portal search jobs, PowerShell, Graph Audit Search, and API collection as applicable. Test UTC boundaries, operation versus friendly name, user/service account, shared mailbox, keyword/common-schema behavior, workload, file/site, admin unit, result limits, and duplicates.
Build a timeline using sign-ins, token/session context, role/consent changes, mailbox access, rules/forwarding, send/reply/forward, searches, file access/sharing, Teams/app activity, quarantine/security actions, and corroborating Defender/Entra/endpoint/network evidence.
Segment large searches, preserve exact criteria and job IDs, export raw CSV/AuditData, retain schemas and activity references, calculate hashes, record analyst/time/tool, store originals securely, issue controlled working copies, and log custody and disposition.
Confirm subscriptions, permissions, secrets/certificates, polling/webhook path, checkpoints, late-arrival window, deduplication, throttling/backoff, schema change, storage, alerting, outage recovery, and replay. Compare source samples with ingested records.
Monitor audit status, eligible-user coverage, policy conflicts, search/export success, collection lag, gaps, throttling, access, investigations, evidence, and Microsoft roadmap changes. Assign remediation, retest failures, and preserve before/after records.
Search engineering
Use an incident/matter ID, hypothesis, actor/workload, UTC range, and version. Preserve filters, friendly and operation names, users, admin units, file/site, workload, keyword, creation time, creator, status, count, export, and interpretation.
The current Purview search interface supports a maximum 180-day range per search job and up to 10 parallel jobs per user. Segment longer or high-volume investigations; do not run broad “all activities/all users” searches that exceed export capacity.
Friendly names help analysts, but PowerShell, policies, alert rules, and exported records rely on exact Operation/record-type values. Consult the current activity and schema references; some operation names include punctuation that must be preserved.
The portal’s keyword field searches indexed common-schema content and selected item/file/site fields; it does not free-text search every property inside raw AuditData JSON. Export and parse AuditData or use the appropriate API/filter for deeper fields.
For shared-mailbox investigations, Microsoft recommends using the primary SMTP address or Exchange GUID in Keywords rather than Users. Distinguish owner, delegate, admin, application, service principal, system, and impersonated actions.
The portal search result total removes duplicates, while the Management Activity API does not automatically deduplicate. Export limits can differ by search experience. Segment by UTC time, workload, operation, or user; preserve each slice and prove gap/overlap handling.
Evidence rule: A screenshot of filtered results is not the complete record. Preserve the search definition, job metadata, raw export, AuditData JSON, source schema/version, time zone, investigator notes, hashes, and any missing/duplicate/limit reconciliation.
Investigation signal design
| Investigation question | Audit signals to validate | Important caveat | Corroborating evidence |
|---|---|---|---|
| Which messages or folders did the actor access? | MailItemsAccessed with MailAccessType, client/application/session properties, actor, mailbox, item/folder context, and timestamps. | Sync can create a folder-level event rather than one event per item; operation behavior and properties depend on license, access path, and mailbox auditing. | Entra sign-ins, token/session IDs, Defender incident, endpoint/browser telemetry, message trace, mailbox configuration, and user interview. |
| Did the actor send, reply, forward, delete, or move mail? | Send, SendAs, SendOnBehalf, Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, and relevant mailbox operations. | Owner/delegate/admin audit sets differ; shared mailbox search needs the right field; application actions might identify a service principal rather than a person. | Message trace, mailbox rules/forwarding, delegate permissions, sent-item configuration, recipients, DLP/Defender, and recovered content. |
| What did the user search for? | SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint plus supported query/context properties. | These crucial events must be explicitly enabled and tested. A missing event can mean disabled capture, unsupported context, license gap, latency, or incorrect search—not proof no search occurred. | Browser/endpoint history where authorized, eDiscovery activity, SharePoint/Exchange context, DLP/insider alerts, and user/account timeline. |
| Was access or policy changed? | Role, group, Conditional Access, authentication, application-consent, sensitivity/DLP/retention, sharing, mailbox, transport, Teams, and Purview configuration events. | Operation names and service schemas change; administrative action can be performed by a portal, PowerShell, API, managed identity, or Microsoft service. | Entra audit/sign-in logs, change ticket, configuration snapshots, Graph/Exchange history, Defender alerts, and administrator interview. |
| Was data accessed or shared? | SharePoint/OneDrive file access, download, sync, link, sharing, invitation, permission, label, DLP, Teams message/app, and related operations. | High-volume sync/service activity can obscure human behavior; IP and user agent can be proxies/services; not every content detail is present in the audit record. | File version/permissions, sharing report, endpoint/cloud-app telemetry, DLP alert, Defender for Cloud Apps, network logs, and recipient confirmation. |
| Did an application act on the user’s behalf? | AppId, ClientAppId, AppAccessContext, service-principal, consent, token/session, mailbox/Teams/SharePoint operations, and actor type. | A user field alone can misattribute application activity. Some premium properties require eligible licensing; managed/service operations may use different identities. | Entra service-principal sign-ins, consent grants, app roles, access reviews, Defender for Cloud Apps, application logs, and secret/certificate activity. |
API, SIEM, and evidence pipeline
Use the portal for interactive investigations, Search-UnifiedAuditLog for controlled scripts, Graph Audit Search for programmatic search jobs, and the Management Activity API for continuous workload subscriptions and SIEM/archive ingestion. Document which path is authoritative for each use case.
Use a dedicated Entra application or managed identity where supported, minimum API permissions, admin-consent record, certificate/secret rotation, Conditional Access/workload-identity controls, owner, inventory, alerts, and an emergency revocation procedure.
Track every tenant/content-type subscription, webhook/polling schedule, content blob ID, first/last seen time, checkpoint, response, retry, and storage object. Never advance a checkpoint until the content is durably written and validated.
The API does not de-duplicate like the portal result total. Use a stable event identity and documented fallback keys, retain an overlap window, handle updates/late blobs, and measure duplicate and late-arrival rates without discarding distinct events.
Honor retry guidance, exponential backoff, service health, dynamic quotas, publisher/tenant behavior, timeouts, certificate expiry, permission loss, storage failures, and schema changes. Alert on lag before the portal retention window closes.
Separate raw immutable or write-controlled audit objects from normalized analytics. Preserve original JSON, ingestion metadata, schema version, transformation code, hashes, access logs, encryption, geography, retention, backup, recovery, and deletion approvals.
Top Audit Premium risks and misconfigurations
The people generating crucial events are not eligible, so longer retention or premium properties do not apply as expected.
An SMB or unmanaged tenant never enabled unified auditing, or an authorized role disabled it without an alert.
Guests, non-E5 users, other workloads, record types, and custom shorter policies are ignored.
A low-number, wide-scope policy shadows the intended narrow policy and silently changes effective retention.
A new license or retention rule is expected to recover historical events that were never generated or already aged out.
Investigators expect Exchange/SharePoint search insight but the crucial events were not explicitly activated and tested.
Investigators receive excessive tenant power instead of Audit Reader, while searches/exports are poorly recertified.
Duplicate removal, UTC boundaries, keyword scope, service latency, limits, actor type, and missing properties are not considered.
Expired credentials, throttling, missed blobs, checkpoint errors, schema changes, or storage failure create an unnoticed data gap.
Criteria, AuditData, schemas, hashes, time zone, analyst, source job, and secure evidence storage are not retained.
Evidence, metrics, and recurring control
Verify audit status, crucial-event samples, eligible-user changes, retention-policy changes, collector lag/errors, privileged access, investigations, open gaps, and Microsoft service notices.
Recertify roles/apps, reconcile licensing, analyze policy priority/conflicts, test portal/PowerShell/API searches, simulate a compromise, sample SIEM completeness, and test evidence recovery.
Revalidate legal/regulatory retention, add-on value, high-risk populations, use cases, privacy, data residency, vendor/SIEM contracts, storage cost, investigation lessons, runbooks, and disposition.
Related architecture and authoritative references
Frequently asked questions
No. The one-year default applies to qualifying users’ Exchange, SharePoint, OneDrive, and Microsoft Entra audit records. Other workloads normally retain 180 days unless a qualifying custom policy applies. Guest and non-E5 user records normally remain 180 days. Custom policies take precedence and can shorten retention. Map the user license, Workload/record type, activity, and effective policy.
Investigators need the permissions and applicable license to use their tools, but many Premium retention and high-value-event benefits depend on licensing the user who generates the audited activity. Build a coverage matrix for the populations whose events must receive Premium treatment. Assigning a license after an event expired or was never generated does not recreate history.
Not always. Microsoft states that auditing is not enabled by default for certain SMB licenses, including Business Basic, Business Standard, and Business Premium. Verify the tenant’s actual unified-auditing state, record the enablement date, restrict the role that can disable it, and generate known test events. Do not infer status from the presence of the Audit solution card.
Possible causes include auditing disabled at the time, event outside retention, wrong UTC range, incorrect operation/record type, keyword searching only common-schema fields, user versus shared-mailbox field selection, service or ingestion latency, unsupported activity/property, mailbox audit customization, missing Premium eligibility, API collection gaps, or a search/export limit. Test the exact path and corroborate with other telemetry.
No. Purview Audit is the Microsoft 365 audit source and investigation interface. A SIEM provides continuous ingestion, normalization, correlation, analytics, alerting, case workflow, broader source context, and independent retention. Organizations can use the Management Activity API or supported connectors, but must monitor credentials, subscriptions, lag, duplicates, throttling, schemas, storage, and recovery.
No. It is an operational readiness guide. Incident scoping, employee monitoring, privacy, cross-border transfers, legal hold, privilege, evidence admissibility, regulatory retention, and disciplinary use require qualified legal, privacy, HR, forensic, and compliance guidance. A checklist does not replace tenant-specific validation, a professional cybersecurity audit, forensic investigation, or legal review.
Evidence-first Microsoft 365 operations
IT Perfection can help Orange County and Southern California organizations map licensing and event coverage, design audit retention policies, validate critical events, test investigation searches, harden API/SIEM collection, document evidence custody, and coordinate Microsoft 365 operational remediation with internal IT, legal, privacy, and compliance owners.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.
This guide is for initial operational guidance only. It does not replace legal advice, a professional cybersecurity audit, a compliance assessment, forensic investigation, penetration test, incident-response engagement, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.