Audit & Audit Retention

Search and retain unified audit logs to support forensic investigations, internal investigations, and compliance obligations across Microsoft 365.

Microsoft Purview Audit provides an integrated auditing solution that helps organisations respond to security events, forensic investigations, internal investigations, and compliance obligations. The unified audit log captures and retains thousands of user and admin operations performed across many Microsoft services, enabling you to investigate what happened, who did it, and when it occurred.
LW IT Solutions implements Audit as an investigation-ready capability. We confirm audit logging is enabled, establish a least-privilege permissions model for audit access (including administrative unit scoping where appropriate), and align audit retention to your requirements. We then build practical investigation playbooks - repeatable search patterns, export workflows, and analysis guidance - so security, compliance, and IT teams can use auditing consistently. Finally, we provide runbooks and an operating cadence so your audit posture stays effective as your Microsoft 365 environment evolves.

Talk through your requirements and leave with a clear next-step plan.

Book a discovery call

Service Overview

Highlights

  • Audit readiness and configuration validation (confirm audit logging status, sources, and access model)
  • Role-based access and administrative scoping for audit searches (restricted vs unrestricted access based on admin units)
  • Audit search and investigation workflow design (search patterns, filters, and defensible documentation)
  • Export and evidence handling: structured export approach and Excel/Power Query transformation to make audit data reviewable
  • Audit retention strategy: confirm default retention and implement custom audit log retention policies where required
  • Audit (Premium) uplift where required: customised retention policies, longer retention, and higher bandwidth access to the Office 365 Management Activity API
  • SIEM/SOAR alignment: prepare audit data for security operations workflows and integrations

Business Benefits

  • Improve investigation speed and quality by standardising audit searches, exports, and evidence handling
  • Increase visibility into user and admin activity across Microsoft 365 services via the unified audit log
  • Reduce compliance risk by aligning audit retention with regulatory and internal requirements
  • Enable consistent operational use through runbooks, role guidance, and documented playbooks

Typical use cases

  • Security incident investigations: determine scope of compromise and confirm actions taken across Microsoft 365
  • Administrative activity reviews (e.g., privileged changes) with clear evidence trails and scoping controls
  • Mailbox and collaboration investigations (Exchange, SharePoint, OneDrive, Teams) where audit data is required for triage
  • Regulatory and internal audit requirements needing defined retention and export processes
  • Preparing audit data for ingestion or correlation in a SIEM (e.g., Microsoft Sentinel) to support broader detection and response

Objectives & deliverables

What Success Looks Like

  • An audit capability that is enabled, accessible to the right people, and usable for real investigations
  • A retention approach that matches your regulatory and operational requirements
  • Repeatable processes for searching, exporting, and handling audit evidence

What You Get

  • Audit readiness pack (current-state findings, access model, retention requirements, and implementation backlog)
  • Configured access model (roles, permissions, administrative scoping) for audit searching
  • Audit search playbook (common investigation queries, filters, and validation approach)
  • Export and analysis workflow (including Excel/Power Query guidance for AuditData JSON transformation)
  • Audit retention policy configuration where required (including custom audit retention policies where applicable)
  • Admin runbooks and operational handover
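The "export and analysis workflow" deliverable above turns on one practical problem: the CSV that Purview audit search exports carries each event's detail as a JSON document in the AuditData column, which is unreadable in a spreadsheet until it is expanded. The following Python script is an added example, not LW IT Solutions' or Microsoft's code, of that transformation done outside Excel. It assumes the export column names CreationDate, UserIds, Operations and AuditData, and the three sample rows (contoso.example accounts, documentation-range IPs, zeroed GUIDs) are constructed for the example. Nested objects become dotted columns, Exchange cmdlet Parameters (Name/Value pairs) become one column per parameter, and a row whose AuditData is not valid JSON is kept and flagged rather than dropped, so the reviewer can see that evidence is incomplete.

```python
"""Flatten a Microsoft Purview unified audit log CSV export so the nested
AuditData JSON becomes one wide, reviewable row per event.

Added example; not the page's or Microsoft's code. Assumes the export
columns CreationDate, UserIds, Operations and AuditData. Sample rows below
are constructed (contoso.example, RFC 5737 addresses, zeroed GUIDs).
"""
import csv
import io
import json

# Constructed sample export: two well-formed events and one row whose
# AuditData is truncated, to exercise the unparseable-JSON path.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
"2024-03-01T09:15:22.0000000Z","alice@contoso.example","Add-MailboxPermission","{""CreationTime"":""2024-03-01T09:15:22"",""Id"":""00000000-0000-0000-0000-000000000001"",""Operation"":""Add-MailboxPermission"",""RecordType"":1,""ResultStatus"":""True"",""UserId"":""alice@contoso.example"",""ClientIP"":""203.0.113.10"",""Workload"":""Exchange"",""Parameters"":[{""Name"":""Identity"",""Value"":""shared-finance""},{""Name"":""User"",""Value"":""bob@contoso.example""},{""Name"":""AccessRights"",""Value"":""FullAccess""}]}"
"2024-03-01T09:20:05.0000000Z","bob@contoso.example","FileDownloaded","{""CreationTime"":""2024-03-01T09:20:05"",""Id"":""00000000-0000-0000-0000-000000000002"",""Operation"":""FileDownloaded"",""RecordType"":6,""UserId"":""bob@contoso.example"",""ClientIP"":""198.51.100.7"",""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/finance/Q1.xlsx"",""SourceFileName"":""Q1.xlsx""}"
"2024-03-01T09:21:40.0000000Z","carol@contoso.example","UserLoggedIn","{""CreationTime"":""2024-03-01T09:21:40"",""Operation"":""UserLoggedIn"",""Wor"
'''


def _flatten(value, prefix, out):
    """Recursively flatten nested JSON into dotted keys.

    A list made only of {"Name": ..., "Value": ...} pairs (the shape of
    Exchange cmdlet Parameters and ExtendedProperties) becomes one
    prefix.Name key per item; any other list is indexed positionally.
    """
    if isinstance(value, dict):
        for key, inner in value.items():
            _flatten(inner, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(value, list):
        if value and all(isinstance(i, dict) and "Name" in i and "Value" in i for i in value):
            for item in value:
                _flatten(item["Value"], f"{prefix}.{item['Name']}", out)
        else:
            for idx, item in enumerate(value):
                _flatten(item, f"{prefix}[{idx}]", out)
    else:
        out[prefix] = value


def flatten_audit_export(csv_text):
    """Return one flat dict per export row with AuditData expanded.

    Rows whose AuditData is not valid JSON keep the raw string under
    AuditData.raw and carry AuditData.parse_error = True, so a reviewer can
    see that the evidence for that event is incomplete.
    """
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        flat = {k: v for k, v in record.items() if k != "AuditData"}
        try:
            data = json.loads(record["AuditData"])
        except (json.JSONDecodeError, TypeError):
            flat["AuditData.raw"] = record.get("AuditData")
            flat["AuditData.parse_error"] = True
            rows.append(flat)
            continue
        _flatten(data, "AuditData", flat)
        flat["AuditData.parse_error"] = False
        rows.append(flat)
    return rows


def columns(rows):
    """Union of keys across all rows, in first-seen order, for the sheet header."""
    seen = {}
    for row in rows:
        for key in row:
            seen.setdefault(key, None)
    return list(seen)


def to_review_csv(rows):
    """Write the flattened rows as a wide CSV; missing cells are left blank."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns(rows), extrasaction="ignore")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_review_csv(flatten_audit_export(SAMPLE_EXPORT)))
```

Power Query reaches the same result interactively (parse the AuditData column as JSON, then expand the record and any nested lists); the script version is useful when the same transformation has to be repeated for every export in a playbook, and the parse_error column gives a quick check that no event was lost on the way into the review sheet.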

How It Works

  1. Discovery and requirements - confirm investigation needs, retention requirements, stakeholder roles (security, IT, compliance), and existing processes.
  2. Validate audit logging and access - confirm auditing status, enable if required, implement least-privilege access and administrative scoping for audit searches.
  3. Design retention - confirm default retention behaviour and implement custom audit retention policies where required (aligned to licensing constraints).
  4. Build playbooks and exports - create practical search patterns and evidence-handling workflows, including reliable export and analysis patterns.
  5. Operationalise - deliver runbooks, train relevant roles, and establish a cadence for periodic review and improvement.

Engagement Options

  • Audit Readiness Assessment - validate configuration, access, and retention; deliver recommendations and implementation backlog
  • Audit Standard Deployment - establish access model, playbooks, exports, and operational handover for Audit (Standard)
  • Audit Premium Uplift - implement premium retention requirements and custom policies, and prepare for higher-volume exports and integrations
  • Operate - ongoing support for investigation workflows, retention changes, and audit reporting

Additional Information

Prerequisites & licensing

Audit (Standard) is enabled by default for most Microsoft 365 organisations, and audit records can be retained and searched for 180 days by default. Audit (Premium) adds capabilities such as longer default retention, customised audit retention policies, and higher bandwidth access to the Office 365 Management Activity API. We confirm the right licensing and the retention requirements during discovery using Microsoft’s official documentation and licensing guidance.
  • Default retention for Audit (Standard) is 180 days (with historical variation before October 2023).
  • Audit (Premium) includes a default policy that retains Exchange Online, SharePoint, OneDrive, and Microsoft Entra audit records for one year for appropriately licensed users; other activities default to 180 days unless adjusted with custom retention policies.
  • To retain audit logs beyond 180 days (up to 1 year) or for 10 years, the user generating the audited activity must meet the licensing requirements described by Microsoft (including add-ons where applicable).

Security & Compliance Notes

  • Audit search access can be scoped using administrative units; restricted admins can search/export within assigned scope, while unrestricted admins can access all audit logs.
  • If auditing is not enabled, it can be turned on in the Purview portal; it may take several hours after enabling before results are available in searches.
  • Custom audit log retention policies take priority over default retention and require the appropriate administrative role to create and manage.

Common Bundles

Customers who use this service often bundle it with these services

Legacy SIEM to Microsoft Sentinel Migration
Migrate legacy SIEM detections, workflows and data into Microsoft Sentinel with phased cutover that maintains monitoring continuity for security operations teams.

eDiscovery (Premium)
Configure Microsoft Purview eDiscovery Premium with defensible case setup, legal holds, collections, and review workflows for investigations and litigation support.

eDiscovery (Standard & Premium)
Configure Microsoft Purview eDiscovery so legal hold, collections, review and export workflows support investigations and regulatory requests effectively.

Insider Risk Management
Implement Microsoft Purview Insider Risk Management to detect risky internal activity, apply privacy controls, and establish repeatable investigation and response workflows.

Information Protection & Sensitivity Labels
Design and deploy Microsoft Purview sensitivity labels to classify data, apply protection controls, and support safer collaboration across Microsoft 365.

Data Loss Prevention (DLP)
Policy-driven Microsoft Purview DLP detects and controls sensitive data across Microsoft 365 and endpoints, balancing protection with user productivity.

Information Barriers
Design and deploy Microsoft Purview Information Barriers to restrict regulated collaboration, prevent conflicts of interest, and protect sensitive internal information.

Microsoft Purview E5 Information Protection & Governance Add-on Enablement
Enable Purview E5 add-on capabilities for advanced information protection, auto-labelling, records management, and governance controls beyond standard E3 features.

Get an expert-led assessment with a prioritised remediation backlog.

Request an assessment