Follow me on Twitter @AntonioMaio2

Monday, April 10, 2017

Office 365 Audit Log Data - How long are my logs retained for?

I'm a big fan of the Unified Audit Log in Office 365. It's a fantastic tool for monitoring user activity for suspicious behavior, getting automated alerts when particular activities occur and investigating data breaches. I'm talking about the central logging facility within Office 365 that collects log data from many Office 365 workloads, and can be searched in the Office 365 Security and Compliance Center: Go to > Click Search & Investigate > Click Audit Log Search.

I often get asked the question, how long are Office 365 log entries stored or retained for? There are several answers...

Office 365 Unified Audit Log

Microsoft has stated that audit log entries in the Unified Audit Log are stored for 90 days.

As an admin, you cannot modify this retention period. Once the age of any log entry passes 90 days, it's supposed to be purged from the log. However, I've tested this on several occasions and found that log entries can still be found in the system after the 90 day mark, as in the following example to the right.

Notice in the screenshot, the current date is April 8, 2017 but there are log entries showing up from the week of Dec 5, 2016.

Exchange Online Mailbox Audit Entries

The Unified Audit Log does not include Exchange mailbox data unless you enable Exchange Mailbox Auditing for each mailbox in your tenant. This can only be done through PowerShell. Here is an example of a simple script that you can use to enable mailbox auditing on all mailboxes in your tenant and configure a few useful settings:

# Retrieve mailboxes for all users (-ResultSize Unlimited lifts the default 1000-result cap)
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    # Only configure mailboxes that do not have auditing enabled yet
    if ($mailbox.AuditEnabled -eq $false) {
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
        # Actions to log for the mailbox owner, for administrators and for delegates
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
    }
}

Once enabled, Exchange Online mailbox audit data is retained by default for 90 days.

Notice the parameter used in the 7th line of my script: -AuditLogAgeLimit. This parameter is the number of days that Exchange mailbox audit data is retained for. The way Exchange mailbox auditing works is that Exchange Online actually stores audit log data for a particular mailbox within the mailbox itself, in a hidden folder. There is a background synchronization process which transfers this log data multiple times per day from Exchange Online to the Office 365 Unified Audit Log - mailbox audit events are transferred to the unified audit log every 30 minutes. In this PowerShell example, I'm setting that parameter to 90 days, which is the default setting. However, you can set it higher - to 180 days for example. Although the Unified Audit Log is supposed to purge data after 90 days, audit data in Exchange Online mailboxes will be retained longer if you set this parameter higher.

You can search mailbox audit data through the Office 365 Unified Audit Log, but you can also search mailbox audit data specifically using the following PowerShell:
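A search of this kind, as an added example rather than the author's original script: it shows the audit settings and retention configured for one mailbox, then lists administrator and delegate access recorded in its mailbox audit log. The mailbox address is a placeholder and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online
# PowerShell session; the mailbox address is a placeholder.
$mailbox = 'user@example.com'
$days    = 90    # keep the window within the mailbox's -AuditLogAgeLimit

# Confirm auditing is on and see which actions and retention are configured.
Get-Mailbox -Identity $mailbox |
    Format-List AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin |
    Out-Host

# Pull non-owner (administrator and delegate) activity with full event detail.
$entries = @(Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate `
                -StartDate (Get-Date).AddDays(-$days) -EndDate (Get-Date) `
                -ShowDetails -ResultSize 10000)

# Summary: who performed which operation, most frequent first.
$entries | Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-Host

# Event-level timeline for review.
$entries | Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  OperationResult, FolderPathName, ItemSubject, ClientIPAddress |
    Format-Table -AutoSize | Out-Host
```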


Advanced Security Management (ASM)

If you have an E5 license or you have the Advanced Security Management license add-on, then ASM will subscribe to the unified audit log and transfer audit log data from Office 365 to its associated Azure instance. You cannot access this Azure instance because it's used internally by ASM; however, you can search audit log entries in ASM by using its audit log UX. To start this audit log transfer process, the first time you access ASM you'll be asked to select a checkbox labeled "Turn on Advanced Security Management in Office 365" and click the "Go to Advanced Security Management" button.

The audit log entries within ASM start with log data transferred from the Office 365 unified audit log. However, they are enhanced with heuristics, with data from the Microsoft Intelligent Security Graph, with IP address ranges and user groups that you identify in ASM, and finally with data that's collected as you manage ASM Alerts.

Advanced Security Management will retain this audit log data for 6 months.

Other Options

If you need to retain audit log data for longer periods of time, there are other options available:
  • You can download log data from the Unified Audit Log using PowerShell: Search-UnifiedAuditLog. You can run a script calling this command for the current day, on a daily basis scheduled using a Windows scheduled task, and store the resulting log file on premises for as long as you want.
  • You can use the PowerShell cmdlet mentioned to download audit log data daily and integrate it into an on-premises SIEM solution.
  • You can subscribe to one of several hosted solutions which integrate with the Office 365 Unified Audit Log and store audit log entries longer term. An example of one of these solutions is Microsoft Operations Management Suite. This solution will subscribe to the Unified Audit Log in your tenant using the Management Activity API and it will store entries for as long as you wish. You can get more information on this integration here: Microsoft Operations Management Suite with Office 365.
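The daily export described in the first two options, as an added example that is not the author's script: it pulls the most recent complete UTC day (rather than the partial current day) from Search-UnifiedAuditLog in hourly, paged queries and writes a CSV plus a SHA-256 hash that can be archived or fed to a SIEM. The archive folder `C:\AuditArchive` is a placeholder and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online
# PowerShell session; C:\AuditArchive is a hypothetical archive folder.
param(
    [string]$ArchiveDir = 'C:\AuditArchive'
)

# Export the most recent complete UTC day so each run yields one full file.
$dayEnd   = (Get-Date).ToUniversalTime().Date
$dayStart = $dayEnd.AddDays(-1)
$outFile  = Join-Path $ArchiveDir ("UnifiedAuditLog-{0:yyyy-MM-dd}.csv" -f $dayStart)
if (Test-Path $outFile) { throw "Refusing to overwrite existing archive $outFile" }

$records = New-Object System.Collections.Generic.List[object]

# Query hour by hour: a paged session returns at most 50,000 records, so smaller
# windows keep a busy tenant under that ceiling.
for ($h = 0; $h -lt 24; $h++) {
    $from      = $dayStart.AddHours($h)
    $to        = $from.AddHours(1)
    $sessionId = "export-{0:yyyyMMddHH}-{1}" -f $from, [guid]::NewGuid()

    do {
        # Repeating the call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog -StartDate $from -EndDate $to `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        foreach ($r in $page) { $records.Add($r) }
    } while ($page.Count -gt 0)
}

# De-duplicate defensively on the per-record Identity, then order by time.
$unique = @($records | Sort-Object -Property Identity -Unique | Sort-Object CreationDate)

$unique | Select-Object CreationDate, UserIds, RecordType, Operations, Identity, AuditData |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Store a hash next to the file so later changes to the archive are detectable.
(Get-FileHash -Path $outFile -Algorithm SHA256).Hash | Set-Content -Path "$outFile.sha256"
Write-Output ("{0} records written to {1}" -f $unique.Count, $outFile)
```

The AuditData column holds the full event as JSON, so keep it intact in the archive even if the SIEM only indexes the other columns.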

More Information...

Microsoft documentation on searching the Office 365 Unified Audit Log can be found here: Search the audit log in the Office 365 Security & Compliance Center.

You can find more information on Advanced Security Management on this blog at this series of articles:



  1. Antonio,

    Great presentation at SharePoint Saturday NYC.
    I'm the one who questioned the 90 day maximum retention period for the Unified Audit Log in Office 365.

    It appears that the PowerShell cmdlet auditLogTrimmingRentention parameter = no. of days accepts values up to 2,147,483,647 days, or just over 58796 centuries.
    So a measly value of 7 years or 2520 shouldn't be much.

    It appears to be available with SharePoint 2013 on-premises.

    -Oliver Sawtelle
