Microsoft 365 audit log query patterns

Practical patterns for finding what you need in the unified audit log — investigations, compliance, and routine checks.

The Microsoft Purview unified audit log records administrative and user actions across Microsoft 365 — but with hundreds of event types and millions of entries per month in a busy tenant, finding what you need takes some skill. Knowing the right patterns saves hours.

Three main surfaces:

  • Purview portal → Audit — the GUI, suitable for ad-hoc searches.
  • Search-UnifiedAuditLog PowerShell cmdlet — for scripted or repeated searches, or for very large date ranges.
  • Office 365 Management Activity API — for SIEM ingestion at scale.

For one-off investigations, the GUI is fastest. For pattern-based or regular searches, PowerShell wins.

Search structure

Every audit search needs:

  • Date range — narrowest first; expand if needed.
  • Activities — specific operation types (multiple choice).
  • Users — specific user(s) involved.
  • Records — workload (Exchange, SharePoint, Entra, Teams, etc.).

Always start narrow and expand. Broad searches over months are slow.

Common investigation patterns

Mailbox compromise — what did the attacker do?

# -RecordType accepts a single value per call, so query each record type in turn.
foreach ($recordType in 'ExchangeItem', 'ExchangeAdmin') {
    Search-UnifiedAuditLog `
        -StartDate (Get-Date).AddDays(-7) `
        -EndDate (Get-Date) `
        -UserIds compromised.user@yourcompany.com `
        -RecordType $recordType
}

Look for: new inbox rules created, forwarding configured, mass-delete operations, sign-in patterns, sent items, and mailbox permission or delegation changes.

Suspicious file activity — mass downloads or shares

Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-1) `
    -EndDate (Get-Date) `
    -UserIds suspect.user@yourcompany.com `
    -Operations FileDownloaded,FileSyncDownloadedFull,SharingSet

A user suddenly downloading hundreds of files or creating many sharing links is often pre-departure data theft or compromise.

Admin changes — who did what to roles

# -RecordType accepts a single value per call, so query each record type in turn.
foreach ($recordType in 'AzureActiveDirectoryAccountLogon', 'AzureActiveDirectory') {
    Search-UnifiedAuditLog `
        -StartDate (Get-Date).AddDays(-30) `
        -EndDate (Get-Date) `
        -RecordType $recordType `
        -Operations "Add member to role.","Remove member from role."
}

Useful for compliance reviews — who got Global Admin lately, who got Compliance Administrator, etc.

OAuth consent grants

Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory `
    -Operations "Add OAuth2PermissionGrant.","Consent to application."

Track when users granted OAuth consent to apps. A burst of consents to an unfamiliar app is the footprint of OAuth consent phishing, so this is a query worth running routinely rather than only after an incident.

Sensitivity label changes

Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations "SensitivityLabelApplied","SensitivityLabelChanged","SensitivityLabelRemoved"

Useful for tracking labelling adoption and detecting users downgrading labels inappropriately.

Sharing audit

Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) `
    -Operations SharingInvitationCreated,AnonymousLinkCreated,SecureLinkCreated

Visibility into external sharing patterns.

Performance tips

  • Narrow date ranges first — searches over weeks are dramatically slower than days.
  • Specific UserIds are faster than broad workload searches.
  • -ResultSize 5000 is the max per call — to page through larger result sets, pass the same -SessionId on each call together with -SessionCommand ReturnLargeSet (up to 50,000 records per session).
  • Export results to CSV for offline analysis with Excel / Power BI.
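As an added example (not code from the original page), the mailbox-compromise search above run with these tips applied: one record type per call, paginated with a session ID, the AuditData JSON flattened, and everything exported to CSV with the inbox-rule and forwarding changes surfaced first. It assumes an existing Connect-ExchangeOnline session; the user address, the session-ID label and the output path are placeholders.

```powershell
# Added example, not part of the original page. Assumes Connect-ExchangeOnline has
# already been run; $User and the session-ID label are placeholders you replace.
param(
    [string]$User   = 'compromised.user@yourcompany.com',   # placeholder
    [int]$Days      = 7,
    [string]$OutCsv = ".\audit-$((Get-Date).ToString('yyyyMMdd-HHmm')).csv"
)

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date
$all   = New-Object System.Collections.Generic.List[object]

# -RecordType takes one value per call, so loop over the workloads of interest.
foreach ($recordType in 'ExchangeItem', 'ExchangeAdmin') {
    $sessionId = "mbx-$recordType-$([guid]::NewGuid())"   # any unique label works
    do {
        # ReturnLargeSet pages through up to 50,000 records per session, 5,000 per call.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -UserIds $User -RecordType $recordType `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($rec in $page) {
            # AuditData is a JSON string; flatten the fields an investigator reads first.
            $d = $rec.AuditData | ConvertFrom-Json
            $all.Add([pscustomobject]@{
                CreationDate = $rec.CreationDate
                RecordType   = $rec.RecordType
                Operation    = $rec.Operations
                User         = $rec.UserIds
                ClientIP     = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
                ClientApp    = $d.ClientInfoString
                Parameters   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            })
        }
    } while ($page -and $page.Count -eq 5000)
}

# Surface the inbox-rule, forwarding and delegation changes that typically signal compromise.
$flagged = $all | Where-Object {
    $_.Operation -in 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox','Add-MailboxPermission'
}
$all | Export-Csv -Path $OutCsv -NoTypeInformation
"{0} records exported to {1}; {2} rule/forwarding/permission events flagged" -f $all.Count, $OutCsv, $flagged.Count
$flagged | Sort-Object CreationDate | Format-Table CreationDate, Operation, ClientIP, Parameters -AutoSize
```

The Parameters column is where a forwarding address or a rule's MoveToFolder target shows up, so it is the first thing to read in the flagged rows.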

Audit retention by tier

  • Microsoft 365 / Office 365 E3: 180 days.
  • Microsoft 365 / Office 365 E5: 1 year.
  • Audit (Premium) add-on: 10 years with custom retention policies.

For investigations of events older than retention, the data is gone — there's no recovery. Plan retention deliberately for compliance use cases.

For SOC teams, building a library of saved audit queries pays back dramatically over time. What's a 20-minute investigation today becomes a 2-minute one once the right query is saved.