Microsoft Purview audit retention

How long Microsoft 365 retains audit logs by default, what Audit (Premium) adds, and how to think about retention.

The Microsoft Purview audit log records administrative and user activity across Microsoft 365 — mailbox access, file activity, sign-ins, permission changes, Copilot interactions, eDiscovery operations. How long that data is retained matters for compliance and incident investigation. Different licence tiers offer dramatically different defaults.

Default retention by tier

  • Microsoft 365 / Office 365 E3: 180 days of audit log retention.
  • Microsoft 365 / Office 365 E5: 1 year of audit log retention.
  • Audit (Premium) add-on: 10 years of retention with longer-term storage and additional events.

The difference between 180 days and 1 year is whether you can investigate something that happened 7 months ago. The difference between 1 year and 10 years matters for long-running compliance regimes (financial services record-keeping, healthcare audit).

What's logged

Hundreds of event types across:

  • Exchange — message send, receive, delete, mailbox sign-in, mailbox permission change, transport rule, eDiscovery hold actions.
  • SharePoint and OneDrive — file access, edit, share, sync, permission change.
  • Microsoft Teams — channel and chat events, meeting events, app installs.
  • Entra ID — sign-ins (also in Entra-specific logs), role assignments, application consent, conditional access policy changes.
  • Power Platform — environment, flow, app activity.
  • Microsoft 365 Copilot — prompts and grounding (with appropriate Purview audit configuration).
  • Compliance and security operations — eDiscovery, sensitivity label applications, DLP detections.

Audit (Premium)

The Audit (Premium) add-on extends beyond basic retention with:

  • 10-year retention (vs 1 year on E5).
  • High-bandwidth Office 365 Management Activity API — faster export to SIEM at scale.
  • Critical events — additional event types (Mail Read for example, useful in BEC investigations).
  • Customisable audit log retention policies — set different retention per event type and user group.

For tenants subject to long-term record-keeping rules — SEC 17a-4, FINRA, MiFID II — Audit (Premium) is typically required.

Custom retention policies

With Audit (Premium), you can define custom retention policies that override the defaults. Examples:

  • Executives get audit log retention of 10 years.
  • General users get 1 year.
  • Privileged operations (admin actions) retained 10 years.
  • Regular file activity retained 1 year.

Policies are configured in Purview portal → Audit → Audit retention policies.

Operational considerations

  • Audit log isn't free of cost — Audit (Premium) adds licensing per user.
  • Search performance — large queries over years of data can be slow; use targeted searches.
  • API access — for high-volume integrations with SIEM or analytics tools, use the Office 365 Management Activity API.
  • Audit deletion — there's no manual delete; retention expiration is the only path to removal.
  • Long-term storage — for retention beyond 10 years, export to your own long-term storage.

Default policy after April 2024

Microsoft now turns audit logging on by default in all new tenants. Tenants created before that may need to verify it's enabled (Search-UnifiedAuditLog in Exchange Online PowerShell tests it). If it's off, turn it on immediately — you can't audit historical events you didn't log.

Practical advice

For most Microsoft 365 customers:

  • Verify audit is on in the tenant.
  • Know your retention — 180 days (E3), 1 year (E5), or 10 years (Audit Premium).
  • Configure your SIEM to ingest the audit log via the Management Activity API for cross-tenant correlation and longer retention.
  • Test investigation queries — practice running a query for a specific event so you can do it under pressure.
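The first and last checks in this list can be rehearsed together from Exchange Online PowerShell. The script below is an added example, not part of the original page or of Microsoft's documentation; the admin UPN is a placeholder, and the operation name and seven-day window are constructed sample values for a mailbox permission change query.

```powershell
# Added example: read-only readiness check for the unified audit log.
# Assumes the ExchangeOnlineManagement module is installed and the account
# holds an audit-log role. All parameter defaults are constructed samples.
param(
    [string]   $AdminUpn     = 'admin@contoso.example',   # placeholder account
    [string[]] $Operations   = @('Add-MailboxPermission'), # sample: mailbox permission change
    [int]      $LookbackDays = 7                           # keep the window narrow
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # 1. Is ingestion into the unified audit log enabled for the tenant?
    #    Run this from Exchange Online PowerShell, as the page describes.
    $config = Get-AdminAuditLogConfig
    if (-not $config.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is OFF; no events are being recorded.'
        Write-Warning 'To enable: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
        return
    }
    Write-Host 'Unified audit log ingestion is enabled.'

    # 2. Targeted test query: explicit operations and a short date range,
    #    rather than an open-ended search across all retained data.
    $end     = (Get-Date).ToUniversalTime()
    $start   = $end.AddDays(-$LookbackDays)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                   -Operations $Operations -ResultSize 1000

    if (-not $records) {
        Write-Warning "No matching records in the last $LookbackDays days. Generate a test event and re-run."
        return
    }

    # 3. Event detail is a JSON string in AuditData; expand the fields
    #    an investigator reads first.
    $records | ForEach-Object {
        $detail = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            TimeUtc   = $_.CreationDate
            User      = $_.UserIds
            Operation = $_.Operations
            Workload  = $detail.Workload
            ObjectId  = $detail.ObjectId
            ClientIP  = $detail.ClientIP
        }
    } | Sort-Object TimeUtc | Format-Table -AutoSize
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

An empty result from step 2 does not by itself mean auditing is broken; it may only mean no such operation occurred in the window, which is why the script checks the ingestion setting first.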

Audit logging is the kind of feature whose value only becomes apparent during an incident. Make sure it's ready before you need it.