Office 365 Audit Retention Policy

I have spoken previously about the importance of ensuring that your unified audit logs are enabled in your Microsoft 365 tenant:

Enable activity auditing in Office 365

These logs are retained for 90 days by default for all plans. However, if you have Office 365 E5, Microsoft 365 E5 or Microsoft 365 E5 Compliance add-on license you can enable an audit retention policy for up to 1 year.

If you navigate to:

https://protection.office.com/unifiedauditlog

in your tenant you will see:

image

the button New audit retention policy at the bottom of the page as shown above.

image

Select that button will display the above dialog. Towards the bottom of this you will see that you can set up a retention policy of up to 1 year.

Of course you can enter the policy via the web interface but I prefer PowerShell. The command that you need to use is:

New-UnifiedAuditLogRetentionPolicy

you then use the recordtypes parameter to specify the audit logs of a specific record type that are retained by the policy. Currently, there are heaps of these:

  1. AeD
  2. AirInvestigation
  3. ApplicationAudit
  4. AzureActiveDirectory
  5. AzureActiveDirectoryAccountLogon
  6. AzureActiveDirectoryStsLogon
  7. CRM
  8. Campaign
  9. ComplianceDLPExchange
  10. ComplianceDLPSharePoint
  11. ComplianceDLPSharePointClassification
  12. ComplianceSupervisionExchange
  13. CustomerKeyServiceEncryption
  14. DLPEndpoint
  15. DataCenterSecurityCmdlet
  16. DataGovernance
  17. DataInsightsRestApiAudit
  18. Discovery
  19. ExchangeAdmin
  20. ExchangeAggregatedOperation
  21. ExchangeItem
  22. ExchangeItemAggregated
  23. ExchangeItemGroup
  24. HRSignal
  25. HygieneEvent
  26. InformationBarrierPolicyApplication
  27. InformationWorkerProtection
  28. Kaizala
  29. LabelExplorer
  30. MIPLabel
  31. MailSubmission
  32. MicrosoftFlow
  33. MicrosoftForms
  34. MicrosoftStream
  35. MicrosoftTeams
  36. MicrosoftTeamsAdmin
  37. MicrosoftTeamsAnalytics
  38. MicrosoftTeamsDevice
  39. MicrosoftTeamsShifts
  40. MipAutoLabelExchangeItem
  41. MipAutoLabelSharePointItem
  42. MipAutoLabelSharePointPolicyLocation
  43. OfficeNative
  44. OneDrive
  45. PowerAppsApp
  46. PowerAppsPlan
  47. PowerBIAudit
  48. Project
  49. Quarantine
  50. SecurityComplianceAlerts
  51. SecurityComplianceCenterEOPCmdlet
  52. SecurityComplianceInsights
  53. SharePoint
  54. SharePointCommentOperation
  55. SharePointContentTypeOperation
  56. SharePointFieldOperation
  57. SharePointFileOperation
  58. SharePointListItemOperation
  59. SharePointListOperation
  60. SharePointSharingOperation
  61. SkypeForBusinessCmdlets
  62. SkypeForBusinessPSTNUsage
  63. SkypeForBusinessUsersBlocked
  64. Sway
  65. SyntheticProbe
  66. TeamsHealthcare
  67. ThreatFinder
  68. ThreatIntelligence
  69. ThreatIntelligenceAtpContent
  70. ThreatIntelligenceUrl
  71. WorkplaceAnalytics
  72. Yammer

In my case I ran:

New-UnifiedAuditLogRetentionPolicy -Name “Log Retention Policy” -Description “One year retention policy for all activities” -RecordTypes AeD,AirInvestigation,ApplicationAudit,AzureActiveDirectory,AzureActiveDirectoryAccountLogon,AzureActiveDirectoryStsLogon,CRM,Campaign,ComplianceDLPExchange,ComplianceDLPSharePoint,ComplianceDLPSharePointClassification,ComplianceSupervisionExchange,CustomerKeyServiceEncryption,DLPEndpoint,DataCenterSecurityCmdlet,DataGovernance,DataInsightsRestApiAudit,Discovery,ExchangeAdmin,ExchangeAggregatedOperation,ExchangeItem,ExchangeItemAggregated,ExchangeItemGroup,HRSignal,HygieneEvent,InformationBarrierPolicyApplication,InformationWorkerProtection,Kaizala,LabelExplorer,MIPLabel,MailSubmission,MicrosoftFlow,MicrosoftForms,MicrosoftStream,MicrosoftTeams,MicrosoftTeamsAdmin,MicrosoftTeamsAnalytics,MicrosoftTeamsDevice,MicrosoftTeamsShifts,MipAutoLabelExchangeItem,MipAutoLabelSharePointItem,MipAutoLabelSharePointPolicyLocation,OfficeNative,OneDrive,PowerAppsApp,PowerAppsPlan,PowerBIAudit,Project,Quarantine,SecurityComplianceAlerts,SecurityComplianceCenterEOPCmdlet,SecurityComplianceInsights,SharePoint,SharePointCommentOperation,SharePointContentTypeOperation,SharePointFieldOperation,SharePointFileOperation,SharePointListItemOperation,SharePointListOperation,SharePointSharingOperation,SkypeForBusinessCmdlets,SkypeForBusinessPSTNUsage,SkypeForBusinessUsersBlocked,Sway,SyntheticProbe,TeamsHealthcare,ThreatFinder,ThreatIntelligence,ThreatIntelligenceAtpContent,ThreatIntelligenceUrl,WorkplaceAnalytics,Yammer -RetentionDuration TwelveMonths -Priority 100

to set them all for my E5 environment, and thus retain all this logging information for at least 12 months!

image

You can read more about all this in the Microsoft documentation here:

Manage audit log retention policies

Remember however, for this to work:

“To retain an audit log for longer than 90 days, the user who generated the audit log must be assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance add-on license.”

***** 9 April 2020 Update

It appears Microsoft has now changed the parameters you can specify to:

ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation,
OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet,
ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation,
AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked,      SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer,      SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow,  AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project,  SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp,  PowerAppsPlan, ThreatIntelligenceAtpContent, LabelContentExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication,   SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation,  MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection,  Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit,  ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem,     MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, MipAutoLabelExchangeItem, CortanaBriefing,
Search, WDATPAlerts, MDATPAudit