Microsoft 365 Business Premium (an SMB-focused plan) includes many core compliance features also found in Enterprise plans like Office 365 E3. However, there are key differences when compared to Enterprise E3 and especially the advanced capabilities in E5. This report compares eDiscovery, retention policies, and audit logging across these plans, with step-by-step guidance, illustrations of key concepts, real-world scenarios, best practices, and pitfalls to avoid.
| Feature Area |
Business Premium (≈ E3 Standard) |
Office 365 E3 (Standard) |
Microsoft 365 E5 (Advanced) |
| eDiscovery |
Core eDiscovery (Standard) – includes content search, export, cases, basic holds1. No Advanced eDiscovery features. |
Core eDiscovery (Standard) – same as BP (full search, hold, export)1. |
Advanced eDiscovery (Premium) – adds custodian management, analytics, etc.1 |
| Retention |
Retention Policies for Exchange, SharePoint, OneDrive, Teams – basic org or location-wide retention available3. Lacks some advanced records management. |
Retention Policies – same core retention across workloads. |
Advanced Retention – e.g. auto-classification, event-based retention, regulatory record (with E5 Compliance add-on). |
| Audit Logging |
Audit Standard: Unified audit log enabled; events retained 180 days24. No advanced log features. |
Audit Standard: same 180-day retention. |
Audit Premium: Longer retention (1 year by default)24, audit retention policies, high-value events, faster API access. |
Note: Business Premium includes Exchange Online Plan 1 (50 GB mailbox) plus archiving, and SharePoint Plan 1, whereas E3 has Exchange Plan 2 (100 GB mailbox + archive) and SharePoint Plan 2. These underlying service differences influence compliance features like holds and storage[5][5].
eDiscovery: Standard vs. Premium
eDiscovery in Microsoft 365 helps identify and collect content for legal or compliance investigations. Business Premium and Office 365 E3 support Core eDiscovery (Standard) functionality, while Microsoft 365 E5 provides Advanced eDiscovery (Premium) with enhanced capabilities.
eDiscovery (Standard) in Business Premium and E3
Scope & Capabilities: eDiscovery (Standard) allows you to create cases, search for content across Exchange Online mailboxes, SharePoint sites, OneDrive, Teams, and more, place content on hold, and export results[1]. Key features of Standard eDiscovery include:
- Content Search across mailboxes, SharePoint/OneDrive, Teams chats, Groups, etc., with keyword queries and conditions[1]. (For example, you can search all user mailboxes and Teams messages for specific keywords in a case of suspected data leakage.)
- Legal Hold (litigation hold) to preserve content in-place. In E3, you can place mailboxes or sites on hold (so content is retained even if deleted)[1]. In Business Premium, mailbox hold is supported (Exchange Plan 1 with archiving allows litigation hold on mailboxes), but SharePoint Online Plan 1 lacks In-Place Hold capability[5]. This means to preserve SharePoint/OneDrive content on Business Premium, you would use retention policies rather than legacy hold features.
- Case Management: You can create eDiscovery Cases to organize searches, holds, and exports related to a specific investigation[1]. Each case can have multiple members (managers) and holds.
- Export Results: You can export search results (emails, documents, etc.) from a case. Exports are typically in PST format for emails or as native files with a load file for documents[6]. (E.g., export all emails from a custodian’s mailbox relevant to a lawsuit).
- Permissions: Role-Based Access Control allows only authorized eDiscovery Managers to access case data[1]. (Ensure users performing eDiscovery are added to the eDiscovery Manager role group in the Compliance portal[6].)
How to Use eDiscovery (Standard):
- Assign eDiscovery Permissions: In the Purview Compliance Portal (compliance.microsoft.com) under Permissions, add users to the eDiscovery Manager role group (or create a custom role group)[6]. This allows access to eDiscovery tools.
- Create a Case: Go to eDiscovery (Standard) in the Compliance portal (under “Solutions”). Click “+ Create case”, provide a name and description, and save[6]. (For example, create a case named “Project Phoenix Investigation”.)
- Add Members: Open the case, go to Case Settings > Members, and add any additional eDiscovery Managers or reviewers who should access this case.
- Place Content on Hold (if needed): In the case, navigate to the Hold tab. Create a hold, specifying content locations and conditions. For instance, to preserve an ex-employee’s mailbox and Teams chats, select their Exchange mailbox and Teams conversations[6]. This ensures content is preserved (copied to hidden folders) and cannot be permanently deleted by users.
- Search for Content: In the case, go to the Search tab. Configure a new search query – specify keywords or conditions (e.g., date ranges, authors) and choose locations (specific mailboxes, sites, Teams)[7][7]. For example, search all content in Alice’s mailbox and OneDrive for the past 1 year with keyword “Project Phoenix”.
- Review and Export: Run the search and preview results. You can select items to Preview their content. Once satisfied, click Export to download results. You’ll typically get a PST for emails or a zip of documents. Use the eDiscovery Export Tool if prompted to download large results.
Screenshot – Compliance Portal eDiscovery: Below is an illustration of the eDiscovery (Standard) interface in Microsoft Purview Compliance portal, showing a list of content searches in a case:
[7][7]
(Figure: Purview eDiscovery (Standard) case with search results listed. Investigators can create multiple searches, apply filters, and export data.)
Limitations of Standard eDiscovery: Core eDiscovery does not provide advanced analytics or review capabilities. There’s no built-in way to de-duplicate results or perform complex data analysis – the results must be reviewed manually (often outside the system, e.g. by opening PST in Outlook). Also, SharePoint Online Plan 1 limitation: Business Premium cannot use the older SharePoint “In-Place Hold” feature[5]; you must rely on retention policies for SharePoint content preservation (discussed later).
Real-World Scenario (Standard eDiscovery): A small business using Business Premium needs to respond to a legal request for all communications involving a specific client. The IT admin creates an eDiscovery (Standard) case, adds the HR manager as a viewer, places the mailboxes of the employees involved on hold, searches emails and Teams chats for the client’s name, and exports the results to provide to legal counsel. This meets the needs without additional licensing. Best Practice: Use targeted keyword searches to reduce volume, and always test search criteria on a small date range first to verify relevancy. Also, inform users (if appropriate) that their data is on legal hold to prevent accidental deletions.
eDiscovery (Premium) in E5 (Advanced eDiscovery)
Scope & Capabilities: Microsoft Purview eDiscovery (Premium) – formerly Advanced eDiscovery – is available in E5 (or as an E5 Compliance add-on) and builds on core eDiscovery with powerful data analytics and workflow tools[1][1]. Key features exclusive to eDiscovery (Premium) include:
- Custodian Management: Ability to designate custodians (users of interest) and automatically collect their data sources (Exchange mailboxes, OneDrives, Teams, SharePoint sites) in a case. You can track custodian status and send legal hold notifications to custodians (with an email workflow to inform them of hold obligations)[1].
- Advanced Indexing & Search: Enhanced indexing that can OCR scan images or process non-Microsoft file types. This ensures more content is discoverable (like text in PDFs or images)[8].
- Review Sets: After searching, you can add content to a Review Set – an online review interface. Within a review set, investigators can view, search within results, tag documents, annotate, and redact data[8]. This is a big improvement over Standard, which has no review interface.
- Analytics & Filtering: eDiscovery Premium provides analytics to help cull data:
- Near-Duplicate Detection: Identify and group very similar documents to reduce review effort[8].
- Email Threading: Reconstruct email threads and identify unique versus redundant messages[8].
- Themes analysis: Discover topics or themes in the documents.
- Relevance/Predictive Coding: You can train a machine learning model (predictive coding) to rank documents by relevance. The system learns from sample taggings (relevant or non-relevant) to prioritize important items[8].
- De-duplication: When adding to review sets or exporting, the system can eliminate duplicate content, which saves review time and export size.
- Export Options: Advanced export with options like including load files for document review platforms, or exporting only unique content with metadata, etc.[8]. You can even export results directly to another review set or to external formats suitable for litigation databases.
- Non-Microsoft Data Import: Ability to ingest non-Office 365 data (from outside sources) into eDiscovery for analysis[8]. For example, you could import data from a third-party system via Data Connectors so it can be reviewed alongside Office 365 content.
With E5’s advanced eDiscovery, the entire EDRM (Electronic Discovery Reference Model) workflow can be managed within Microsoft 365 – from identification and preservation to review, analysis, and export.
Using eDiscovery (Premium): The overall workflow is similar (create case, add custodians, search, etc.) but with additional steps:
- Create an eDiscovery (Premium) Case: In Compliance portal, go to eDiscovery > Premium, click “+ Create case”, and fill in case details (name, description, etc.)[9]. Ensure the case format is “New” (the modern experience).
- Add Custodians: Inside the case, use the “Custodians” or “Data Sources” section to add people. For each custodian (user), their Exchange mailbox, OneDrive, Teams chats, etc., can be automatically mapped and searched. The system will collect and index data from these sources.
- Send Hold Notifications (Optional): If legal policy requires, use the Communications feature to send notification emails to custodians informing them of the hold and their responsibilities.
- Define Searches & Add to Review Set: Perform initial searches on custodian data (or other locations) and add the results directly into a Review Set for analysis. For example, search all custodians’ data for “Project X” and add those 5,000 items into a review set.
- Review & Tag Data: In the review set, multiple reviewers can preview documents and emails in-browser. Apply tags (e.g., Responsive, Privileged, Irrelevant) to each item[8]. Use filtering (by date, sender, tags, etc.) to systematically work through the content.
- Apply Analytics: Run the “Analyze” function to detect near-duplicates and email threads[8]. The interface will group related items, so you can, for example, review one representative from each near-duplicate group, or skip emails that are contained in longer threads.
- Train Predictive Coding (Optional): To expedite large reviews, tag a sample set of documents as Relevant/Not Relevant and train the model. The system will predict relevance for the remaining documents (assigning a relevance score). High-score items can be prioritized for review, possibly allowing you to skip low-score items after validation.
- Export Final Data: Once review is complete (or data set narrowed sufficiently), export the documents. You can export with a review tag filter (e.g., only “Responsive” items, excluding “Privileged”). The export can be in PST, or a load file format (like EDRM XML or CSV with metadata, plus native files) for use in external review platforms[8].
Diagram – Advanced eDiscovery Workflow: (The eDiscovery (Premium) process aligns with standard eDiscovery phases: collecting custodial data, processing it into a review set, filtering and analysis (near-duplicates, threads), review and tagging, then export). The diagram below (from Microsoft Purview documentation) illustrates this workflow:
[8][8]
(Figure: eDiscovery (Premium) workflow showing steps from data identification through analysis and export, based on the Electronic Discovery Reference Model.)
Real-World Scenario (Advanced eDiscovery): A large enterprise faces litigation requiring review of 50,000 emails and documents from 10 employees over 5 years. With E5’s eDiscovery Premium, the legal team adds those employees as custodians in a case. All their data is indexed; the team searches for relevant keywords and narrows to ~8,000 items. During review, they use email threading to skip redundant emails and near-duplicate detection to handle repeated copies of documents. The team tags documents as Responsive or Privileged. They then export only the responsive, non-privileged data for outside counsel. Outcome: Without E5, exporting and manually sifting through 50k items would be immensely time-consuming. Advanced eDiscovery saved time by culling data (e.g., removing ~30% duplicates) and focusing review on what matters[6][6].
Best Practices (Advanced eDiscovery): Enable and train analytics features early – for example, run the threading and near-duplicate analysis as soon as data is in the review set, so reviewers can take advantage of it. Utilize tags and saved searches to organize review batches (e.g., assign different reviewers subsets of data by date or custodian). Always coordinate with legal counsel on search terms and tagging criteria to ensure nothing is missed. Keep an eye on export size limits – large exports might need splitting or use of Azure Blob export option for extremely big data sets.
Potential Pitfalls:
- Licensing: Attempting to use Advanced eDiscovery features without proper licenses – the Premium features require that each user whose content is being analyzed has an E5 or eDiscovery & Audit add-on license[4]. If a custodian isn’t licensed, certain data (like longer audit retention or premium features) may not apply. Tip: For a one-off case, consider acquiring E5 Compliance add-ons for involved users or use Microsoft’s 90-day Purview trial[2].
- Permissions: Not assigning the eDiscovery Administrator role for large cases. Standard eDiscovery Managers might not see all content if scoped. Also, failing to give yourself access to the review set data by not being a case member. Troubleshooting: If you cannot find content that should be there, verify role group membership and that content locations are correctly added as custodians or non-custodial sources.
- Data Volume & Index Limits: Extremely large tenant data might hit index limits – e.g., if a custodian has 1 million emails, some items might be unindexed (too large, etc.). eDiscovery (Premium) will flag unindexed items; you may need to include those with broad searches (there’s an option to search unindexed items). Always check the Statistics section in a case for any unindexed item counts and include them in searches if necessary.
- Export Issues: Exports over the download size limit (around 100 GB per export in the UI) might fail. In such cases, use smaller date ranges or specific queries to break into multiple exports, or use the Azure export option. If the eDiscovery Export Tool fails to launch, ensure you’re using a compatible browser (Edge/IE for older portal, or the new Export in Purview uses a click-to-download approach).
References for eDiscovery: For further details, refer to Microsoft’s official documentation on eDiscovery solutions in Microsoft Purview[1] and the step-by-step Guide to eDiscovery in Office 365 which illustrates the process with examples[6]. Microsoft’s Tech Community blogs also provide screenshots of the new Purview eDiscovery (E3) interface and how to leverage its features[7].
Retention Policies: Mailbox, SharePoint, OneDrive, Teams
Retention policies in Microsoft 365 (part of Purview’s Data Lifecycle Management) help organizations retain information for a period or delete it when no longer needed. Both Business Premium and E3 include the ability to create and apply retention policies across Exchange email, SharePoint sites, OneDrive accounts, and Microsoft Teams content. Higher-tier licenses (E5) add advanced retention features and more automation, but the core retention capabilities are similar in Business Premium vs E3.
Capabilities in Business Premium/E3
In Business Premium (and E3), you can configure retention policies to retain data (prevent deletion) and/or delete data after a timeframe for compliance. Key points:
- Mailbox (Exchange) Retention: You can retain emails indefinitely or for a set years. For example, an “All Mailboxes – 7 year retain” policy will ensure any email younger than 7 years cannot be permanently deleted (if a user deletes it, a copy is preserved in the Recoverable Items folder)[10]. After 7 years, the email can be deleted by the policy. Business Premium supports this tenant-wide or for selected mailboxes[3][3]. If you want to retain all emails forever, you could simply not set an expiration, effectively placing mailboxes in permanent hold. (Note: Exchange Online Plan 1 in Business Premium supports Litigation Hold when an archive mailbox is enabled, allowing indefinite retention of mailbox data[5].)
- SharePoint/OneDrive Retention: You can create policies for SharePoint sites (including Teams’ underlying SharePoint for files) and OneDrive accounts. For instance, retain all SharePoint site content for 5 years. If a user deletes a file, a preservation copy goes to the hidden Preservation Hold Library of that site[10]. Business Premium’s SharePoint Plan 1 does not have the older eDiscovery in-place hold, but retention policies still function for SharePoint/OneDrive content, as they are a Purview feature independent of SharePoint plan level[3]. The main limitation is no SharePoint DLP on Plan 1 (unrelated to retention) and possibly fewer “enhanced search” capabilities, but retention coverage is available.
- Teams Retention: Teams chats and channel messages can be retained or deleted via retention policies. Historically, Teams retention required E3 or higher, but Microsoft expanded this to all paid plans in 2021. Now, Business Premium can also apply Teams retention policies. These policies actually target the data in Exchange (for chats) and SharePoint (for channel files), but Purview abstracts that. For example, you might set a policy: “Delete Teams chat messages after 2 years” for all users – this will purge chat messages older than 2 years from Teams (by deleting them from the hidden mailboxes where they reside).
- Retention vs. Litigation Hold: E3/BP can accomplish most retention needs either via retention policies or using litigation hold on mailboxes. Litigation Hold (or placing a mailbox on indefinite hold) is essentially a way to retain all mailbox content indefinitely. Business Premium users have the ability to enable a mailbox Litigation Hold or In-Place Hold for Exchange (since archiving is available, as shown by the archive storage quota being provided)[5]. However, for SharePoint/Teams, litigation hold is not a concept – you use retention policies instead. In short, retention policies are the unified way to manage retention across all workloads in modern Microsoft 365.
Setting Up a Retention Policy (Step-by-Step):
- Plan Your Policy: Determine what content and retention period. (E.g., “All financial data must be retained for 7 years.”) Identify the workloads (Exchange email, SharePoint sites for finance, etc.).
- Navigate to Retention: In the Purview Compliance Portal, go to “Data Lifecycle Management” (or “Records Management” depending on UI) > Retention Policies. Click “+ New retention policy”.
- Name and Description: Give the policy a clear name (e.g., “Corp Email 7yr Retention”) and description.
- Choose Retention Settings: Decide if you want to Retain content, Delete content, or both:
- For example, choose “Retain items for 7 years” and do not tick “delete after 7 years” if you only want to preserve (you could later clean up manually). Or choose “Retain for 7 years, then delete” to automate cleanup[10].
- If retaining, you can specify retention period starts from when content was created or last modified.
- If deleting, you can have a shortest retention first then deletion.
- Choose Locations: Select which data locations this policy applies to:
- Exchange Email: You can apply to all mailboxes or select specific users’ mailboxes (the UI allows including/excluding specific users or groups).
- SharePoint sites and OneDrive: You can choose all or specific sites. (For OneDrive, selecting users will target their OneDrive by URL or name.)
- Teams: For Teams, there are two categories – Teams chats (1:1 or group chats) and Teams channel messages. In the UI these appear as “Teams conversations” and “Teams channel messages”. You can apply to all Teams or filter by specific users or Teams as needed.
- Exchange Public Folders: (If your org uses those, retention can cover them as well.)
- (Business Premium tip: since it’s SMB, usually you’ll apply retention broadly to all content of a type, rather than managing dozens of individual policies.)
- Review and Create: Once configured, create the policy. It will start applying (may take up to 1 day to fully take effect across all content, as the system has to apply markers to existing data).
Illustration – Retention Policy Creation: Below is a screenshot of the retention policy setup wizard in Microsoft Purview:
[10][10]
(Figure: Setting retention policy options – in this example, retaining content forever and never deleting, appropriate for an “indefinite hold” policy on certain data.)
What happens behind the scenes: If you configure a policy to retain data, whenever a user edits or deletes an item that is still within the retention period, M365 will keep a copy in a secure location (Recoverable Items for mail, Preservation Hold library for SharePoint)[10]. Users generally don’t see any difference in day-to-day work; the retention happens in the background. If a policy is set to delete after X days/years, when content exceeds that age, it will be automatically removed (permanently deleted) by the system (assuming no other hold or retention policy keeps it).
Limitations in Business Premium vs E3: Business Premium and E3 both support up to unlimited number of retention policies (technically up to 1,000 policies in a tenant) and the same locations. However, SharePoint Plan 1 vs Plan 2 difference means Business Premium lacks the older “In-Place Records Management” feature and eDiscovery hold in SharePoint[5]. Practically, this means all SharePoint retention must be via retention policies (which is the modern best practice anyway). E3’s SharePoint Plan 2 would have allowed an administrator to do an eDiscovery hold on a site (via Core eDiscovery case) – but retention policy achieves the same outcome of preserving data.
Another limitation: auto-apply of retention labels based on sensitive info or queries requires E5 (this is an advanced feature outside of standard retention policies). On Business Premium/E3, you can still use retention labels but users must manually apply them or default label on locations; auto-classification of content for retention labeling is E5 only. Basic retention policies don’t require labeling and are fully supported.
Real-World Use Cases:
- Compliance Retention: A Business Premium customer in a regulated industry sets an Exchange Online retention policy of 10 years for all email to meet regulatory requirements (e.g., finance or healthcare). Even though users have 50 GB mailboxes, enabling archiving (up to 1.5 TB) ensures capacity for retained email[5]. After 10 years, older emails are purged automatically. In the event of litigation, any deleted emails from the last 10 years are available in eDiscovery searches thanks to the policy preserving them.
- Data Lifecycle Management: A company might want to delete old data to reduce risk. For example, a Teams retention policy that deletes chat messages older than 2 years – this can prevent buildup of unnecessary data and limit exposure of old sensitive info. Business Premium can implement that now that Teams retention isn’t limited to E3/E5.
- Event-specific hold: If facing a legal case, an admin might opt for a litigation hold on specific mailboxes (a feature akin to retention but applied per mailbox). In Business Premium, you can do this by either enabling a retention policy targeting just those mailboxes or using the Exchange admin center to enable Litigation Hold (since BP includes that Exchange feature). This hold will keep all items indefinitely until removed[1]. E3/E5 can do the same, though often eDiscovery cases with legal hold are used instead of blanket litigation hold.
Best Practices for Retention:
- Use Descriptive Names: Clearly name policies (include content type and duration in the name) so it’s easy to manage multiple policies.
- Avoid Conflicting Policies: Understand that if an item is subject to multiple retention policies, the most protective outcome applies – i.e., it won’t be deleted until all retention periods expire, and it will be retained if any policy says to retain[10]. This is usually good (no data loss), but be mindful: e.g., don’t accidentally leave an old test policy that retains “All SharePoint forever” active while you intended to only retain 5 years.
- Test on a Smaller Scope: If possible, test a new policy on a small set of data (e.g., one site or one mailbox) to see its effect, especially if using the delete function. Once confident, expand to all users.
- Communicate to Users if Needed: Generally retention is transparent, but if you implement a policy that, say, deletes Teams messages after 2 years, it’s wise to inform users that older chats will disappear as a matter of policy (so they aren’t surprised).
- Review Preservation Holds: Remember that retained data still counts against storage quotas (for SharePoint, the Preservation Hold library consumes site storage)[10]. Monitor storage impacts – you may need to allocate more storage if, for example, you retain all OneDrive files for all users.
- Leverage Labels for Granular Retention: Even without E5 auto-labeling, you can use retention labels in E3/BP. For instance, create a label “Record – 10yr” and publish it to sites so users can tag specific documents that should be kept 10 years. This allows item-level retention alongside broad policies.
Pitfalls and Troubleshooting:
- “Why isn’t my data deleting?”: A common issue is an admin sets a policy to delete content after X days, but content persists. This is usually because another retention policy or hold is keeping it. Use the Retention label/policy conflicts report in Compliance Center to identify conflicts. Also, remember policies don’t delete content currently under hold (eDiscovery hold wins over deletion).
- Retention Policy not applying: If a new policy seems not to work, give it time (up to 24 hours). Also check that locations were correctly configured – e.g., a user’s OneDrive might not get covered if they left the company and their account wasn’t included or if OneDrive URL wasn’t auto-added. You might need to explicitly add or exclude certain sites/users.
- Storage growth: As noted, if you retain everything, your hidden preservation hold libraries and mail Recoverable Items can grow large. Exchange Online has a 100 GB Recoverable Items quota (on Plan 2) or 30 GB (Plan 1) by default, but Business Premium’s inclusion of archiving gives 100 GB + auto-expanding archive for Recoverable Items as well[5]. Monitor mailbox sizes – a user who deletes a lot of mail but everything is retained will have that data moved to Recoverable Items, consuming the archive. The LazyAdmin comparison noted Business Premium archive “1.5 TB” which implies auto-expanding up to that limit[5]. If you see “mailbox on hold full” warnings, you may need to free up or ensure archiving is enabled.
Advanced (E5) Retention Features: While not required for basic retention, E5 adds Records Management capabilities:
- Declare items as Records (with immutability) or Regulatory Records (which even admins cannot undeclare without special process).
- Disposition Reviews: where, after retention period, content isn’t auto-deleted but flagged for a person to review and approve deletion.
- Adaptive scopes: dynamic retention targeting (e.g., “all SharePoint sites with label Finance” auto-included in a policy) — requires E5.
- Trainable classifiers: automatically detect content types (like resumes, contracts) and apply labels.
If your organization grows in compliance complexity, these E5 features might be worth evaluating (Microsoft offers trial licenses to experience them[2]).
References for Retention: Microsoft’s documentation on Retention policies and labels provides a comprehensive overview[10]. The Microsoft Q&A thread confirming retention in Business Premium is available for reassurance (Yes, Business Premium does include Exchange retention capabilities)[3]. For practical advice, see community content like the SysCloud guide on https://www.syscloud.com/blogs/microsoft-365-retention-policy-and-label. Microsoft’s release notes (May 2021) announced expanded Teams retention support to all licenses – ensuring Business Premium users can manage Teams data lifecycle just like enterprises.
Audit Logging: Access and Analysis
Microsoft 365’s Unified Audit Log records user and administrator activities across Exchange, SharePoint, OneDrive, Teams, Azure AD, and many other services[11]. It is a crucial tool for compliance audits, security investigations, and troubleshooting. The level of audit logging and retention differs by license:
- Business Premium / Office 365 E3: Include Audit (Standard) – audit logging is enabled by default and retains logs for 180 days (about 6 months)[2][4]. This was increased from 90 days effective Oct 2023 (older logs prior to that stayed at 90-day retention)[4].
- Microsoft 365 E5: Includes Audit (Premium) – which extends retention to 1 year for activities of E5-licensed users[4], and even up to 10 years with an add-on. It also provides additional log data (such as deeper mailbox access events) and the ability to create custom audit log retention policies for specific activities or users[2].
Audit Log Features by Plan
Audit (Standard) – BP/E3: Captures thousands of events – e.g., user mailbox operations (send, move, delete messages), SharePoint file access (view, download, share), Teams actions (user added, channel messages posted), admin actions (creating new user, changing a group, mailbox exports, etc.)[2][2]. All these events are searchable for 6 months. The log is unified, meaning a single search can query across all services. Administrators can access logs via:
- Purview Compliance Portal (GUI): Simple interface to search by user, activity, date range.
- PowerShell (Search-UnifiedAuditLog cmdlet): For more complex queries or automation.
- Management API / SIEM integration: To pull logs into third-party tools (Standard allows API access but at a lower bandwidth; Premium increases the API throughput)[2].
Audit (Premium) – E5: In addition to longer retention, it logs some high-value events that standard might not. For example, Mailbox read events (Record of when an email was read/opened, which can be important in forensic cases) are available only with advanced audit enabled. It also allows creating Audit log retention policies – you can specify certain activities to keep for longer or shorter within the 1-year range[2]. And as noted, E5 has a higher API throttle, which matters if pulling large volumes programmatically[2].
Note: If an org has some E5 and some E3 users, only activities performed by E5-licensed users get the 1-year retention; others default to 180 days[4][4]. (However, activities like admin actions in Exchange or SharePoint might be tied to the performer’s license.)
Accessing & Searching Audit Logs (Step-by-Step)
- Ensure Permissions: By default, global admins can search the audit log, but it’s best practice to use the Compliance Administrator or a specific Audit Reader role. In Compliance Portal, under Permissions > Roles, ensure your account is in a role group with View-Only Audit Logs or Audit Logs role[4]. (If not, you’ll get an access denied when trying to search.)
- Verify Auditing is On: For newer tenants it’s on by default. To double-check, you can run a PowerShell cmdlet or simply attempt a search. In Exchange Online PowerShell, run:
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled – it should be True[4]. If it was off (older tenants might be off), you can turn it on in the Compliance Center (there’s usually a banner or a toggle in Audit section to enable).
- Navigate to Audit in Compliance Center: Go to https://compliance.microsoft.com and select Audit from the left navigation (under Solutions). You will see the Audit log search page[11].
- Configure Search Criteria: Choose a Date range for the activity (up to last 180 days for Standard, or last year for Premium users). You can filter by:
- Users: input one or more usernames or email addresses to filter events performed by those users.
- Activities: you can select from a dropdown of operations (like “File Deleted”, “Mailbox Logged in”, “SharingSetPermission”, etc.) or leave it as “All activities” to get everything.
- File or Folder: (Optional) If looking for actions on a specific file, you can specify its name or URL.
- Site or Folder: For SharePoint/OneDrive events, you can specify the site URL to scope.
- Keyword: Some activities allow keyword filtering (for example, search terms used).
- Run Search: Click Search. The query will run – it may take several seconds, especially if broad. The results will appear in a table below with columns like Date, User, Activity, Item (target item), Detail.
- View Details: Clicking an event record will show a detailed pane with info about that action. For example, a SharePoint file download event’s detail includes the file path, user’s IP address, and other properties.
- Analyze Results: You can sort or filter results in the UI. For deeper analysis:
- Use the Export feature: above the results, click Export results. It generates a CSV file of all results in the query[11]. The CSV includes a column with a JSON blob of detailed properties (“AuditData” column). You can open in Excel and use filters, or parse the JSON for advanced analysis.
- If results exceed 50,000 (UI limit)[11], the export will still contain all events up to 50k. For more, refine the query by smaller date ranges and combine exports, or use PowerShell.
- For regular investigations, you can save time by re-using searches: the portal allows you to Save search or copy a previous search criteria[11].
- Advanced Analysis: For large datasets or repeated needs, consider:
- PowerShell:
Search-UnifiedAuditLog cmdlet can retrieve up to 50k events per call (and you can script to iterate over time slices). This is useful for pulling logs for a particular user over a whole year by automating month-by-month queries.
- Feeds to SIEM: If you have E5 (with higher API bandwidth) and a SIEM tool, set up the Office 365 Management Activity API to continuously dump audit logs, so security analysts can run complex queries (beyond the scope of this question, but worth noting as best practice for big orgs).
- Alerts: In addition to searching, you can create Alert policies (in the Compliance portal) to notify you when certain audit events occur (e.g., “Mass download from SharePoint” or “Mailbox export performed”). This proactive approach complements reactive searching.
Illustration – Audit Log Search UI:
[2][2]
(Figure: Microsoft Purview Audit Search interface – administrators can specify time range, users, activities and run queries. The results list shows each audited event, which can be exported for analysis.)
Interpreting Audit Data: Each record has fields like User, Activity (action performed), Item (object affected, e.g., file name or mailbox item), Location (service), and a detailed JSON. For example, a file deletion event’s JSON will show the exact file URL, deletion type (user deletion or system purge), correlation ID, etc. Understanding these details can be crucial during forensic investigations.
Audit Log Retention and Premium Features
As mentioned, Standard audit retains 180 days[2][4]. If you query outside that range, you won’t get results. For example, if today is June 1, 2025, Business Premium/E3 can retrieve events back to early December 2024. E5 can retrieve to June 2024. If you need longer history on a lower plan, you must have exported or stored logs externally.
Premium (E5) capabilities:
- Longer Retention: By default, one year for E5-user activities[4]. You can also selectively retain certain logs longer by creating an Audit Retention Policy. For instance, you might keep all Exchange mailbox audit records for 1 year, but keep Azure AD sign-in events for 6 months (default) to save space.
- Audit Log Retention Policies: This E5 feature lets you set rules like “Keep SharePoint file access records for X days”. It’s managed in the Purview portal under Audit -> Retention policies. Note that the maximum retention in Premium is 1 year, unless you have the special 10-Year Audit Log add-on for specific users[2].
- Additional Events: With Advanced Audit, certain events are logged that are not in Standard. One notable example is MailItemsAccessed (when someone opens or reads an email). This event is extremely useful in insider threat investigations (e.g., did a user read confidential emails). In Standard, such fine-grained events may not be recorded due to volume.
- Higher bandwidth: If you use the Management API, premium allows a higher throttle (so you can pull more events per minute). Useful for enterprise SIEM integration where you ingest massive logs.
- Intelligent Insights: Microsoft is introducing some insight capabilities (mentioned in docs as “anomaly detection” or similar) which come with advanced audit – for instance, detecting unusual download patterns. These are evolving features to surface interesting events automatically[2].
Real-World Scenario (Audit Log Use): An IT admin receives reports of a suspicious activity – say, a user’s OneDrive files were all deleted. With Business Premium (Audit Standard), the admin goes to Audit search, filters by that user and the activity “FileDeleted” over the past week. The log shows that at 3:00 AM on Sunday, the user’s account (or an attacker using it) deleted 500 files. The admin checks the IP address in the log details and sees an unfamiliar foreign IP. This information is critical for the security team to respond (they now know it was malicious and can restore content, block that IP, etc.). Without the audit log, they would have had little evidence. Pitfall: If more than 6 months had passed since that incident, and no export was done, the logs would be gone on a Standard plan. For high-risk scenarios, consider E5 or ensure logs are exported to a secure archive regularly.
Another example: The organization suspects a departed employee exfiltrated emails. Using audit search, they look at that user’s mailbox activities (Send, MailboxLogin, etc.) and discover the user had used eDiscovery or Content Search to export data before leaving (yes, even compliance actions are audited!). They see a “ExportResults” activity in the log by that user or an accomplice admin. This can inform legal action. (In fact, the unified audit log logs eDiscovery search and export events as well, so you have oversight on who is doing compliance searches[11].)
Best Practices (Audit Logs):
- Regular Auditing & Alerting: Don’t wait for an incident. Set up alert policies for key events (e.g., multiple failed logins, mass file deletions, mailbox permission changes). This way, you use audit data proactively.
- Export / Backup Logs: If you are on Standard audit and cannot get E5, consider scheduling a script to export important logs (for critical accounts or all admin activities) every 3 or 6 months, so you have historical data beyond 180 days. Alternatively, use a third-party tool or Azure Sentinel (now Microsoft Sentinel) to archive logs.
- Leverage Search Tools: The Compliance Center also provides pre-built “Audit Search” for common scenarios – e.g., there are guides for investigating SharePoint file deletions, or mail forwarding rules, etc. Use Microsoft’s documentation (“Search the audit log to troubleshoot common scenarios”) as a recipe book for typical investigations.
- Know your retention: Keep in mind the 180-day vs 1-year difference. If your organization has E5 only for certain users, be aware of who they are when investigating. For instance, if you search for events by an E3 user from 8 months ago, you will find none (because their events were only kept 6 months).
Pitfalls:
- Audit not enabled: Rare today, but if your tenant was created some years ago and audit log search was never enabled, you might find no results. Always ensure it’s turned on (it is on by default for newer tenants)[4].
- Permission Denied: If you get an error accessing audit search, double-check your role. This often hits auditors who aren’t Global Admins – make sure to specifically add them to the Audit roles as described earlier[4].
- Too Broad Queries: If you search “all activities, all users, 6 months” you might hit the 50k display limit and just get a huge CSV. It can be overwhelming. Try to narrow down by specific activity or user if possible. Use date slicing (one month at a time) for better focus.
- Time zone consideration: Audit search times are in UTC. Be mindful when specifying date/time ranges; convert from local time to UTC to ensure you cover the period of interest.
- Interpreting JSON: The exported AuditData JSON can be confusing. Microsoft document “Audit log activities” lists the schema for each activity type. Refer to it if you need to parse out fields (e.g., what “ResultStatus”: “True” means on a login event – it actually means success).
References for Audit Logging: Microsoft’s official page “Learn about auditing solutions in Purview” gives a comparison table of Audit Standard vs Premium[2][2]. The “Search the audit log” documentation provides stepwise instructions and notes on retention[4][4]. For a deeper dive into using PowerShell and practical tips, see the Blumira blog on Navigating M365 Audit Logs[11] or Microsoft’s TechCommunity post on searching audit logs for specific scenarios. These resources, along with Microsoft’s Audit log activities reference, will help you maximize the insights from your audit data.
Conclusion
In summary, Microsoft 365 Business Premium provides robust baseline compliance features on par with Office 365 E3, including content search/eDiscovery, retention policies across services, and audit logging for monitoring user activities. The key differences are that Enterprise E5 unlocks advanced capabilities – eDiscovery (Premium) for deep legal investigations and Audit (Premium) for extended logging and analysis, as well as more sophisticated retention and records management tools.
For many organizations, Business Premium (or E3) is sufficient: you can perform legal holds, respond to basic eDiscovery requests, enforce data retention policies, and track activities for security and compliance. However, if your organization faces frequent litigation, large-scale investigations, or strict regulatory audits, the E5 features like advanced eDiscovery analytics and one-year audit log retention can significantly improve efficiency and outcomes.
Real-World Best Practice: Often a mix of licenses is used – e.g., keep most users on Business Premium or E3, but assign a few E5 Compliance licenses to key individuals (like those likely to be involved in legal cases, or executives whose audit logs you want 1-year retention for). This way, you get targeted advanced coverage without full E5 cost.
Next Steps: Ensure you familiarize with the Compliance Center (Purview) – many improvements (like the new Content Search and eDiscovery UI) are rolling out[7]. Leverage Microsoft’s official documentation and training for each feature:
- Microsoft Learn modules on eDiscovery for step-by-step labs,
- Purview compliance documentation on configuring retention,
- Security guidances on using audit logs for incident response.
By understanding the capabilities and limitations of your SKU, you can implement governance policies effectively and upgrade strategically if/when advanced features are needed. Compliance is an ongoing process, so regularly review your organization’s settings against requirements, and utilize the rich toolset available in Microsoft 365 to stay ahead of legal and regulatory demands.
References
[1] Microsoft Purview eDiscovery solutions setup guide
[2] Learn about auditing solutions in Microsoft Purview
[3] retention policy for business premium – Microsoft Q&A
[4] Search the audit log | Microsoft Learn
[5] Microsoft 365 Business Premium vs Office 365 E3 – All Differences
[6] EDiscovery In Office 365: A Step-by-Step Guide – MS Cloud Explorers
[7] Getting started with the new Purview Content Search
[8] Microsoft 365 Compliance Licensing Comparison
[9] Create and manage an eDiscovery (Premium) case
[10] Learn about retention policies & labels to retain or delete
[11] How To Navigate Microsoft 365 Audit Logs – Blumira
CIAOPS 