Manage audit log retention policies (2024)

You can create and manage audit log retention policies in the Microsoft Purview portal or the Microsoft Purview compliance portal. Audit log retention policies are part of the new Microsoft Purview Audit (Premium) capabilities. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria:

  • All activities in one or more Microsoft services
  • Specific activities in a Microsoft service performed by all users or by specific users
  • A priority level that specifies which policy takes precedence if you have multiple policies in your organization

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Default audit log retention policy

Audit (Premium) in Microsoft Purview provides a default audit log retention policy for all organizations. This policy can't be modified and retains all Exchange Online, SharePoint, OneDrive, and Microsoft Entra audit records for one year. This default policy retains audit records that contain the value of AzureActiveDirectory, Exchange, OneDrive, and SharePoint for the Workload property (which is the service in which the activity occurred). Specific workloads and record types can be changed to a different duration using a retention policy. See the Default retention policy record types section in this article for a list of record types for each workload that are included in the default policy.

Note

The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 180 days.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

Before you create an audit log retention policy

  • You have to be assigned the Organization Configuration role in the Microsoft Purview portal or the compliance portal to create or modify an audit retention policy.

  • You can have a maximum of 50 audit log retention policies in your organization.

  • To retain an audit log for longer than 180 days (and up to 1 year), the user who generates the audit log (by performing an audited activity) must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. To retain audit logs for 10 years, the user who generates the audit log must also be assigned a 10-year audit log retention add-on license in addition to an E5 license.

    Note

    If the user generating the audit log doesn't meet these licensing requirements, data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type.

  • All custom audit log retention policies (created by your organization) take priority over the default retention policy. For example, if you create an audit log retention policy for Exchange mailbox activity that has a retention period that's shorter than one year, audit records for Exchange mailbox activities will be retained for the shorter duration specified by the custom policy.

  • The audit item lifetime for data is determined when it's added to the auditing pipeline and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These changes don't update any previously committed items.

Create an audit log retention policy

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  • Microsoft Purview portal
  • Compliance portal

Complete the following steps to create an audit retention policy:

  1. Sign in to the Microsoft Purview portal with a user account that's assigned the Organization Configuration role on the Permissions page in the compliance portal.

  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.

  3. Select Create audit retention policy, and then complete the following fields on the flyout page:

    • Policy name: The name of the audit log retention policy. This name must be unique in your organization, and it can't be changed after the policy is created.

    • Description: Optional, but helpful to provide information about the policy, such as the record type or workload, users specified in the policy, and the duration.

    • Users: Select one or more users to apply the policy to. If you leave this box blank, then the policy applies to all users. If you leave the Record type blank, then you must select a user.

    • Record type: The audit record type the policy applies to. If you leave this property blank, you must select a user in the Users box. You can select a single record type or multiple record types:

      • If you select a single record type, the Activities field is dynamically displayed. You can use the drop-down list to select activities from the selected record type to apply the policy to. If you don't choose specific activities, the policy applies to all activities of the selected record type.
      • If you select multiple record types, you don't have the ability to select activities. The policy applies to all activities of the selected record types.
    • Duration: The amount of time to retain the audit logs that meet the criteria of the policy. The available options are 7 Days, 30 Days, 6 Months, 9 Months, 1 Year, 3 Years (preview), 5 Years (preview), and 7 Years (preview). Users with the 10-year Audit Log Retention add-on license can select a 10 Years option.

      Important

      To retain audit logs for the 7 and 30 days duration options, you must have a Microsoft 365 Enterprise E5 subscription. To retain audit logs for the 3 (preview), 5 (preview), and 7 (preview) years duration options, you must be assigned to a 10-Year Audit Log Retention add-on license in addition to your Microsoft 365 Enterprise E5 subscription. For more information about Audit subscriptions and add-ons, see Auditing solutions in Microsoft Purview.

    • Priority: This value determines the order in which audit log retention policies in your organization are processed. A lower value indicates a higher priority. Valid priorities are numerical values between 1 and 10000. A value of 1 is the highest priority, and a value of 10000 is the lowest priority. For example, a policy with a value of 5 takes priority over a policy with a value of 10. Any custom audit log retention policy takes priority over the default policy for your organization.

  4. Select Save to create the new audit log retention policy.

The new policy is displayed in the list on the Policies page.

Manage audit log retention policies in the compliance portal

Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies.

View policies in the dashboard

Audit log retention policies are listed in the dashboard. One advantage of viewing policies in the dashboard is that you can select the Priority column to list the policies in the priority in which they're applied. As previously explained, a lower value indicates a higher priority.

You can also select a policy to display its settings on the flyout page.

Note

The default audit log retention policy for your organization isn't displayed in the dashboard.

Edit policies in the dashboard

To edit a policy, select it to display the flyout page. You can modify one or more settings and then save your changes.

Important

If you use the New-UnifiedAuditLogRetentionPolicy cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the Create audit retention policy tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the Audit retention policies dashboard. You'll only be able to view and delete the policy in the Microsoft Purview compliance portal. To edit the policy, you'll have to use the Set-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell.

Tip: A message is displayed at the top of the flyout page for policies that have to be edited using PowerShell.

Delete policies in the dashboard

To delete a policy, select the Delete icon and then confirm that you want to delete the policy. The policy is removed from the dashboard, but it might take up to 30 minutes for the policy to be removed from your organization.

Create and manage audit log retention policies in PowerShell

You can also use Security & Compliance PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.

Create an audit log retention policy in PowerShell

Follow these steps to create an audit log retention policy in PowerShell:

  1. Connect to Security & Compliance PowerShell.

  2. Run the following command to create an audit log retention policy:

    New-UnifiedAuditLogRetentionPolicy -Name "Microsoft Teams Audit Policy" -Description "Ten year retention policy for all Microsoft Teams activities" -RecordTypes MicrosoftTeams -RetentionDuration TenYears -Priority 100

    This example creates an audit log retention policy named "Microsoft Teams Audit Policy" with these settings:

    • A description of the policy.
    • Retains all Microsoft Teams activities (as defined by the RecordTypes parameter).
    • Retains Microsoft Teams audit logs for 10 years.
    • A priority of 100.

Here's another example of creating an audit log retention policy. This policy retains audit logs for the "User logged in" activity for six months for the user admin@contoso.onmicrosoft.com.

New-UnifiedAuditLogRetentionPolicy -Name "SixMonth retention for admin logons" -RecordTypes AzureActiveDirectoryStsLogon -Operations UserLoggedIn -UserIds admin@contoso.onmicrosoft.com -RetentionDuration SixMonths -Priority 25

For more information, see New-UnifiedAuditLogRetentionPolicy.

View policies in PowerShell

Use the Get-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to view audit log retention policies.

Here's a sample command to display the settings for all audit log retention policies in your organization. This command sorts the policies from the highest to lowest priority.

Get-UnifiedAuditLogRetentionPolicy | Sort-Object -Property Priority | Format-List Priority,Name,Description,RecordTypes,Operations,UserIds,RetentionDuration

Note

The Get-UnifiedAuditLogRetentionPolicy cmdlet doesn't return the default audit log retention policy for your organization.
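
To see which policy actually governs a given audit record when several overlap, the priority rule described earlier can be applied to the cmdlet's output. The following is an added example, not Microsoft's code: Resolve-AuditRetentionPolicy is a hypothetical helper, the policy objects are constructed sample data, and it assumes a blank Users, Record type, or Activities field matches everything. Licensing is not modelled.

```powershell
# Constructed sample shaped like Get-UnifiedAuditLogRetentionPolicy output. The first two
# entries mirror the policies created earlier on this page; the third is invented.
# In a live session use: $policies = Get-UnifiedAuditLogRetentionPolicy
$policies = @(
    [pscustomobject]@{ Name = 'Microsoft Teams Audit Policy'; Priority = 100
        RecordTypes = @('MicrosoftTeams'); Operations = @(); UserIds = @()
        RetentionDuration = 'TenYears' }
    [pscustomobject]@{ Name = 'SixMonth retention for admin logons'; Priority = 25
        RecordTypes = @('AzureActiveDirectoryStsLogon'); Operations = @('UserLoggedIn')
        UserIds = @('admin@contoso.onmicrosoft.com'); RetentionDuration = 'SixMonths' }
    [pscustomobject]@{ Name = 'All sign-ins ten years (constructed)'; Priority = 50
        RecordTypes = @('AzureActiveDirectoryStsLogon'); Operations = @(); UserIds = @()
        RetentionDuration = 'TenYears' }
)

function Resolve-AuditRetentionPolicy {   # hypothetical helper, not a Microsoft cmdlet
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string]   $RecordType,
        [Parameter(Mandatory)] [string]   $Operation,
        [Parameter(Mandatory)] [string]   $UserId
    )
    # Assumed matching model: a blank field is a wildcard, a populated field must
    # contain the value being tested (-contains is case-insensitive).
    $candidates = @($Policy | Where-Object {
        (-not $_.RecordTypes -or $_.RecordTypes -contains $RecordType) -and
        (-not $_.Operations  -or $_.Operations  -contains $Operation)  -and
        (-not $_.UserIds     -or $_.UserIds     -contains $UserId)
    } | Sort-Object -Property Priority)   # ascending: lowest number = highest priority

    if ($candidates.Count -eq 0) {
        # No custom policy matches, so the default or license-based retention applies.
        return [pscustomobject]@{ Winner = '(default policy)'; Priority = $null
            RetentionDuration = $null; Shadowed = @() }
    }
    [pscustomobject]@{
        Winner            = $candidates[0].Name
        Priority          = $candidates[0].Priority
        RetentionDuration = $candidates[0].RetentionDuration
        # Lower-priority matches that never take effect for this record.
        Shadowed          = @($candidates | Select-Object -Skip 1 | ForEach-Object { $_.Name })
    }
}

# Same sign-in activity, resolved for two different users.
$logon = @{ Policy = $policies; RecordType = 'AzureActiveDirectoryStsLogon'; Operation = 'UserLoggedIn' }
Resolve-AuditRetentionPolicy @logon -UserId 'admin@contoso.onmicrosoft.com'
Resolve-AuditRetentionPolicy @logon -UserId 'user@contoso.onmicrosoft.com'

# A record type with no custom policy (constructed input).
Resolve-AuditRetentionPolicy -Policy $policies -RecordType 'ExchangeItem' -Operation 'Send' `
    -UserId 'user@contoso.onmicrosoft.com'
```

With this sample data, the admin account's sign-in records resolve to the six-month policy at priority 25 even though a ten-year policy covers the same record type at priority 50. A narrow, high-priority policy can therefore shorten retention for exactly the accounts an investigation is most likely to need.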

Edit policies in PowerShell

Use the Set-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to edit an existing audit log retention policy.

Delete policies in PowerShell

Use the Remove-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to delete an audit log retention policy. It might take up to 30 minutes for the policy to be removed from your organization.

Default retention policy record types

Audit records for operations in Microsoft Entra ID, Exchange Online, SharePoint, and OneDrive are retained for one year by default. This means that audit logs for any operation with this workload are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user.

FAQs

What is the best practice for audit log retention?

Here are five security log retention best practices:
  • Archive log data centrally. Security logs serve as evidence when you want to conduct forensic analysis. ...
  • Set the maximum security log size. ...
  • Implement a log retention policy. ...
  • Reduce event noise. ...
  • Synchronize the system clocks.

What is an audit retention policy?

Proper audit log retention policies are a crucial component of any effective cybersecurity strategy. They provide a comprehensive record of all activities that occur within a system, including user actions, system events, and changes to critical data.

How do you manage audit logs?

To efficiently analyze audit logs, the logging tool must be able to parse raw log data into structured data that contains the relevant information (e.g., event name, event description, user ID, etc.). Once parsed, an audit logging tool should also make it easy to search for specific audit logs using tags.

What is a log retention policy?

Log retention deals with how organizations store log files and for how long. Log files are generated by various systems, architecture components, and applications across environments. Each of these various types of logs serves a unique purpose: System logs: System logs are generated by the operating system.

What is the NIST recommended log retention period?

Different compliance frameworks have different retention period recommendations: HIPAA: 6 years. PCI DSS: 1 year. NIST: 3 years.

How long should audits be retained?

Once the auditors have completed their workpapers for a given client, they must retain that audit documentation for a certain period of time. The retention requirements of audit documentation are 5 years for nonissuers and 7 years for issuers.

What is the GAAP record retention policy?

After one year, destroy after audit or four years, whichever occurs first. Receipts and Collection Report for Other than Cash Trust Items Retain at least four years from end of fiscal year or upon expiration of statute of limitations, whichever is later.

How long should logs be retained?

For example, you may keep audit logs and firewall logs for two months. However, if your organization must follow strict laws and regulations, you may keep the most critical logs anywhere between six months and seven years. This timeframe is the log retention period.

How long does Office 365 keep audit logs?

By default, Office 365 Audit Log will keep the log for 90 days. The requirement is to keep the audit log for one year. There is a PowerShell command for this.

What are the two types of audit logs?

Types of Audit Logs

Application Audit Logs: These logs capture events and activities performed by applications, including database queries, transactions, and file operations. Network Audit Logs: These logs capture network events and activities, including network traffic, firewall activity, and access control lists.

What is the difference between audit log and syslog?

Auditd is a userspace component interacting with kernel auditing subsystem. And that subsystem is meant for auditing. Normal syslog/journald logging is meant for "general logging", which might also include security related events from various parts of the operating system.

Should audit logs be maintained?

These can be critical to identify security incidents in real time. Maintain Integrity: Protect your audit logs from unauthorized changes to maintain their integrity. One way to do this is through write-once-read-many (WORM) solutions.

What is a good retention policy?

Key elements of such a policy include data identification, storage methods, data formats, retention periods, disposal procedures, backup and archiving, and roles and responsibilities. Policies help avoid violations of data compliance laws, such as those stipulated by GDPR, HIPAA, FLSA, and SOX.

What is an audit log policy?

An audit logging and monitoring policy is a framework of guidelines and procedures that govern audit logging and monitoring processes. This policy guides the collection, analysis, and storage of activity data within an organization.

How far back does an audit log go?

You can retain audit logs for up to 10 years. You can create policies based on the following criteria: All activities in one or more Microsoft services. Specific activities in a Microsoft service performed by all users or by specific users.

What are the retention requirements for audit documentation?

Rule 2-06 requires that accounting firms retain certain records for seven years. Retained information would be kept confidential unless or until made public during an enforcement, disciplinary or other legal or administrative proceeding.

How long should audit trail history be retained for at least?

Companies must keep accurate transaction records, failing which can lead to penalties. Audit trails must be maintained for at least eight years, following best practices like data backups, user authentication, regular audits, and automated logging.

Article information

Author: Terrell Hackett
