Manage audit log retention policies (2024)

You can create and manage audit log retention policies in the Microsoft Purview portal or the Microsoft Purview compliance portal. Audit log retention policies are part of the new Microsoft Purview Audit (Premium) capabilities. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria:

  • All activities in one or more Microsoft 365 services
  • Specific activities (in a Microsoft 365 service) performed by all users or by specific users
  • A priority level that specifies which policy takes precedence if you have multiple policies in your organization

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Default audit log retention policy

Audit (Premium) in Microsoft Purview provides a default audit log retention policy for all organizations. This policy can't be modified and retains all Exchange Online, SharePoint, OneDrive, and Microsoft Entra audit records for one year. This default policy retains audit records that contain the value of AzureActiveDirectory, Exchange, OneDrive, and SharePoint for the Workload property (which is the service in which the activity occurred). Specific workloads and record types can be changed to a different duration using a retention policy. See the Default retention policy record types section in this article for a list of record types for each workload that are included in the default policy.

Note

The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 180 days.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

Before you create an audit log retention policy

  • You have to be assigned the Organization Configuration role in the Microsoft Purview portal or the compliance portal to create or modify an audit retention policy.

  • You can have a maximum of 50 audit log retention policies in your organization.

  • To retain an audit log for longer than 180 days (and up to 1 year), the user who generates the audit log (by performing an audited activity) must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. To retain audit logs for 10 years, the user who generates the audit log must also be assigned a 10-year audit log retention add-on license in addition to an E5 license.

    Note

    If the user generating the audit log doesn't meet these licensing requirements, data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type.

  • All custom audit log retention policies (created by your organization) take priority over the default retention policy. For example, if you create an audit log retention policy for Exchange mailbox activity that has a retention period that's shorter than one year, audit records for Exchange mailbox activities will be retained for the shorter duration specified by the custom policy.

  • The audit item lifetime for data is determined when it's added to the auditing pipeline and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These changes don't update any previously committed items.

Create an audit log retention policy

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  • Microsoft Purview portal
  • Compliance portal

Complete the following steps to create an audit retention policy:

  1. Sign in to the Microsoft Purview portal with a user account that's assigned the Organization Configuration role on the Permissions page in the compliance portal.

  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.

  3. Select Create audit retention policy, and then complete the following fields on the flyout page:

    • Policy name: The name of the audit log retention policy. This name must be unique in your organization, and it can't be changed after the policy is created.

    • Description: Optional, but helpful to provide information about the policy, such as the record type or workload, users specified in the policy, and the duration.

    • Users: Select one or more users to apply the policy to. If you leave this box blank, then the policy applies to all users. If you leave the Record type blank, then you must select a user.

    • Record type: The audit record type the policy applies to. If you leave this property blank, you must select a user in the Users box. You can select a single record type or multiple record types:

      • If you select a single record type, the Activities field is dynamically displayed. You can use the drop-down list to select activities from the selected record type to apply the policy to. If you don't choose specific activities, the policy applies to all activities of the selected record type.
      • If you select multiple record types, you don't have the ability to select activities. The policy applies to all activities of the selected record types.
    • Duration: The amount of time to retain the audit logs that meet the criteria of the policy. The available options are 7 Days, 30 Days, 6 Months, 9 Months, 1 Year, 3 Years (preview), 5 Years (preview), and 7 Years (preview). Users with the 10-year Audit Log Retention add-on license can select a 10 Years option.

      Important

      To retain audit logs for the 7 and 30 days duration options, you must have a Microsoft 365 Enterprise E5 subscription. To retain audit logs for the 3 (preview), 5 (preview), and 7 (preview) years duration options, you must be assigned a 10-Year Audit Log Retention add-on license in addition to your Microsoft 365 Enterprise E5 subscription. For more information about Audit subscriptions and add-ons, see Auditing solutions in Microsoft Purview.

    • Priority: This value determines the order in which audit log retention policies in your organization are processed. A lower value indicates a higher priority. Valid priorities are numerical values between 1 and 10000. A value of 1 is the highest priority, and a value of 10000 is the lowest priority. For example, a policy with a value of 5 takes priority over a policy with a value of 10. Any custom audit log retention policy takes priority over the default policy for your organization.

  4. Select Save to create the new audit log retention policy.

The new policy is displayed in the list on the Policies page.

Manage audit log retention policies in the compliance portal

Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies.

View policies in the dashboard

Audit log retention policies are listed in the dashboard. One advantage of viewing policies in the dashboard is that you can select the Priority column to list the policies in the priority in which they're applied. As previously explained, a lower value indicates a higher priority.

You can also select a policy to display its settings on the flyout page.

Note

The default audit log retention policy for your organization isn't displayed in the dashboard.

Edit policies in the dashboard

To edit a policy, select it to display the flyout page. You can modify one or more settings and then save your changes.

Important

If you use the New-UnifiedAuditLogRetentionPolicy cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the Create audit retention policy tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the Audit retention policies dashboard. You'll only be able to view and delete the policy in the Microsoft Purview compliance portal. To edit the policy, you'll have to use the Set-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell.

Tip: A message is displayed at the top of the flyout page for policies that have to be edited using PowerShell.

Delete policies in the dashboard

To delete a policy, select the Delete icon and then confirm that you want to delete the policy. The policy is removed from the dashboard, but it might take up to 30 minutes for the policy to be removed from your organization.

Create and manage audit log retention policies in PowerShell

You can also use Security & Compliance PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.

Create an audit log retention policy in PowerShell

Follow these steps to create an audit log retention policy in PowerShell:

  1. Connect to Security & Compliance PowerShell.

  2. Run the following command to create an audit log retention policy:

    New-UnifiedAuditLogRetentionPolicy -Name "Microsoft Teams Audit Policy" -Description "Ten year retention policy for all Microsoft Teams activities" -RecordTypes MicrosoftTeams -RetentionDuration TenYears -Priority 100

    This example creates an audit log retention policy named "Microsoft Teams Audit Policy" with these settings:

    • A description of the policy.
    • Retains all Microsoft Teams activities (as defined by the RecordTypes parameter).
    • Retains Microsoft Teams audit logs for 10 years.
    • A priority of 100.

Here's another example of creating an audit log retention policy. This policy retains audit logs for the "User logged in" activity for six months for the user [email protected].

New-UnifiedAuditLogRetentionPolicy -Name "SixMonth retention for admin logons" -RecordTypes AzureActiveDirectoryStsLogon -Operations UserLoggedIn -UserIds [email protected] -RetentionDuration SixMonths -Priority 25

For more information, see New-UnifiedAuditLogRetentionPolicy.

View policies in PowerShell

Use the Get-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to view audit log retention policies.

Here's a sample command to display the settings for all audit log retention policies in your organization. This command sorts the policies from the highest to lowest priority (a lower Priority value indicates a higher priority).

Get-UnifiedAuditLogRetentionPolicy | Sort-Object -Property Priority | Format-List Priority,Name,Description,RecordTypes,Operations,UserIds,RetentionDuration

Note

The Get-UnifiedAuditLogRetentionPolicy cmdlet doesn't return the default audit log retention policy for your organization.
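
To review which policy ends up governing a given audit record, the following added example (not part of the original article and not Microsoft's code) models the rules described on this page: a blank field on a policy matches everything, and the matching policy with the lowest Priority value wins. The policies, users and events are constructed sample data, Test-FieldMatch and Resolve-EffectiveAuditRetention are hypothetical helper names, and the service's own evaluation may differ in details.

```powershell
# Constructed sample policies with the properties listed by the command above.
# In a tenant, use instead: $policies = Get-UnifiedAuditLogRetentionPolicy
$policies = @(
    [pscustomobject]@{ Name = 'Teams ten years'; Priority = 100; RetentionDuration = 'TenYears'
        RecordTypes = @('MicrosoftTeams'); Operations = @(); UserIds = @() }
    [pscustomobject]@{ Name = 'Admin logons six months'; Priority = 25; RetentionDuration = 'SixMonths'
        RecordTypes = @('AzureActiveDirectoryStsLogon'); Operations = @('UserLoggedIn')
        UserIds = @('admin@example.com') }
    [pscustomobject]@{ Name = 'All logons seven days'; Priority = 10; RetentionDuration = 'SevenDays'
        RecordTypes = @('AzureActiveDirectoryStsLogon'); Operations = @(); UserIds = @() }
)

# Approximate day counts, used only to compare durations.
$days = @{ SevenDays = 7; OneMonth = 30; ThreeMonths = 90; SixMonths = 180; NineMonths = 270
           TwelveMonths = 365; ThreeYears = 1095; FiveYears = 1825; SevenYears = 2555; TenYears = 3650 }

function Test-FieldMatch {
    param([object[]]$Allowed, [string]$Value)
    # A blank field on a policy means the policy applies to every value of that field.
    if ($null -eq $Allowed -or $Allowed.Count -eq 0) { return $true }
    return ($Allowed -contains $Value)
}

function Resolve-EffectiveAuditRetention {
    param([object[]]$Policies = @(), [string]$RecordType, [string]$Operation, [string]$UserId)
    # Keep the policies whose record type, activity and user all match,
    # then take the lowest Priority value (1 is the highest priority).
    $winner = $Policies |
        Where-Object {
            (Test-FieldMatch $_.RecordTypes $RecordType) -and
            (Test-FieldMatch $_.Operations $Operation) -and
            (Test-FieldMatch $_.UserIds $UserId)
        } |
        Sort-Object -Property Priority |
        Select-Object -First 1
    if ($winner) { return $winner }
    # No custom policy matched: the default retention for the user's license applies.
    [pscustomobject]@{ Name = '(default)'; Priority = $null; RetentionDuration = 'license default' }
}

# Constructed audit events to evaluate.
$records = @(
    @{ RecordType = 'AzureActiveDirectoryStsLogon'; Operation = 'UserLoggedIn'; UserId = 'admin@example.com' }
    @{ RecordType = 'MicrosoftTeams'; Operation = 'TeamCreated'; UserId = 'user@example.com' }
    @{ RecordType = 'ExchangeItem'; Operation = 'Send'; UserId = 'user@example.com' }
)
foreach ($r in $records) {
    $p = Resolve-EffectiveAuditRetention -Policies $policies @r
    '{0,-30} {1,-18} -> {2} [{3}]' -f $r.RecordType, $r.UserId, $p.Name, $p.RetentionDuration
}

# Custom policies override the one-year default even when shorter, so list those for review.
$policies | Where-Object { $days[[string]$_.RetentionDuration] -lt 365 } |
    Sort-Object -Property Priority | Format-Table Priority, Name, RetentionDuration
```

With the sample data, the admin sign-in record resolves to the broad seven-day policy (priority 10) rather than the targeted six-month policy (priority 25), which is the kind of shadowing a retention review should catch.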

Edit policies in PowerShell

Use the Set-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to edit an existing audit log retention policy.

Delete policies in PowerShell

Use the Remove-UnifiedAuditLogRetentionPolicy cmdlet in Security & Compliance PowerShell to delete an audit log retention policy. It might take up to 30 minutes for the policy to be removed from your organization.

Default retention policy record types

Audit records for operations in Microsoft Entra ID, Exchange Online, SharePoint, and OneDrive are retained for one year by default. This means that audit logs for any operation with this workload are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user.

FAQs

What is an audit retention policy?

Proper audit log retention policies are a crucial component of any effective cybersecurity strategy. They provide a comprehensive record of all activities that occur within a system, including user actions, system events, and changes to critical data.

What is the best practice for log retention period?

A common practice is to establish a minimum log retention period, such as 180 days. This provides a baseline for retaining logs and ensures that critical information is available for analysis and investigation when needed.

What is an example of a log retention policy?

A log retention period is the amount of time you keep logs. For example, you may keep audit logs and firewall logs for two months. However, if your organization must follow strict laws and regulations, you may keep the most critical logs anywhere between six months and seven years.

How to maintain audit logs?

As a general rule, storage of audit logs should include 90 days “hot” (meaning you can actively search/report on them with your tools) and 365 days “cold” (meaning log data you have backed up or archived for long-term storage). Store logs in an encrypted format. See our post on Encryption Policies for more information.

What is the purpose of a retention policy?

Data retention policies concern what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements.

What is a good retention policy?

Best practice dictates that data should be kept only as long as it's useful. That said, certain laws and regulations have specific requirements regarding data retention periods, so it's important to do your research before determining the retention period for a data retention policy.

What is the basic log retention?

For a Basic Logs table, the value is always 8. The table's total data retention including archive period. This value can be between 4 and 730; or 1095, 1460, 1826, 2191, 2556, 2922, 3288, 3653, 4018, or 4383. Set this property to null if you don't want to archive data.

Should audit logs be maintained?

Audit logs create a historical record that's maintained independently of your system's current state. Administrators and compliance teams can use the audit logs to investigate user actions, spot suspicious activity and adhere to regulatory frameworks.

How long should a retention period be?

Statutory retention period: Records should be kept as long as they are needed after the last communication concerning a subject access request. A period of a year may be advisable. For example, if there is a refusal notice, complaints normally arise within three months of the review decision.

How do you write a record retention policy?

Follow these steps to create an effective record retention policy:
  1. Conduct an audit of your data and organize your files. ...
  2. Determine how long you're required to keep certain documents. ...
  3. Explain what and who the policy covers in the scope. ...
  4. Write the body of the policy. ...
  5. Add an appendix to define complex terms.

How do I assign a retention policy?

Set Retention Policies using the Office 365 Portal

On the landing page, click on the Mail tile. In the Inbox, expand the folder view. Right-click on a mail folder that you want to apply a retention policy to. Click "Assign policy", and select the policy you want to apply.

What three components would you include in a record retention policy?

Here are three major components of a successful records retention strategy:
  • A retention schedule.
  • Retention policies.
  • Records infrastructure.
  • Qualities of a successful records management system should include:

What is an audit log management process?

Audit logging is the process of documenting activity within the software systems used across your organization. Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity.

How long are audit logs retained?

You can retain audit logs for up to 10 years. You can create policies based on the following criteria: All activities in one or more Microsoft 365 services. Specific activities (in a Microsoft 365 service) performed by all users or by specific users.

What is the purpose of audit logs?

Many organizations use audit logs to detect security breaches, aid in recovery processes, and prevent unfavorable events from reoccurring. In the case of data breaches, it's impossible to know the extent of who or what was affected by the breach without reliable logs.

What is the retention policy and procedures?

A record retention policy states your business's process for managing documents from creation to retention or disposal. Good policies help businesses retrieve documents for easy reference. They also help employees understand how to dispose of documents properly to protect information.

What is the retention period of audit documents?

The auditor must retain audit documentation for seven years from the date the auditor grants permission to use the auditor's report in connection with the issuance of the company's financial statements (report release date), unless a longer period of time is required by law.

What is the retention period for audit engagement?

The retention period for audit engagements ordinarily is no shorter than five years from the date of the auditor's report, or, if later, the date of the group auditor's report.

What is the 7 year retention policy?

SOX Retention Requirements – 7 Years

Sarbanes-Oxley Act of 2002 (SOX) was modified in 2003 to require relevant auditing and review documents to be retained for seven years after the audit or review of the financial statements is concluded.

Article information

Author: Clemencia Bogisich Ret
