LOG-01: Enable Unified Audit Logging

Overview

This guide walks you through enabling the Unified Audit Log in Microsoft Purview and confirming that Entra ID sign-in logs are active. Audit logging must be turned on before any retention policies, alerting, or SIEM export can produce useful results. Enabling the Unified Audit Log requires no premium license; it is available on every Microsoft 365 tier. Extended retention beyond the default period requires E5 or the Audit Premium add-on, but that is a separate concern from enabling logging.

Control ID: LOG-01
Category: Logging
Severity: High
License Required: None (enabling Unified Audit Logging works on any Microsoft 365 tier; E5 or Audit Premium is only required for extended retention beyond the default period)

Why This Matters

The Unified Audit Log is the foundation of all Microsoft 365 security visibility. Without it enabled:

  • Security investigations cannot trace attacker activity after a breach
  • Compliance requirements cannot be met (SOC 2, HIPAA, GDPR, and others require verifiable audit trails)
  • Alerting and SIEM export have no data to act on
  • Forensic analysis is impossible when logs were never collected

Enabling audit logging is a zero-cost action available on every Microsoft 365 tier. It should be the first logging control any organization activates.


Prerequisites

Required Roles

You need one of the following roles:

  • Global Administrator
  • Compliance Administrator
  • Organization Management (in Compliance Portal)

Required Licenses

Action                                     License required
Enable Unified Audit Log                   None (any Microsoft 365 tier)
View Entra ID sign-in logs                 None; they are always collected, but retention is 7 days without Entra ID P1/P2 and 30 days with it
Default log retention (Audit Standard)     None; 180 days (raised from the earlier 90-day default in 2023)
Extended retention up to 1 year            Microsoft 365 E5, E5 Compliance, or the Audit (Premium) add-on
Extended retention up to 10 years          One of the above plus the 10-Year Audit Log Retention add-on

Important: A premium license is NOT required to enable audit logging. E5 and Audit (Premium) only extend how long logs are kept; the logs themselves are collected on all tiers once the audit log is enabled. Retention licensing is evaluated per user: the E5 or Audit (Premium) license (and the 10-Year add-on, if used) must be assigned to the user whose activity generates the record, not to the administrator who reads it.

Pre-Configuration Requirements

Before enabling:

  1. Confirm the current state - Microsoft has turned the audit log on automatically for tenants with a qualifying subscription since 2019, but older tenants, and tenants where an administrator (or an attacker with Exchange admin rights) turned it off, may still have it disabled; check the Audit section in Microsoft Purview rather than assuming either way
  2. Define retention requirements - Document how long your compliance framework requires logs to be kept
  3. Understand log types - Know which activities you need to retain

Time Estimate

Task                     Duration
Requirements gathering   30 minutes
Policy creation          15-20 minutes
Verification             10 minutes
Total                    About 1 hour

Step-by-Step Instructions

Step 1: Verify Current Audit Status

  1. Sign in to the Microsoft Purview compliance portal
  2. Navigate to Solutions > Audit
  3. If prompted, click Start recording user and admin activity
  4. Verify the audit status shows as On

Note: Unified audit logging must be enabled before configuring retention policies.
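The same check and switch can be scripted, which is useful when you are auditing more than one tenant or want the state recorded in a ticket. The following is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds one of the roles listed under Prerequisites (or the Exchange "Audit Logs" role, which is enough for the search).

```powershell
# Added example (not from the original guide). Assumes: ExchangeOnlineManagement module
# installed (Install-Module ExchangeOnlineManagement) and an account holding Global
# Administrator, Compliance Administrator or the Exchange "Audit Logs" role.
Connect-ExchangeOnline -ShowBanner:$false

$before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if ($before) {
    Write-Host "Unified Audit Log ingestion is already ON."
} else {
    Write-Warning "Unified Audit Log ingestion is OFF - enabling."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Microsoft documents up to 60 minutes before the change takes effect, so a
    # search run immediately afterwards can legitimately come back empty.
}

# Re-read the setting rather than trusting the Set- call; the portal's Audit page
# and this value should agree.
$after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if (-not $after) { throw "UnifiedAuditLogIngestionEnabled is still False; check the role assignment." }

# Smoke test: any admin or user activity in the last 24 hours proves events are landing.
$end  = (Get-Date).ToUniversalTime()
$hits = Search-UnifiedAuditLog -StartDate $end.AddDays(-1) -EndDate $end -ResultSize 5
if ($hits) {
    $hits | Select-Object CreationDate, RecordType, Operations, UserIds | Format-Table -AutoSize
} else {
    Write-Warning "No audit records in the last 24 hours: expected right after enabling, suspicious on an established tenant."
}
```

An empty result on a tenant that has supposedly had logging on for months is the finding to chase, not the script's problem: either ingestion was switched off at some point, or the account running the search lacks the Audit Logs role.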

Step 2: Understand Audit Log Categories

Before creating retention policies, understand what activities are logged. In Purview each category is exposed as one or more record types (AzureActiveDirectory, ExchangeAdmin, SharePointFileOperation, and so on); the same names come back in the RecordType column of Search-UnifiedAuditLog, so the category you choose for retention is the one you will filter on during an investigation.

Category                Examples                                                 Importance
Exchange                Mailbox access, mailbox modifications, mail flow rules  High
SharePoint              File access, sharing, site modifications                High
Entra ID (Azure AD)     Sign-ins, password changes, role assignments            Critical
Microsoft Teams         Channel creation, meeting recordings, app installs      Medium
Power Platform          Power Apps, Power Automate flows                        Medium
Security & Compliance   DLP matches, eDiscovery, alerts                         Critical

Step 3: Access Audit Log Retention Policies

  1. Navigate to Microsoft Purview compliance portal
  2. Go to Solutions > Audit
  3. Click on the Audit retention policies tab
  4. Click + Create an audit retention policy

Step 4: Create a Retention Policy for High-Priority Logs

Create a policy for the most critical audit records:

  1. Name: Enter Critical Security Logs - 10 Years
  2. Description: Retains high-priority security and compliance audit records for 10 years
  3. Click Next

Configure Record Types

  1. Under Record types, select:
    • Azure AD (all Entra ID directory activity)
    • Exchange Admin (Exchange administrative actions)
    • Azure AD - Risky sign-ins (sign-in risk events)
    • SecurityComplianceCenter (security and compliance activities)
    • ThreatIntelligence (threat intelligence events)
  2. Click Next

Configure Retention Duration

  1. Priority: Set to 1 (highest priority for overlapping policies)
  2. Retention duration: Select 10 years (or your required period)
  3. Click Next

Review and Create

  1. Review your settings
  2. Click Create policy

Step 5: Create Additional Retention Policies

Create policies for other log categories based on your requirements:

Policy 2: Administrative Actions (7 Years)

  1. Click + Create an audit retention policy
  2. Name: Administrative Actions - 7 Years
  3. Record types: Select:
    • Exchange Admin
    • SharePoint Admin
    • Microsoft Teams Admin
    • Power Platform Admin Center
  4. Priority: 2
  5. Retention duration: 7 years
  6. Create the policy

Policy 3: User Activity (2 Years)

  1. Click + Create an audit retention policy
  2. Name: User Activity - 2 Years
  3. Record types: Select:
    • Exchange
    • SharePointFileOperation
    • MicrosoftTeams
    • OneDrive
  4. Priority: 3
  5. Retention duration: 2 years
  6. Create the policy

Policy 4: Default Catch-All (1 Year)

This policy is optional. Users licensed for Audit (Premium) already get 1 year by default, so a 1-year catch-all mainly makes the baseline explicit and reviewable; it cannot extend retention for unlicensed users, whose records stay on the Audit (Standard) default.

  1. Click + Create an audit retention policy
  2. Name: Default Retention - 1 Year
  3. Record types: Select all record types rather than leaving the field empty
  4. Priority: 10 (lowest of this set; lower numbers are evaluated first)
  5. Retention duration: 1 year
  6. Create the policy

Step 6: Configure User-Specific Retention (Optional)

For specific high-risk users (executives, IT admins), create targeted policies. The license must sit on the user whose activity is being recorded: a 10-year policy scoped to an executive does nothing unless that executive holds E5 or Audit (Premium) plus the 10-Year Audit Log Retention add-on.

  1. Click + Create an audit retention policy
  2. Name: Executive User Logs - 10 Years
  3. Record types: Select all relevant types
  4. Under Users, add the specific high-risk users
  5. Priority: Priorities must be unique, so if the Critical Security Logs policy already holds 1, use the next free number (2). Both policies retain for 10 years, so which one wins on overlap does not change the outcome
  6. Retention duration: 10 years
  7. Create the policy
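Steps 4 to 6 can be driven from Security & Compliance PowerShell, which also lets you keep the policy set in version control and re-apply it to a rebuilt tenant. The following is an added example, not code from the original guide. It assumes the ExchangeOnlineManagement module and an account with Organization Management or Compliance Administrator; the user principal names are placeholders, and the record-type and duration values are the enum names the New-UnifiedAuditLogRetentionPolicy cmdlet accepts (TwelveMonths and TenYears are used here; the exact set your tenant offers depends on licensing).

```powershell
# Added example (not from the original guide). Audit retention policies are managed in
# Security & Compliance PowerShell, so the session is Connect-IPPSSession rather than
# Connect-ExchangeOnline. Assumes: ExchangeOnlineManagement module, Organization Management
# or Compliance Administrator. UPNs below are placeholders.
Connect-IPPSSession

# TwelveMonths needs E5/Audit (Premium) on the user who generates the event; TenYears
# additionally needs the 10-Year Audit Log Retention add-on. If the service rejects
# TenYears, that add-on is missing: fix the licensing, do not silently shorten the policy.
$desired = @(
    @{
        Name              = 'Critical Security Logs - 10 Years'
        Description       = 'Entra ID, sign-in, Exchange admin and security/compliance records'
        RecordTypes       = 'AzureActiveDirectory', 'AzureActiveDirectoryStsLogon', 'ExchangeAdmin',
                            'SecurityComplianceCenter', 'ThreatIntelligence'
        RetentionDuration = 'TenYears'
        Priority          = 1
    }
    @{
        Name              = 'Executive User Logs - 10 Years'
        Description       = 'Everything these high-risk accounts do'
        RecordTypes       = 'AzureActiveDirectory', 'AzureActiveDirectoryStsLogon', 'ExchangeAdmin',
                            'ExchangeItem', 'SharePointFileOperation', 'OneDrive', 'MicrosoftTeams'
        UserIds           = 'ceo@contoso.example', 'cfo@contoso.example'   # placeholders
        RetentionDuration = 'TenYears'
        Priority          = 2                                              # priorities are unique
    }
    @{
        Name              = 'User Activity - 1 Year'
        Description       = 'Mail, file and Teams activity for all licensed users'
        RecordTypes       = 'ExchangeItem', 'SharePointFileOperation', 'OneDrive', 'MicrosoftTeams'
        RetentionDuration = 'TwelveMonths'
        Priority          = 3
    }
)

$existing = Get-UnifiedAuditLogRetentionPolicy
foreach ($p in $desired) {
    if ($existing | Where-Object Name -eq $p.Name) {
        Write-Host "Exists, skipping: $($p.Name)"
        continue
    }
    if ($existing | Where-Object Priority -eq $p.Priority) {
        throw "Priority $($p.Priority) is already in use; choose a free number for '$($p.Name)'."
    }
    New-UnifiedAuditLogRetentionPolicy @p | Out-Null
    Write-Host "Created: $($p.Name)"
}

# Final state in evaluation order: on overlap, the lowest priority number wins.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, Priority, RetentionDuration, RecordTypes, UserIds -AutoSize
```

The script is idempotent by name, so it can run from a pipeline after every tenant change; a policy whose settings have drifted is not corrected, only reported in the final table, which is deliberate: changing retention on existing audit data should be a reviewed change, not a side effect of a rerun.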

Step 7: Verify Policy Application

  1. Navigate to Audit > Audit retention policies
  2. Confirm all policies show status as Active
  3. Verify priority ordering is correct (lower number = higher priority, and no two policies share a number)

Test Policy Coverage

  1. Go to Audit > Search
  2. Run a test search for recent activities
  3. Verify results appear correctly

Verification Checklist

After enabling unified audit logging:

  • Unified Audit Log status shows On in Microsoft Purview
  • Entra ID sign-in logs are visible under Monitoring and health (they are always collected and there is no switch to enable; retention is 7 days without Entra ID P1/P2 and 30 days with it)
  • Default retention is active: 180 days for Audit (Standard), 1 year for users licensed for Audit (Premium)
  • Retention policies are created for all required log categories (if extended retention is needed)
  • Critical security logs have the longest retention (up to 10 years, which requires the 10-Year Audit Log Retention add-on on top of E5 or Audit (Premium))
  • Policy priorities are correctly ordered and unique (no conflicts)
  • Test audit search returns expected results
  • Retention periods meet compliance requirements
  • Policy changes are documented in the change management system
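The first three checklist items and the test search in Step 7 can be collapsed into one script that produces a pass/fail record you can attach to the change ticket. This is an added example, not code from the original guide. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules, a Purview role from the Prerequisites section, and Graph consent for AuditLog.Read.All; the record-type list is an assumption that mirrors the "Critical Security Logs" policy in Step 4.

```powershell
# Added example (not from the original guide). Assumes: ExchangeOnlineManagement and
# Microsoft.Graph.Reports modules, a Purview admin role, Graph scope AuditLog.Read.All.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

$end    = (Get-Date).ToUniversalTime()
$start  = $end.AddHours(-24)
$report = [ordered]@{}

# 1. The master switch.
$report['UnifiedAuditLogOn'] = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. One hit per critical record type in the last 24 hours proves that category is
#    flowing. Search-UnifiedAuditLog takes a single -RecordType, hence the loop. A quiet
#    tenant may legitimately have no SecurityComplianceCenter events in a day; widen
#    the window before treating that one as a failure.
foreach ($rt in 'AzureActiveDirectory', 'AzureActiveDirectoryStsLogon',
               'ExchangeAdmin', 'SecurityComplianceCenter') {
    $hit = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
               -RecordType $rt -ResultSize 1 -ErrorAction SilentlyContinue
    $report["Seen24h_$rt"] = [bool]$hit
}

# 3. Entra ID sign-in logs. There is no on/off switch: they are always recorded and kept
#    7 days (30 with Entra ID P1/P2). Reading them through Graph requires P1/P2; without
#    it the call fails with a licensing error, and the AzureActiveDirectoryStsLogon
#    records checked above are the copy you do have.
try {
    $report['EntraSignInViaGraph'] = [bool](Get-MgAuditLogSignIn -Top 1 -ErrorAction Stop)
} catch {
    $report['EntraSignInViaGraph'] = "unavailable: $($_.Exception.Message)"
}

# 4. Anything false is a gap to explain before relying on this tenant's audit trail.
$gaps = $report.GetEnumerator() | Where-Object { $_.Value -eq $false } | ForEach-Object Key
[pscustomobject]$report | Format-List
if ($gaps) { Write-Warning "Verification gaps: $($gaps -join ', ')" }
```

Run it once immediately after enabling (expect gaps) and again the next day (expect none); keeping both outputs documents when coverage actually began, which is the date an investigator will ask for.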

Retention Requirements by Compliance Framework

Framework         Minimum retention (commonly cited)                 Recommended
SOC 2 Type II     1 year                                             3 years
HIPAA             6 years                                            7 years
PCI DSS           1 year, most recent 3 months immediately available 3 years
GDPR              Based on purpose                                   3-7 years
NIST 800-53       3 years (varies by baseline)                       7 years
ISO 27001         Based on risk assessment                           3-7 years
SEC Rule 17a-4    6 years                                            7 years
FINRA             6 years                                            7 years
FedRAMP           3 years                                            7 years

Troubleshooting

Issue: Cannot Create Retention Policies Beyond 1 Year

Cause: Insufficient licensing. Retention longer than 1 year needs the 10-Year Audit Log Retention add-on on top of E5, E5 Compliance or Audit (Premium), and the license must be assigned to the users whose activity generates the records, not just to the administrator creating the policy.

Solution:

  1. Verify the affected users hold Microsoft 365 E5, E5 Compliance, or Audit (Premium), plus the 10-Year Audit Log Retention add-on
  2. Check license assignment in the Microsoft 365 admin center
  3. Wait up to 24 hours after license assignment for the feature to activate

Issue: Audit Logging Not Enabled

Cause: Unified audit logging was never enabled or was disabled. An administrator, or an attacker holding Exchange admin rights, can turn it off.

Solution:

  1. Navigate to Audit in the compliance portal
  2. Click Start recording user and admin activity
  3. Allow time for the change: Microsoft documents up to 60 minutes before it takes effect, and individual events can take hours to become searchable, so do not judge coverage from a search run immediately afterwards
  4. If it was previously on, find out who turned it off and when; the change is an Exchange admin action and is normally captured before ingestion stops

Issue: Policies Not Applying

Cause: Priority conflicts or policy misconfiguration.

Solution:

  1. Review policy priority order (lower number = higher priority)
  2. Ensure policies are in Active status
  3. Check that record types don't overlap unexpectedly
  4. Verify user scope is correct

Issue: Historical Logs Missing

Cause: Logs were purged before policy was created.

Solution:

  • Retention policies only apply going forward
  • Previously purged logs cannot be recovered
  • Implement policies immediately to protect current logs

Issue: Cannot Find Specific Activity Types

Cause: Some activities require specific licenses or settings.

Solution:

  1. Verify the activity type is included in your license (for example, MailItemsAccessed and Send are Audit (Premium) events and are never recorded for Audit (Standard) users)
  2. Some activities require additional configuration:
    • Mailbox auditing is on by default, but it can be turned off tenant-wide (AuditDisabled on the organization config), per mailbox (AuditEnabled), or silenced for a particular account through an audit bypass association; check all three
    • SharePoint external sharing logging requires admin configuration
    • Teams private channel logs may have separate settings
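The three mailbox-auditing checks above can be run together. This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and it covers the mailbox case only (the SharePoint and Teams items are configured in their own admin centers).

```powershell
# Added example (not from the original guide). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide kill switch: AuditDisabled = $true stops every mailbox audit event,
# whatever the per-mailbox settings say. Check this first after a suspected compromise.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level - re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# Mailboxes with auditing explicitly turned off. Auditing has been on by default since
# 2019, so a $false here is a deliberate change that should have a ticket behind it.
$off = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
       Where-Object { -not $_.AuditEnabled }
foreach ($m in $off) {
    Write-Host "Enabling mailbox auditing for $($m.PrimarySmtpAddress)"
    Set-Mailbox -Identity $m.Identity -AuditEnabled $true
}

# Bypass associations silence auditing for an account's actions on ANY mailbox and do
# not show in the mailbox's own AuditEnabled flag. List them; remove any you cannot
# justify with Set-MailboxAuditBypassAssociation -AuditBypassEnabled $false.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled
```

The bypass list is the one most teams forget: it is the quietest way to exempt a service account (or a backdoor account) from mailbox auditing, and nothing on the Purview Audit page hints that it exists.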

Cost Considerations

License Requirements for Extended Retention

License                              Per user/month       What it adds for audit
Microsoft 365 E5                     ~$57                 Audit (Premium): 1-year default retention, high-value events such as MailItemsAccessed and Send, and the ability to set retention policies
E5 Compliance add-on                 ~$12                 Same audit capabilities as E5
Audit (Premium) add-on               ~$10                 Audit (Premium) capabilities only
10-Year Audit Log Retention add-on   Priced separately    Required in addition to one of the above for any retention beyond 1 year

Storage Considerations

  • Audit logs are stored in Microsoft's infrastructure
  • No additional storage costs for extended retention
  • Export to external SIEM may incur egress costs

Optimization Tips

  1. Selective licensing: The license has to be on the user whose activity generates the record, so assign E5/Audit (Premium) and the 10-Year add-on to administrators, executives and other high-risk accounts rather than to the analysts who read the logs
  2. Tiered retention: Use shorter retention for low-risk activities
  3. Export critical logs: Consider exporting to Azure Log Analytics for advanced analysis

Related Controls

  • LOG-02: Sign-In Log Export - Export logs to external SIEM
  • LOG-03: Security Alerts - Configure alerting for audit events
  • LOG-04: Privileged Operation Alerts - Alert on admin actions
  • GOV-04: Incident Response - Use audit logs during investigations

Additional Resources