LOG-01: Enable Unified Audit Logging
Overview
This guide walks you through enabling the Unified Audit Log in Microsoft Purview and confirming that Entra ID sign-in logs are active. Audit logging must be turned on before any retention policies, alerting, or SIEM export can produce useful results. Enabling the Unified Audit Log requires no premium license; it is available on every Microsoft 365 tier. Extended retention beyond the default period requires E5 or the Audit Premium add-on, but that is a separate concern from enabling logging.
Control ID: LOG-01
Category: Logging
Severity: High
License Required: None (enabling Unified Audit Logging works on any Microsoft 365 tier; E5 or Audit Premium is only required for extended retention beyond the default period)
Why This Matters
The Unified Audit Log is the foundation of all Microsoft 365 security visibility. Without it enabled:
- Security investigations cannot trace attacker activity after a breach
- Compliance requirements cannot be met (SOC 2, HIPAA, GDPR, and others require verifiable audit trails)
- Alerting and SIEM export have no data to act on
- Forensic analysis is impossible when logs were never collected
Enabling audit logging is a zero-cost action available on every Microsoft 365 tier. It should be the first logging control any organization activates.
Prerequisites
Required Roles
You need one of the following roles:
- Global Administrator
- Compliance Administrator
- Organization Management (in Compliance Portal)
Required Licenses
| Action | License Required |
|---|---|
| Enable Unified Audit Log | None (any Microsoft 365 tier) |
| Entra ID sign-in logs | None (collected automatically on every tier; the Entra portal keeps 7 days on the free tier and 30 days with Entra ID P1/P2) |
| Default audit log retention (180 days with Audit (Standard), raised from 90 days in late 2023; 1 year with Audit (Premium)) | None |
| Extended retention up to 1 year | Microsoft 365 E5, E5 Compliance, or Audit Premium add-on |
| Extended retention up to 10 years | Microsoft 365 E5, E5 Compliance, or Audit Premium add-on, plus the 10-Year Audit Log Retention add-on |
Important: A premium license is NOT required to enable audit logging. E5 and Audit Premium only extend how long logs are kept; the logs themselves are collected on all tiers once the audit log is enabled.
Pre-Configuration Requirements
Before enabling:
- Confirm the current audit status - auditing is turned on by default for eligible subscriptions, but it can be switched off by an administrator; check the Audit section in Microsoft Purview rather than assuming either state
- Define retention requirements - Document how long your compliance framework requires logs to be kept
- Understand log types - Know which activities you need to retain
Time Estimate
| Task | Duration |
|---|---|
| Requirements gathering | 30 minutes |
| Policy creation | 15-20 minutes |
| Verification | 10 minutes |
| Total | 1 hour |
Step-by-Step Instructions
Step 1: Verify Current Audit Status
- Sign in to the Microsoft Purview compliance portal
- Navigate to Solutions > Audit
- If prompted, click Start recording user and admin activity
- Verify the audit status shows as On
Note: Unified audit logging must be enabled before configuring retention policies.
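The same check from the command line, added here as an example and not part of the original guide: it reads the Unified Audit Log ingestion flag through Exchange Online PowerShell (the same property the Start recording user and admin activity button sets), turns it on if needed, probes for recent audit records, and pulls the newest Entra ID sign-in events through Microsoft Graph. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed and that the signed-in account holds one of the roles listed under Prerequisites.

```powershell
# Added example (not from the original guide): verify and, if needed, enable
# Unified Audit Log ingestion, then confirm that audit records and Entra ID
# sign-in events are actually being produced.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Ingestion flag. This is the property behind the Purview
#    "Start recording user and admin activity" button.
$auditConfig = Get-AdminAuditLogConfig
if ($auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified Audit Log ingestion: ON"
}
else {
    Write-Warning "Unified Audit Log ingestion is OFF; enabling it now"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change can take up to 60 minutes to take effect; re-read the flag
    # instead of trusting the Set call alone.
    $auditConfig = Get-AdminAuditLogConfig
    Write-Host ("Ingestion flag now: {0}" -f $auditConfig.UnifiedAuditLogIngestionEnabled)
}

# 2. Probe for recent records. An enabled flag with an empty result over the
#    last 24 hours usually means ingestion was only just switched on.
$end    = Get-Date
$start  = $end.AddHours(-24)
$sample = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 10
if ($sample) {
    Write-Host ("Sample of audit records ({0} returned):" -f @($sample).Count)
    $sample | Select-Object CreationDate, RecordType, Operations, UserIds | Format-Table -AutoSize
}
else {
    Write-Warning "No audit records in the last 24 hours; re-run this check later"
}

# 3. Entra ID sign-in logs. These are collected on every tier; the check is
#    simply that the API returns recent events for this tenant.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome
$signIns = Get-MgAuditLogSignIn -Top 5
if ($signIns) {
    $signIns |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
            @{ Name = 'Result'; Expression = {
                if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } } |
        Format-Table -AutoSize
}
else {
    Write-Warning "No sign-in events returned; confirm the account holds a role that can read sign-in logs"
}

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

Run this before and after clicking Start recording user and admin activity; the second run should show the flag as True and, once a few events have been generated, a non-empty sample. The sign-in probe is a read-only sanity check that the tenant's sign-in stream is reachable, which is what the later export control (LOG-02) depends on.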
Step 2: Understand Audit Log Categories
Before creating retention policies, understand what activities are logged:
| Category | Examples | Importance |
|---|---|---|
| Exchange | Email access, mailbox modifications, mail flow rules | High |
| SharePoint | File access, sharing, site modifications | High |
| Azure AD | Sign-ins, password changes, role assignments | Critical |
| Microsoft Teams | Channel creation, meeting recordings, app installs | Medium |
| Power Platform | Power Apps, Power Automate flows | Medium |
| Security & Compliance | DLP matches, eDiscovery, alerts | Critical |
Step 3: Access Audit Log Retention Policies
- Navigate to Microsoft Purview compliance portal
- Go to Solutions > Audit
- Click on the Audit retention policies tab
- Click + Create an audit retention policy
Step 4: Create a Retention Policy for High-Priority Logs
Create a policy for the most critical audit records:
- Name: Enter `Critical Security Logs - 10 Years`
- Description: Enter `Retains high-priority security and compliance audit records for 10 years`
- Click Next
Configure Record Types
- Under Record types, select:
  - Azure AD - All Azure AD activities
  - Exchange Admin - Exchange administrative actions
  - Azure AD - Risky sign-ins - Sign-in risk events
  - SecurityComplianceCenter - Security & compliance activities
  - ThreatIntelligence - Threat intelligence events
- Click Next
Configure Retention Duration
- Priority: Set to `1` (highest priority; where record types overlap, the policy with the lower number wins)
- Retention duration: Select `10 years` (or your required period; 10 years requires the 10-Year Audit Log Retention add-on)
- Click Next
Review and Create
- Review your settings
- Click Create policy
Step 5: Create Additional Retention Policies
Create policies for other log categories based on your requirements:
Policy 2: Administrative Actions (7 Years)
- Click + Create an audit retention policy
- Name: `Administrative Actions - 7 Years`
- Record types: Select:
  - Exchange Admin
  - SharePoint Admin
  - Microsoft Teams Admin
  - Power Platform Admin Center
- Priority: `2`
- Retention duration: `7 years`
- Create the policy
Policy 3: User Activity (2 Years)
- Click + Create an audit retention policy
- Name: `User Activity - 2 Years`
- Record types: Select:
  - Exchange
  - SharePointFileOperation
  - MicrosoftTeams
  - OneDrive
- Priority: `3`
- Retention duration: `2 years`
- Create the policy
Policy 4: Default Catch-All (1 Year)
- Click + Create an audit retention policy
- Name: `Default Retention - 1 Year`
- Record types: Select every record type not already covered by a higher-priority policy. A policy must name at least one record type or user; there is no blank catch-all, and anything matched by no policy simply keeps the default retention for your license
- Priority: `10` (lowest of the policies defined here; lower number = higher priority)
- Retention duration: `1 year`
- Create the policy
Step 6: Configure User-Specific Retention (Optional)
For specific high-risk users (executives, IT admins), create targeted policies:
- Click + Create an audit retention policy
- Name: `Executive User Logs - 10 Years`
- Record types: Select all relevant types
- Under Users, add the specific high-risk users
- Priority: `1`
- Retention duration: `10 years`
- Create the policy
Step 7: Verify Policy Application
- Navigate to Audit > Audit retention policies
- Confirm all policies show status as Active
- Verify priority ordering is correct (lower number = higher priority)
Test Policy Coverage
- Go to Audit > Search
- Run a test search for recent activities
- Verify results appear correctly
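Steps 3 through 7 as one idempotent script, added here as an example and not taken from the original guide. It uses the New-UnifiedAuditLogRetentionPolicy and Get-UnifiedAuditLogRetentionPolicy cmdlets from Exchange Online PowerShell, which back the same Purview pages. Assumptions: the policy names, record-type selections and the executive UPN are placeholders to adjust; record-type names must match Microsoft's AuditLogRecordType enumeration; and the RetentionDuration values used (TwelveMonths, TenYears) are the ones documented for that parameter, with TenYears additionally requiring the 10-Year Audit Log Retention add-on. The 7-year and 2-year tiers from Step 5 follow the same pattern with whichever enumeration value the cmdlet accepts for that period in your tenant.

```powershell
# Added example (not from the original guide): create the tiered audit
# retention policies from Steps 4-6 and verify them as in Step 7.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator
# or Organization Management role. Policy names, record types and the
# example user are placeholders to adjust for your tenant.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Each hashtable maps onto New-UnifiedAuditLogRetentionPolicy parameters so it
# can be splatted. Where record types overlap, the lower Priority value wins.
$policies = @(
    @{
        Name              = 'Critical Security Logs - 10 Years'
        Description       = 'Retains high-priority security and compliance audit records for 10 years'
        RecordTypes       = @('AzureActiveDirectory', 'AzureActiveDirectoryStsLogon',
                              'ExchangeAdmin', 'SecurityComplianceCenter', 'ThreatIntelligence')
        RetentionDuration = 'TenYears'      # needs the 10-Year Audit Log Retention add-on
        Priority          = 1
    },
    @{
        # Step 6 user-scoped policy; the UPN is a placeholder. Given its own
        # priority so the effective order stays unambiguous.
        Name              = 'Executive User Logs - 10 Years'
        Description       = 'Retains all audit activity for named high-risk users for 10 years'
        RecordTypes       = @('AzureActiveDirectory', 'ExchangeItem', 'SharePointFileOperation', 'OneDrive')
        UserIds           = @('cfo@example.com')
        RetentionDuration = 'TenYears'
        Priority          = 2
    },
    @{
        Name              = 'User Activity - 1 Year'
        Description       = 'Retains user-level activity for 12 months'
        RecordTypes       = @('ExchangeItem', 'SharePointFileOperation', 'MicrosoftTeams', 'OneDrive')
        RetentionDuration = 'TwelveMonths'
        Priority          = 3
    }
)

$existing = @(Get-UnifiedAuditLogRetentionPolicy)
foreach ($p in $policies) {
    if ($existing.Name -contains $p.Name) {
        Write-Host ("Policy '{0}' already exists; skipping" -f $p.Name)
        continue
    }
    try {
        New-UnifiedAuditLogRetentionPolicy @p -ErrorAction Stop | Out-Null
        Write-Host ("Created '{0}' (priority {1}, {2})" -f $p.Name, $p.Priority, $p.RetentionDuration)
    }
    catch {
        # Typical causes: no Audit Premium / 10-year add-on licence, or a record
        # type name outside the AuditLogRecordType enumeration.
        Write-Warning ("Failed to create '{0}': {1}" -f $p.Name, $_.Exception.Message)
    }
}

# Verification (Step 7): show policies in effective order, then flag record
# types claimed by two policies at the same priority, where the winner is ambiguous.
$all = Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority
$all | Format-Table Name, Priority, RetentionDuration,
    @{ Name = 'RecordTypes'; Expression = { $_.RecordTypes -join ',' } } -AutoSize

$byType = @{}
foreach ($pol in $all) {
    foreach ($rt in $pol.RecordTypes) {
        if (-not $byType.ContainsKey($rt)) { $byType[$rt] = @() }
        $byType[$rt] += $pol
    }
}
foreach ($rt in $byType.Keys) {
    $clash = $byType[$rt] | Group-Object Priority | Where-Object { $_.Count -gt 1 }
    foreach ($c in $clash) {
        Write-Warning ("{0}: policies {1} share priority {2}" -f $rt,
            (($c.Group | ForEach-Object Name) -join ', '), $c.Name)
    }
}

# Coverage probe: are the record types the top policy protects arriving at all?
$end   = Get-Date
$start = $end.AddDays(-7)
foreach ($rt in $policies[0].RecordTypes) {
    $hit = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $rt -ResultSize 1
    Write-Host ("{0,-32} {1}" -f $rt, $(if ($hit) { 'records present' } else { 'no records in last 7 days' }))
}

Disconnect-ExchangeOnline -Confirm:$false
```

The script skips policies that already exist by name, so it can be re-run safely as part of a tenant baseline. The equal-priority check matters because the portal only shows the list; it does not tell you which of two overlapping policies actually governs a record type. A record type that returns no records in the 7-day probe is worth a second look: either nothing of that kind happened, or that workload's auditing is not producing events, which is the LOG-01 failure mode the retention policy cannot fix.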
Verification Checklist
After enabling unified audit logging:
- Unified Audit Log status shows On in Microsoft Purview
- Sign-in logs are enabled in Entra ID (visible under Monitoring and health)
- Default retention (180 days with Audit (Standard), 1 year with Audit (Premium)) is active
- Retention policies are created for all required log categories (if extended retention is needed)
- Critical security logs have the longest retention (7-10 years for E5 tenants)
- Policy priorities are correctly ordered (no conflicts)
- Test audit search returns expected results
- Retention periods meet compliance requirements
- Policy changes are documented in change management system
Retention Requirements by Compliance Framework
| Framework | Minimum Retention | Recommended |
|---|---|---|
| SOC 2 Type II | 1 year | 3 years |
| HIPAA | 6 years | 7 years |
| PCI DSS | 1 year | 3 years |
| GDPR | Based on purpose | 3-7 years |
| NIST 800-53 | 3 years (varies) | 7 years |
| ISO 27001 | Based on risk assessment | 3-7 years |
| SEC Rule 17a-4 | 6 years | 7 years |
| FINRA | 6 years | 7 years |
| FedRAMP | 3 years | 7 years |
Troubleshooting
Issue: Cannot Create Retention Policies Beyond 1 Year
Cause: Insufficient licensing.
Solution:
- Verify users have Microsoft 365 E5, E5 Compliance, or Audit Premium licenses; 10-year retention additionally requires the 10-Year Audit Log Retention add-on
- Check license assignment in Microsoft 365 admin center
- Wait up to 24 hours after license assignment for features to activate
Issue: Audit Logging Not Enabled
Cause: Unified audit logging was never enabled or was disabled.
Solution:
- Navigate to Audit in compliance portal
- Click Start recording user and admin activity
- Allow up to 60 minutes for the change to take effect; events generated after that point appear in search within hours, but nothing generated while logging was off is recoverable
Issue: Policies Not Applying
Cause: Priority conflicts or policy misconfiguration.
Solution:
- Review policy priority order (lower number = higher priority)
- Ensure policies are in Active status
- Check that record types don't overlap unexpectedly
- Verify user scope is correct
Issue: Historical Logs Missing
Cause: Logs were purged before policy was created.
Solution:
- Retention policies only apply going forward
- Previously purged logs cannot be recovered
- Implement policies immediately to protect current logs
Issue: Cannot Find Specific Activity Types
Cause: Some activities require specific licenses or settings.
Solution:
- Verify the activity type is included in your license
- Some activities require additional configuration:
- Mailbox auditing is on by default for cloud mailboxes, but it can be disabled tenant-wide (AuditDisabled on the organization config), per mailbox (AuditEnabled), or bypassed for a specific account; check all three before assuming Exchange coverage
- SharePoint external sharing logging requires admin configuration
- Teams private channel logs may have separate settings
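An added check for the mailbox-auditing item above, not part of the original guide, using Exchange Online PowerShell: it reads the organization-level AuditDisabled switch, lists mailboxes whose AuditEnabled flag is off, and lists audit-bypass associations, which silently exclude an account's actions from every mailbox audit log. The org-level setting is authoritative for on-by-default auditing, so treat the per-mailbox list as candidates to review rather than a definitive gap list. The spot-check UPN at the end is a placeholder.

```powershell
# Added example (not from the original guide): find gaps in mailbox auditing
# before trusting Exchange audit records. Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator or Global Administrator role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Organization switch. AuditDisabled = $true turns mailbox auditing off
# tenant-wide regardless of per-mailbox settings.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level (AuditDisabled = True)"
    # Set-OrganizationConfig -AuditDisabled $false    # re-enable on-by-default auditing
}
else {
    Write-Host "Organization-level mailbox auditing (on by default) is enabled"
}

# Mailboxes whose AuditEnabled flag is off, with their audit retention window.
# Treat these as candidates to review; re-enable with:
#   Set-Mailbox -Identity <upn> -AuditEnabled $true
$review = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails, AuditEnabled, AuditLogAgeLimit
if ($review) {
    Write-Warning ("{0} mailbox(es) have AuditEnabled = False:" -f @($review).Count)
    $review | Format-Table -AutoSize
}
else {
    Write-Host "No mailboxes have auditing explicitly disabled"
}

# Bypass associations: actions performed BY these accounts are not logged in
# any mailbox they touch. A classic blind spot; the list should be empty or
# every entry justified. Remove with:
#   Set-MailboxAuditBypassAssociation -Identity <name> -AuditBypassEnabled $false
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled
if ($bypass) {
    Write-Warning ("{0} account(s) bypass mailbox auditing:" -f @($bypass).Count)
    $bypass | Format-Table -AutoSize
}
else {
    Write-Host "No mailbox audit bypass associations found"
}

# Spot-check which actions are actually audited on one mailbox (placeholder UPN).
Get-Mailbox -Identity 'user@example.com' |
    Select-Object AuditOwner, AuditDelegate, AuditAdmin, AuditLogAgeLimit |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Bypass associations deserve attention in an incident: an attacker with sufficient privilege can add one for a compromised account, after which that account's mailbox access leaves no Exchange audit trail while the tenant-level status still reads as fully enabled.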
Cost Considerations
License Requirements for Extended Retention
| License | Per User/Month | Features |
|---|---|---|
| Microsoft 365 E5 | ~$57 | 10-year retention, advanced audit |
| E5 Compliance Add-on | ~$12 | 10-year retention, advanced audit |
| Audit (Premium) Add-on | ~$10 | 10-year retention only |
Storage Considerations
- Audit logs are stored in Microsoft's infrastructure
- No additional storage costs for extended retention
- Export to external SIEM may incur egress costs
Optimization Tips
- Selective licensing: Only assign E5/Audit Premium to users requiring extended retention
- Tiered retention: Use shorter retention for low-risk activities
- Export critical logs: Consider exporting to Azure Log Analytics for advanced analysis
Related Controls
- LOG-02: Sign-In Log Export - Export logs to external SIEM
- LOG-03: Security Alerts - Configure alerting for audit events
- LOG-04: Privileged Operation Alerts - Alert on admin actions
- GOV-04: Incident Response - Use audit logs during investigations