Texas A&M University - Work In Progress

Microsoft Purview Audit provides comprehensive activity logging across Microsoft 365 for security investigations and compliance.

Audit

Microsoft Purview Audit is your organization's activity recorder for Microsoft 365. Every user action, admin change, and system event is captured in the Unified Audit Log—providing the visibility you need for security investigations, compliance reporting, and forensic analysis.


What is Audit?

Audit captures activity across all Microsoft 365 workloads:

| Workload | Examples of Logged Activities |
|---|---|
| Exchange Online | Emails sent, mailbox access, delegate actions |
| SharePoint/OneDrive | File views, downloads, shares, permission changes |
| Teams | Channel creation, meeting joins, message deletes |
| Entra ID | Sign-ins, password changes, group modifications |
| Purview | Label applications, DLP matches, eDiscovery actions |

Audit vs. Audit (Premium)

| Capability | Audit (Standard) | Audit (Premium) |
|---|---|---|
| Log Retention | 180 days | 1 year (up to 10 years) |
| MailItemsAccessed | | Forensic mailbox auditing |
| Search API | Basic | High-bandwidth access |
| Intelligent Insights | | Crucial event identification |
| License | E3/A3 | E5/A5 |

Why Premium Matters

MailItemsAccessed events are essential for breach investigations. Without Premium, you can see who logged in but not what emails they read. This is critical for determining data exposure in security incidents.
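
One way to scope mailbox exposure from exported audit records, as an added example that is not part of the original page: it counts sign-ins and collects the message IDs that MailItemsAccessed records show one account read inside a time window. The field names (OperationProperties, MailAccessType, IsThrottled, Folders, FolderItems, InternetMessageId) are assumed to match the exported audit record layout, and every sample record is constructed.

```python
from datetime import datetime

def mia_record(time, user, access, ids=(), throttled="False"):
    """Build one constructed MailItemsAccessed record (field names are assumed)."""
    return {"CreationTime": time, "Operation": "MailItemsAccessed", "UserId": user,
            "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                    {"Name": "IsThrottled", "Value": throttled}],
            "Folders": [{"Path": "\\Inbox",
                         "FolderItems": [{"InternetMessageId": i} for i in ids]}]}

# Constructed sample records, not real audit data.
SAMPLE = [
    {"CreationTime": "2024-05-02T09:14:07", "Operation": "UserLoggedIn",
     "UserId": "alice@example.edu"},
    mia_record("2024-05-02T09:16:30", "alice@example.edu", "Bind",
               ["<m1@example.edu>", "<m2@example.edu>"]),
    mia_record("2024-05-02T09:20:00", "alice@example.edu", "Sync"),
    mia_record("2024-05-02T09:21:00", "bob@example.edu", "Bind", ["<m3@example.edu>"]),
    mia_record("2024-05-03T11:00:00", "alice@example.edu", "Bind", ["<m4@example.edu>"]),
]

def mail_exposure(records, user, start, end):
    """Summarize what the audit records show for `user` between start and end."""
    out = {"sign_ins": 0, "message_ids": set(), "sync_events": 0, "throttled": False}
    for rec in records:
        when = datetime.fromisoformat(rec["CreationTime"])
        if rec.get("UserId", "").lower() != user.lower() or not start <= when <= end:
            continue  # other account, or outside the suspected compromise window
        if rec["Operation"] == "UserLoggedIn":
            out["sign_ins"] += 1  # the "who logged in" part of the picture
        elif rec["Operation"] == "MailItemsAccessed":
            props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
            if props.get("IsThrottled", "False").lower() == "true":
                out["throttled"] = True  # logging was throttled: the list is incomplete
            if props.get("MailAccessType") == "Sync":
                out["sync_events"] += 1  # folder synced to a client: no per-message list
            else:
                for folder in rec.get("Folders", []):
                    for item in folder.get("FolderItems", []):
                        out["message_ids"].add(item["InternetMessageId"])
    return out

if __name__ == "__main__":
    window = (datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 10, 0))
    print(mail_exposure(SAMPLE, "alice@example.edu", *window))
```
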


Key Use Cases

Security Investigations

Trace user activity during suspected account compromise. See exactly what files were accessed, emails read, and actions taken.

Compliance Reporting

Generate audit reports for regulatory requirements. Demonstrate who accessed sensitive data and when.

Insider Threat Detection

Feed audit data to Insider Risk Management for behavioral analytics and anomaly detection.

Provide activity evidence for eDiscovery cases. Audit logs complement content preservation.


| Resource | Description |
|---|---|
| Microsoft Purview Audit | Search the audit log |
| Audit Log Activities | Complete activity reference |
| Implementation Guide | Enterprise deployment guide |