This chapter covers Audit Log Search and Retention in Microsoft 365 — a cornerstone of security investigations, compliance, and forensic analysis. For the MS-102 exam, this topic appears in roughly 10–15% of questions under Objective 3.4, often as part of scenario-based questions that require you to configure retention, search for specific events, or troubleshoot missing logs. You will learn the underlying mechanics, default values, licensing requirements, and how to use both the Microsoft 365 Defender portal and PowerShell to manage audit data.
Imagine a bank with 24/7 video surveillance covering every teller station, ATM, and vault door. Each camera records continuously, but the footage is stored in a rolling buffer — old tapes are overwritten after 90 days unless flagged for longer retention. The bank's security team can search footage by time, location, or event (e.g., 'all transactions over $10,000'). A robbery investigation might require retrieving footage from a specific camera at a specific time, but if the event happened 100 days ago, the tape has already been recycled. To avoid this, the bank can mark certain cameras for 365-day retention or archive footage to a separate long-term storage vault. Similarly, Microsoft 365 audit logs record every 'transaction' (user action) across Exchange, SharePoint, Azure AD, etc., with a default 90-day retention. For compliance or forensic investigations, admins must assign specific licenses (E5/A5/G5) or use Audit Log Retention policies to extend retention up to 10 years. The audit log search interface is like the bank's DVR playback: you filter by date range, activity type, user, or workload, and the system retrieves matching events from the appropriate storage tier — hot (fast, recent), warm (standard retention), or cold (long-term archive). Misconfiguring retention policies is like telling the bank to keep all ATM footage for 10 years but forgetting to extend the vault door cameras — you'll miss critical evidence.
What Are Audit Logs and Why Do They Exist?
Audit logs in Microsoft 365 capture a detailed record of every user and admin action across the service. Every time a user accesses a file, sends an email, changes a setting, or signs in, an audit event is generated. These logs are the foundation for:
Security incident investigations (e.g., 'Who accessed the CEO's mailbox last night?')
Compliance audits (e.g., 'Show all external sharing events in the last 90 days')
Insider risk detection (e.g., 'Did an admin delete a user account right after a termination?')
Forensic analysis (e.g., 'Trace the exact sequence of actions before a data exfiltration')
Without audit logs, you are blind to what happened in your tenant. The exam tests your ability to enable, configure, search, and retain these logs.
How Audit Logging Works Internally
When a user performs an action in any Microsoft 365 workload (Exchange Online, SharePoint Online, Azure AD, Teams, etc.), the workload's service generates an audit record. This record is structured as a JSON object containing:
- CreationTime: UTC timestamp of the action
- Operation: The specific action (e.g., 'UserLoggedIn', 'FileModified', 'MailboxPermissionChanged')
- UserId: The user who performed the action (UPN or GUID)
- ClientIP: The IP address of the client
- Workload: The source service (e.g., 'Exchange', 'SharePoint', 'AzureActiveDirectory')
- ObjectId: The target resource (e.g., a file URL, mailbox ID, user object)
- Details: Additional properties depending on the operation
The record is first written to a hot storage tier (Azure Cosmos DB) for near-real-time availability. Within minutes, it becomes searchable via the Microsoft 365 Defender portal (under Audit > Search) or via the Search-UnifiedAuditLog PowerShell cmdlet. After the default retention period (90 days for users with appropriate licenses), the record is moved to a cold storage tier (Azure Blob Storage) where it is still available for search but may take longer to retrieve. If a longer retention policy is applied, the record is copied to a long-term archive (Azure Cool Blob or Archive tier) and remains searchable for up to 10 years.
Key Components, Defaults, and Timers
Default retention: 90 days for users with Exchange Online Plan 2, Microsoft 365 E3, or any license that includes audit logging. For E5/A5/G5 licenses, default retention is 365 days. Important: The retention period is based on the license of the user whose actions are being audited, not the admin searching the logs.
Maximum retention: 10 years with Audit Log Retention policies (requires E5/A5/G5 or add-on licenses like Microsoft 365 E5 Compliance).
Audit log search availability: Events typically appear within 30 minutes of the action, but some operations (e.g., Azure AD sign-ins) can take up to 24 hours.
Search limits: You can search up to 90 days at a time (or the retention period if shorter). For longer searches, you must break the query into multiple date ranges.
Export limits: You can export up to 50,000 records per search to a CSV file. For larger results, use PowerShell with pagination.
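As an added example (not code from the course page), the following PowerShell function puts the two limits above together: it splits a long window into 90-day chunks, pages each chunk with the cmdlet's -SessionId / -SessionCommand ReturnLargeSet pattern (5,000 records per call, 50,000 per session), and flattens the AuditData JSON into the fields listed under How Audit Logging Works so the output can be filtered or exported. It assumes an Exchange Online PowerShell session; admin@contoso.com, alice@contoso.com and the CSV path are placeholders.

```powershell
# Added example, not the course page's code. Requires the ExchangeOnlineManagement module.
# Placeholders: admin@contoso.com, alice@contoso.com, C:\AuditLogs\alice-downloads.csv

function Get-AuditEventsChunked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,
        [string[]] $UserIds,
        [int] $ChunkDays = 90          # the per-query date-range limit stated in the chapter
    )

    $windowStart = $StartDate
    while ($windowStart -lt $EndDate) {
        $windowEnd = $windowStart.AddDays($ChunkDays)
        if ($windowEnd -gt $EndDate) { $windowEnd = $EndDate }

        # One SessionId per window. ReturnLargeSet hands back the next page on every
        # call that reuses the same SessionId; ResultSize cannot exceed 5000 per call.
        $sessionId = [guid]::NewGuid().ToString()
        do {
            $params = @{
                StartDate      = $windowStart
                EndDate        = $windowEnd
                SessionId      = $sessionId
                SessionCommand = 'ReturnLargeSet'
                ResultSize     = 5000
            }
            if ($Operations) { $params['Operations'] = $Operations }
            if ($UserIds)    { $params['UserIds']    = $UserIds }

            $page = Search-UnifiedAuditLog @params
            foreach ($record in $page) {
                # AuditData is a JSON string; expand it into the documented record fields.
                $data = $record.AuditData | ConvertFrom-Json
                [pscustomobject]@{
                    CreationTime = $data.CreationTime
                    Operation    = $data.Operation
                    UserId       = $data.UserId
                    ClientIP     = $data.ClientIP
                    Workload     = $data.Workload
                    ObjectId     = $data.ObjectId
                    RecordType   = $record.RecordType
                    ResultStatus = $data.ResultStatus
                }
            }
        } while ($page -and $page.Count -gt 0)   # an empty page means the session is exhausted

        $windowStart = $windowEnd
    }
}

# Usage: 180 days of one user's SharePoint downloads, which the portal cannot do in one query.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Get-AuditEventsChunked -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) `
    -Operations FileDownloaded -UserIds alice@contoso.com |
    Export-Csv -Path 'C:\AuditLogs\alice-downloads.csv' -NoTypeInformation
```

The chunk loop only returns what the tenant still holds: for an E3 user with default retention, the first 90 days of that 180-day window come back empty, which is exactly the symptom the scenarios later in this chapter describe.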
Configuration and Verification
To enable audit logging (it is ON by default for most tenants since 2017), verify in the Microsoft 365 Defender portal:
1. Go to Audit > Search.
2. If you see a banner saying 'Start recording user and admin activity', click Start recording.
3. This enables unified audit logging across all workloads.
To check current retention settings:
1. In Microsoft 365 Defender, go to Audit > Audit log retention policies.
2. Here you can create policies to extend retention for specific workloads or users.
Using PowerShell (Exchange Online Management module):
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# View current audit log retention policies
Get-UnifiedAuditLogRetentionPolicy | Format-List
# Create a new retention policy for 1 year for SharePoint activities.
# The cmdlet scopes a policy by -RecordTypes (there is no -Workload parameter), takes a
# named -RetentionDuration (OneYear, not a day count), and requires a -Priority (1 = highest).
New-UnifiedAuditLogRetentionPolicy -Name "SharePoint 1 Year" -RecordTypes SharePointFileOperation -RetentionDuration OneYear -Priority 100 -Description "Retain SharePoint audit logs for 1 year"
To search audit logs:
# Search for all user logins in the last 7 days
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations UserLoggedIn -ResultSize 1000
# Export to CSV. -ResultSize is capped at 5000 per call; to reach the 50,000-record
# maximum, page with -SessionId and -SessionCommand ReturnLargeSet.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 | Export-Csv -Path "C:\AuditLogs.csv" -NoTypeInformation
Interaction with Related Technologies
Microsoft 365 Defender: Audit logs feed into the unified investigation experience. Incidents in Defender may reference audit log events.
Compliance Center (Microsoft Purview): Audit logs are the basis for eDiscovery, Data Lifecycle Management, and Insider Risk Management.
Azure Monitor: You can stream audit logs to Azure Monitor for advanced analytics and alerting using diagnostic settings.
Microsoft Graph API: Programmatic access to audit logs via the auditLog endpoint (beta).
The exam often asks about the relationship between audit logs and eDiscovery — for example, if you need to preserve audit logs for a litigation hold, you must use an Audit Log Retention policy, not a regular eDiscovery hold (which only applies to content).
Trap Patterns on the Exam
License confusion: Many candidates think E3 gives 365-day retention. Wrong — E3 gives 90 days; E5 gives 365 days. The exam may present a scenario where an E3 user's logs are only available for 90 days, and the admin needs to investigate an event from 120 days ago. The correct answer is to assign an E5 license or create a retention policy (which requires E5).
Retention policy scope: Retention policies apply to specific workloads or users, not to the entire tenant by default. A common wrong answer is to create a global retention policy — there is no such thing. You must specify at least one workload.
Search across tenants: Audit logs are per-tenant. You cannot search another tenant's logs unless you have delegated access via cross-tenant audit log search (a separate feature).
Retention vs. hold: A retention policy keeps logs for a fixed period; a hold (like litigation hold) preserves logs indefinitely. The exam may ask which to use for a specific compliance requirement.
Enable Unified Audit Logging
Before any audit events are captured, unified audit logging must be enabled. In most tenants created after 2017, this is ON by default. To verify, go to Microsoft 365 Defender > Audit > Search. If you see a 'Start recording' banner, click it. This action enables audit logging for all workloads. Without this, no audit events are generated. On the exam, if a scenario describes missing audit logs, the first step is to check if audit logging is enabled. You can also enable it via PowerShell: `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`.
Generate Audit Events
Once enabled, every user and admin action that is auditable generates an event. For example, when a user accesses a SharePoint file, the SharePoint Online service creates an audit record with the user, file URL, operation (FileAccessed), timestamp, and client IP. Not all operations are audited by default — some require specific licensing (e.g., Mailbox audit logging for non-owner actions requires Exchange Online Plan 2 or E5). The event is sent to the unified audit log pipeline within minutes.
Ingest and Index Events
Audit events are ingested into a scalable pipeline that indexes them for fast search. The events are stored in a hot tier (Cosmos DB) for immediate querying. Indexing includes fields like CreationTime, Operation, UserId, and Workload. This step is transparent to administrators — you don't configure it. However, if you search immediately after an event, it may not appear for up to 30 minutes (sometimes 24 hours for Azure AD sign-ins). The exam may test this latency: a candidate might expect real-time results but must wait.
Search Audit Logs
Admins search audit logs using the Microsoft 365 Defender portal or PowerShell. In the portal, specify a date range (max 90 days), select operations (e.g., 'User logged in'), and optionally filter by user, workload, or IP. The search returns up to 50,000 results displayed in a table. You can export to CSV. For larger datasets, use PowerShell with pagination. The exam might ask: 'An admin needs to find events from 6 months ago but only sees 90 days. What is the issue?' The answer: default retention is 90 days; they need a retention policy.
Apply Retention Policies
To retain audit logs beyond the default (90 days for E3, 365 days for E5), create Audit Log Retention Policies. In the portal, go to Audit > Audit log retention policies > Create. You must specify a name, choose one or more workloads (e.g., Exchange, SharePoint), and set a retention duration (in days up to 3650). The policy applies to all users in the tenant for those workloads. You can also create a policy that targets specific users (e.g., for VIPs). This step is critical for compliance with regulations like GDPR or SOX. The exam tests that retention policies are workload- or user-specific, not global.
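As an added example (not the course page's code), the PowerShell below creates the two kinds of policy this step describes, a workload-scoped one for all users and a user-scoped one for VIPs, and then verifies them. It assumes an Exchange Online PowerShell session and E5 or add-on licensing as described above; the policy names, UPNs and priority values are constructed placeholders.

```powershell
# Added example, not the course page's code. Requires the ExchangeOnlineManagement module.
# Placeholders: policy names, ceo@contoso.com, cfo@contoso.com, priority values.

# 1. Tenant-wide: keep SharePoint file and sharing activity for one year.
#    New-UnifiedAuditLogRetentionPolicy scopes by -RecordTypes (audit record types, not
#    "workloads"), takes a named -RetentionDuration (SixMonths, NineMonths, OneYear,
#    ThreeYears, FiveYears, SevenYears, TenYears) and requires a -Priority between 1 and
#    10000, where 1 is the highest and the lower number wins when policies overlap.
New-UnifiedAuditLogRetentionPolicy -Name 'SharePoint 1 Year' `
    -Description 'Retain SharePoint file and sharing events for one year' `
    -RecordTypes SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration OneYear `
    -Priority 100

# 2. VIP users: keep everything they do for the 10-year maximum. No -RecordTypes means the
#    policy covers all of these users' activity; the lower Priority makes it win over
#    the SharePoint policy for them.
$vips = 'ceo@contoso.com', 'cfo@contoso.com'
New-UnifiedAuditLogRetentionPolicy -Name 'VIP 10 Year' `
    -Description 'Maximum retention for executive activity' `
    -UserIds $vips `
    -RetentionDuration TenYears `
    -Priority 10

# 3. Verify: list every policy with the fields that decide what it covers, highest priority first.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, Priority, RetentionDuration, RecordTypes, UserIds -AutoSize
```

Neither policy changes what already exists in the log: records generated before the policy was created keep the retention they had when they were written, which is why the scenarios below stress creating policies ahead of an incident.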
Scenario 1: Insider Data Theft Investigation
A financial firm suspects an employee downloaded sensitive client data from SharePoint before resigning. The security team needs to see all file download events for that user in the last 6 months. However, the tenant has default E3 licenses (90-day retention). The events older than 90 days are no longer searchable. To solve this, the firm must implement a proactive Audit Log Retention Policy: create a policy for SharePoint with 365-day retention for all users. In production, this is configured in the Microsoft 365 Defender portal under Audit > Audit log retention policies. The policy takes effect immediately, but only for events generated after the policy is created — it does not retroactively retain already-expired logs. Therefore, the firm also needs to ensure that future events are retained. For the current investigation, they are out of luck — the logs are gone. This highlights the importance of setting retention policies before an incident occurs. Performance considerations: retention policies do not impact search speed; they only affect storage costs. Misconfiguration: creating a policy that targets 'All workloads' but forgetting to include SharePoint would leave SharePoint logs at default retention.
Scenario 2: Compliance Audit for GDPR
A healthcare organization must demonstrate that they can produce audit logs for any user action within the last 2 years for GDPR compliance. They have E5 licenses, which give 365-day default retention, but they need 730 days. They create an Audit Log Retention Policy for all workloads with a duration of 730 days. However, they also need to ensure that logs are not deleted before the retention period ends. They must not use a litigation hold (which preserves logs indefinitely but is not time-bound). Instead, they rely on the retention policy. The compliance officer periodically exports logs to an external SIEM for long-term storage. The exam might ask: 'What is the maximum retention you can configure for audit logs?' Answer: 10 years (3650 days).
Scenario 3: Troubleshooting Missing Logs
An admin notices that some user actions are not appearing in audit log searches. Common causes in production: (1) Audit logging was not enabled for a specific workload — e.g., mailbox audit logging for non-owner actions is OFF by default in some older tenants. (2) The user's license does not include audit logging (e.g., Exchange Online Plan 1 logs mailbox actions only for admins). (3) The event is too recent — wait 30 minutes. (4) The search date range exceeds the retention period. The admin should verify enabling via PowerShell: `Get-Mailbox -Identity user@contoso.com | fl AuditEnabled`. If false, enable with `Set-Mailbox -Identity user@contoso.com -AuditEnabled $true`. The exam loves this: 'An admin cannot see mailbox audit logs for a user. What should they check first?' Answer: Whether mailbox audit logging is enabled for that user.
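As an added example (not the course page's code), this PowerShell function runs the checks from Scenario 3 and the Enable Unified Audit Logging step in order and returns one object with the findings and the exact remediation cmdlet for each: unified audit log ingestion, org-wide mailbox auditing, per-mailbox auditing, event latency, and whether the event is already past the default retention window. It assumes an Exchange Online PowerShell session; the UPNs are placeholders, and the licence check (cause 2) is left out because it needs a separate Microsoft Graph or MSOnline session.

```powershell
# Added example, not the course page's code. Requires the ExchangeOnlineManagement module.
# Placeholders: admin@contoso.com, user@contoso.com.

function Test-AuditLogPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [datetime] $EventTime,                  # when the missing event happened, if known
        [int] $DefaultRetentionDays = 90,       # the chapter's default for E3 users
        [int] $LatencyMinutes = 30              # the chapter's typical ingestion delay
    )

    $ingestionOn  = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    $orgAuditOff  = (Get-OrganizationConfig).AuditDisabled
    $mailbox      = Get-Mailbox -Identity $UserPrincipalName
    $now          = Get-Date

    $result = [pscustomobject]@{
        User                      = $UserPrincipalName
        UnifiedAuditLogEnabled    = $ingestionOn
        OrgMailboxAuditingEnabled = -not $orgAuditOff
        MailboxAuditEnabled       = $mailbox.AuditEnabled
        EventTooRecent            = $false
        EventBeyondRetention      = $false
        Findings                  = @()
    }

    # Cause 1: nothing is recorded at all, or mailbox auditing is off org-wide / per mailbox.
    if (-not $ingestionOn) {
        $result.Findings += 'Unified audit logging is off: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
    }
    if ($orgAuditOff) {
        $result.Findings += 'Mailbox auditing is disabled org-wide: Set-OrganizationConfig -AuditDisabled $false'
    }
    if (-not $mailbox.AuditEnabled) {
        $result.Findings += "Mailbox auditing is off for ${UserPrincipalName}: Set-Mailbox -Identity $UserPrincipalName -AuditEnabled `$true"
    }

    # Causes 3 and 4: latency, or the event fell out of the default retention window.
    # $PSBoundParameters distinguishes "not supplied" from the [datetime] default value.
    if ($PSBoundParameters.ContainsKey('EventTime')) {
        if ($EventTime -gt $now.AddMinutes(-$LatencyMinutes)) {
            $result.EventTooRecent = $true
            $result.Findings += "Event is under $LatencyMinutes minutes old; ingestion may not have caught up (Azure AD sign-ins can take up to 24 hours)"
        }
        if ($EventTime -lt $now.AddDays(-$DefaultRetentionDays)) {
            $result.EventBeyondRetention = $true
            $result.Findings += "Event is older than $DefaultRetentionDays days; it is only still held if a retention policy or E5 licence covered the user when it was generated"
        }
    }

    if ($result.Findings.Count -eq 0) {
        $result.Findings += 'Prerequisites look correct; check the search date range and operation filter next'
    }
    $result
}

# Usage: a mailbox event reported from 120 days ago.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Test-AuditLogPrerequisites -UserPrincipalName user@contoso.com -EventTime (Get-Date).AddDays(-120) |
    Select-Object -ExpandProperty Findings
```

The function deliberately reports rather than fixes: the remediation cmdlets it prints are the same ones the chapter names, and the admin decides whether to run them.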
MS-102 Objective 3.4: Audit Log Search and Retention
The exam tests your ability to configure and manage audit log retention, search audit logs for specific events, and troubleshoot missing logs. Key objective codes:
Configure audit log retention policies
Search and export audit logs
Interpret audit log entries
Troubleshoot audit log gaps
Most Common Wrong Answers and Why Candidates Choose Them
'Assign an E3 license to extend retention to 365 days' — Many candidates confuse E3 with E5. E3 gives 90 days; E5 gives 365 days. The exam will present a scenario where logs older than 90 days are needed, and the user has E3. The correct answer is to assign an E5 license or create a retention policy (which requires E5). Wrong answer: assign E3.
'Use a litigation hold to preserve audit logs' — Litigation holds apply to content (mailboxes, sites), not audit logs. Audit logs are preserved via Audit Log Retention Policies. Candidates see 'hold' and think it applies to everything.
'Audit logs are available immediately' — The exam will test latency. A candidate might expect real-time results, but the correct answer is that events appear within 30 minutes (or up to 24 hours for Azure AD).
'Create a global retention policy' — There is no 'global' policy; you must specify workloads (or users). The portal does offer an 'All workloads' option, but the exam may phrase the wrong answer as 'global' to trick you into treating retention as tenant-wide.
Specific Numbers and Values to Memorize
- Default retention: 90 days (E3), 365 days (E5)
- Maximum retention: 10 years (3650 days)
- Search date range limit: 90 days per query
- Export limit: 50,000 records per search
- Event latency: 30 minutes (most), up to 24 hours (Azure AD)
- PowerShell cmdlets: Search-UnifiedAuditLog, Get-UnifiedAuditLogRetentionPolicy, New-UnifiedAuditLogRetentionPolicy
Edge Cases and Exceptions
- Mailbox audit logging for non-owner actions is OFF by default in tenants created before 2019. You must enable it per mailbox or via organization config.
- Azure AD audit logs (sign-ins) are separate from unified audit logs in some older views. The unified audit log includes Azure AD events, but you can also view them in the Azure AD portal.
- Retention policies do not apply retroactively. If you create a 1-year policy today, events from 6 months ago will still expire at their original 90-day mark.
- Some operations (e.g., Teams messages) are only audited if you have a license that includes that workload (e.g., E5 for Teams retention).
How to Eliminate Wrong Answers
- If a question asks about preserving logs beyond default, the answer must involve an Audit Log Retention Policy or an E5 license. Not litigation hold, not eDiscovery hold.
- If a question asks why logs are missing, check: (1) Is audit logging enabled? (2) Is the workload audited? (3) Is the retention period exceeded? (4) Is there latency? (5) Is the user licensed?
- If a question asks about maximum retention, the answer is 10 years (3650 days). Anything else is wrong.
Default audit log retention is 90 days for E3, 365 days for E5.
Maximum audit log retention is 10 years (3650 days) via Audit Log Retention Policy.
Audit events appear within 30 minutes (most) to 24 hours (Azure AD).
Search date range is limited to 90 days per query; export limit is 50,000 records.
Audit Log Retention Policies are workload- or user-specific, not global.
Enable unified audit logging via Microsoft 365 Defender or PowerShell.
Litigation holds do NOT preserve audit logs; use retention policies.
PowerShell cmdlets: Search-UnifiedAuditLog, Get/New-UnifiedAuditLogRetentionPolicy.
Mailbox audit logging for non-owner actions may need to be enabled separately.
Retention policies do not apply retroactively; plan ahead.
These come up on the exam all the time. Here's how to tell them apart.
Default 90-Day Retention (E3)
Applies to Microsoft 365 E3, Business Standard, and other non-E5 licenses
Audit logs are automatically deleted after 90 days
Cannot search for events older than 90 days without a retention policy
Retention policies can extend to 10 years, but require E5 license or add-on
Cost: lower storage cost, but risk of losing critical forensic data
Default 365-Day Retention (E5)
Applies to Microsoft 365 E5, A5, G5, and Compliance add-ons
Audit logs are retained for 365 days by default
Can search for events up to 365 days without additional configuration
Retention policies can extend to 10 years natively
Cost: higher storage cost, but better compliance posture
Mistake
Audit logs are retained for 365 days for all Microsoft 365 users.
Correct
Only users with E5, A5, or G5 licenses get 365-day default retention. E3 and other licenses have 90-day default retention. You can extend retention up to 10 years with Audit Log Retention Policies, but that requires E5 or add-on compliance licenses.
Mistake
Enabling audit logging in the portal is optional; audit logs are always captured.
Correct
Unified audit logging must be explicitly enabled. In tenants created before 2017, it may be OFF. You must verify and enable it via the Microsoft 365 Defender portal or PowerShell. Without enabling, no audit events are generated.
Mistake
Retention policies apply to all audit logs in the tenant automatically.
Correct
Retention policies are workload- or user-specific. You must select at least one workload (e.g., Exchange, SharePoint) when creating a policy. There is no 'global' policy that covers everything.
Mistake
Audit logs are available in real-time for searching.
Correct
Most audit events appear within 30 minutes, but some (especially Azure AD sign-ins) can take up to 24 hours. Searching immediately after an action may yield no results.
Mistake
Litigation holds preserve audit logs.
Correct
Litigation holds apply to content (mailboxes, SharePoint sites). Audit logs are preserved only through Audit Log Retention Policies or by exporting them to external storage.
The default retention is 90 days for users with Microsoft 365 E3 (or equivalent) licenses, and 365 days for users with E5, A5, or G5 licenses. Retention is based on the license of the user whose actions are audited, not the admin searching. You can extend retention up to 10 years using Audit Log Retention Policies, which require E5 or add-on compliance licenses. On the exam, remember: E3 = 90 days, E5 = 365 days, and retention policies can go to 10 years.
If your tenant has default 90-day retention, you cannot search logs older than 90 days unless you have previously created an Audit Log Retention Policy that extended retention for those workloads. If you need to search older logs, you must first create a retention policy (requires E5 license) to retain future logs, but it will not recover already-expired logs. The exam may ask: 'An admin needs to investigate an event from 6 months ago. What should they do?' The correct answer is to create a retention policy for future events, but the old logs are lost.
Audit Log Retention Policy is a time-based policy that retains audit logs for a specified duration (up to 10 years). Litigation Hold is a hold on content (mailboxes, SharePoint sites) that preserves all content indefinitely. Litigation Hold does NOT apply to audit logs. The exam may present a scenario where an admin needs to preserve audit logs for a legal case; the correct action is to create an Audit Log Retention Policy, not place a litigation hold.
Common reasons: (1) Audit logging is not enabled for the specific workload (e.g., mailbox audit logging for non-owner actions may be off). (2) The event is too recent — wait up to 30 minutes (or 24 hours for Azure AD). (3) The search date range exceeds the retention period. (4) The user performing the action does not have a license that includes audit logging. (5) The operation is not audited by default (e.g., certain Teams activities require E5). Check each of these systematically.
The portal export limit is 50,000 records per search. To export more, use PowerShell with pagination. For example, loop over `Search-UnifiedAuditLog` with `-ResultSize 5000`, passing the same `-SessionId` value and `-SessionCommand ReturnLargeSet` on every call until a call returns no records. Alternatively, use the Microsoft Graph API for programmatic access. The exam may test the export limit as a known constraint.
10-year retention requires an Audit Log Retention Policy, which is available with Microsoft 365 E5, A5, G5, or add-on licenses like Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit. Users with E3 licenses cannot create or benefit from retention policies unless they have an add-on. The exam often asks: 'Which license is needed for 10-year retention?' Answer: E5 or equivalent.
Mailbox audit logging for non-owner actions (e.g., delegate access) is OFF by default in tenants created before 2019. To enable it for all users, run: `Set-OrganizationConfig -AuditDisabled $false` (this enables it org-wide). Then, to enable per mailbox, use: `Set-Mailbox -Identity user -AuditEnabled $true`. For new tenants, it is ON by default. The exam may ask why certain mailbox actions are not logged; the answer is often that mailbox audit logging is not enabled.