This chapter covers Microsoft 365 reporting capabilities focused on security and compliance, a critical area for the MS-102 exam. You will learn how to leverage the Microsoft 365 Security & Compliance Center, audit log, alert policies, and compliance score to monitor, investigate, and report on security and compliance posture. This topic area typically accounts for 15-20% of exam questions, making it essential for achieving a passing score.
Imagine a city with a centralized surveillance network monitoring every public space. Each camera (data source) sends live feeds to a central monitoring room (Microsoft 365 Security & Compliance Center). The monitoring team (security analysts) reviews alerts from motion detectors (detection rules) and can rewind footage (audit log search) to investigate incidents. They have predefined response protocols (playbooks) for different threats—like dispatching patrol (automated investigation) or locking down a zone (containment action). The city also has a public dashboard (compliance score) showing how well it meets safety standards (regulatory compliance). Just as the city cannot review every second of footage manually, the Security & Compliance Center uses automation to triage alerts, correlate events from multiple cameras (unified audit log), and generate reports for city council (compliance reports). Misconfiguring a camera's angle (data connector) or ignoring a blind spot (uncovered threat vector) leaves the city vulnerable. Similarly, in Microsoft 365, incorrect reporting settings can miss critical security events or fail compliance audits.
Overview of Microsoft 365 Security & Compliance Reporting
Microsoft 365 provides a unified reporting framework within the Microsoft 365 Security & Compliance Center (admin.microsoft.com) and the Microsoft Purview compliance portal. These tools enable organizations to monitor user activity, detect threats, investigate incidents, and demonstrate compliance with regulatory standards. The reporting capabilities are built on a common data foundation: the Unified Audit Log (UAL).
The Unified Audit Log (UAL)
The UAL is the backbone of all security and compliance reporting in Microsoft 365. It records events from Exchange Online, SharePoint Online, OneDrive for Business, Azure AD, Microsoft Teams, Power BI, and other workloads. Each audit record contains:
CreationDate: Timestamp of the event (UTC).
Operation: The action performed (e.g., 'FileDeleted', 'UserLoggedIn').
UserId: The identity of the user who performed the action.
ClientIP: The IP address from which the action originated.
Item: The object affected (e.g., file name, mailbox).
Workload: The service where the event occurred.
Details: Additional properties depending on the workload.
Audit logging must be enabled explicitly. By default, it is turned off for new tenants. Once enabled, audit records are retained for 90 days for Exchange, SharePoint, and Azure AD events if you have an E3 license; E5 licenses provide 1-year retention by default. You can also create custom retention policies using audit log retention policies in Purview.
Searching the Audit Log
You can search the audit log using:
Microsoft 365 Security & Compliance Center: navigate to Solutions > Audit and use the search interface to filter by date range, activities, users, and file/site/folder.
Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or Security & Compliance Center PowerShell.
Example PowerShell command:
`Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations 'FileDeleted', 'FileModified' -UserIds 'user@contoso.com' -ResultSize 1000`
Results are returned as objects that can be exported to CSV or viewed in a grid.
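As an added example (not part of this chapter and not Microsoft's sample code), the script below pages through Search-UnifiedAuditLog with a session ID so more than one 5,000-record page can be retrieved, flattens each record's AuditData JSON string into the fields listed above (ClientIP, Workload, the affected item), and exports the result to CSV. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) held by an account with the Audit Logs or View-Only Audit Logs role; the user address, session name and output path are placeholders.

```powershell
# Added example: paged audit search, AuditData flattening and CSV export.
# Assumes Connect-ExchangeOnline has already been run. Placeholders: user, path.
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$user    = 'user@contoso.com'                        # placeholder
$ops     = 'FileDeleted', 'FileModified', 'FileDownloaded'
$session = 'investigation-' + [guid]::NewGuid().ToString()   # any unique string

$records = @()
do {
    # ReturnLargeSet pages through the result set 5,000 records per call (up to 50,000).
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -UserIds $user -ResultSize 5000 `
        -SessionId $session -SessionCommand ReturnLargeSet
    if ($batch) { $records += $batch }
} while ($batch -and $batch.Count -eq 5000)

# AuditData is a JSON string; ClientIP, Workload and ObjectId (the affected item)
# live inside it, not on the top-level record.
$flat = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $r.CreationDate      # UTC, as the chapter notes
        Operation    = $d.Operation
        UserId       = $d.UserId
        ClientIP     = $d.ClientIP
        Item         = $d.ObjectId
        Workload     = $d.Workload
        RecordType   = $r.RecordType
    }
}

$flat | Sort-Object CreationDate |
    Export-Csv -Path .\audit-export.csv -NoTypeInformation   # placeholder path
"Exported $($flat.Count) records for $user"
```

Sorting by CreationDate before export matters because ReturnLargeSet does not guarantee order across pages; the exported timestamps remain UTC, so convert them before comparing against local business hours.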
Alert Policies
Alert policies allow you to automatically detect and notify administrators about specific activities. They are defined in the Security & Compliance Center under 'Alert policies'. Each policy includes:
Category: Threat management, Data loss prevention, Information governance, Mail flow, Permissions, or Others.
Activity: One or more specific operations from the UAL.
Conditions: Filters like user, IP address, or workload.
Threshold: Number of occurrences within a time window (e.g., 5 events in 10 minutes).
Severity: Low, Medium, High.
Notification: Email recipients (up to 10) and/or automated actions (e.g., start investigation).
Microsoft provides default alert policies for common scenarios like 'Malware campaign detected', 'Risky user sign-in', and 'Elevation of Exchange admin privilege'. You can also create custom policies. Alerts appear in the 'Alerts' dashboard and can trigger automated investigations.
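The following is an added example (not from this chapter or Microsoft's documentation) that creates the kind of custom, threshold-based policy described above from Security & Compliance PowerShell and then lists it next to the built-in policies. It assumes a Connect-IPPSSession session with the Security Administrator role; the policy name, recipient address and threshold are assumptions, and the parameter names follow the New-ProtectionAlert cmdlet as I know it, so confirm them with Get-Help New-ProtectionAlert -Full in your tenant.

```powershell
# Added example: custom threshold alert policy via New-ProtectionAlert.
# Assumes Connect-IPPSSession has been run. Recipient and name are placeholders.
$params = @{
    Name            = 'Mass download by a single user'
    Category        = 'ThreatManagement'        # one of the categories listed above
    ThreatType      = 'Activity'                # UAL-activity based policy
    Operation       = 'FileDownloaded'          # UAL operation name
    AggregationType = 'SimpleAggregation'       # count occurrences within a window
    Threshold       = 50                        # occurrences ...
    TimeWindow      = 60                        # ... within 60 minutes
    Severity        = 'High'
    NotifyUser      = 'secops@contoso.com'      # placeholder; up to 10 recipients
    Description     = 'One user downloads 50+ files from SharePoint/OneDrive in an hour'
}
New-ProtectionAlert @params

# Verify: show the new policy alongside the defaults with their thresholds.
Get-ProtectionAlert | Sort-Object Severity -Descending |
    Format-Table Name, Severity, Category, Threshold, TimeWindow -AutoSize
```

Start with a threshold high enough that normal sync and backup activity does not fire it, then lower it after reviewing a few weeks of FileDownloaded volumes; an alert that fires constantly is ignored as quickly as one that never fires.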
Automated Investigation and Response (AIR)
AIR uses playbooks to automatically investigate and remediate threats. Playbooks are defined in the Security & Compliance Center under 'Automated investigation & response'. They consist of:
Triggers: Alert from an alert policy.
Actions: Steps like collecting evidence (email headers, file hashes), analyzing with threat intelligence, and taking remediation (quarantine email, disable user, block IP).
Approval: Some actions require manual approval before execution.
AIR is available with Microsoft 365 E5 or Microsoft 365 E5 Security add-on. For the exam, know that AIR can automatically investigate user compromise, malware, and phishing campaigns.
Compliance Score and Compliance Manager
Compliance Score is a dashboard in the Microsoft Purview compliance portal that measures your organization's compliance posture against regulations like GDPR, HIPAA, ISO 27001, and NIST. It assigns a score (0-100) based on the implementation of improvement actions. Each action has a point value and is linked to a specific control from a regulatory framework.
Compliance Manager is the underlying tool that allows you to:
Assign actions to users.
Track implementation status (Not started, Planned, Implemented, Tested).
Upload evidence documents.
Generate reports for auditors.
Key terms:
Improvement actions: Steps you can take to improve compliance (e.g., enable multi-factor authentication, configure DLP policies).
Controls: Regulatory requirements (e.g., 'Require MFA for all users').
Assessments: A group of controls for a specific regulation (e.g., GDPR assessment).
Data Loss Prevention (DLP) Reports
DLP policies are configured to prevent sensitive data from being shared inappropriately. The DLP reports in the Security & Compliance Center show:
DLP policy matches: Number of times a DLP rule was triggered.
DLP false positives and overrides: Instances where users reported a false positive or overrode the policy.
Top locations: Where DLP matches occurred (Exchange, SharePoint, OneDrive, Teams).
You can filter by date and policy. Reports are available under 'Reports' > 'Data loss prevention'.
Threat Management Reports
Under 'Reports' > 'Dashboard' > 'Threat management', you can view:
Threat protection status: Number of threats detected and blocked by Exchange Online Protection (EOP), Microsoft Defender for Office 365, and Microsoft Defender for Endpoint.
Malware detections: Trend of malware found in email, SharePoint, and OneDrive.
Phishing detections: Phishing attempts detected and blocked.
Spoof mail: Email from spoofed domains.
Compromised users: Users flagged as compromised by Azure AD Identity Protection.
Compliance Reports and Audit Log Retention
Microsoft 365 provides out-of-the-box compliance reports for standards like GDPR, HIPAA, and FedRAMP. You can also create custom reports using the Compliance Manager or by exporting audit logs to Azure Monitor for long-term retention and custom analytics. Audit log retention can be extended using audit log retention policies (up to 10 years for E5 tenants). For E3 tenants, retention is 90 days by default; you can purchase an add-on to extend to 1 year.
Role-Based Access Control (RBAC) for Reporting
To access security and compliance reports, users need appropriate permissions. The following roles are relevant:
Security Reader: Read-only access to security features.
Security Administrator: Full access to security features.
Compliance Administrator: Manage compliance features.
Compliance Data Administrator: Manage compliance data and reports.
Audit Logs: 'View-Only Audit Logs' or 'Audit Logs' role to search the audit log.
Permissions are managed in the Azure AD admin center or Security & Compliance Center under 'Permissions'.
Integration with Microsoft Sentinel
For advanced security operations, audit logs can be streamed to Microsoft Sentinel (cloud-native SIEM) using the Microsoft 365 connector. This enables correlation with other data sources, custom analytics rules, and long-term retention. Sentinel is not directly tested on MS-102 but understanding the integration is beneficial.
Key Defaults and Limits
Audit log retention: 90 days (E3), 1 year (E5), up to 10 years with retention policies.
Alert policy threshold: Minimum 5 events in 10 minutes for default policies; custom thresholds can be set.
Maximum number of alert policies: 1000 per tenant.
Maximum email recipients per alert: 10.
DLP policy limit: 200 policies per tenant.
Compliance Manager assessments: Up to 100 per tenant.
Verification Commands
Check audit log status:
`Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled`
Search audit log:
`Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations 'UserLoggedIn' -ResultSize 500`
List alert policies:
`Get-ProtectionAlert | Format-Table Name, Severity, Category`
Get DLP reports:
`Get-DlpComplianceReport -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)`
Enable Unified Audit Logging
By default, audit logging is disabled for new tenants. To enable it, navigate to the Microsoft 365 Security & Compliance Center > Audit > 'Start recording user and admin activity'. Alternatively, use PowerShell: `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. This step is critical because without audit logging, no user or admin activity is recorded, making incident investigation and compliance reporting impossible. Once enabled, it takes up to 24 hours for audit data to become searchable. Verify with `Get-AdminAuditLogConfig`.
Configure Audit Log Retention Policy
After enabling audit logging, configure retention to meet compliance requirements. In the Purview compliance portal, go to Solutions > Audit > Audit retention policies. You can create a policy to retain audit logs for up to 10 years (E5 only). For E3, the default is 90 days; you can purchase an add-on to extend it to 1 year. Specify which workloads (Exchange, SharePoint, Azure AD) and which activities to retain. This ensures audit records are available for the required period.
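As an added example covering both of the steps above (it is not the chapter's own code), the script checks whether unified audit ingestion is on, enables it if not, re-reads the setting, and then creates a retention policy that keeps SharePoint and OneDrive file operations for ten years. It assumes both Connect-ExchangeOnline (for the audit config cmdlets) and Connect-IPPSSession (for the retention policy cmdlets) have been run, and that the tenant holds the E5 licensing the ten-year duration requires; the policy name, description and priority value are assumptions.

```powershell
# Added example: enable unified audit logging, verify it, and add a retention policy.
# Assumes Connect-ExchangeOnline and Connect-IPPSSession sessions; E5 for TenYears.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Ingestion enabled; allow up to 24 hours before events become searchable.'
}
# Re-read rather than trusting the cached object; expect True.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# Retention policy: SharePointFileOperation is the UAL record type that carries
# FileDownloaded/FileDeleted/FileModified events. A lower Priority number wins
# when several policies match the same record.
New-UnifiedAuditLogRetentionPolicy -Name 'Retain file operations 10 years' `
    -Description 'Long-term evidence for insider-risk and regulatory investigations' `
    -RecordTypes SharePointFileOperation `
    -RetentionDuration TenYears `
    -Priority 10

# Confirm what is now in force.
Get-UnifiedAuditLogRetentionPolicy |
    Format-Table Name, RecordTypes, RetentionDuration, Priority -AutoSize
```

A retention policy only affects records created after it exists and after ingestion is on, which is why the enable step comes first: events that were never recorded cannot be retained later.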
Create Alert Policies for Key Scenarios
Navigate to Security & Compliance Center > Alert > Alert policies. Click + New alert policy. Define a name, category (e.g., 'Threat management'), activity (e.g., 'User login from anonymous IP address'), conditions (e.g., severity high), threshold (e.g., 5 times in 10 minutes), and notification recipients. You can also enable automated investigation. Default policies exist; customize as needed. Each policy can have up to 10 email recipients.
Search Audit Log for Investigation
When an incident occurs, use Audit log search. In Security & Compliance Center > Audit, set date range, select activities (e.g., 'FileDeleted', 'MailboxLogin'), specify users or IP addresses, and click Search. Results show timestamp, user, operation, and details. Export results to CSV for further analysis. Use PowerShell for advanced filtering: `Search-UnifiedAuditLog -StartDate ... -Operations ... -UserIds ...`. You can also use the AuditLog query in Microsoft 365 Defender for more advanced hunting.
Review Compliance Score and Generate Reports
In Microsoft Purview compliance portal, go to Compliance Manager > Overview. Review your compliance score (0-100). Click on an assessment to see improvement actions. Assign actions to responsible users, upload evidence, and track implementation. Generate a report by clicking 'Reports' > 'Compliance Manager report' and selecting the assessment. Reports can be exported as PDF or CSV for auditors. Regularly review and update actions to maintain or improve score.
Scenario 1: Insider Data Theft Investigation
A financial services company suspects an employee is exfiltrating sensitive client data via OneDrive. The security team uses the Unified Audit Log to search for 'FileDownloaded' events by the user's account over the past 30 days. They filter by 'ClientIP' to see if downloads occurred outside business hours or from unusual locations. They also check 'FileDeleted' events to see if the user deleted files after downloading. The audit log shows 200 downloads of files containing 'confidential' in the name. The team exports the log to CSV and correlates with VPN logs. They then create a custom alert policy for 'Mass download by a single user' (threshold: 50 downloads in 1 hour) to detect future incidents. Misconfiguration: If audit logging was not enabled, the investigation would be blind. Also, if retention is only 90 days, older evidence may be lost.
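To make the detection logic in Scenario 1 concrete, here is an added example (not from the chapter) that runs a 50-downloads-in-1-hour sliding-window check and an outside-business-hours check over a small set of constructed audit records, shaped like the flattened UAL fields (CreationDate in UTC, Operation, UserId, ClientIP, Item). It runs offline with no tenant connection. The sample data, the contoso names and IPs, the -5 hour analyst time-zone offset and the 08:00-18:00 business window are all assumptions; the offset is there to show the UTC pitfall the chapter lists under common misconfigurations.

```powershell
# Added example: offline mass-download and off-hours detection over constructed records.
$offsetHours = -5   # assumed analyst time-zone offset; UAL timestamps are UTC

# Constructed sample records (not real tenant data).
$records = @()
$burst = [datetime]::SpecifyKind([datetime]'2024-03-12T02:00:00', 'Utc')
foreach ($i in 1..60) {
    $records += [pscustomobject]@{
        CreationDate = $burst.AddSeconds($i * 30)   # 60 downloads in 30 minutes at 02:00 UTC
        Operation    = 'FileDownloaded'
        UserId       = 'alice@contoso.com'
        ClientIP     = '203.0.113.7'
        Item         = "https://contoso.sharepoint.com/sites/finance/Confidential-Client-$i.xlsx"
    }
}
$day = [datetime]::SpecifyKind([datetime]'2024-03-12T14:00:00', 'Utc')
foreach ($i in 1..10) {
    $records += [pscustomobject]@{
        CreationDate = $day.AddMinutes($i * 5)      # 10 downloads during the working day
        Operation    = 'FileDownloaded'
        UserId       = 'bob@contoso.com'
        ClientIP     = '198.51.100.20'
        Item         = "https://contoso.sharepoint.com/sites/finance/Report-$i.docx"
    }
}

function Find-MassDownload {
    param([object[]]$Records, [int]$Threshold, [int]$WindowMinutes)
    $hits = foreach ($group in ($Records | Where-Object Operation -eq 'FileDownloaded' | Group-Object UserId)) {
        $times = @($group.Group | Sort-Object CreationDate | ForEach-Object CreationDate)
        $j = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Slide the window start forward until it sits within WindowMinutes of times[i].
            while (($times[$i] - $times[$j]).TotalMinutes -gt $WindowMinutes) { $j++ }
            if (($i - $j + 1) -ge $Threshold) {
                [pscustomobject]@{
                    UserId         = $group.Name
                    WindowStartUtc = $times[$j]
                    WindowEndUtc   = $times[$i]
                    Count          = $i - $j + 1
                    ClientIPs      = ($group.Group.ClientIP | Sort-Object -Unique) -join ','
                }
                break   # one alert per user is enough for triage
            }
        }
    }
    return $hits
}

function Test-OutsideBusinessHours {
    param([datetime]$Utc, [int]$OffsetHours, [int]$Start = 8, [int]$End = 18)
    $local = $Utc.AddHours($OffsetHours)   # convert before judging "after hours"
    return ($local.Hour -lt $Start -or $local.Hour -ge $End -or
            $local.DayOfWeek -in [DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
}

$alerts = Find-MassDownload -Records $records -Threshold 50 -WindowMinutes 60
foreach ($a in $alerts) {
    $offHours = Test-OutsideBusinessHours -Utc $a.WindowStartUtc -OffsetHours $offsetHours
    "ALERT: $($a.UserId) downloaded $($a.Count) files between " +
    "$($a.WindowStartUtc.ToString('u')) and $($a.WindowEndUtc.ToString('u')) " +
    "from $($a.ClientIPs); outside business hours: $offHours"
}
```

With this sample, alice trips the threshold at her 50th download (about 25 minutes into the burst) and the window start converts to 21:00 local time on the previous day, so the off-hours flag is true; bob's ten daytime downloads produce no alert. Feeding the CSV from an audit-log export into $records instead of the constructed data is the only change needed to run the same check on real records.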
Scenario 2: Compliance Audit for GDPR
A healthcare provider must demonstrate GDPR compliance to an auditor. They use Compliance Manager to run a GDPR assessment. The initial score is 45/100. They assign improvement actions to IT staff: enable MFA, configure DLP policies for patient data, and enable audit logging. Over six months, they implement all actions and upload evidence (screenshots, policy documents). The score rises to 92. They generate a Compliance Manager report and present it to the auditor. Common pitfalls: Not assigning owners to actions, or failing to update status after implementation. The auditor may request raw audit logs; ensure they are retained for the required period (GDPR requires 6 months to 10 years depending on data type).
Scenario 3: Automated Response to Phishing Campaign
A large enterprise uses Microsoft Defender for Office 365. An alert policy detects a phishing email sent to 50 users based on URL reputation. The alert triggers an automated investigation playbook: the system collects email headers, identifies the sender, checks if any users clicked the link, and automatically quarantines the email from all mailboxes. It also disables the sender's account if it's internal. The security team receives a notification and reviews the investigation summary. They approve the remediation actions (e.g., resetting passwords for users who clicked). Performance consideration: Automated investigations can run on up to 1000 alerts per day; excessive false positives can overwhelm the system. Tuning alert thresholds is critical.
Common Misconfigurations
Audit log not enabled: Many tenants leave it disabled, making incident response impossible.
Incorrect time zone: Audit logs are in UTC; analysts may misread timestamps.
Too many alert policies: Over 1000 policies cause performance degradation.
DLP policy without testing: False positives can block legitimate business operations.
Compliance Manager actions not updated: Score remains low despite implementation.
MS-102 Exam Objective Coverage
This topic directly maps to objective 1.2: Manage reporting and monitoring under 'Tenant Management'. Specifically, the exam tests your ability to:
Configure audit log settings (enable, retention).
Search and export audit logs.
Create and manage alert policies.
Interpret compliance score and reports.
Use DLP reports and threat management reports.
Common Wrong Answers and Why
Wrong: 'Audit logging is enabled by default for all tenants.' Reality: It is disabled by default. Candidates assume Microsoft enables it for security, but it's opt-in due to storage costs.
Wrong: 'Audit logs are retained for 1 year for E3 licenses.' Reality: E3 retains 90 days; E5 retains 1 year. Many candidates confuse retention with E5's longer retention.
Wrong: 'Alert policies can trigger automated investigation without any license.' Reality: Automated Investigation & Response requires E5 or E5 Security add-on.
Wrong: 'Compliance Score is a regulatory certification.' Reality: It is a self-assessment score, not a certification. Candidates think it equals being compliant.
Wrong: 'You can search audit logs for any event type without enabling any feature.' Reality: You must enable audit logging first; also, some events require licensing (e.g., Teams events require E5).
Specific Numbers and Terms to Memorize
Audit log retention: 90 days (E3), 1 year (E5), up to 10 years (with retention policy).
Maximum alert policies: 1000 per tenant.
Alert threshold default: 5 events in 10 minutes.
Maximum email recipients per alert: 10.
DLP policy limit: 200 per tenant.
Compliance Manager assessments: Up to 100 per tenant.
Compliance Score range: 0-100.
PowerShell cmdlets: Search-UnifiedAuditLog, Set-AdminAuditLogConfig, Get-ProtectionAlert, Get-DlpComplianceReport.
Edge Cases and Exceptions
Audit log for Teams: Only available with E5 license or E3 with add-on. Events like 'MemberAdded' are recorded.
Retention policy overrides: Custom retention policies can extend retention beyond the default, but they require appropriate licensing (E5).
Alert policy for 'Risky sign-in': Requires Azure AD Premium P2 license.
Compliance Manager: Some improvement actions require specific licenses (e.g., 'Enable auto-labeling' requires E5).
DLP reports: Only show data for policies deployed; if no DLP policies, reports are empty.
How to Eliminate Wrong Answers
Look for keywords: 'default', 'enabled by default' is usually wrong for audit logging.
Check license requirements: if a feature requires E5 and the answer says 'all tenants', it's wrong.
Remember retention: 90 days for E3, 1 year for E5. If an answer says '1 year for E3', it's wrong.
Compliance Score vs Certification: Score is not a certification; it's a tool to measure progress.
Automated investigation: requires E5; if answer says 'E3', it's wrong.
Audit logging must be explicitly enabled; it is off by default.
Default audit log retention: 90 days (E3), 1 year (E5); extendable to 10 years with retention policies (E5).
Maximum alert policies per tenant: 1000.
Automated investigation and response requires Microsoft 365 E5 or E5 Security add-on.
Compliance Score is a self-assessment tool, not a certification.
DLP policies limited to 200 per tenant.
Search-UnifiedAuditLog cmdlet is key for audit log searches.
Alert thresholds default to 5 events in 10 minutes.
Compliance Manager assessments: up to 100 per tenant.
Audit logs for Teams require E5 license.
DLP reports show matches, false positives, and overrides.
Threat management reports cover malware, phishing, spoof, and compromised users.
These come up on the exam all the time. Here's how to tell them apart.
Unified Audit Log (UAL)
Records events from Exchange, SharePoint, OneDrive, Teams, Power BI, etc.
Retained 90 days (E3) or 1 year (E5) by default.
Searchable via Security & Compliance Center or PowerShell.
Used for security investigations and compliance audits.
Requires explicit enabling.
Azure AD Sign-in Logs
Records only Azure AD sign-in events (user logins, MFA failures).
Retained 30 days for free tier, 7 days for P1, 30 days for P2.
Viewed in Azure AD portal or via Graph API.
Used for identity security and sign-in risk analysis.
Enabled by default for Azure AD P1/P2.
Mistake
Audit logging is enabled by default for all Microsoft 365 tenants.
Correct
Audit logging is disabled by default. You must explicitly enable it via Security & Compliance Center or PowerShell. Without enabling, no user or admin activities are recorded.
Mistake
All audit logs are retained for 1 year regardless of license.
Correct
Retention depends on license: E3 retains 90 days, E5 retains 1 year. You can extend up to 10 years with audit log retention policies (requires E5).
Mistake
Alert policies can automatically remediate threats without any additional licensing.
Correct
Automated investigation and response (AIR) requires Microsoft 365 E5 or E5 Security add-on. Basic alert policies only send notifications.
Mistake
Compliance Score is a guarantee of regulatory compliance.
Correct
Compliance Score is a self-assessment tool that measures progress against controls. It is not a certification or guarantee of compliance.
Mistake
You can search the audit log for all events without enabling any feature.
Correct
You must enable audit logging first. Also, some events (e.g., Teams activities) require E5 licensing to be recorded.
Go to Microsoft 365 Security & Compliance Center > Audit > 'Start recording user and admin activity'. Alternatively, use PowerShell: `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. It can take up to 24 hours for data to appear. Verify with `Get-AdminAuditLogConfig`.
For E3 licenses: 90 days. For E5 licenses: 1 year. You can extend retention up to 10 years using audit log retention policies in Purview (requires E5). Note: Some workloads like Teams may have different defaults.
Yes. In Security & Compliance Center > Alert > Alert policies, click '+ New alert policy'. Define a name, category, activity, conditions, threshold (e.g., 5 occurrences in 10 minutes), severity, and notification recipients (up to 10). You can also enable automated investigation if licensed.
Compliance Score is the dashboard showing a percentage score (0-100) based on improvement actions. Compliance Manager is the underlying tool that allows you to manage assessments, assign actions, upload evidence, and generate reports. Compliance Score is the visual representation; Compliance Manager is the management interface.
In Security & Compliance Center > Audit, set date range, select activities (e.g., 'FileDeleted'), enter the user's email in 'Users' field, and click Search. For advanced search, use PowerShell: `Search-UnifiedAuditLog -StartDate ... -EndDate ... -Operations ... -UserIds 'user@domain.com' -ResultSize 1000`.
Automated investigation and response (AIR) requires Microsoft 365 E5 or Microsoft 365 E5 Security add-on. It is not available with E3 licenses. Basic alert policies (notification only) work with E3.
Yes. You can stream audit logs to Azure Monitor (Log Analytics workspace) using the Microsoft 365 connector. This allows long-term retention, custom queries, and integration with Microsoft Sentinel. Alternatively, you can export search results to CSV from the Security & Compliance Center.