This chapter covers Microsoft 365 auditing and activity reports, a critical component of the security and compliance domain for the MS-900 exam. You will learn how the Unified Audit Log captures user and admin activities, how to search and export audit records, and how to create alert policies. Approximately 15-20% of MS-900 exam questions touch on auditing, activity reports, or related compliance features. Mastering this topic is essential for understanding how organizations monitor their Microsoft 365 environment for security threats, policy violations, and operational issues.
Imagine a large retail store with hundreds of employees and thousands of daily customers. The store installs a comprehensive security camera system that records every movement in every aisle, every register transaction, and every employee badge swipe. But recording everything is useless without a way to review it. The store has a security office with a bank of monitors and a searchable database. When a manager wants to know who accessed the cash room at 2 AM last Tuesday, they log into the system, filter by location, date, and time, and instantly pull up the relevant footage. They can also run reports: how many times did the back door open after hours this month? Which employees clocked in late more than three times? The system also has real-time alerts: if a door is propped open for more than 5 minutes, the security office gets a notification. In Microsoft 365, auditing and activity reports work exactly like this: every action by users and admins is logged in the Unified Audit Log (the camera footage), you can search and filter it via the Microsoft 365 Defender portal or PowerShell (the security monitors), and you can set up alert policies to notify you of suspicious activity in near real-time (the door alarm). Just as a store without cameras has no evidence after a theft, a Microsoft 365 tenant without auditing enabled has no forensic trail after a security incident.
What is Microsoft 365 Auditing?
Microsoft 365 auditing provides a centralized record of user and administrator activities across Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power Apps, and other workloads. It is the foundation for security investigations, compliance reporting, and forensic analysis. The audit log records events such as file accesses, mailbox logins, user creation, role changes, and policy modifications. Without auditing, an organization has no visibility into who did what and when — a critical gap for any security-conscious enterprise.
How the Unified Audit Log Works
Every auditable action in Microsoft 365 generates an audit record that is written to the Unified Audit Log (UAL). Microsoft does not document the storage backend, and you never interact with it directly; what you do control is retention, which depends on the license of the user who performed the action: 90 days with Audit (Standard) (E3/G3), 365 days with Audit (Premium) (E5/G5), and up to 10 years for users covered by the 10-Year Audit Log Retention add-on. Each record exposes a common set of properties such as CreationTime, Id, Operation, RecordType, ResultStatus, UserId, UserType, Workload, ClientIP and ObjectId, plus workload-specific properties, all carried in the record's AuditData JSON. You can access the UAL through the Microsoft Purview compliance portal (Audit), the Microsoft 365 Defender portal (Audit), or via PowerShell using the Search-UnifiedAuditLog cmdlet in an Exchange Online PowerShell session.
Auditing vs. Activity Reports
Activity reports are pre-built dashboards that summarize usage and adoption metrics, such as how many users activated Office, how many Teams meetings were held, or which SharePoint sites are most active. They are found in the Microsoft 365 admin center under Reports > Usage. Auditing, on the other hand, records every action at a granular level and is used for security and compliance investigations. The exam tests both, but auditing is more heavily emphasized.
Enabling Auditing
By default, auditing is turned on for all Microsoft 365 tenants created after January 2019. For older tenants, an admin must enable it manually in the Microsoft Purview compliance portal (Audit) or via PowerShell. The cmdlets below are Exchange Online cmdlets, so connect first with Connect-ExchangeOnline using an account that holds the Audit Logs role in Exchange Online (Global Administrator has it). To enable auditing via PowerShell:

```powershell
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

To verify the status:

```powershell
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
```

If auditing is disabled, no audit records are generated, and existing records are not searchable. After turning it on, allow up to 60 minutes for the change to take effect before expecting records to appear.
Searching the Audit Log
You can search the audit log using the Microsoft Purview compliance portal (Audit) or the Microsoft 365 Defender portal (Audit). You specify a date range (up to 90 days at a time), select activities (or leave blank for all), and optionally filter by users, files, or IP addresses. A single search returns and exports at most 50,000 entries; to retrieve more, narrow the filters and run several searches, or use the Search-UnifiedAuditLog cmdlet with session-based paging. The search results show each event with the date, user, activity, item, and details. You can click on an event to see the full audit record, including the AuditData property, which holds the complete JSON payload for that event.
Audit Log Retention
Retention is based on the license of the user who performed the action, not the admin's license. For example, if a user has an E3 license (Audit (Standard)), their audit records are kept for 90 days. If a user has an E5 license (Audit (Premium)), records are kept for 365 days. This is a common exam trap: candidates often think retention is based on the tenant license or the admin's license, but it is per-user. The retention period starts from the date the event was recorded. After the retention period expires, the audit record is permanently deleted and cannot be recovered. To extend retention beyond 365 days, you need the 10-Year Audit Log Retention add-on, which is licensed per user on top of an Audit (Premium) license (E5, E5 Compliance, or the E5 eDiscovery and Audit add-on). One practical caveat: in late 2023 Microsoft raised the Audit (Standard) default from 90 to 180 days, so a current tenant will show 180 days for E3 users; exam material still commonly cites 90 days, and that is the figure this chapter uses.
Audit Log Search Queries
When you run an audit log search, you can filter by:
- Activities: A list of predefined activities grouped by workload (e.g., File accessed, Mailbox login, User changed password)
- Users: One or more user names
- Start/End date: Up to a 90-day window
- File, folder, or site: URL or path
- IP address: Client IP
- Workload: Exchange, SharePoint, Azure AD, etc.
- Result: Success, Failure, or PartiallySucceeded
- Record Type: ExchangeItem, SharePointFileOperation, AzureActiveDirectory, etc.
Exporting Audit Logs
You can export up to 50,000 records from the portal as a CSV file. For larger exports, use the Search-UnifiedAuditLog cmdlet in PowerShell with the -ResultSize parameter (up to 5,000 per call) and page through the result set with -SessionId and -SessionCommand. The minimal form below returns only the first 5,000 records of the window:

```powershell
# Exchange Online PowerShell session required (Connect-ExchangeOnline).
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000
$results | Export-Csv -Path audit.csv -NoTypeInformation
```

The CSV contains one row per record, with the full event payload as a JSON string in the AuditData column. You can also use the Office 365 Management Activity API for programmatic access.
Alert Policies
Alert policies allow you to automatically notify designated recipients when specific activities occur. For example, you can create an alert that triggers when a user is added to a privileged role, when a mailbox forwarding rule is created, or when a large number of file deletions occur in SharePoint. Alerts can be configured in the Microsoft 365 Defender portal under Policies & rules > Alert policy. Each alert policy has:
- Name and description
- Category: Threat management, Data loss prevention, Information governance, etc.
- Severity: Low, Medium, High
- Detection frequency: How often the system checks for matching events (default 15 minutes)
- Trigger threshold: For example, 10 occurrences in 5 minutes
- Recipients: Email addresses that receive the alert notification
- Limit: Whether to stop sending alerts after a certain number of notifications (e.g., 10 per hour)
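The same two policies the paragraph above uses as examples (a privileged-role addition and a burst of inbox-rule creation), built from Security & Compliance PowerShell instead of the portal. This is an added example and not code from the page; it assumes the ExchangeOnlineManagement module, a placeholder recipient soc@contoso.com, and that the Operation strings match the activity names your tenant records (check them with a Search-UnifiedAuditLog query first).

```powershell
# Added example: create two alert policies from Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module; soc@contoso.com is a placeholder recipient.
# The Operation strings are the activity names as the Unified Audit Log records them
# (assumed here); confirm them in your own tenant before relying on them.
Connect-IPPSSession

# 1) Fire on every addition of a user to an Azure AD directory role (no aggregation).
New-ProtectionAlert -Name "Privileged role membership changed" `
    -Description "Any 'Add member to role.' event in Azure AD" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation "Add member to role." `
    -AggregationType None `
    -Severity High `
    -NotifyUser "soc@contoso.com"

# 2) Fire when five or more inbox rules are created within ten minutes,
#    a pattern that often follows a mailbox compromise (forwarding or hide-the-evidence rules).
New-ProtectionAlert -Name "Burst of inbox rule creation" `
    -Description "5+ New-InboxRule events in 10 minutes" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation "New-InboxRule" `
    -AggregationType SimpleAggregation `
    -Threshold 5 `
    -TimeWindow 10 `
    -Severity Medium `
    -NotifyUser "soc@contoso.com"

# Review what was created; Disabled shows whether each policy is active.
Get-ProtectionAlert |
    Where-Object { $_.Name -in "Privileged role membership changed", "Burst of inbox rule creation" } |
    Format-List Name, Category, Severity, Operation, AggregationType, Threshold, TimeWindow, NotifyUser, Disabled
```

The first policy uses AggregationType None so that a single event is enough; the second uses SimpleAggregation with a Threshold inside a TimeWindow (minutes), which is the PowerShell equivalent of the portal's "10 occurrences in 5 minutes" style trigger.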
Activity Reports
Activity reports are found in the Microsoft 365 admin center under Reports > Usage. They provide at-a-glance summaries for:
- Microsoft 365 Groups: Group creation, usage, and activity
- Email activity: Send/receive counts, mailbox storage, and spam reports
- Microsoft Teams: Active users, meetings, messages, and channel usage
- OneDrive: Active users, storage, and file sync
- SharePoint: Site usage, storage, and file activity
- Yammer: User activity and engagement
- Forms: Form creation and response counts
- Office activations: Devices and platforms where Office is activated
- Microsoft 365 Apps usage: Active users per app
These reports are based on telemetry data and are not real-time — they update every 24-48 hours. They are designed for business decision-makers, not security analysts. The exam may ask which report to use for a specific scenario, so know the categories.
Azure AD Audit Logs
Azure AD audit logs record activities related to user management, group management, application registrations, and directory changes. They are separate from the Unified Audit Log but can be accessed via the Azure AD portal or the Microsoft 365 Defender portal; the same directory events also flow into the Unified Audit Log as the AzureActiveDirectory record types. Retention in Azure AD itself is short: 7 days for Azure AD Free and 30 days for Azure AD P1 and P2. For anything longer, configure diagnostic settings to export the logs to a Log Analytics workspace, an Azure Storage account, or an event hub feeding your SIEM. The exam often tests the difference: Azure AD audit logs are for directory-level events, while the Unified Audit Log covers workload-level events.
Exchange Mailbox Audit Logging
Exchange Online has its own mailbox audit log that records who accessed a mailbox, when, and what actions they performed (e.g., HardDelete, SoftDelete, MoveToDeletedItems, Update, SendAs). By default, mailbox audit logging is enabled for all user mailboxes ("mailbox auditing on by default"), with a default set of actions logged for the owner, delegates, and admins. Mailbox audit records flow into the Unified Audit Log (RecordType ExchangeItem), so the normal audit search in the portal or Search-UnifiedAuditLog covers them; the legacy Search-MailboxAuditLog cmdlet has been deprecated in favour of Search-UnifiedAuditLog. The org-wide on/off state is visible with Get-OrganizationConfig | Format-List AuditDisabled.
SharePoint and OneDrive Auditing
SharePoint and OneDrive auditing captures events like file view, download, upload, delete, rename, sharing, and permission changes. These events are sent to the Unified Audit Log. The older site-collection audit reports (Site Settings > Site Collection Audit Settings) are a legacy feature inherited from SharePoint Server; for SharePoint Online the Unified Audit Log is the primary and authoritative source.
Compliance Boundaries
Audit log searches are scoped to the tenant you are signed in to. A global admin, or any account holding the Audit Logs or View-Only Audit Logs role in Exchange Online, sees all events in that tenant. A partner with delegated admin rights sees only the events of the customer tenant they are currently signed in to and must repeat the search in each tenant they manage; there is no cross-tenant audit search. This is important for multi-tenant environments. (Do not confuse this with Purview "compliance boundaries", which restrict eDiscovery search scope within a single tenant.)
Performance and Scale
The Unified Audit Log is a shared, multi-tenant service, so search time depends on how many records your filters touch rather than on your tenant alone; results usually arrive within minutes. For very large tenants, you may need to narrow your date range or use more specific filters (user, operation, record type) to avoid timeouts. The 50,000 result limit is per query; if you need more, split the time window into smaller slices, paginate with PowerShell, or use the Management Activity API.
Auditing and eDiscovery
Audit logs are a key data source for eDiscovery cases. When you create a Content Search in the Microsoft Purview compliance portal, you can search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams. The audit log itself is not searched by Content Search; but you can use the audit log to determine who accessed or modified content that is relevant to a case.
Summary of Key Differences
Unified Audit Log: All workloads, security-focused, searchable via portal/PowerShell/API, retention per user license.
Activity Reports: Usage and adoption summaries, admin center, not real-time, for business reporting.
Azure AD Audit Logs: Directory events, 7-day (Free) or 30-day (P1/P2) retention unless exported, separate portal.
Mailbox Audit Logging: Exchange-specific, enabled by default, records surface in the unified audit search (RecordType ExchangeItem).
Exam Tips
Know that the default audit retention is 90 days for E3 and 365 days for E5.
Remember that auditing must be enabled; it is on by default for new tenants.
Understand that alert policies can send email notifications when specific events occur.
Be able to distinguish between audit logs (security) and activity reports (usage).
Know that you can export up to 50,000 records from the portal; for more, use PowerShell.
Recognize that Azure AD keeps its audit logs for only 30 days with P1/P2 (7 days on the Free tier); export them if you need longer.
Remember that mailbox audit logging is enabled by default for all users.
Be aware that the audit log search date range is limited to 90 days at a time.
Enable Auditing in Tenant
Before any audit records are generated, auditing must be enabled at the tenant level. For tenants created after January 2019, auditing is enabled by default. For older tenants, a global admin must enable it via the Microsoft 365 Defender portal (under Audit) or PowerShell. To verify, use `Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled`. If it returns False, run `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. Once enabled, all future auditable actions are logged. There is no way to backfill historical events before auditing was enabled.
User Performs Auditable Action
When a user or admin performs an action that is auditable — such as accessing a file, sending an email, changing a password, or modifying a policy — the workload (e.g., SharePoint, Exchange, Azure AD) generates an audit event. The event includes the user ID, timestamp, action type, target object, client IP, and other metadata. This event is sent to the Unified Audit Log via a secure pipeline. The event is typically available for search within 30 minutes of occurrence, though sometimes it can take up to 24 hours for some workloads.
Event Ingested into Unified Audit Log
The audit event is ingested into the audit log store and indexed for search. Each record carries a unique Id and a numeric RecordType (e.g., 1 = ExchangeAdmin, 2 = ExchangeItem, 4 = SharePoint, 6 = SharePointFileOperation, 8 = AzureActiveDirectory). The full record is stored as JSON in the AuditData property. The retention clock starts from CreationTime. The event is kept for the retention period of the user who performed the action (90 days for E3, 365 days for E5, or longer with the 10-year add-on). After expiration, the event is permanently deleted.
Admin Searches Audit Log
An admin navigates to the Microsoft Purview compliance portal > Audit (or Microsoft 365 Defender portal > Audit). They specify a date range (up to 90 days), select activities or leave blank for all, and optionally filter by users, files, or IP addresses. They click Search. The service returns up to 50,000 matching events, displayed in a table with columns: Date, User, Activity, Item, Details. The admin can click an event to view the full JSON record. If more results are needed, they must narrow the query or use PowerShell.
Export or Investigate Results
The admin can export up to 50,000 results as a CSV file from the portal. For larger datasets, they use PowerShell with pagination: loop through pages of 5000 records using `Search-UnifiedAuditLog` with `-SessionId` and `-SessionCommand ReturnNextResults`. They can also use the Office 365 Management Activity API for programmatic access. The exported CSV can be analyzed in Excel or imported into a SIEM. Based on findings, the admin may create an alert policy to monitor similar events in the future.
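The paginated export that the Exporting Audit Logs section and the walkthrough step above describe, as an added example (not code from the page). A single Search-UnifiedAuditLog session returns at most 50,000 records, 5,000 per page, so the script walks the window in one-day slices, gives each slice its own SessionId, flattens the AuditData JSON into columns, de-duplicates on the record Id, and appends each page to a CSV. The output path, the 30-day window, and the slice size are placeholders.

```powershell
# Added example: export the Unified Audit Log for the last 30 days to CSV.
# Each Search-UnifiedAuditLog session returns at most 50,000 records (5,000 per page),
# so the window is walked in slices, each slice being its own session.
# Requires the ExchangeOnlineManagement module and the Audit Logs (or View-Only Audit Logs) role.
Connect-ExchangeOnline

$windowStart = (Get-Date).Date.AddDays(-30)
$windowEnd   = Get-Date
$sliceHours  = 24                        # shrink this if any slice hits the 50,000 cap
$outFile     = ".\ual-last30days.csv"    # placeholder path
$seen        = @{}                       # record Ids already written; pages can overlap
$sliceStart  = $windowStart

while ($sliceStart -lt $windowEnd) {
    $sliceEnd = $sliceStart.AddHours($sliceHours)
    if ($sliceEnd -gt $windowEnd) { $sliceEnd = $windowEnd }

    # Any unique string works as the session key; it ties this slice's pages together.
    $sessionId  = "ual-" + $sliceStart.ToString("yyyyMMddHHmm")
    $sliceCount = 0

    do {
        # ReturnLargeSet returns unsorted pages of up to 5,000 records; an empty page means the session is exhausted.
        $batch = @(Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)

        $rows = foreach ($r in $batch) {
            $d = $r.AuditData | ConvertFrom-Json      # the full event payload lives in this JSON string
            if ($seen.ContainsKey($d.Id)) { continue }
            $seen[$d.Id] = $true
            [pscustomobject]@{
                CreationTime = $d.CreationTime
                UserId       = $d.UserId
                Operation    = $d.Operation
                Workload     = $d.Workload
                RecordType   = $r.RecordType
                ResultStatus = $d.ResultStatus
                ClientIP     = $d.ClientIP
                ObjectId     = $d.ObjectId
            }
        }
        if ($rows) { $rows | Export-Csv -Path $outFile -NoTypeInformation -Append }
        $sliceCount += $batch.Count
    } while ($batch.Count -gt 0)

    if ($sliceCount -ge 50000) {
        Write-Warning ("Slice {0:u} to {1:u} hit the 50,000-record session cap; rerun with a smaller sliceHours" -f $sliceStart, $sliceEnd)
    }
    Write-Host ("{0:u} to {1:u}: {2} records" -f $sliceStart, $sliceEnd, $sliceCount)
    $sliceStart = $sliceEnd
}

Write-Host ("Wrote {0} unique records to {1}" -f $seen.Count, $outFile)
```

Flattening AuditData at export time is what makes the CSV usable in Excel or a SIEM; the raw cmdlet output carries the whole event as one JSON string. If you need the records sorted by date, the ReturnNextPreviewPage session command does that, but it is capped at 5,000 records per session, so it only suits small, targeted queries.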
Scenario 1: Insider Data Theft Investigation
A healthcare organization suspects an employee is exfiltrating patient records from SharePoint. The security team uses the Unified Audit Log to search for all file download events by that user in the past 90 days. They filter by the user's email, the specific SharePoint site URL, and the activity 'File Downloaded'. The search returns 200 events. They export to CSV and analyze the timestamps, file names, and IP addresses. They find downloads occurring at odd hours from a non-corporate IP. The evidence is used to terminate the employee and report to legal. Without auditing, the investigation would be impossible.
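The triage step in the scenario above (off-hours downloads from a non-corporate IP), as an added example that is not part of the page. It runs against four constructed audit records in AuditData shape so it works offline; against a live tenant you would feed Search-UnifiedAuditLog output into the same pipeline, as the commented lines show. The corporate CIDR, the business hours, and the user jdoe@contoso.com are placeholders.

```powershell
# Added example: triage one user's SharePoint download events, flagging downloads that
# happened outside business hours or from outside the corporate egress range.
# The records below are constructed samples shaped like Unified Audit Log AuditData.
$sampleAuditData = @'
[
 {"CreationTime":"2024-03-12T14:05:11","Id":"a1","Operation":"FileDownloaded","UserId":"jdoe@contoso.com","ClientIP":"203.0.113.25","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Records/Shared Documents/patient-1001.pdf"},
 {"CreationTime":"2024-03-13T02:41:53","Id":"a2","Operation":"FileDownloaded","UserId":"jdoe@contoso.com","ClientIP":"198.51.100.77","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Records/Shared Documents/patient-1002.pdf"},
 {"CreationTime":"2024-03-13T02:43:10","Id":"a3","Operation":"FileDownloaded","UserId":"jdoe@contoso.com","ClientIP":"198.51.100.77","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Records/Shared Documents/patient-1003.pdf"},
 {"CreationTime":"2024-03-13T10:12:00","Id":"a4","Operation":"FileAccessed","UserId":"jdoe@contoso.com","ClientIP":"203.0.113.25","Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Records/Shared Documents/readme.txt"}
]
'@
$records = $sampleAuditData | ConvertFrom-Json

# Against a live tenant, replace the sample with (Exchange Online PowerShell session required):
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#     -UserIds jdoe@contoso.com -Operations FileDownloaded -ResultSize 5000 |
#     ForEach-Object { $_.AuditData | ConvertFrom-Json }

$corporateCidr = "203.0.113.0/24"   # placeholder corporate egress range
$businessStart = 7                  # 07:00 UTC
$businessEnd   = 19                 # 19:00 UTC

function Test-InCidr([string]$Ip, [string]$Cidr) {
    # IPv4 prefix match; IPv6 client addresses are treated as outside the range.
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)     # host byte order for ToUInt32
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (([BitConverter]::ToUInt32($ipBytes, 0) -band $mask) -eq ([BitConverter]::ToUInt32($netBytes, 0) -band $mask))
}

$downloads = @($records | Where-Object Operation -eq 'FileDownloaded')

$flagged = foreach ($r in $downloads) {
    # UAL CreationTime is UTC without a zone suffix; pin it to UTC explicitly.
    $t = [datetime]::SpecifyKind([datetime]$r.CreationTime, [System.DateTimeKind]::Utc)
    $reasons = @()
    if ($t.Hour -lt $businessStart -or $t.Hour -ge $businessEnd) { $reasons += "off-hours " + $t.ToString('HH:mm') + " UTC" }
    if (-not (Test-InCidr $r.ClientIP $corporateCidr))        { $reasons += "non-corporate IP " + $r.ClientIP }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time = $t.ToString('u'); User = $r.UserId; IP = $r.ClientIP
            File = Split-Path $r.ObjectId -Leaf; Why = ($reasons -join '; ')
        }
    }
}

"Flagged downloads:"
$flagged | Format-Table -AutoSize

"Downloads per source IP (one foreign IP with a high count is the exfiltration session):"
$downloads | Group-Object ClientIP | Select-Object Name, Count | Format-Table -AutoSize
```

On the sample data, records a2 and a3 are flagged on both counts (02:41 and 02:43 UTC from 198.51.100.77), a1 is clean, and a4 is ignored because it is a FileAccessed event rather than a download. The per-IP summary is the quickest way to separate normal daytime use from a bulk session, and the same pipeline works unchanged on real Search-UnifiedAuditLog output because it only depends on the common AuditData properties.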
Scenario 2: Compliance Reporting for GDPR
A financial services company must prove to regulators that only authorized personnel accessed sensitive customer data. They configure audit log retention for 1 year using E5 licenses for all employees who handle PII. They run monthly audit log searches for 'MailboxLogin' and 'FileAccessed' events for those users. They export the results and store them in a secured Azure Storage account for long-term retention. They also set up alert policies to notify the compliance officer if any admin accesses a customer mailbox outside business hours. This automated monitoring reduces manual effort and ensures compliance.
Scenario 3: Malicious Admin Activity Detection
A global admin's account is compromised. The attacker creates a new user, adds them to the Global Administrator role, and deletes several SharePoint sites. The security team discovers the breach when users report missing data. They search the audit log for the compromised admin's activities in the past 24 hours and see the exact times of user creation ('Add user.'), role assignment ('Add member to role.'), and site deletion. They also check whether the attacker tampered with the trail: audit records cannot be deleted by any administrator, so the log is intact (a recurring exam trap is an answer claiming the attacker deleted entries). What an attacker with this access could do is turn off audit log ingestion, so confirming that Get-AdminAuditLogConfig still shows UnifiedAuditLogIngestionEnabled as True is an early step in the investigation. They use the audit log to trace the attacker's IP and identify all affected resources, revoke the compromised account's sessions and reset its credentials, remove the rogue user and role assignment, restore the sites from the SharePoint admin center's deleted sites list, and implement conditional access policies (MFA for all admins) to prevent future breaches.
Common Pitfalls
Insufficient retention: Many organizations only have E3 licenses, giving them 90 days of audit history (180 in current tenants). If an incident is discovered later, logs may be gone. Solution: Use E5 (Audit (Premium)) or the 10-Year Audit Log Retention add-on, or, independent of licensing, pull the log continuously into a SIEM or Azure Storage via the Office 365 Management Activity API so history is kept on your own terms.
Overlooking mailbox audit: By default, mailbox audit logging is enabled, but some admins disable it thinking it generates too many events. This can blind them to mailbox compromises (inbox rules, delegate access, SendAs). Check the org-level setting with Get-OrganizationConfig | Format-List AuditDisabled, and review Get-MailboxAuditBypassAssociation for mailboxes that have been excluded from auditing.
Not setting up alerts: Relying solely on manual searches means incidents may go undetected for weeks. Proactive alert policies are essential.
Misunderstanding scope: Audit log searches only show events for the tenant you are in. In a multi-tenant environment, you must search each tenant separately.
Exam Objective MS-900: Describe security and compliance features of Microsoft 365
This chapter maps directly to the objective 'Describe security and compliance features of Microsoft 365' under the domain 'M365 Security'. Specifically, you need to know:
The purpose of auditing and activity reports
How to enable auditing
The default retention periods (90 days E3, 365 days E5)
How to search the audit log and export results
The difference between audit logs and activity reports
Alert policies and their use
Azure AD audit logs (30-day retention with P1/P2, 7 days on Free)
Common Wrong Answers and Why Candidates Choose Them
'Auditing is only available with E5 licenses.' Wrong. Auditing is available with all Microsoft 365 plans, but retention differs. E3 has 90 days, E5 has 365 days. The feature itself is not gated by license; only the retention length is.
'Activity reports show real-time data.' Wrong. Activity reports update every 24-48 hours. Audit logs are near real-time (within 30 minutes).
'You can delete audit log entries.' Wrong. Audit log entries cannot be deleted by any admin. This is a common trap question.
'Audit log retention is based on the tenant's subscription.' Wrong. It is per-user based on the user's license. If a user has E3, their events are kept 90 days even if the tenant has E5.
'You can only search the audit log for the last 30 days.' Wrong. You can search up to the retention period (90 or 365 days), but the date range in one query is limited to 90 days.
Specific Numbers and Terms That Appear on the Exam
90 days: Default retention for E3/G3
365 days: Default retention for E5/G5
10 years: Maximum retention with the 10-Year Audit Log Retention add-on
50,000: Maximum results per portal search
5,000: Maximum results per PowerShell cmdlet call
15 minutes: Default alert policy check frequency
30 minutes: Typical delay for audit event availability
24-48 hours: Update frequency for activity reports
30 days: Azure AD audit log retention with P1/P2 (7 days on Free)
Edge Cases and Exceptions
If a user has an E3 license but is later assigned an E5 license, events from before the license change are still retained for 90 days from the event date. Only new events get 365-day retention.
If a user leaves the organization and their license is removed, their audit records are retained for the original retention period based on their last license.
Retention is determined by the user's license at the time the event was recorded, not at the time you run the search; an admin with any license can search whatever is still retained.
Some activities are only recorded for users with Audit (Premium), notably the Exchange MailItemsAccessed, Send and SearchQueryInitiated events, which are the ones you need to prove whether a compromised mailbox's contents were actually read. Check which events your licensing gives you before building an investigation plan around them.
How to Eliminate Wrong Answers
If a question asks about 'real-time' or 'up-to-the-minute' data, the answer is likely NOT activity reports. Choose audit logs.
If a question mentions 'usage' or 'adoption', the answer is activity reports.
If a question asks about retention, look for per-user license mention. If the answer says 'tenant-wide', it is wrong.
If a question says 'delete audit entries', eliminate that option immediately.
If a question asks about the maximum export from the portal, look for 50,000.
Auditing is enabled by default for tenants created after January 2019; older tenants must enable it manually.
The Unified Audit Log retains events for 90 days with E3 license and 365 days with E5 license, per user.
Activity reports provide usage summaries and update every 24-48 hours; they are not real-time.
Alert policies can send email notifications when specific auditable events occur, with configurable thresholds.
You can export up to 50,000 audit log records from the portal; for more, use PowerShell or the API.
Azure AD audit logs are separate and are retained by Azure AD for 30 days with P1/P2 (7 days on Free); export them for longer retention.
Mailbox audit logging is enabled by default for all Exchange Online users.
Audit log entries cannot be deleted by any administrator.
The audit log search date range is limited to 90 days per query.
Activity reports cover Microsoft 365 Groups, email, Teams, OneDrive, SharePoint, Yammer, Forms, and Office activations.
These come up on the exam all the time. Here's how to tell them apart.
Unified Audit Log
Records all auditable user and admin actions across workloads.
Used for security investigations, compliance, and forensics.
Data available within 30 minutes of the event.
Retention per-user license: 90 days (E3) or 365 days (E5).
Accessed via Microsoft 365 Defender portal, PowerShell, or API.
Activity Reports
Summarizes usage and adoption metrics (e.g., active users, storage).
Used for business decision-making and adoption tracking.
Data updated every 24-48 hours (not real-time).
Retention not applicable; reports show the selected trailing window of 7, 30, 90, or 180 days.
Accessed via Microsoft 365 admin center > Reports > Usage.
Mistake
Auditing is only available in Microsoft 365 E5.
Correct
Auditing is available in all Microsoft 365 plans, including Business and E3. The difference is retention length: E3 retains 90 days, E5 retains 365 days. The feature itself is not license-gated.
Mistake
Activity reports show data in real time.
Correct
Activity reports are updated every 24-48 hours. They are not real-time. For near real-time data, use audit logs or alert policies.
Mistake
Audit log retention is based on the tenant's subscription license.
Correct
Retention is per-user based on the user's assigned license. If a user has an E3 license, their audit records are kept for 90 days, even if the tenant has E5. If the user has E5, retention is 365 days.
Mistake
Admins can delete audit log entries.
Correct
No admin can delete audit log entries. This is a common exam trap. Audit logs are immutable for compliance reasons.
Mistake
You can only search the audit log for the last 30 days.
Correct
You can search up to the retention period (90 days for E3, 365 days for E5), but a single query is limited to a 90-day date range. You can run multiple queries to cover longer periods.
Audit log retention depends on the user's license. For users with E3/G3 licenses, audit records are retained for 90 days. For users with E5/G5 licenses, retention is 365 days. With the 10-Year Audit Log Retention add-on, you can retain logs for up to 10 years. Retention is per-user, not tenant-wide. The retention period starts from the time the event was recorded. After expiration, the record is permanently deleted.
Yes, you can search beyond 90 days if your users have E5 licenses (365 days) or the 10-year add-on. However, the portal search interface limits a single query to a 90-day date range. To cover a longer period, you must run multiple queries or use PowerShell to export data in chunks. For example, to search a full year, run four or five consecutive 90-day queries or use a script with Search-UnifiedAuditLog.
Audit logs record every auditable action (e.g., file download, mailbox login) and are used for security investigations and compliance. They are available within 30 minutes and retained per user license. Activity reports summarize usage and adoption (e.g., number of active users, storage consumed) and are updated every 24-48 hours. Activity reports are found in the Microsoft 365 admin center under Reports > Usage, while audit logs are in the Microsoft 365 Defender portal under Audit.
For tenants created after January 2019, auditing is enabled by default. For older tenants, a global admin must enable it. Go to Microsoft 365 Defender portal > Audit, and if prompted, turn on auditing. Alternatively, use PowerShell: run `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. To verify, run `Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled`. Once enabled, all future auditable actions are logged.
An alert policy automatically sends email notifications to specified recipients when certain auditable activities occur. For example, you can create an alert when a user is added to the Global Administrator role. To create one, go to Microsoft 365 Defender portal > Policies & rules > Alert policy. Click + New alert policy. Give it a name, select a category (e.g., Threat management), choose the activity to monitor, set a threshold (e.g., 5 occurrences in 10 minutes), and enter recipient email addresses. The system checks for matching events every 15 minutes by default.
Yes, but not directly from the portal. The portal allows exporting up to 50,000 records per query. To exceed that, use PowerShell with the Search-UnifiedAuditLog cmdlet, which returns up to 5,000 records per call and up to 50,000 per session; loop through pages using SessionId and SessionCommand ReturnLargeSet, and split the date range into slices for anything beyond a session's limit. Alternatively, use the Office 365 Management Activity API for programmatic access. For very large exports, consider streaming the data to Azure Storage or a SIEM.
Mailbox audit logging records actions performed on a mailbox, such as mailbox logins, message moves, hard deletes, and soft deletes. It is enabled by default for all Exchange Online user mailboxes. The records flow into the Unified Audit Log, so you search them with the audit search in the Purview compliance portal or with Search-UnifiedAuditLog (RecordType ExchangeItem); the legacy Search-MailboxAuditLog cmdlet has been deprecated. Mailbox auditing is configured separately from unified audit log ingestion, but both are used together for comprehensive auditing.