This chapter covers Advanced Audit in Microsoft 365, a powerful capability that extends basic audit logging with high-value features like longer retention, intelligent insights, and programmatic access. For the SC-900 exam, Advanced Audit falls under Compliance Solutions (Domain 4, Objective 4.4) and typically appears in 5-8% of questions. You must understand what Advanced Audit adds over standard audit, how to enable it, and the specific features it unlocks — especially audit log retention up to 10 years, bandwidth throttling adjustments, and the use of Audit Log Search in the compliance portal.
Imagine a logistics company that ships sensitive packages. Every time a package is created, moved, or delivered, a clerk writes an entry in a bound ledger: timestamp, package ID, action, and clerk initials. The ledger pages are numbered sequentially and cannot be removed or inserted without visible tearing. If a manager wants to investigate a lost package, they can examine the ledger to see exactly which clerk handled it and when. The ledger is stored in a locked room, and only authorized personnel can request to view it. This is exactly how the Microsoft 365 unified audit log works. Every user action across Exchange, SharePoint, Azure AD, and other services generates an audit record with a unique ID, timestamp, and details. These records are stored in a tamper-proof, append-only log in Microsoft's backend. Administrators can search the log using the compliance portal or PowerShell, but cannot modify or delete entries. Just as the shipping ledger ensures accountability, the audit log provides a forensic trail for security investigations and compliance audits. The analogy breaks down only in that the digital log can be searched and filtered instantly, whereas the physical ledger requires manual page turning.
What is Advanced Audit and Why It Exists
Microsoft 365 generates audit records for thousands of operations across Exchange Online, SharePoint Online, Azure Active Directory, Microsoft Teams, Power BI, and other workloads. By default, all Microsoft 365 tenants have basic audit logging enabled, which retains audit records for 90 days (or 180 days for Exchange mailboxes). However, many organizations — especially those in regulated industries like finance, healthcare, or government — need to retain audit data for years to satisfy compliance requirements such as SEC Rule 17a-4, HIPAA, or GDPR. Advanced Audit is a premium add-on that extends retention, provides intelligent insights, and offers programmatic access to audit data.
Advanced Audit is licensed per user via one of the following:
Microsoft 365 E5/A5/G5
Microsoft 365 E5/A5/G5 Compliance
Microsoft 365 E5/A5/G5 eDiscovery and Audit
Office 365 E5/A5/G5
Microsoft 365 E5/A5/F5/G5 Security & Compliance
Or as an add-on for E3/A3/G3 with the Microsoft 365 E5 Compliance SKU
Without Advanced Audit, the maximum retention for audit records is 90 days (standard audit). With Advanced Audit, you can retain audit records for up to 10 years, depending on the license and configuration.
How Advanced Audit Works Internally
When a user performs an action in a Microsoft 365 workload — for example, a user downloads a file from SharePoint — the service generates an audit record. This record contains:
- CreationTime: UTC timestamp of the action
- Operation: The action performed (e.g., FileDownloaded)
- UserId: The user who performed the action
- ClientIP: The IP address of the client
- ItemId: The unique identifier of the object acted upon
- ItemType: The type of object (e.g., File, Folder, Mailbox)
- Workload: The service where the action occurred (e.g., SharePoint, Exchange)
- ResultStatus: Success or Failure
- Additional properties: Varies by workload (e.g., file name, size, destination)
These records are ingested into the Unified Audit Log (UAL) in the Microsoft 365 backend. The UAL is an append-only store with no modification or deletion capabilities — not even by Microsoft administrators. Records are indexed for search and automatically purged based on the retention policy.
With Advanced Audit:
- Retention Policies: You can assign retention policies to audit records based on the workload or activity type. For example, you can retain all SharePoint audit records for 10 years, while Exchange admin actions are retained for 5 years. Retention is enforced by a background service that checks the age of records against the policy and deletes expired records.
- Bandwidth Throttling: Standard audit logs are subject to throttling limits — up to 2,000 requests per tenant per day for the AuditLog.Search API. Advanced Audit raises this limit to 20,000 requests per day, allowing large-scale continuous export.
- Intelligent Insights: Advanced Audit includes heuristic-based alerts for suspicious activities, such as an unusual volume of file downloads or access from anomalous locations.
- Programmatic Access: The AuditLog.Search API and the Search-UnifiedAuditLog PowerShell cmdlet can retrieve audit records with higher throughput and longer lookback windows.
Key Components, Values, Defaults, and Timers
Audit Record Retention Defaults:
- Standard audit (no Advanced Audit): 90 days for all workloads except Exchange mailbox audits (180 days)
- Advanced Audit with E5 license: 1 year default, can be extended to 10 years with retention policies
- Licensing: Each user must have an Advanced Audit license to generate audit records that can be retained beyond 90 days. If a user does not have an Advanced Audit license, their records are still generated but retained only for 90 days.
Bandwidth Throttling:
- Default limit for AuditLog.Search API: 2,000 requests per tenant per day
- With Advanced Audit: 20,000 requests per tenant per day
- PowerShell: Search-UnifiedAuditLog has a default page size of 100 records (max 5,000). Advanced Audit allows up to 5,000 records per page with the -ResultSize parameter.
Retention Policies:
- You can create up to 100 audit retention policies per tenant
- Each policy applies to specific activities (e.g., SharePoint file access, Exchange admin actions) or workloads
- Retention duration can be 90 days, 1 year, 5 years, or 10 years
- Policies are evaluated every 7 days to purge expired records
Intelligent Insights:
- Use Cases: Detecting an unusual volume of file downloads, access from anonymous IPs, or mass deletion of documents
- Alerts are surfaced in the Microsoft 365 Defender portal under Incidents & Alerts
- These do not require additional configuration — they are automatically enabled when Advanced Audit is licensed
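The retention rules above (90 days standard, 180 days for Exchange mailbox audits, 1 year Advanced Audit default, longer only where a policy matches, at most 100 policies) are easy to misapply in a mixed tenant where not every user is licensed. The following Python is an added worked example, not code from the chapter or from Microsoft: it applies exactly those stated figures to a handful of constructed records. The users, policies and records are sample data; the rule that the longest matching policy wins is a simplification (the real service resolves overlaps by policy priority), and RecordType names follow the Office 365 Management Activity API schema.

```python
"""Added example (not from the chapter or Microsoft): compute how long a
Unified Audit Log record is kept under the chapter's stated retention figures.
Users, policies and records below are constructed sample input."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Durations as given in the chapter (days; a year is taken as 365 days here).
STANDARD_DAYS = 90
EXCHANGE_MAILBOX_DAYS = 180
ADVANCED_DEFAULT_DAYS = 365
FIVE_YEARS = 5 * 365
TEN_YEARS = 10 * 365
ALLOWED_POLICY_DAYS = {STANDARD_DAYS, ADVANCED_DEFAULT_DAYS, FIVE_YEARS, TEN_YEARS}
MAX_POLICIES = 100


@dataclass(frozen=True)
class RetentionPolicy:
    """One audit retention policy scoped to a workload and/or set of operations."""
    name: str
    days: int
    workload: Optional[str] = None            # None = any workload
    operations: FrozenSet[str] = frozenset()  # empty = any operation

    def matches(self, record: dict) -> bool:
        if self.workload is not None and record["Workload"] != self.workload:
            return False
        if self.operations and record["Operation"] not in self.operations:
            return False
        return True


def policy_problems(policies: List[RetentionPolicy]) -> List[str]:
    """Reasons a policy set breaks the chapter's stated limits (empty = fine)."""
    problems = []
    if len(policies) > MAX_POLICIES:
        problems.append(f"{len(policies)} policies exceeds the {MAX_POLICIES}-per-tenant limit")
    for p in policies:
        if p.days not in ALLOWED_POLICY_DAYS:
            problems.append(f"{p.name}: {p.days} days is not 90 days, 1, 5 or 10 years")
    return problems


def retention_days(record: dict, licensed_users: FrozenSet[str],
                   policies: List[RetentionPolicy]) -> int:
    """Days the record is retained. Unlicensed users get standard-audit figures
    even in an Advanced Audit tenant; licensed users get the 1-year default
    unless a policy matches (longest match wins in this simplified example)."""
    if record["UserId"].lower() not in licensed_users:
        if record["Workload"] == "Exchange" and record["RecordType"] == "ExchangeItem":
            return EXCHANGE_MAILBOX_DAYS  # mailbox audit record
        return STANDARD_DAYS
    matching = [p.days for p in policies if p.matches(record)]
    return max(matching, default=ADVANCED_DEFAULT_DAYS)


def expires_at(record: dict, licensed_users: FrozenSet[str],
               policies: List[RetentionPolicy]) -> datetime:
    created = datetime.fromisoformat(record["CreationTime"])  # UTC, as in the UAL
    return created + timedelta(days=retention_days(record, licensed_users, policies))


# --- constructed sample tenant -------------------------------------------------
LICENSED = frozenset({"alice@contoso.com"})  # only alice holds an Advanced Audit licence
POLICIES = [
    RetentionPolicy("SharePoint 10-Year Retention", TEN_YEARS, workload="SharePoint"),
    RetentionPolicy("Exchange admin 5-Year Retention", FIVE_YEARS, workload="Exchange",
                    operations=frozenset({"Set-Mailbox", "New-TransportRule"})),
]
RECORDS = [
    {"CreationTime": "2024-03-01T10:15:00", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.com", "Workload": "SharePoint", "RecordType": "SharePointFileOperation"},
    {"CreationTime": "2024-03-01T10:16:00", "Operation": "FileDownloaded",
     "UserId": "bob@contoso.com", "Workload": "SharePoint", "RecordType": "SharePointFileOperation"},
    {"CreationTime": "2024-03-01T10:17:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@contoso.com", "Workload": "Exchange", "RecordType": "ExchangeItem"},
    {"CreationTime": "2024-03-01T10:18:00", "Operation": "Set-Mailbox",
     "UserId": "alice@contoso.com", "Workload": "Exchange", "RecordType": "ExchangeAdmin"},
    {"CreationTime": "2024-03-01T10:19:00", "Operation": "TeamCreated",
     "UserId": "alice@contoso.com", "Workload": "MicrosoftTeams", "RecordType": "MicrosoftTeams"},
]


def retention_report(records=RECORDS, licensed=LICENSED, policies=POLICIES) -> List[Dict]:
    """Per record: who, what, how many days it is kept, and the day it is purged."""
    problems = policy_problems(policies)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"user": r["UserId"], "operation": r["Operation"],
             "days": retention_days(r, licensed, policies),
             "expires": expires_at(r, licensed, policies).date().isoformat()}
            for r in records]


if __name__ == "__main__":
    for row in retention_report():
        print(f'{row["user"]:<20} {row["operation"]:<18} {row["days"]:>5} days  purged {row["expires"]}')
```

Note how bob's SharePoint download, generated in the same tenant and seconds after alice's, is purged after 90 days because bob has no licence: this is the compliance gap the chapter's trap questions turn on.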
Configuration and Verification Commands
To enable Advanced Audit, you must first assign licenses to users. Then, verify the license assignment using PowerShell:
Get-MsolUser -UserPrincipalName user@contoso.com | Select-Object Licenses
To check the current audit retention policies:
Get-UnifiedAuditLogRetentionPolicy | Format-List Name, RecordTypes, RetentionDuration, Priority
To create a custom audit retention policy for 10 years for SharePoint operations:
New-UnifiedAuditLogRetentionPolicy -Name "SharePoint 10-Year Retention" -Description "Retain SharePoint audit records for 10 years" -RecordTypes SharePoint -RetentionDuration TenYears -Priority 10
To search the audit log with Advanced Audit (higher throughput):
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 -Operations FileDownloaded
To verify Advanced Audit is enabled on the tenant:
Get-AdminAuditLogConfig | Format-List *Audit*
Look for UnifiedAuditLogIngestionEnabled : True and AdvancedAuditEnabled : True.
Interaction with Related Technologies
Advanced Audit integrates with:
- Microsoft 365 Compliance Center: The Audit log search interface is the primary UI for querying audit records. Advanced Audit provides additional filters and longer date ranges.
- Microsoft 365 Defender: Alerts from Intelligent Insights appear in the Defender portal, correlating audit events with other security signals.
- eDiscovery: Audit records are used to prove chain of custody in eDiscovery cases. Advanced Audit ensures records are retained for the duration of litigation holds.
- Microsoft Graph API: The AuditLog.Query API allows programmatic access with advanced throttling limits.
- Data Lifecycle Management: Retention policies for audit logs are managed alongside other retention policies in the Compliance Center.
Trap Patterns
Common exam traps:
- Trap 1: "Advanced Audit extends retention to 10 years for all records by default." Reality: Default retention is 1 year; you must create a retention policy for 10-year retention.
- Trap 2: "Audit records can be edited or deleted by administrators." Reality: Audit records are immutable.
- Trap 3: "Advanced Audit requires an E3 license." Reality: Advanced Audit requires E5 or add-on; E3 only includes standard audit.
- Trap 4: "Audit log search is limited to 90 days even with Advanced Audit." Reality: Advanced Audit allows search up to 10 years back, depending on retention policy.
- Trap 5: "All users automatically get Advanced Audit benefits if the tenant has one E5 license." Reality: Each user must be licensed individually.
License Assignment for Users
First, ensure each user who needs advanced audit coverage is assigned a license that includes Advanced Audit, such as Microsoft 365 E5 or the E5 Compliance add-on. Without proper licensing, audit records from unlicensed users are retained only for 90 days, even if the tenant has Advanced Audit. Use the Microsoft 365 admin center or PowerShell to assign licenses. Verify with Get-MsolUser to confirm license type.
Enable Unified Audit Log
In most tenants, audit logging is enabled by default. If not, turn it on via the Compliance Center (Audit > Start recording user and admin activity) or PowerShell with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. This step is mandatory for both standard and advanced audit. Without it, no audit records are generated.
Configure Audit Retention Policies
With Advanced Audit, create retention policies to specify how long to keep audit records for different activities. For example, retain all Exchange admin actions for 5 years and SharePoint file accesses for 10 years. Use the Compliance Center (Data Lifecycle Management > Audit Retention) or the PowerShell cmdlet New-UnifiedAuditLogRetentionPolicy. Each policy can target specific operations or workloads.
Monitor Intelligent Insights
Advanced Audit automatically generates alerts for suspicious activities. Review these in Microsoft 365 Defender under Incidents & Alerts. Examples include unusual file downloads or access from anonymous IPs. No configuration is needed, but you can adjust alert sensitivity in the Defender portal. These insights help detect potential breaches early.
Search and Export Audit Logs
Use the Audit log search in Compliance Center or PowerShell to query records. With Advanced Audit, you can search up to 10 years back and export up to 20,000 records per day via API. Use filters like date range, workload, and operation. Export results as CSV for analysis. This step is critical for compliance audits and investigations.
Scenario 1: Financial Services Compliance
A global investment bank must retain all user and admin activity logs for 7 years per SEC Rule 17a-4. They deploy Advanced Audit for all 10,000 employees with Microsoft 365 E5 licenses. The compliance team creates a retention policy for 10 years (to be safe) covering all workloads. They use the AuditLog.Search API to continuously export logs to a SIEM system (Splunk) for real-time monitoring. The API throttling limit of 20,000 requests per day allows them to pull incremental data every hour. Without Advanced Audit, the 90-day retention would violate regulatory requirements. One challenge they face is managing the 100-policy limit — they consolidate policies by workload rather than by individual activity. Misconfiguration example: If they forget to assign licenses to new hires, those users' audit records are purged after 90 days, creating a compliance gap.
Scenario 2: Insider Threat Investigation
A technology company suspects an employee of stealing intellectual property by downloading thousands of files from SharePoint. With Advanced Audit, they use Intelligent Insights to detect the anomalous download volume. The alert triggers an investigation in Microsoft 365 Defender. The security team uses the Audit Log Search to filter by UserId and Operation (FileDownloaded) for the past 6 months, exporting 50,000 records. They analyze the data in Excel and confirm the exfiltration. Advanced Audit's 1-year default retention (extended to 5 years via policy) ensures the evidence is available. Without Advanced Audit, the 90-day retention would have already deleted the oldest records.
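The analysis step in this scenario (filter exported records to FileDownloaded, group by UserId, look for a volume that stands out) is routine enough to script rather than do in Excel. The Python below is an added example, not code from the chapter and not Microsoft's Intelligent Insights logic, which is not public: it works over AuditData JSON documents of the shape Search-UnifiedAuditLog exports, using the record fields the chapter lists. All records are constructed sample input (generated inline so the spike is visible), and the two thresholds are assumptions chosen for the example, not service defaults.

```python
"""Added example (not from the chapter, not Microsoft's Intelligent Insights):
a plain per-user download-volume heuristic over AuditData JSON records.
All records below are constructed sample input; thresholds are assumptions."""
import json
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List

ABSOLUTE_THRESHOLD = 200   # downloads in one day that always merit review (assumed)
SPIKE_FACTOR = 5           # or this multiple of the user's own median day (assumed)


def make_audit_data(user: str, day: str, count: int, ip: str,
                    operation: str = "FileDownloaded", status: str = "Succeeded") -> List[str]:
    """Build `count` AuditData JSON strings for one user on one day (sample data only)."""
    return [json.dumps({
        "CreationTime": f"{day}T{9 + i // 60:02d}:{i % 60:02d}:00",
        "Operation": operation, "UserId": user, "ClientIP": ip,
        "ObjectId": f"https://contoso.sharepoint.com/sites/finance/doc{i}.xlsx",
        "Workload": "SharePoint", "ResultStatus": status,
    }) for i in range(count)]


SAMPLE_AUDITDATA = (
    # alice: three downloads a day for five days, then 240 in one day from a new IP
    [line for d in range(8, 13)
     for line in make_audit_data("alice@contoso.com", f"2024-01-{d:02d}", 3, "203.0.113.10")]
    + make_audit_data("alice@contoso.com", "2024-01-13", 240, "198.51.100.77")
    # bob: steady low volume, plus a burst of *failed* downloads that must not count
    + [line for d in range(8, 13)
       for line in make_audit_data("bob@contoso.com", f"2024-01-{d:02d}", 2, "203.0.113.11")]
    + make_audit_data("bob@contoso.com", "2024-01-12", 50, "203.0.113.11", status="Failed")
    # an unrelated operation the FileDownloaded filter must ignore
    + make_audit_data("bob@contoso.com", "2024-01-12", 5, "203.0.113.11", operation="FileAccessed")
)


def parse_audit_data(lines: List[str]) -> List[dict]:
    """Each exported AuditData value is one JSON document."""
    return [json.loads(line) for line in lines]


def is_download(r: dict) -> bool:
    return r.get("Operation") == "FileDownloaded" and r.get("ResultStatus") == "Succeeded"


def daily_downloads(records: List[dict]) -> Dict[str, Counter]:
    """{user: Counter{UTC day: successful FileDownloaded count}}."""
    per_user: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if is_download(r):
            per_user[r["UserId"].lower()][r["CreationTime"][:10]] += 1
    return per_user


def flag_download_spikes(records: List[dict], absolute: int = ABSOLUTE_THRESHOLD,
                         factor: int = SPIKE_FACTOR) -> List[dict]:
    """Flag user-days whose download count is extreme in absolute terms or
    relative to that user's own median daily volume; report the client IPs seen."""
    ips = defaultdict(set)
    for r in records:
        if is_download(r):
            ips[(r["UserId"].lower(), r["CreationTime"][:10])].add(r.get("ClientIP", "?"))
    findings = []
    for user, days in daily_downloads(records).items():
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if n >= absolute or n >= factor * baseline:
                findings.append({"user": user, "day": day, "count": n, "baseline": baseline,
                                 "client_ips": sorted(ips[(user, day)])})
    return findings


if __name__ == "__main__":
    for f in flag_download_spikes(parse_audit_data(SAMPLE_AUDITDATA)):
        print(f'{f["user"]} {f["day"]}: {f["count"]} downloads '
              f'(median {f["baseline"]}/day) from {", ".join(f["client_ips"])}')
```

Two details matter for a real investigation: failed downloads are excluded from the volume count (the ResultStatus field exists for exactly this distinction, and a burst of failures is a separate question), and the baseline is the user's own median, so a user who legitimately downloads hundreds of files every day is not flagged merely for being busy.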
Scenario 3: Multi-Geo Tenant Management
A multinational corporation with offices in Europe, Asia, and North America uses Microsoft 365 Multi-Geo. Advanced Audit records are stored in the geo-location where the data resides. The compliance team must ensure that audit retention policies are applied uniformly across all geos. They use PowerShell to create policies that target all locations. A common pitfall is assuming that a single retention policy applies globally — in reality, each geo's audit log is independent, and policies must be applied per geo. They also need to consider data sovereignty: audit records for European users must stay within the EU. Advanced Audit supports this by respecting data residency.
Objective Code: SC-900 Domain 4.4: Describe the capabilities of Microsoft 365 compliance solutions, including audit. The exam specifically tests your ability to distinguish between standard audit and Advanced Audit, understand licensing requirements, and know the retention durations.
Most Common Wrong Answers:
1. "Advanced Audit retains all audit records for 10 years by default." Wrong — default is 1 year; 10 years requires a retention policy.
2. "Audit logs can be deleted by administrators." Wrong — audit logs are immutable.
3. "Standard audit retains records for 180 days." Partially true — only for Exchange mailbox audits; all others are 90 days.
4. "Advanced Audit requires an E3 license." Wrong — requires E5 or add-on.
Numbers and Values to Memorize:
- Standard audit retention: 90 days (Exchange mailbox: 180 days)
- Advanced Audit default retention: 1 year (365 days)
- Maximum retention with policy: 10 years
- API throttling: 2,000 requests/day standard, 20,000 requests/day Advanced
- PowerShell page size: up to 5,000 records with Advanced Audit
- Maximum retention policies: 100 per tenant
Edge Cases the Exam Tests:
- If a tenant has Advanced Audit but a user is not licensed, that user's audit records are retained only 90 days.
- Audit records for unlicensed users are still generated but expire after 90 days.
- Intelligent Insights are automatically enabled with Advanced Audit — no manual setup.
- Retention policies are evaluated every 7 days for expiration.
How to Eliminate Wrong Answers:
- If a question mentions "default retention" without specifying a policy, the answer is 1 year for Advanced Audit, not 10 years.
- If a question asks about modifying or deleting audit records, the answer is always "cannot be modified or deleted."
- For licensing questions, remember that Advanced Audit requires E5 or equivalent — never E3 alone.
- For throttling questions, the standard limit is 2,000; Advanced is 20,000.
- If a question mentions "Intelligent Insights," it is exclusive to Advanced Audit.
Advanced Audit extends audit log retention from 90 days to up to 10 years via custom policies.
Each user must be licensed individually for Advanced Audit; unlicensed users' records expire after 90 days.
Audit records are immutable and cannot be modified or deleted by anyone.
Intelligent Insights are automatically enabled with Advanced Audit and surface in Microsoft 365 Defender.
API throttling increases from 2,000 to 20,000 requests per day with Advanced Audit.
Retention policies can be created per workload or activity, up to 100 policies per tenant.
PowerShell cmdlet Search-UnifiedAuditLog can retrieve up to 5,000 records per page with Advanced Audit.
These come up on the exam all the time. Here's how to tell them apart.
Standard Audit
Retention: 90 days (Exchange mailbox: 180 days)
API throttling: 2,000 requests/day
No Intelligent Insights
Included with E3 and above
Max PowerShell result size: 100 records per page
Advanced Audit
Retention: 1 year default, up to 10 years with policy
API throttling: 20,000 requests/day
Intelligent Insights for anomaly detection
Requires E5 or add-on license per user
Max PowerShell result size: 5,000 records per page
Mistake
Advanced Audit is automatically enabled for all users once the tenant has an E5 license.
Correct
Each user must be individually assigned an E5 license (or equivalent) to generate audit records eligible for advanced retention. Unlicensed users' records are still created but retained only 90 days.
Mistake
With Advanced Audit, all audit records are retained for 10 years by default.
Correct
The default retention for Advanced Audit is 1 year. To retain records for up to 10 years, you must create a custom audit retention policy.
Mistake
Audit records can be deleted by compliance administrators if needed.
Correct
Audit records are immutable and cannot be modified or deleted by any administrator, including Microsoft. This ensures a tamper-proof audit trail.
Mistake
Standard audit logging retains records for 180 days for all activities.
Correct
Standard audit retains records for 90 days for most workloads. Only Exchange mailbox audit records are retained for 180 days.
Mistake
Advanced Audit requires additional configuration to enable Intelligent Insights.
Correct
Intelligent Insights are automatically enabled when Advanced Audit is licensed. No manual configuration is needed.
The default retention period for Advanced Audit is 1 year (365 days). To retain audit records for up to 10 years, you must create a custom audit retention policy in the Compliance Center or via PowerShell. Without a policy, records expire after 1 year.
No, audit records are immutable and cannot be deleted or modified by any administrator, including Microsoft. This ensures a tamper-proof audit trail for compliance and forensic investigations.
Advanced Audit requires one of the following per user: Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5/G5 eDiscovery and Audit, Office 365 E5/A5/G5, or Microsoft 365 E5/A5/F5/G5 Security & Compliance. It can also be added as an add-on for E3/A3/G3 with the Microsoft 365 E5 Compliance SKU.
First, assign Advanced Audit licenses to users. Then, ensure unified audit logging is enabled (it is by default in most tenants). You can verify with PowerShell: Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled. Advanced Audit features become active once licenses are assigned.
Standard audit limits the AuditLog.Search API to 2,000 requests per tenant per day. Advanced Audit raises this limit to 20,000 requests per day, allowing more frequent and larger-scale exports of audit data for continuous monitoring.
Yes, Advanced Audit works with Multi-Geo. Audit records are stored in the geo-location where the data resides. Retention policies must be applied per geo, and data sovereignty is respected.
No, Intelligent Insights are exclusive to Advanced Audit. They automatically detect anomalous activities such as unusual file downloads or access from anonymous IPs and surface alerts in Microsoft 365 Defender.