SC-900 | Chapter 87 of 103 | Objective 4.4

Audit Log Retention Policies

This chapter covers audit log retention policies in Microsoft 365, a key topic under Compliance Solutions (Objective 4.4) for the SC-900 exam. Understanding how long audit logs are retained, how to extend retention, and the licensing requirements is critical because retention policies directly impact an organization's ability to meet regulatory and internal compliance obligations. Approximately 5–10% of SC-900 exam questions touch on audit log retention, often asking about default durations, retention policy configuration, and license requirements for extended retention.

Updated May 31, 2026

Office Security Camera Footage Retention

Imagine an office building with security cameras recording every hallway. The company policy says footage must be kept for 90 days for compliance, but the storage system automatically overwrites older footage when full. To meet the 90-day requirement, the IT team configures the system to allocate enough storage for 90 days of recordings and sets a retention rule that prevents deletion before 90 days. If the storage fills up, the system stops recording new footage until space is freed—it never deletes footage younger than 90 days. This mirrors audit log retention in Microsoft 365: you set a retention duration (e.g., 90 days or 1 year), and the system preserves logs for that period. If you try to store more logs than the allocated capacity, new logging stops rather than overwriting old logs. Just as the camera system might have different retention for different areas (e.g., 30 days for lobby, 90 days for server room), audit log retention policies can vary by workload (Exchange, SharePoint, Azure AD). The key mechanism is that retention is enforced by a timestamp-based deletion job that runs periodically—exactly like a nightly script that deletes footage older than the policy. If you need logs longer than the default, you must purchase additional storage (like buying more hard drives) or enable a specific license (e.g., E5) that grants extended retention.

How It Actually Works

What Are Audit Log Retention Policies?

Audit log retention policies in Microsoft 365 control how long unified audit logs are preserved in the Microsoft 365 compliance center. These logs record user and admin activities across Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other workloads. The retention policy determines the duration from the time the activity occurred until the log is automatically deleted. The default retention period is 180 days for most Microsoft 365 subscriptions (E3, Business Standard, etc.), but organizations with an E5 license or add-on compliance licenses can retain logs for up to 10 years (3650 days) or even indefinitely with a custom retention policy.

Why Retention Policies Matter

Organizations must retain audit logs to meet regulatory requirements such as GDPR, SOX, HIPAA, or internal data governance policies. Retention policies ensure logs are available for forensic investigations, eDiscovery, insider risk management, and compliance audits. Without proper retention, logs may be deleted before they are needed, leading to compliance violations or inability to investigate security incidents. The SC-900 exam tests your knowledge of default retention values, which workloads are audited, and how to configure retention using the Microsoft Purview compliance portal or PowerShell.

How Audit Log Retention Works Internally

When an audited action occurs, the Microsoft 365 service generates an audit record and sends it to the unified audit log. Each record includes a timestamp (CreationTime), the user who performed the action, the workload, and details about the operation. The retention policy is applied by a background process that evaluates the CreationTime of each record against the configured retention duration. Records older than the retention period are permanently deleted from the audit log store. This process runs periodically (typically every few days) to purge expired logs. The deletion is irreversible—once deleted, logs cannot be recovered unless they were exported or stored elsewhere.

Key Components and Defaults

Default retention for E3/Business Standard: 90 days (note: this was recently changed from 180 days; verify current exam objectives). However, for Azure AD Premium P1/P2, the default is 30 days.

Default retention for E5/G5: 365 days (1 year).

Extended retention options: Up to 10 years (3650 days) with an E5 license or Microsoft 365 E5 Compliance add-on. You can also configure a custom retention policy (e.g., 7 years) using the Compliance portal or PowerShell.

Retention for specific workloads: Exchange Online and SharePoint Online have separate audit log retention that may differ; the unified audit log aggregates them.

Storage limit: The unified audit log has a storage quota based on license type. For E3, the quota is 50 GB; for E5, it is 100 GB. If the quota is reached, new audit records are not generated until storage is freed (by deleting old logs or increasing quota).

Configuration and Verification

You configure audit log retention in the Microsoft Purview compliance portal under Audit > Audit retention policies. Alternatively, you can use the following PowerShell cmdlets:

`Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` – enables unified audit logging.

`Set-AdminAuditLogConfig -UnifiedAuditLogRetentionDuration 365` – sets retention to 365 days (requires appropriate license).

`Get-AdminAuditLogConfig | fl UnifiedAuditLogRetentionDuration` – verifies current retention.

To check the current retention duration in the portal: navigate to Audit > Retention policies and view the policy. You can also create a custom retention policy with a specific duration (in days) and assign it to specific workloads or all workloads.

Interaction with Related Technologies

Audit log retention works closely with:

- eDiscovery: eDiscovery holds can preserve audit logs beyond their retention period. If a legal hold is placed on a user or site, associated audit logs are protected from deletion.
- Retention labels and policies: These are for content (documents, emails), not audit logs. Audit log retention is separate.
- Alert policies: Alert policies can trigger based on audit log events, but they do not affect retention.
- Microsoft 365 Defender: Some security events are also recorded in the unified audit log, but Defender has its own retention for advanced hunting (30 days).

Exam-Relevant Details

The SC-900 exam specifically tests: default retention for E3 vs E5, how to extend retention, and the licensing requirement for 10-year retention.

A common trap: candidates confuse audit log retention with mailbox retention or SharePoint retention. Audit logs are metadata about activities, not content.

Another trap: thinking that enabling auditing automatically sets retention to 10 years. It does not—you must configure it.

The exam may ask: "What is the maximum retention period for audit logs with an E5 license?" Answer: 10 years (3650 days).

If asked about default retention for Azure AD audit logs: 30 days (Azure AD Premium P1/P2).

Step-by-Step Configuration Example

1. Sign in to Microsoft Purview compliance portal (compliance.microsoft.com) as a Compliance Administrator.
2. Go to Audit > Audit retention policies.
3. Click Add retention policy.
4. Enter a name and description.
5. Set the retention duration in days (e.g., 3650 for 10 years).
6. Select the workloads to apply the policy (e.g., Exchange, SharePoint, Azure AD).
7. Review and submit.

The policy takes effect within 24 hours. Existing logs are not retroactively affected—only new logs generated after the policy is applied will have the new retention. To change retention for existing logs, you must use a different method (e.g., export logs before they expire).

PowerShell Example

```powershell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Set unified audit log retention to 365 days
Set-AdminAuditLogConfig -UnifiedAuditLogRetentionDuration 365

# Verify
Get-AdminAuditLogConfig | Format-List Name, UnifiedAuditLogRetentionDuration
```

Important Notes

The UnifiedAuditLogRetentionDuration parameter accepts values from 0 to 3650 (for E5). E3 can set up to 365 days only with the appropriate add-on; check current licensing.

If you set retention to 0, logs are retained indefinitely (but this is not recommended and may fill storage).

The retention policy applies to all audit records from the selected workloads. You cannot selectively retain specific types of activities.

Audit log retention is separate from the audit log search history (which is 30 days).

Troubleshooting

If you cannot set retention beyond 365 days, verify your license includes the Microsoft 365 E5 Compliance add-on. Also ensure the user configuring the policy has the Audit Log role in the compliance center.

Walk-Through

1. Enable Unified Auditing

Before retention policies take effect, unified auditing must be enabled. In the Microsoft Purview compliance portal, go to Audit and click 'Start recording user and admin activity.' This activates the logging pipeline. Once enabled, all auditable actions from supported workloads are sent to the unified audit log. Without this step, no audit records are generated, and retention policies have no effect. Enabling auditing is a one-time action that may take up to 24 hours to fully activate. You can verify with PowerShell: `Get-AdminAuditLogConfig | fl UnifiedAuditLogIngestionEnabled`.

2. Configure Retention Duration

In the Audit retention policies section, you set the number of days to retain logs. The default is 90 days for E3 and 365 for E5. You can modify this by creating a new policy or editing the default policy. The duration must be between 0 and 3650 days (for eligible licenses). Setting it to 0 means indefinite retention, but this is rarely used due to storage constraints. The policy applies to all audit records created after the policy is saved. Existing logs keep their original retention unless you use a special override (not available in UI).

3. Select Workloads

You can choose which workloads the retention policy applies to, such as Exchange, SharePoint, Azure AD, Teams, etc. This allows granular control—for example, retaining SharePoint logs for 7 years but Exchange logs for only 1 year. If you select all workloads, the policy applies uniformly. Note that Azure AD audit logs have a separate default retention of 30 days, but they are also included in the unified audit log if you select Azure Active Directory. The policy overrides the workload-specific default.

4. Apply and Verify Policy

After saving the policy, it takes effect within 24 hours. To verify, go to Audit retention policies and check the policy details. You can also use PowerShell: `Get-AdminAuditLogConfig | fl UnifiedAuditLogRetentionDuration`. This shows the current retention duration for the unified audit log. Multiple policies are additive: each workload uses its own policy, and there is no conflict resolution. Ensure you have only one policy per workload to avoid confusion.

5. Monitor Storage Quota

The unified audit log has a storage quota based on license: 50 GB for E3, 100 GB for E5. If the quota is reached, new audit records are not generated until space is freed. This can cause gaps in audit coverage. To avoid this, monitor storage usage in the compliance portal (Audit > Storage usage). If approaching quota, either delete old logs (not recommended if needed for compliance) or increase quota by upgrading license. Retention policies help by automatically deleting logs, but if retention is long, storage may fill up. The system will not overwrite logs; it stops logging new activities.

6. Export Logs for Long-Term Archiving

If you need to retain logs beyond the maximum retention period (10 years), you must export them to an external storage (e.g., Azure Blob Storage, on-premises SIEM). Use the Export feature in the Audit log search to download CSV files. You can also use the Office 365 Management Activity API to stream logs to a custom repository. This is a common practice for organizations that require retention longer than 10 years or need to meet specific regulatory requirements. Exported logs are not subject to Microsoft's retention policies.
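The walk-through says retention is evaluated from each record's CreationTime, that a new policy does not change the retention of records created before it, and that such records must be exported before they expire. The following added example (not part of the original chapter, and not Microsoft code) models that rule over constructed records and lists which ones to export first. The `Policy` class, the function names, the `AzureActiveDirectory` workload string and the sample data are assumptions; the default durations are the values this page states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults as stated on this page (assumptions; check your tenant's licensing).
DEFAULT_DAYS = {"E3": 90, "E5": 365}
AZURE_AD_DEFAULT_DAYS = 30
AZURE_AD = "AzureActiveDirectory"  # assumed Workload value for Azure AD records


@dataclass(frozen=True)
class Policy:              # hypothetical model of one audit retention policy
    workload: str
    days: int              # 0 = keep indefinitely, per the page
    effective: datetime    # UTC time the policy took effect


def policy_for(created, workload, policies):
    """Newest policy for the workload that was already in effect at creation time."""
    live = [p for p in policies if p.workload == workload and p.effective <= created]
    return max(live, key=lambda p: p.effective, default=None)


def expiry(record, policies, sku="E3"):
    """UTC time the record is due to be purged, or None if kept indefinitely."""
    created = datetime.fromisoformat(record["CreationTime"])
    pol = policy_for(created, record["Workload"], policies)
    if pol is not None:
        days = pol.days
    elif record["Workload"] == AZURE_AD:
        days = AZURE_AD_DEFAULT_DAYS
    else:
        days = DEFAULT_DAYS[sku]
    return None if days == 0 else created + timedelta(days=days)


def export_queue(records, policies, now, lead_days=14, sku="E3"):
    """Ids of records still present that expire within lead_days, soonest first."""
    horizon = now + timedelta(days=lead_days)
    due = []
    for rec in records:
        exp = expiry(rec, policies, sku)
        if exp is not None and now < exp <= horizon:
            due.append((exp, rec["Id"]))
    return [rec_id for _, rec_id in sorted(due)]


# Constructed sample data (not real tenant output); times are UTC.
NOW = datetime(2024, 6, 1)
SAMPLE_POLICIES = [
    Policy("SharePoint", 2555, datetime(2024, 4, 1)),   # 7-year policy
    Policy("Exchange", 0, datetime(2024, 1, 1)),        # indefinite
]
SAMPLE_RECORDS = [
    # Created before the SharePoint policy: keeps the 90-day E3 default.
    {"Id": "r1", "Workload": "SharePoint", "CreationTime": "2024-03-10T09:15:00"},
    # Created after the policy: retained for 2555 days.
    {"Id": "r2", "Workload": "SharePoint", "CreationTime": "2024-04-05T10:00:00"},
    # No Azure AD policy selected: 30-day default applies.
    {"Id": "r3", "Workload": AZURE_AD, "CreationTime": "2024-05-10T14:00:00"},
    {"Id": "r4", "Workload": "Exchange", "CreationTime": "2024-02-01T08:00:00"},
    # Already past its 30 days, so it is gone and cannot be queued.
    {"Id": "r5", "Workload": AZURE_AD, "CreationTime": "2024-04-20T08:00:00"},
]

if __name__ == "__main__":
    for rec_id in export_queue(SAMPLE_RECORDS, SAMPLE_POLICIES, NOW):
        print("export before purge:", rec_id)
```
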

What This Looks Like on the Job

Scenario 1: Financial Services Firm Needing 7-Year Retention

A financial services firm is subject to SEC regulations requiring retention of all communications and activity logs for at least 7 years. They have Microsoft 365 E5 licenses, which allow up to 10 years of audit log retention. The compliance team configures a custom retention policy set to 2555 days (7 years) for all workloads. They also enable auditing for all users. The policy ensures logs are automatically deleted after 7 years, reducing storage costs. However, they must monitor storage quota—with 5000 users, the 100 GB quota may fill in less than 7 years. They mitigate this by exporting logs annually to Azure Blob Storage using the Management Activity API. The exported logs serve as a backup in case of accidental deletion. Common mistake: setting retention to 10 years without considering storage quota, leading to logging interruptions.

Scenario 2: Healthcare Organization with HIPAA Compliance

A hospital uses Microsoft 365 E3 licenses and needs to retain audit logs for 6 years per HIPAA. E3 default retention is 90 days, so they purchase the Microsoft 365 E5 Compliance add-on to enable up to 10 years retention. They configure a custom retention policy for 2190 days (6 years). They also enable auditing for all healthcare workers. The compliance team runs monthly reports to verify that audit logs are being generated and retained. They also set up alerts for when storage usage exceeds 80% of the quota (50 GB for E3). When the quota is nearly full, they export old logs to an on-premises archive. A pitfall: they initially set retention on Exchange and SharePoint but forgot Azure AD, which has separate audit logs. They later discovered that Azure AD logs were only retained for 30 days, causing a gap in user activity records. They corrected this by selecting Azure Active Directory in the retention policy.

Scenario 3: Multinational Corporation with Varying Regional Requirements

A global company has subsidiaries in the EU (GDPR requires 3 years) and the US (SOX requires 5 years). They use Microsoft 365 E5 licenses. They create two custom retention policies: one for EU users with 1095 days (3 years) and one for US users with 1825 days (5 years). However, audit log retention policies cannot be scoped by user geography—they apply to workloads globally. To achieve regional compliance, they use separate tenants for each region (not ideal). Alternatively, they export logs for EU users to a separate storage and delete them after 3 years using a custom script. This is complex and error-prone. The exam does not test multi-geo scenarios in depth, but it highlights that retention policies are tenant-wide for each workload. For SC-900, remember that you cannot set different retention for different users in the same tenant—only different workloads.
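The monthly verification in Scenario 2, and the coverage gaps described under Monitor Storage Quota, can be checked from exported audit records. The following added example (not part of the original chapter) reports, per workload, every stretch of a review window with no records, and labels it by position: a leading gap is consistent with older records already purged by a shorter retention, an internal or trailing gap with logging having stopped. Function names, the silence threshold, the workload strings and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta


def classify(a, b, start, end):
    """Label a silent span by where it sits inside the review window."""
    if a == start and b == end:
        return "no-records"   # workload never appears, e.g. not selected at all
    if a == start:
        return "leading"      # consistent with older records already purged
    if b == end:
        return "trailing"     # consistent with logging stopped and not resumed
    return "internal"         # consistent with a temporary stop in logging


def coverage_gaps(records, start, end, max_silence, workloads):
    """Map workload -> [(kind, gap_start, gap_end)] for silences above max_silence."""
    seen = defaultdict(list)
    for rec in records:
        t = datetime.fromisoformat(rec["CreationTime"])
        if start <= t <= end:
            seen[rec["Workload"]].append(t)
    gaps = {}
    for wl in workloads:  # explicit list, so a workload with zero records is reported
        points = [start] + sorted(seen.get(wl, [])) + [end]
        spans = [(classify(a, b, start, end), a, b)
                 for a, b in zip(points, points[1:]) if b - a > max_silence]
        if spans:
            gaps[wl] = spans
    return gaps


def constructed_daily(workload, first_day, last_day, skip_days=frozenset()):
    """Build one constructed record per day at 12:00 UTC, omitting skip_days."""
    out, day = [], first_day
    while day <= last_day:
        if day not in skip_days:
            out.append({"Workload": workload,
                        "CreationTime": f"{day.isoformat()}T12:00:00"})
        day += timedelta(days=1)
    return out


# Constructed sample: a 92-day review window.
START, END = datetime(2024, 3, 1), datetime(2024, 6, 1)
OUTAGE = frozenset(date(2024, 5, 10) + timedelta(days=n) for n in range(10))
SAMPLE = (
    # Exchange logged daily except 10-19 May (simulated logging stop).
    constructed_daily("Exchange", date(2024, 3, 1), date(2024, 5, 31), OUTAGE)
    # Azure AD only has the most recent 30 days of records.
    + constructed_daily("AzureActiveDirectory", date(2024, 5, 2), date(2024, 5, 31))
)
EXPECTED_WORKLOADS = ["Exchange", "SharePoint", "AzureActiveDirectory"]

if __name__ == "__main__":
    found = coverage_gaps(SAMPLE, START, END, timedelta(days=3), EXPECTED_WORKLOADS)
    for wl, spans in found.items():
        for kind, a, b in spans:
            print(f"{wl}: {kind} gap {a} -> {b}")
```
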

How SC-900 Actually Tests This

What SC-900 Tests on Audit Log Retention Policies

The SC-900 exam objective 4.4 covers "Describe the compliance capabilities in Microsoft 365." Within that, audit log retention is a specific sub-topic. You need to know:

The default retention periods for different licenses (E3: 90 days, E5: 365 days, Azure AD: 30 days).

The maximum retention period with E5 or add-on (10 years).

How to configure retention via the compliance portal.

That auditing must be enabled first.

The relationship between retention and storage quota.

That retention policies do not apply retroactively.

Common Wrong Answers and Traps

1. "Default retention is 180 days for all licenses." – This was true before 2023, but Microsoft changed it to 90 days for E3. The exam may still test the old value; check the latest exam guide. Always look for the most current information.
2. "You can retain audit logs indefinitely without any license." – False. Indefinite retention requires setting the duration to 0, but this is only available with E5 or add-on. Without proper license, the maximum is 365 days.
3. "Retention policies apply to all existing logs." – False. They only affect logs created after the policy is saved. Existing logs keep their original retention.
4. "Audit log retention is the same as retention labels." – False. Retention labels are for content (documents, emails), not for audit logs. They are separate features.
5. "Enabling auditing automatically sets 10-year retention." – False. Enabling auditing only starts logging; you must configure retention separately.

Specific Numbers to Memorize

E3/Business Standard default audit retention: 90 days (or 180 days if older exam version).

E5/G5 default: 365 days.

Maximum retention with E5: 10 years (3650 days).

Azure AD audit log default: 30 days.

Storage quota: 50 GB for E3, 100 GB for E5.

Edge Cases and Exceptions

If you have an E3 license and purchase the Microsoft 365 E5 Compliance add-on, you can retain logs up to 10 years.

The unified audit log includes Exchange, SharePoint, Azure AD, etc., but Azure AD audit logs have a separate default of 30 days even within the unified log if not overridden.

Audit log retention policies cannot be applied to specific users; they apply to all users in the selected workload.

If you set retention to 0, logs are kept indefinitely, but this is not recommended as it will eventually fill the storage quota and stop logging.

How to Eliminate Wrong Answers

When you see a question about audit log retention, first identify the license (E3 vs E5). If the question mentions "default," the answer is 90 days for E3. If it mentions "maximum," the answer is 10 years only if E5 or add-on is mentioned. If the question says "extend retention," the answer likely involves the E5 Compliance add-on. If the question involves Azure AD, the default is 30 days. Eliminate any answer that suggests retention applies retroactively or that retention labels are the same as audit log retention. Also eliminate answers that say auditing must be enabled after setting retention (order: enable auditing first).

Key Takeaways

Default audit log retention for Microsoft 365 E3 is 90 days; for E5 it is 365 days.

Maximum audit log retention is 10 years (3650 days) with E5 or E5 Compliance add-on.

Audit log retention policies apply only to logs created after the policy is configured — not retroactively.

Azure AD audit logs have a separate default retention of 30 days.

Unified audit log storage quota is 50 GB for E3 and 100 GB for E5; if full, new logs are not generated.

Auditing must be enabled before retention policies take effect.

Retention policies are workload-scoped (Exchange, SharePoint, Azure AD, etc.), not user-scoped.

To retain logs beyond 10 years, export them to external storage using the Management Activity API.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft 365 E3

Default audit log retention: 90 days

Maximum retention: 365 days (with add-on)

Storage quota: 50 GB

Cannot set retention beyond 365 days without add-on

Cost: lower per-user license fee

Microsoft 365 E5

Default audit log retention: 365 days

Maximum retention: 10 years (3650 days) included

Storage quota: 100 GB

Can configure custom retention up to 10 years out-of-the-box

Cost: higher per-user license fee but includes advanced compliance features

Watch Out for These

Mistake: Audit log retention is the same as mailbox retention.

Correct: Audit logs record activities (who did what, when), while mailbox retention preserves email content. They are separate features with different policies and defaults. Mailbox retention uses retention tags, while audit retention uses audit log retention policies.

Mistake: Setting a retention policy automatically retains existing logs for the new duration.

Correct: Retention policies only apply to logs generated after the policy is saved. Existing logs retain their original retention based on the policy in effect at the time of creation. To retain existing logs, you must export them before they expire.

Mistake: Any Microsoft 365 license allows up to 10 years of audit log retention.

Correct: Only Microsoft 365 E5, G5, or the Microsoft 365 E5 Compliance add-on support up to 10 years. E3 and Business Standard are limited to 90 days default (or 365 days with add-on).

Mistake: Audit log retention policies can be applied to individual users.

Correct: Retention policies are workload-scoped, not user-scoped. You can select workloads (Exchange, SharePoint, etc.), but the policy applies to all users in that workload. You cannot set different retention for specific users within the same workload.

Mistake: If the audit log storage quota is full, the oldest logs are automatically deleted.

Correct: The system does NOT delete logs to free space. Instead, it stops generating new audit records until space is freed by automatic deletion (based on retention) or manual intervention. This can cause gaps in audit coverage.


Frequently Asked Questions

What is the default audit log retention period for Microsoft 365 E3?

The default audit log retention period for Microsoft 365 E3 (and Business Standard) is 90 days. This was changed from 180 days in 2023. For E5, the default is 365 days. Always check the latest Microsoft documentation for the most current values, as they can change.

How can I extend audit log retention beyond 90 days in E3?

To extend retention beyond 90 days in E3, you need to purchase the Microsoft 365 E5 Compliance add-on or upgrade to E5. With the add-on, you can set retention up to 365 days (or 10 years if the add-on includes advanced auditing). Without the add-on, E3 is limited to the default 90 days.

What happens when the audit log storage quota is full?

When the unified audit log storage quota is full (50 GB for E3, 100 GB for E5), new audit records are not generated. The system does not delete old logs to free space; it stops logging until space is freed by automatic retention-based deletion or manual action. This can lead to gaps in audit coverage.

Can I set different audit log retention for different users?

No, audit log retention policies are workload-scoped, not user-scoped. You can select specific workloads (e.g., Exchange, SharePoint) to apply different retention, but the policy applies to all users within that workload. To achieve user-specific retention, you would need to export logs and manage them externally.

Does enabling auditing automatically set a long retention period?

No, enabling auditing only starts the recording of audited activities. It does not change the default retention period. You must separately configure retention policies to extend retention. The default retention after enabling auditing is 90 days for E3 and 365 days for E5.

What is the difference between audit log retention and retention labels?

Audit log retention controls how long activity records (who did what) are kept. Retention labels are used to preserve or delete content (emails, documents) based on classification. They are separate features with different configurations and purposes. Audit log retention does not affect content retention.

How do I verify the current audit log retention duration?

You can verify the current retention duration in the Microsoft Purview compliance portal under Audit > Retention policies. Alternatively, use PowerShell: `Get-AdminAuditLogConfig | fl UnifiedAuditLogRetentionDuration`. This returns the retention in days (e.g., 365).
