“long-term audit log availability is now coming to public preview for Microsoft 365 and Office 365 E5 subscribers. This is an important update for organizations that need long-term access to audit logs for regulatory or security purposes. The audit log availability has now increased from 90 days to one year.”
This means that Office 365 audit log data is kept for different periods for different users. If an account has an Office 365 E3 license, Office 365 keeps audit data for 90 days; if an account has an Office 365 E5 license, audit data retention is extended to 365 days (Cloud App Security keeps audit data for 180 days for all Office 365 E3/E5 licensed users). Accounts with Office 365 E3 or Exchange Online Plan 1 licenses can also have audit records kept for 365 days if they buy the advanced compliance add-on license.
The increase in audit log retention is being rolled out gradually. Targeted release tenants will see extended retention “soon” while those who wait for features to be generally available will have to wait for the preview period to finish. In either case, Office 365 does not reach back into the past to reveal older audit records. Accounts licensed for extended retention will begin to accumulate audit records when the feature is enabled and gradually build from that point until the last 365 days is available for those accounts.
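The per-license retention and the lack of back-fill described above decide which accounts still have audit records for a given investigation window. The following is an added example, not code from this post or from Microsoft; the license labels, function names and dates are constructed, and the back-fill floor (enablement date minus the 90-day base window) is an assumption drawn from the description above.

```python
from datetime import date, timedelta

# Retention in days as stated in the post; the keys are labels made up for this example.
RETENTION_DAYS = {"E3": 90, "E5": 365, "E3+AdvancedCompliance": 365}
BASE_DAYS = 90  # window every account had before extended retention


def oldest_available(license_name, today, extended_enabled_on=None):
    """Earliest date for which audit records should still exist for one account."""
    days = RETENTION_DAYS[license_name]
    floor = today - timedelta(days=days)
    if days > BASE_DAYS:
        if extended_enabled_on is None or extended_enabled_on > today:
            # Extended retention not active yet: only the base window applies.
            return today - timedelta(days=BASE_DAYS)
        # No back-fill (assumption): records older than the base window
        # at enablement time were already gone and never come back.
        floor = max(floor, extended_enabled_on - timedelta(days=BASE_DAYS))
    return floor


def coverage_gaps(accounts, window_start, window_end, today, extended_enabled_on=None):
    """Map each account to the (start, end) part of the window with no audit records."""
    gaps = {}
    for user, license_name in accounts.items():
        oldest = oldest_available(license_name, today, extended_enabled_on)
        if oldest > window_start:
            gap_end = min(window_end, oldest - timedelta(days=1))
            gaps[user] = (window_start, gap_end)
    return gaps


if __name__ == "__main__":
    # Constructed mixed-license tenant and investigation window.
    tenant = {"alice": "E5", "bob": "E3", "carol": "E3+AdvancedCompliance"}
    found = coverage_gaps(
        tenant,
        window_start=date(2018, 8, 1),
        window_end=date(2019, 5, 15),
        today=date(2019, 6, 1),
        extended_enabled_on=date(2018, 12, 1),
    )
    for user, (start, end) in sorted(found.items()):
        print(f"{user}: no audit records expected from {start} to {end}")
```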
Why the Change?
Why is Microsoft making this change, and why only for the most expensive Office 365 plan? It could be that Microsoft has realized that retaining audit data for 90 days is simply not long enough for the kind of large and complex organizations who purchase E5 licenses. It could be that storage costs have come down to a point where it is economically possible for Microsoft to dedicate more storage to keep audit records for longer and that the 365-day period will soon be extended to all Office 365 users. Or it might just be yet another prompt to organizations that they should buy E5 licenses to gain extra security (among other functionality).
Years Better Than Days
But the fact is that you don’t need to upgrade all your users to have E5 licenses to get extended audit log storage. Third-party products like Quadrotech Radar for Security and Audit already offer longer retention periods for Office 365 audit data extracted from the same sources as the events ingested into the Office 365 audit log. Radar’s basic storage is for three years with the option to hold data for longer.
You might think that you would never need to hold audit data for longer than a year. And you could be right (and lucky), but in a world where litigation is rife and law cases go back over the events from several years ago, having audit data available to prove an event happened is a very good thing.
But Problems Exist
At least, having audit data available is good if the audit data is good. And since July 5, 2018, Microsoft has struggled with the truncation of the audit records ingested into the Office 365 event log for Azure Active Directory events like group and user creation, adding a user to a group, and removing users and groups. Truncation means that data is missing, a cardinal sin for any IT infrastructure.
A truncated event in the Office 365 audit log
I first reported this problem to Microsoft on September 12 after running into truncated audit records during a demo at the UK Evolve conference. A month and a half later, it’s a blessed mystery to me that Microsoft has not deployed a fix. Again, having data is goodness as long as the data are intact and valid. The Office 365 audit log has had a huge hole in it since early July that Microsoft needs to fix fast.
Chapter 21 in the Office 365 for IT Pros eBook is where you’ll find all the information you’ll ever need about the Office 365 audit log. We even tell you how to parse out the payload that holds the interesting audit data, except for those truncated records of course…
Tony, since the duration of retention depends on the license of the individual generating the audit log records – not some organisational-level compliance SKU – organizations with mixed license types will therefore experience differential retention timeframes per user. Is that how you understand this?
Yes, that is how I understand it. Retention of audit data depends on individual licensing. The assumption is made that organizations will assign appropriate licenses to users.
Have you been able to compare the Azure AD events ingested into the O365 audit log with the events that can now be fed to Azure Log Analytics?
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-Activity-logs-in-Azure-Log-Analytics-now/ba-p/274843
Thanks, Martin
Hi everyone, what about guest users? What would be the retention of their log activities for SharePoint Online, for example?
Guest activities are logged in the same way as tenant user activities. And they’re retained for 90 days (E3) or 120 days (E5).
Is this feature of 365 days released for all Office 365 plans or is it only for E5?
Just for E5.