A Full Year of Audit Data, But Only for Some Users
A note in the September 25 post about Microsoft 365 compliance says:
“long-term audit log availability is now coming to public preview for Microsoft 365 and Office 365 E5 subscribers. This is an important update for organizations that need long-term access to audit logs for regulatory or security purposes. The audit log availability has now increased from 90 days to one year.”
This means that Office 365 audit log data is kept for different periods for different users. If an account has an Office 365 E3 license, Office 365 keeps audit data for 90 days; if an account has an Office 365 E5 license, audit data retention is extended to 365 days (Cloud App Security Keeps audit data for 180 days for all Office 365 E3/E5 licensed users). Accounts with Office 365 E3 or Exchange Online Plan 1 licenses can also have audit records kept for 365 days if they buy the advanced compliance add-on license.
The increase in audit log retention is being rolled out gradually. Targeted release tenants will see extended retention “soon” while those who wait for features to be generally available will have to wait for the preview period to finish. In either case, Office 365 does not reach back into the past to reveal older audit records. Accounts licensed for extended retention will begin to accumulate audit records when the feature is enabled and gradually build from that point until the last 365 days is available for those accounts.
Why the Change?
Why is Microsoft making this change, and why only for the most expensive Office 365 plan? It could be that Microsoft has realized that retaining audit data for 90 days is simply not long enough for the kind of large and complex organizations who purchase E5 licenses. It could be that storage costs have come down to a point where it is economically possible for Microsoft to dedicate more storage to keep audit records for longer and that the 365-day period will soon be extended to all Office 365 users. Or it might just be yet another prompt to organizations that they should buy E5 licenses to gain extra security (among other functionality).
Years Better Than Days
But the fact is that you don’t need to upgrade all your users to have E5 licenses to get extended audit log storage. Third-party products like Quadrotech Radar for Security and Audit already offer longer retention periods for Office 365 audit data extracted from the same sources as the events ingested into the Office 365 audit log. Radar’s basic storage is for three years with the option to hold data for longer.
You might think that you would never need to hold audit data for longer than a year. And you could be right (and lucky), but in a world where litigation is rife and law cases go back over the events from several years ago, having audit data available to prove an event happened is a very good thing.
But Problems Exist
At least, having audit data available is good if the audit data is good. And since July 5, 2018, Microsoft has struggled with the truncation of the audit records ingested into the Office 365 event log for Azure Active Directory events like group and user creation, adding a user to a group, and removing users and groups. Truncation means that data is missing, a cardinal sin for any IT infrastructure.
I first reported this problem to Microsoft on September 12 after running into truncated audit records during a demo at the UK Evolve conference. A month and a half later, it’s a blessed mystery to me that Microsoft has not deployed a fix. Again, having data is goodness as long as the data are intact and valid. The Office 365 audit log has had a huge hole in it since early July that Microsoft needs to fix fast.
Chapter 21 in the Office 365 for IT Pros eBook is where you’ll find all the information you’ll ever need about the Office 365 audit log. We even tell you how to parse out the payload that holds the interesting audit data, except for those truncated records of course…