Audit log considerations for the Australian Government

This article provides guidance for Australian Government organizations on the Microsoft 365 audit log. It's intended to help government organizations increase their security and compliance maturity while adhering to the requirements outlined in the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).

The Microsoft 365 audit log is a unified logging service that captures events from multiple services and applications across the Microsoft 365 platform. It provides a single location for viewing audit data for Microsoft 365 services such as Exchange Online, SharePoint, OneDrive, Microsoft Teams, Power BI, and more.

The audit log can be used to track user and administrator activity in your organization, including activities relating to sensitivity labeling. For information regarding the Microsoft Purview and Data Loss Prevention (DLP) events that are captured in the audit log, see Microsoft Purview audit log activities via Microsoft 365 Management.

The audit log is important for Microsoft Purview deployments as:

  • The audit log retains decisions around who applied labels to items.
  • The audit log retains information around label changes, including label change justifications.
  • The audit log provides information regarding incoming and outgoing items.
  • The audit log provides visibility into events for longer time periods than other reporting locations where Microsoft 365 activities are visible (for example, events are visible in activity explorer for 30 days).

Audit log retention requirements

The need for extended retention is covered under the following ISM requirement:

Requirement: ISM-1988 (March 2025)
Detail: Event logs are retained in a searchable manner for at least 12 months.

The default length of time that audit log data is retained is tied to the Microsoft 365 licensing level. Organizations with E3 licenses have 90 days of audit log retention. Organizations with E5 licensing have one year of retention for Microsoft Entra, Exchange Online, OneDrive, and SharePoint events, so organizations with E5 licensing are able to meet ISM-1988 for those workloads without further configuration. Retention only applies to events that are actually captured, so confirm that unified audit log ingestion is enabled for the tenant before relying on it.

ISM-1989 is also relevant to Microsoft 365 audit logging:

Requirement: ISM-1989 (March 2025)
Detail: Event logs are retained as per minimum retention requirements for various classes of records as set out by the National Archives of Australia's Administrative Functions Disposal Authority Express (AFDA Express) Version 2 publication.

AFDA Express requirements can be accessed at AFDA Express Version 2 – Technology & Information Management.

AFDA Express states that:

The Information Security Manual notes that as event logs are integral to event monitoring activities they should be retained for the life of systems, or potentially longer, where it's practical for an agency to do so and appropriate to the agency’s risk management framework for information systems.

AFDA Express class number 62625 might also be relevant to Microsoft 365 log retention:

Requirement: AFDA Express class 62625
Detail: Records documenting routine operational administrative tasks supporting the (business) function and technology and information management activities
Disposal action: Destroy 7 years after action completed

Organizations should carefully consider their log retention requirements and decide whether a mechanism to further retain Microsoft 365 audit logging is required.

Audit log retention policies can be used to extend retention of audit information for a chosen set of record types, activities, or users. This can include administrative functions. Retention policies can be configured to retain audit information for up to 10 years, and a policy only affects events recorded after it takes effect.

Long-term retention of audit information requires Audit (Premium) licenses. For more information on audit log retention, see auditing solutions in Microsoft Purview.
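The following Exchange Online PowerShell script is an added example and is not part of the original article or of Microsoft's own documentation. It shows the three steps a practitioner would actually run: confirm that unified audit log ingestion is on, create a ten-year retention policy for administrative record types, and page sensitivity label events out of the audit log with their justification text. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the required audit roles, and that the tenant has Audit (Premium) licensing for the TenYears duration. The record types chosen for the policy, the label operation names, and the AuditData property names are assumptions for illustration and should be checked against the Purview audit activity reference for your tenant.

```powershell
# Added example (not from the original article): extended audit retention
# and sensitivity label event export using Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; account holds the
# audit roles; Audit (Premium) licensing for TenYears retention.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # placeholder, e.g. audit.admin@agency.gov.au
    [string] $PolicyName = "ISM-1988 admin activity 10y",
    [string] $ExportPath = ".\label-events.csv"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Retention is meaningless if nothing is captured: check ingestion first.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Keep administrative activity for ten years. The record types here
#    (Exchange admin and Entra events) are an illustrative assumption;
#    map them to the AFDA Express classes that apply to your agency.
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $PolicyName `
        -Description "Retain admin audit records for 10 years (ISM-1988 / AFDA Express)" `
        -RecordTypes ExchangeAdmin, AzureActiveDirectory `
        -RetentionDuration TenYears `
        -Priority 10
}
Get-UnifiedAuditLogRetentionPolicy -Identity $PolicyName |
    Format-List Name, RecordTypes, RetentionDuration, Priority

# 3. Pull sensitivity label events for the last 90 days, paging with a
#    session ID. The operation names are the label activities as listed in
#    the Purview audit activity reference (assumed; adjust as required).
$ops       = 'SensitivityLabelApplied', 'SensitivityLabelUpdated', 'SensitivityLabelRemoved'
$start     = (Get-Date).AddDays(-90)
$end       = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$events    = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000)
    $events += $page
} while ($page.Count -eq 5000)

# 4. Flatten the AuditData JSON. Property names follow the sensitivity label
#    audit schema (SensitivityLabelEventData with SensitivityLabelId,
#    OldSensitivityLabelId, JustificationText); treat them as an assumption
#    and inspect the raw AuditData for any event where they come back empty.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When          = $e.CreationDate
        User          = $e.UserIds
        Operation     = $e.Operations
        Item          = $d.ObjectId
        NewLabel      = $d.SensitivityLabelEventData.SensitivityLabelId
        OldLabel      = $d.SensitivityLabelEventData.OldSensitivityLabelId
        Justification = $d.SensitivityLabelEventData.JustificationText
    }
}
$rows | Sort-Object When | Export-Csv -NoTypeInformation -Path $ExportPath
"$($rows.Count) label events written to $ExportPath"

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script with the account that manages auditing, for example `.\Audit-Retention.ps1 -AdminUpn audit.admin@agency.gov.au`. Note that a retention policy only governs events logged after it is created, so it does not recover events that have already aged out of the default window; if the agency's disposal class is shorter than ten years, pick the matching RetentionDuration rather than the maximum.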

SIEM Integration

Security Information and Event Management systems (SIEMs) are designed to help organizations detect, analyze, and respond to security threats before they harm business operations. SIEMs ingest log information and provide analysis of events. SIEMs are used to increase the velocity of threat detection, support security incident and event management, and support compliance.

Microsoft Sentinel is a scalable, cloud-native SIEM that delivers an intelligent and comprehensive solution for SIEM and security orchestration, automation, and response (SOAR). Microsoft Purview events ingested into Microsoft Sentinel (or an equivalent SIEM) can be correlated with other telemetry, analyzed, and used to produce advanced reports. Forwarding audit data to a SIEM also keeps a copy outside the Microsoft 365 retention window, which is one way to meet retention periods longer than the tenant's audit log retention provides.

For more information on how Microsoft Sentinel can be configured to ingest Microsoft 365 audit log data, see How to use Office 365 Audit Data with Microsoft Sentinel.