Microsoft has recently announced that Microsoft Purview Audit Standard, a feature that allows organizations to search for audit records of user and admin activities across Microsoft 365 services, will be available for all Microsoft 365 customers at no additional cost. This is a significant improvement in security and compliance, as it enables organizations to monitor and investigate potential breaches, data leaks, unauthorized access, and other incidents.
Microsoft Purview Audit Standard Provides the Following Benefits:
- It is enabled by default, so there is no need to turn it on or configure it.
- It supports thousands of searchable audit events, covering various workloads such as Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power Platform, Power BI, and more.
- It retains audit records for 90 days, which is sufficient for most forensic and compliance investigations.
- It can be accessed through the graphical user interface (GUI), a PowerShell cmdlet, or the Office 365 Management Activity API.
Microsoft Purview Audit Premium: An Advanced Option for Forensic and Compliance Investigations
While Microsoft Purview Audit Standard is a great feature for all Microsoft 365 customers, some organizations may have more complex or specific needs for auditing and investigation. For those organizations, Microsoft offers Microsoft Purview Audit Premium, an advanced option that provides additional capabilities and flexibility.
Microsoft Purview Audit Premium Provides the Following Features:
- It allows organizations to create customized audit log retention policies based on the service, activity, or user. For example, an organization can retain audit records of SharePoint Online activities for one year, while retaining audit records of Teams activities for six months.
- It extends the default retention period of audit records from 90 days to one year, with the option to retain them for up to 10 years. This is useful for meeting regulatory requirements or conducting long-term investigations.
- It includes high-value and crucial events that are not available in Microsoft Purview Audit Standard. These events include mailbox access by non-owners, password reset attempts, malware detection, and more.
- It provides higher bandwidth to the Office 365 Management Activity API, which enables faster and more efficient access to audit data.
How to Take Advantage of Microsoft Purview Audit Standard
Customers can start using Microsoft Purview Audit Standard right away. Searching the audit log in the GUI requires one of the following roles: global administrator, compliance administrator, security administrator, security reader, or audit log reader. Searching the audit log with PowerShell or the API requires the global administrator or audit log reader role.
To Search the Audit Log Using the GUI:
- Go to https://protection.office.com/auditlogsearch
- Specify the date range, activities, users, and file or folder names that you want to search for
- Click Search
- Review the results and export them if needed
To Search the Audit Log Using PowerShell:
- Install the Exchange Online PowerShell module
- Connect to Exchange Online PowerShell
- Use the Search-UnifiedAuditLog cmdlet with the appropriate parameters
- Review the results and export them if needed
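The PowerShell steps above, as an added example that is not part of the original article: it pages through a seven-day search with Search-UnifiedAuditLog, expands the JSON in each record's AuditData field, and exports the result to CSV. The account name, the two operations used as a filter, the session name, and the output path are placeholders chosen for illustration.

```powershell
# Added example. Placeholders: the sign-in account, the operations filter,
# the session name and the CSV path. Run with an account that holds a role
# permitted to search the audit log.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'auditor@contoso.example'

$start     = (Get-Date).AddDays(-7)     # well inside the 90-day retention window
$end       = Get-Date
$sessionId = "audit-export-$(Get-Date -Format 'yyyyMMddHHmmss')"
$ops       = 'FileDownloaded', 'FileDeleted'   # sample SharePoint/OneDrive operations
$records   = [System.Collections.Generic.List[object]]::new()

# A single call returns at most 5,000 records. Reusing the same SessionId with
# ReturnLargeSet fetches the next page on each call until nothing is returned.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($record in @($page)) {
        if ($null -ne $record) { $records.Add($record) }
    }
} while ($page)

# One session is capped at 50,000 records. Hitting the cap means the result
# is truncated, so split the date range into smaller windows and rerun.
if ($records.Count -ge 50000) {
    Write-Warning 'Session limit reached; narrow the date range and search again.'
}

# AuditData is a JSON string; the fields selected here belong to the common
# audit schema. ReturnLargeSet output is unsorted, so sort before exporting.
$rows = foreach ($record in $records) {
    $data = $record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $data.CreationTime
        UserId       = $data.UserId
        Operation    = $data.Operation
        Workload     = $data.Workload
        ObjectId     = $data.ObjectId
        ClientIP     = $data.ClientIP
    }
}
$rows | Sort-Object CreationTime |
    Export-Csv -Path .\audit-export.csv -NoTypeInformation -Encoding UTF8

Disconnect-ExchangeOnline -Confirm:$false
```

An empty CSV for a window in which activity is known to have occurred is worth checking against the role assignment and the operations filter before concluding that nothing was logged.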
To Search the Audit Log Using API:
- Register an application in Azure Active Directory
- Obtain an access token from Azure AD
- Use the Office 365 Management Activity API with the appropriate parameters
- Review the results and export them if needed
For more details on how to search the audit log using different methods, or to better understand the benefits of Purview Audit, contact us at Virtuas.
Conclusion
Microsoft Purview Audit Standard is a new security feature that allows all Microsoft 365 customers to search for audit records of user and admin activities across Microsoft 365 services. It is enabled by default and supports thousands of searchable audit events. It can help organizations monitor and investigate potential breaches, data leaks, unauthorized access, and other incidents. Microsoft Purview Audit Premium is an advanced option that provides additional capabilities and flexibility for forensic and compliance investigations. It allows organizations to create customized audit log retention policies, extend the retention period of audit records up to 10 years, include high-value and crucial events, and access audit data faster and more efficiently. Both options can be accessed through the GUI, a PowerShell cmdlet, or the Office 365 Management Activity API.