Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. For instructions, see the Verify the auditing status for your organization section in this article.
When auditing is turned on in the Microsoft Purview portal or the Microsoft Purview compliance portal, user and admin activity from your organization is recorded in the audit log and automatically retained for 180 days. The retention (lifetime) for audit data starts when it's added to the auditing log and is retained based on audit log retention policies and the license assigned to users.
Important
The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.
Changes to the user licensing or retention policies also change the expiration date of audit data.
Your organization may have reasons for not wanting to record and retain audit log data. In these cases, a global admin can turn off auditing in Microsoft 365 for your organization. For instructions, see the Turn off auditing section in this article.
Important
If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Microsoft Sentinel to access auditing data or logs for your organization. Turning off auditing by following the steps in this article means that no results are returned when you search the audit log using the Microsoft Purview portal or compliance portal, or when you run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Before you turn auditing on or off
You must be assigned the Audit Logs role in Exchange Online to turn auditing on or off. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.
For step-by-step instructions on searching the audit log, see Search the audit log.
A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing isn't turned on.
Important
Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.
Turn on auditing
If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview portal or compliance portal, or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
Select the appropriate tab for the portal you're using. Depending on your Microsoft 365 plan, the Microsoft Purview compliance portal is retired or will be retired soon.
The value of False for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.
Go to the Audit page in the compliance portal.
If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
Audit records when auditing status is changed
Changes to the auditing status in your organization are themselves audited. This means that audit records are logged when auditing is turned on or turned off. You can search the Exchange admin audit log for these audit records.
To search the Exchange admin audit log for audit records that are generated when turning auditing on or off, run the following command in Exchange Online PowerShell:
Audit records for these events contain information about when the auditing status was changed, the admin who changed it, and the IP address of the computer that was used to make the change. The following screenshots show audit records that correspond to changing the auditing status in your organization.
Audit record for turning on auditing
The value of Confirm in the CmdletParameters property indicates that unified audit logging was turned on in the Microsoft Purview portal or compliance portal, or by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet.
Audit record for turning off auditing
The value of Confirm isn't included in the CmdletParameters property. This indicates that unified audit logging was turned off by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false command.
For more information about searching the Exchange admin audit log, see Search-UnifiedAuditLog.