Turn auditing on or off
Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. For instructions, see the Verify the auditing status for your organization section in this article.
When auditing is turned on in the Microsoft Purview portal or the Microsoft Purview compliance portal, user and admin activity from your organization is recorded in the audit log and automatically retained for 180 days. The retention (lifetime) for audit data starts when it's added to the auditing log and is retained based on audit log retention policies and the license assigned to users.
Important
The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.
Changes to the user licensing or retention policies also change the expiration date of audit data.
Your organization may have reasons for not wanting to record and retain audit log data. In these cases, a global admin can turn off auditing in Microsoft 365 for your organization. For instructions, see the Turn off auditing section in this article.
Important
If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Microsoft Sentinel to access auditing data or logs for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Microsoft Purview portal or compliance portal, or when you run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
You must be assigned the Audit Logs role in Exchange Online to turn auditing on or off. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.
- For step-by-step instructions on searching the audit log, see Search the audit log.
- For more information about the Microsoft 365 Management Activity API, see Get started with Microsoft 365 Management APIs.
To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
A value of True
for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False
indicates that auditing isn't turned on.
Important
Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False
, even when auditing is turned on.
If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview portal or compliance portal, or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.
Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
Complete the following steps to turn on auditing:
- Sign into the Microsoft Purview portal.
- Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
- If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
- Select the Start recording user and admin activity banner.
It may take up to 60 minutes for the change to take effect.
Run the following PowerShell command to turn on auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
A message is displayed saying that it may take up to 60 minutes for the change to take effect.
You have to use Exchange Online PowerShell to turn off auditing.
Run the following PowerShell command to turn off auditing.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
After a while, verify that auditing is turned off (disabled). There are two ways to do this:
In Exchange Online PowerShell, run the following command:
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
The value of
False
for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.Go to the Audit page in the compliance portal.
If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
Changes to the auditing status in your organization are themselves audited. This means that audit records are logged when auditing is turned on or turned off. You can search the Exchange admin audit log for these audit records.
To search the Exchange admin audit log for audit records that are generated when turning auditing on or off, run the following command in Exchange Online PowerShell:
Search-UnifiedAuditLog -Operations Set-AdminAuditLogConfig
Audit records for these events contain information about when the auditing status was changed, the admin who changed it, and the IP address of the computer that was used to make the change. The following screenshots show audit records that correspond to changing the auditing status in your organization.
The value of Confirm
in the CmdletParameters property indicates that unified audit logging was turned on in the Microsoft Purview portal or compliance portal, or by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet.
The value of Confirm
isn't included in the CmdletParameters property. This indicates that unified audit logging was turned off by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false command.
For more information about searching the Exchange admin audit log, see Search-UnifiedAuditLog.