Tutorial / Cram Notes

Microsoft 365 has default retention policies for various auditing logs. These policies determine how long the logs are kept before they are automatically deleted. However, organizations often have specific requirements that may necessitate longer or shorter retention periods. Administrators can configure custom retention policies through the Security & Compliance Center or by using PowerShell.

Default Retention Periods

The following table outlines the default retention periods for different types of audit logs in Microsoft 365:

Audit Log Type                   Default Retention Period
-------------------------------  ------------------------
Exchange Online                  90 days
SharePoint Online and OneDrive   90 days
Azure Active Directory           30 days
Microsoft Teams                  90 days
Dynamics 365                     90 days

Note: These retention periods are subject to change, and organizations should verify the current defaults in the Microsoft 365 compliance documentation.

Custom Audit Retention Policies

To meet specific compliance or business needs, you may need to create custom retention policies. The process of setting up these policies will typically involve the following steps:

  1. Identify the Requirements:
    • Determine the minimum retention period required for audit logs based on regulatory compliance, internal policies, or other considerations.
  2. Configure Retention Policies:
    • Navigate to the Microsoft 365 compliance center.
    • Access the “Audit” section and then go to “Audit retention policies.”
    • Create a new custom retention policy by specifying the information such as workloads (e.g., Exchange, SharePoint), users, and the duration of the retention period.
    • Use PowerShell to create or modify retention policies if needed, especially for granular configurations.
  3. Review and Apply Policies:
    • Review the settings of the custom policies to ensure they align with the identified retention requirements.
    • Apply the policies, and they will take effect for any new audit logs generated from that point on.

Examples of Custom Retention Policy Configuration

Example 1: Retaining Logs for a Specific User

Let’s say a company needs to retain audit logs for a specific high-profile user for one year due to a unique compliance requirement. The custom policy would be configured to retain logs for 365 days for actions performed by that user across all workloads.

Example 2: Extended Retention for SharePoint Files

A legal firm facing litigation may need to keep logs of all access to, and changes made to, documents stored in SharePoint for up to five years. Here, a policy would be created to retain SharePoint and OneDrive audit logs for 1825 days.

Monitoring and Reviewing Audit Logs

With the policies in place, it’s important to periodically review and monitor the audit logs retained per the new policies:

  • Use the audit log search in the compliance center to review activities.
  • Ensure that the retention policies are indeed retaining logs for the specified duration.
  • Make sure that the storage impact of longer retention periods is accounted for.
  • Consider automating alerts for specific audit events that may require immediate action.
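The following PowerShell session, an added example rather than code from the original notes, carries out Example 1 (a twelve-month policy scoped to one user) with the Security & Compliance cmdlets and then performs the spot-check suggested under Monitoring. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role permitted to manage audit retention, and that a policy scoped only by UserIds is accepted; the user principal name and policy name are constructed placeholders.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module is installed and the account holds a role that can manage audit retention.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # opens a Security & Compliance PowerShell session

# Example 1 from the text: keep one year of audit records for a single user
# across all workloads. The user principal name below is a constructed placeholder.
$targetUser = "jane.doe@contoso.example"

# RetentionDuration accepts fixed values (ThreeMonths, SixMonths, NineMonths,
# TwelveMonths, TenYears); TwelveMonths corresponds to the 365 days in Example 1.
# Priority must be unique across policies; a lower number wins when policies overlap.
New-UnifiedAuditLogRetentionPolicy `
    -Name "High-profile user - 12 month retention" `
    -Description "Retain all audit records for $targetUser for one year" `
    -UserIds $targetUser `
    -RetentionDuration TwelveMonths `
    -Priority 10

# Review step: confirm the policy exists with the intended scope and duration
Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.Name -like "High-profile user*" } |
    Format-List Name, UserIds, RecordTypes, RetentionDuration, Priority

# Monitoring step: once the policy has been in force longer than the 90-day default,
# records for this user that are older than 90 days should still be searchable.
# An empty result after that point indicates the policy is not retaining as intended.
$end   = (Get-Date).AddDays(-90)
$start = $end.AddDays(-30)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $targetUser -ResultSize 50 |
    Select-Object CreationDate, RecordType, Operations
```

Because a new policy is not retroactive, the search only becomes meaningful after the policy has been applied for longer than the default retention window.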

Conclusion

Configuring audit retention policies in Microsoft 365 gives organizations greater control over their data governance requirements and helps them meet legal, regulatory, or specific business needs. By using the Microsoft 365 compliance center and PowerShell, administrators can create policies tailored to their organization’s requirements, adjusting retention periods and scoping policies to specific workloads or users.

It is imperative for administrators to stay informed about the latest changes to Microsoft’s audit log capabilities and to adjust their audit retention policies accordingly. Regularly validating and updating these policies where needed is a key practice in maintaining a compliant and secure Microsoft 365 environment.

Practice Test with Explanation

True or False: The default retention period for audit logs in Microsoft 365 is 90 days.

  • (A) True
  • (B) False

Answer: (A) True

Explanation: By default, Microsoft 365 retains audit logs for 90 days.

Which of the following licenses is required to increase audit log retention beyond 90 days?

  • (A) Microsoft 365 E3
  • (B) Microsoft 365 E5
  • (C) Office 365 E1
  • (D) Office 365 E3

Answer: (B) Microsoft 365 E5

Explanation: Audit log retention beyond 90 days requires a Microsoft 365 E5 license.

True or False: Audit log retention policies can be applied per user or per organization in Microsoft

  • (A) True
  • (B) False

Answer: (B) False

Explanation: Audit log retention policies are applied at the organization level within Microsoft 365, not per user.

How long can you retain audit logs with an advanced audit retention policy?

  • (A) Up to 1 year
  • (B) Up to 5 years
  • (C) Up to 10 years
  • (D) Indefinitely

Answer: (C) Up to 10 years

Explanation: Advanced audit retention policies can retain logs for up to 10 years.

True or False: You need to use the Security & Compliance Center to configure audit retention policies in Microsoft

  • (A) True
  • (B) False

Answer: (A) True

Explanation: The Security & Compliance Center is where you configure audit retention policies in Microsoft

Which PowerShell cmdlet is used to configure audit log retention policies?

  • (A) Set-RetentionPolicy
  • (B) Set-AuditPolicy
  • (C) Set-AuditRetentionPolicy
  • (D) New-RetentionCompliancePolicy

Answer: (C) Set-AuditRetentionPolicy

Explanation: The Set-AuditRetentionPolicy PowerShell cmdlet is used to configure audit log retention policies.

Which event types can you specify when you create an audit retention policy? (Select multiple)

  • (A) User logins
  • (B) Mailbox access
  • (C) File deletion
  • (D) All of the above

Answer: (D) All of the above

Explanation: When creating an audit retention policy, you can specify various event types such as user logins, mailbox access, and file deletion.

True or False: Audit retention policies in Microsoft 365 are retroactive, applying to old logs as well as new ones.

  • (A) True
  • (B) False

Answer: (B) False

Explanation: Audit retention policies apply to events that occur after the policy is applied; they are not retroactive.

Can you exempt specific users from an audit retention policy in Microsoft 365?

  • (A) Yes, you can configure exemptions.
  • (B) No, all users must comply with the policy.

Answer: (A) Yes, you can configure exemptions.

Explanation: Exemptions for specific users can be configured in audit retention policies.

True or False: Audit logs are retained indefinitely by default if there is no retention policy set.

  • (A) True
  • (B) False

Answer: (B) False

Explanation: If no retention policy is set, audit logs are not retained indefinitely; they will be retained for the system default duration, which is typically 90 days.

What compliance license provides the ability to search audit logs for compliance investigations in Microsoft 365?

  • (A) Office 365 E1
  • (B) Microsoft 365 A3
  • (C) Microsoft 365 E3
  • (D) Microsoft 365 E5 Compliance

Answer: (D) Microsoft 365 E5 Compliance

Explanation: The Microsoft 365 E5 Compliance license provides the ability to search audit logs for compliance investigations.

How often should you review your organization’s audit retention policies to ensure compliance with legal and regulatory requirements?

  • (A) Monthly
  • (B) Quarterly
  • (C) Biannually
  • (D) It depends on the specific compliance requirements

Answer: (D) It depends on the specific compliance requirements

Explanation: The frequency at which you should review audit retention policies varies depending on the legal and regulatory requirements that apply to your organization.

Interview Questions

What is audit logging in Microsoft 365?

Audit logging in Microsoft 365 allows administrators to review activity logs that capture details about users, admin activities, user sign-ins, and more.

How can I turn on audit log search in Microsoft 365?

To turn on audit log search, go to the Microsoft 365 compliance center and navigate to “Audit log search” in the left-hand navigation menu. Click “Start recording user and admin activities” to begin recording audit logs.

What is the recommended best practice for implementing tenant-wide security in Office 365?

The recommended best practice for implementing tenant-wide security in Office 365 is to configure a baseline policy in the Microsoft 365 compliance center that includes security settings such as multi-factor authentication, password policies, and device management.

What is mailbox auditing in Microsoft 365?

Mailbox auditing in Microsoft 365 allows administrators to track activity in user mailboxes, such as when messages are accessed, moved, or deleted.

How can I enable mailbox auditing in Microsoft 365?

To enable mailbox auditing in Microsoft 365, you can use the Exchange admin center or PowerShell to configure mailbox audit logging settings.

What types of activities are logged in mailbox audit logs?

Mailbox audit logs capture details about various mailbox activities, including messages sent or received, messages moved to another folder, messages deleted or modified, and mailbox access by the owner or another user.

How can I view audit logs in Microsoft 365?

You can view audit logs in the Microsoft 365 compliance center by navigating to “Audit log search” in the left-hand navigation menu, or by using PowerShell cmdlets to search for audit log data.

What is the retention period for audit logs in Microsoft 365?

The retention period for audit logs in Microsoft 365 is 90 days by default, but this can be extended to 365 days using the “Audit log retention” setting in the Microsoft 365 compliance center.

Can I export audit log data from Microsoft 365?

Yes, you can export audit log data from Microsoft 365 by using the “Export to CSV” option in the audit log search results page.

What is a diagnostic setting in Azure AD?

A diagnostic setting in Azure AD is a configuration that allows administrators to collect data from various Azure AD services and export it to a destination such as Azure Log Analytics or Azure Storage.

What types of reports are available in Azure AD?

There are several types of reports available in Azure AD, including sign-in activity reports, user activity reports, and audit logs.

What is the purpose of monitoring in Azure AD?

The purpose of monitoring in Azure AD is to ensure that the directory and associated services are operating as expected, and to identify and resolve any issues or anomalies.

Can I customize audit logs in Microsoft 365?

Yes, you can customize audit logs in Microsoft 365 by using the “Audit log retention” and “Audit log search” settings in the Microsoft 365 compliance center.

What is the difference between mailbox auditing and mailbox auditing for administrative actions in Microsoft 365?

Mailbox auditing in Microsoft 365 captures activity performed by mailbox owners, while mailbox auditing for administrative actions captures activity performed by administrators or delegates.

How can I monitor activity in Microsoft 365 groups?

You can monitor activity in Microsoft 365 groups by using audit logs or activity reports in the Microsoft 365 compliance center, or by using third-party tools that provide additional visibility into group activity.

Dan Henderson
7 months ago

Great insights on configuring audit retention policies for Microsoft 365. This is extremely helpful for my MS-101 exam prep!

اميرعلي حسینی

For the audit log retention, is there a specific duration recommended for different industries?

Kay Wille
8 months ago

Does the E3 license support advanced audit log features in Microsoft 365?

Thomas Fowler
2 years ago

Appreciate the blog post! Very informative.

Gavin Sanders
6 months ago

What’s the default retention period for audit logs in Microsoft 365?

Nixon Zhang
2 years ago

The article missed some key points about audit log trimming. It could be more detailed.

Topias Toro
1 year ago

How do we access the audit logs in Microsoft 365? Is it through the Security & Compliance Center?

Radovan Vasić
1 year ago

Thanks for sharing this detailed guide!
