Share tips from the IT field
Microsoft training
Photo by Maarten van den Heuvel / Unsplash
Microsoft 365 audit logs are now retained for 365 days for all tenants (with PowerShell)

Microsoft 365 audit logs are now retained for 365 days for all tenants (with PowerShell)

Published on 08 Feb 2022
Bastien Perez
Bastien Perez

Clap

The Microsoft 365 audit log is the best place to identify user and admin actions (like track admin roles changes).

By default, standard retention is limited to 90 days (180 days since October 17, 2023), except for tenants with Office 365 E5 or Microsoft 365 E5 licenses who can configure the retention period (https://learn.microsoft.com/en-us/purview/audit-premium).
This 90/180-day limit is extended to 365 days if you use PowerShell Search-UnifiedAuditLog. The GUI retains the 90/180-day limit.

But, since summer 2021 (no exact date), the logs are now retained for 365 days.

Note that this only for search with PowerShell Search-UnifiedAuditLog. The web interface are still the 90 days limitation on non E5 tenants.

After some tests on several tenants (M365 Business, Office 365 E3), all now have access to 365 days of history even if the AdminAuditLogAgeLimit is still 90 days. You can find your current age limit with:

Connect-ExchangeOnline
(Get-AdminAuditLogConfig).AdminAuditLogAgeLimit
90.00:00:00

I don’t find any documentation with this information, so I don’t know if it’s a non documented feature or something else… But Microsoft docs still show 90 days/180 days (still valid in 2023):

https://learn.microsoft.com/en-us/purview/audit-log-enable-disable
Microsoft 365

Comments

banner-Bastien Perez
Bastien Perez

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France