Overview

The Microsoft 365 audit log is the best place to identify user and admin actions (like track admin roles changes).

By default, standard retention is limited to 90 days (180 days since October 17, 2023), except for tenants with Office 365 E5 or Microsoft 365 E5 licenses who can configure the retention period (https://learn.microsoft.com/en-us/purview/audit-premium).

Retention Limits with PowerShell

But, since summer 2021 (no exact date), the logs are now retained for 365 days.

Note that this only for search with PowerShell Search-UnifiedAuditLog. The web interface are still the 90 days limitation on non E5 tenants.

After testing several tenants (M365 Business, Office 365 E3), all now provide access to 365 days of history.

Example

Below is an example with a Microsoft 365 Business Premium tenant retrieving items from 365 days ago:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) -EndDate (Get-Date).AddDays(-364)

AdminAuditLogAgeLimit value

If you check AdminAuditLogAgeLimitit , it's still set to 90 days.

Connect-ExchangeOnline
(Get-AdminAuditLogConfig).AdminAuditLogAgeLimit
90.00:00:00

However, if you check AdminAuditLogAgeLimit, it still shows 90 days, so verifying that value isn’t very helpful.

I don’t find any documentation with this information, so I don’t know if it’s a non documented feature or something else… But Microsoft docs still show 90 days/180 days (still valid in 2025):

https://learn.microsoft.com/en-us/purview/audit-log-enable-disable
Microsoft 365
Previous Post Get the Microsoft 365 admin roles and track the changes [updated january 2025]
Next Post Augmentation des audits logs à 365 jours dans Microsoft 365

Comments

banner-Bastien Perez
Bastien Perez's avatar

Freelance Microsoft 365 - Active Directory - Modern Workplace

France