Microsoft Purview · Audit

Audit Manager

Search, manage, and configure audit log settings and retention policies for compliance monitoring.

Scope: Organization-wide audit log access and configuration

Permissions

  • Audit Search - Search and export unified audit logs
  • Retention Policies - Configure audit log retention policies
  • Custom Retention - Create custom audit log retention policies for specific users or activities
  • Premium Features - Access audit (Premium) features including long-term retention
  • Mailbox Auditing - Configure mailbox auditing settings
  • Search Jobs - Manage audit log search jobs

Common use cases

  • Investigating security incidents and breaches
  • Compliance monitoring and reporting
  • Forensic analysis of user activities
  • Meeting regulatory audit requirements (SOX, HIPAA, GDPR)
  • Tracking administrative changes to tenant

Best practices

  • Configure audit log retention before incidents occur
  • Use custom retention policies for high-risk users (admins, executives)
  • Regularly export critical audit logs for offline storage
  • Document audit search queries and rationale
  • Coordinate with security team on incident response procedures
  • Set up alerts for critical audit events
  • Maintain audit evidence chain of custody for legal proceedings

Security considerations

  • Audit logs contain sensitive information about user activities
  • Can reveal details of security incidents and investigations
  • Export activities should be monitored and controlled
  • Ensure audit log integrity is maintained
  • Audit logs themselves should be protected from tampering
  • Consider privacy implications when reviewing user activities

Common questions

When should I assign the Audit Manager role?

Assign Audit Manager when you need to: Investigating security incidents and breaches; Compliance monitoring and reporting; Forensic analysis of user activities; Meeting regulatory audit requirements (SOX, HIPAA, GDPR); and Tracking administrative changes to tenant. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Audit Manager role do?

The Audit Manager role grants permissions including: Audit Search - Search and export unified audit logs; Retention Policies - Configure audit log retention policies; Custom Retention - Create custom audit log retention policies for specific users or activities; Premium Features - Access audit (Premium) features including long-term retention; Mailbox Auditing - Configure mailbox auditing settings; and Search Jobs - Manage audit log search jobs. See the Permissions section above for the full list.

What are the security risks of the Audit Manager role?

Key considerations when assigning Audit Manager: Audit logs contain sensitive information about user activities; Can reveal details of security incidents and investigations; Export activities should be monitored and controlled; and Ensure audit log integrity is maintained. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →