Microsoft Purview · Audit

Audit Manager

Search, manage, and configure audit log settings and retention policies for compliance monitoring.

Scope: Organization-wide audit log access and configuration

Permissions

  • Audit Search - Search and export unified audit logs
  • Retention Policies - Configure audit log retention policies
  • Custom Retention - Create custom audit log retention policies for specific users or activities
  • Premium Features - Access Audit (Premium) features, including long-term retention
  • Mailbox Auditing - Configure mailbox auditing settings
  • Search Jobs - Manage audit log search jobs

Common use cases

  • Investigating security incidents and breaches
  • Compliance monitoring and reporting
  • Forensic analysis of user activities
  • Meeting regulatory audit requirements (SOX, HIPAA, GDPR)
  • Tracking administrative changes to the tenant

Best practices

  • Configure audit log retention before incidents occur
  • Use custom retention policies for high-risk users (admins, executives)
  • Regularly export critical audit logs for offline storage
  • Document audit search queries and rationale
  • Coordinate with the security team on incident response procedures
  • Set up alerts for critical audit events
  • Maintain audit evidence chain of custody for legal proceedings

Security considerations

  • Audit logs contain sensitive information about user activities
  • Audit logs can reveal details of security incidents and investigations
  • Export activities should be monitored and controlled
  • Ensure audit log integrity is maintained
  • Audit logs themselves should be protected from tampering
  • Consider privacy implications when reviewing user activities
