Microsoft Purview · Audit
Audit Manager
Search, manage, and configure audit log settings and retention policies for compliance monitoring.
Scope: Organization-wide audit log access and configuration
Permissions
- Audit Search - Search and export unified audit logs
- Retention Policies - Configure audit log retention policies
- Custom Retention - Create custom audit log retention policies for specific users or activities
- Premium Features - Access audit (Premium) features including long-term retention
- Mailbox Auditing - Configure mailbox auditing settings
- Search Jobs - Manage audit log search jobs
Common use cases
- Investigating security incidents and breaches
- Compliance monitoring and reporting
- Forensic analysis of user activities
- Meeting regulatory audit requirements (SOX, HIPAA, GDPR)
- Tracking administrative changes to tenant
Best practices
- Configure audit log retention before incidents occur
- Use custom retention policies for high-risk users (admins, executives)
- Regularly export critical audit logs for offline storage
- Document audit search queries and rationale
- Coordinate with security team on incident response procedures
- Set up alerts for critical audit events
- Maintain audit evidence chain of custody for legal proceedings
Security considerations
- Audit logs contain sensitive information about user activities
- Can reveal details of security incidents and investigations
- Export activities should be monitored and controlled
- Ensure audit log integrity is maintained
- Audit logs themselves should be protected from tampering
- Consider privacy implications when reviewing user activities
Common questions
When should I assign the Audit Manager role?
Assign Audit Manager when you need to: Investigating security incidents and breaches; Compliance monitoring and reporting; Forensic analysis of user activities; Meeting regulatory audit requirements (SOX, HIPAA, GDPR); and Tracking administrative changes to tenant. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Audit Manager role do?
The Audit Manager role grants permissions including: Audit Search - Search and export unified audit logs; Retention Policies - Configure audit log retention policies; Custom Retention - Create custom audit log retention policies for specific users or activities; Premium Features - Access audit (Premium) features including long-term retention; Mailbox Auditing - Configure mailbox auditing settings; and Search Jobs - Manage audit log search jobs. See the Permissions section above for the full list.
What are the security risks of the Audit Manager role?
Key considerations when assigning Audit Manager: Audit logs contain sensitive information about user activities; Can reveal details of security incidents and investigations; Export activities should be monitored and controlled; and Ensure audit log integrity is maintained. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.