Audit log retention involves the process of preserving, storing, managing, and eliminating audit logs over time. In Microsoft 365, the audit log record is stored for 90 days by default. However, modification of the retention period is possible to meet specified organizational needs.
A well-configured audit retention policy on Microsoft 365 aids in regulatory compliance, offers critical security insights, helps in the investigation of potential security incidents, and supports trending and reporting.
Planning Audit Log Retention Policies
During the planning phase, various factors need to be taken into consideration:
- Organizational Requirements: Understand the organization’s legal, compliance, and business requirements related to the retention of audit logs. This may involve consulting legal, compliance, security, and business departments for an in-depth understanding.
- Regulatory Requirements: Different industries or countries may have specific regulations regarding the retention period of audit logs. It is key to consider these regulations when determining the retention period.
- Data Storage Requirements: The amount of audit log data can be extensive, so assess your available storage capacity.
- Data Accessibility: Determine who needs access to the audit log data to maintain it at a secure and appropriate level.
Configuring Audit Log Retention Policies
Configuring audit log retention policies in Microsoft 365 can be accomplished through the Security and Compliance Center (SCC), or by leveraging PowerShell.
Via Security and Compliance Center (SCC)
One can utilize the SCC for configuring and managing audit log retention policies. This involves the following key steps:
- Navigate to the “Data Governance” section within SCC.
- Click on “Retention,” then “Create,” and finally “+ Create a retention policy.”
- Provide a name and description for the policy.
- Specify the settings and conditions relevant for your policy. For instance, you can choose to retain content for a specified period after last modification or deletion, or indefinitely.
- Choose the locations where the policy should get applied, such as Exchange email, SharePoint or OneDrive.
- Once reviewed, click on “Create.”
Via PowerShell
Using PowerShell commands can offer you a more granular approach to configuring these policies.
The command below shows an example of how to set an audit log retention period of 180 days:
Set-UnifiedAuditLogIngestionConfiguration -UnifiedAuditLogIngestionConfiguration $Config.StatusCode "ResourceType"
This code changes the age limit of the audit log data to 180 days.
Conclusion
Understanding how to plan and configure audit retention policies for Microsoft 365 is a crucial component of the MS-101 exam. It is essential for maintaining security, accountability, and regulatory compliance within your organization’s digital environment. Moreover, it provides navigable roadmap for organizations to follow in the case of security incidents. As you prepare for your MS-101 exam, ensure you sufficiently understand these concepts and gain practical experience in applying them.
Please refer to the official Microsoft 365 documentation and materials for a comprehensive understanding of these topics. Remember, the devil is in the details, and grasping these details will go a long way in helping you pass your certification exam.
Practice Test
True or False: In Microsoft 365, the default audit log retention policy is set to 30 days.
- Answer: False.
Explanation: The default audit log retention policy in Microsoft 365 is set to 90 days.
Which of the following features does Microsoft 365 offer for audit retention?
- a) Extend retention period
- b) Delete audit logs
- c) Restrict access to audit logs
- d) All of the above.
Answer: d) All of the above.
Explanation: Microsoft 365 offers all these features for audit retention. Administrators can extend the retention period, delete audit logs, and restrict access to audit logs as required.
The Microsoft 365 E5 Compliance add-on license includes extended audit log retention. True or False?
- Answer: True.
Explanation: This add-on license includes advanced compliance features like extended audit log retention, thus increasing the default retention period significantly.
For how long can you extend the audit log retention period in Microsoft 365 with an E5 license?
- a) 6 months
- b) 1 year
- c) 3 years
- d) Indefinitely
Answer: b) 1 year.
Explanation: An E5 license enables administrators to extend the audit log retention period up to one year.
True or False: It’s possible to delete audit logs in Microsoft 365 anytime as per business requirements.
- Answer: True.
Explanation: Yes, it’s possible to delete audit logs anytime, provided you understand the implications of doing so for future analysis or auditing requirements of the organization.
Which of the following are valid reasons to restrict access to audit logs in Microsoft 365?
- a) To protect audit log data
- b) To meet compliance requirements
- c) To prevent unauthorized changes
- d) All of the above.
Answer: d) All of the above.
Explanation: All these reasons are valid for restricting access to audit logs as it’s critical to secure them from unauthorized access or changes.
Only admins can view Microsoft 365 audit logs. True or False?
- Answer: False.
Explanation: By default, admins can view the logs, but they also have the capacity to delegate this permission to other roles as needed.
Extending the audit log retention period in Microsoft 365 incurs extra charges. True or False?
- Answer: True.
Explanation: Extended audit log retention is a premium feature and it comes with additional costs.
The audit log retention policy in Microsoft 365 should be the same for all your organizations. True or False?
- Answer: False.
Explanation: The retention policy can differ based on the specific requirements and compliance needs of each organization.
The audit log retention policy in Microsoft 365 also covers third-party applications integrated with Microsoft True or False?
- Answer: False.
Explanation: The policy only governs the retention of audit logs in Microsoft 365 itself and won’t cover third-party applications. You would need to configure this separately with the respective applications.
Interview Questions
What is the primary purpose of configuring audit retention policies in Microsoft 365?
The primary purpose of configuring audit retention policies in Microsoft 365 is to manage the lifespan of audit records. This allows handlers and administrators to specify how long an audit record should be kept before it gets deleted.
How long does Microsoft 365 retain audit data by default?
By default, Microsoft 365 retains audit data for 90 days.
Is there a maximum limit for audit log retention in Microsoft 365?
Yes, the maximum limit for audit log retention in Microsoft 365 is 1 year for E5 licenses.
Can you alter the audit log retention policy for a specific user?
No, the audit log retention policy is configured at the tenant level and it applies to all users.
What are the main steps to configure an audit retention policy in Microsoft 365?
The main steps to configure an audit retention policy in Microsoft 365 are: Navigate to the Compliance Center -> Audit -> Settings -> Audit log retention -> Choose the desired retention period.
Can you extend audit log retention beyond 365 days?
No, the maximum retention period for audit logs in Microsoft 365 is 365 days.
Is it possible to recover audit logs that have been deleted due to a retention policy?
No, once an audit log has been deleted due to a retention policy it cannot be recovered.
How are audit logs stored in Microsoft 365?
Audit logs in Microsoft 365 are stored in the Unified Audit Log.
What type of Microsoft 365 license is required to have a 1-year audit log retention?
An E5 license is required to have a 1-year audit log retention in Microsoft 365.
What is the impact of not setting up audit log retention policies in Microsoft 365?
If no audit log retention policy is set up, audit data will automatically be deleted after 90 days.
How can an admin review or search the audit log in Microsoft 365?
An admin can review or search the audit log in Microsoft 365 through the Compliance Center.
Can individual users view their own audit log data in Microsoft 365?
No, only admins can view the audit log data in Microsoft 365.
What is the role of the Compliance Center in audit log retention?
The Compliance Center is where an administrator can configure the audit log retention policy and search for specific audit log data.
What necessitates the need for audit log retention?
The need for audit log retention arises to meet compliance requirements, to investigate incidents, and have oversight into the activities within the Microsoft 365 environment.
Can we determine the scope of activity types that the audit log collects in Microsoft 365?
Yes, the Admin can determine the scope of activity types that the audit logs collect in Microsoft 365 in the audit settings of the Security & Compliance Center. However, note that certain activities are always audited regardless of the settings.