Microsoft Purview Audit: Advanced Audit for Small Businesses in Berlin
When a security incident occurs — a compromised account, unauthorized data access, or an insider threat — the first question is always: what happened, and when? Microsoft Purview Audit is the unified audit log for Microsoft 365, recording user and administrator activity across Exchange Online, SharePoint Online, OneDrive, Teams, Entra ID, and dozens of other Microsoft 365 services. For small businesses in Berlin, the audit log is both a security investigation tool and a compliance record that regulators, insurers, and auditors increasingly expect to see.
What Gets Logged
The Microsoft Purview audit log records hundreds of activity types across the Microsoft 365 platform. In Exchange Online, it captures email sends, reads, forwarding rule changes, delegate access, and mailbox permission modifications. In SharePoint and OneDrive, it records file accesses, downloads, sharing events, permission changes, and site collection modifications. In Teams, it logs message sends and edits, meeting creations, channel membership changes, and app installations. In Entra ID, it records sign-ins, MFA events, conditional access policy changes, user and group modifications, and privileged role assignments.
Standard audit log retention is 180 days for Microsoft 365 Business Premium users. This is adequate for responding to incidents that are discovered promptly, but insufficient for detecting threats that have operated undetected for longer periods or for meeting compliance frameworks that require longer audit retention. Advanced Audit extends retention to one year for all audit log entries, and up to ten years for specific audit data when configured with long-term retention policies.
Advanced Audit: High-Value Events
Advanced Audit introduces a set of high-value audit events that are not captured in the standard audit log. The most significant are MailItemsAccessed and Send events in Exchange Online. MailItemsAccessed records every instance where a mail item is accessed — whether by the legitimate user or through a compromised session — enabling you to establish precisely which emails an attacker read during a compromise, rather than only seeing which mailbox they authenticated to. This is critical for GDPR breach notification assessments, where you need to determine whether personal data was accessed.
Other Advanced Audit events include URL clicks logged via Safe Links (showing which phishing URLs users clicked, even if they were not blocked), SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint (recording what search terms were used in mailboxes and SharePoint, useful for detecting data exfiltration reconnaissance), and Teams message recall events. These events provide forensic depth that is unavailable in the standard audit log.
Searching the Audit Log
The Microsoft Purview compliance portal provides a graphical audit log search interface that allows you to filter by date range, user, activity type, and resource. For security investigations, you can search for all activity by a specific user account over a time period, all accesses to a specific file or site, or all changes to a specific policy or configuration object. Results are exportable to CSV for further analysis or preservation as evidence.
For more complex queries, the Office 365 Management Activity API provides programmatic access to audit data, with support for filtering, pagination, and subscription to audit events in near real-time. Organizations that forward audit data to Microsoft Sentinel can use KQL queries to correlate audit events with sign-in logs, MDE alerts, and network traffic for unified security investigations.
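Once search results are exported (the AuditData column of the portal's CSV, or the JSON returned by the Management Activity API), the MailItemsAccessed analysis described under high-value events comes down to grouping records by session and separating what was provably read from what can only be bounded. The following is an added example, not code from this page or from Microsoft; the records, addresses and session IDs are constructed, and the field names follow the published MailItemsAccessed schema (MailAccessType, IsThrottled, Folders, FolderItems, InternetMessageId).

```python
import json
from collections import defaultdict

# Constructed MailItemsAccessed records (AuditData JSON of unified audit log
# rows). Field names follow the documented schema; every value is made up.
SAMPLE_ROWS = [json.dumps(r) for r in [
    {"CreationTime": "2024-03-04T08:12:31", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.invalid", "ClientIPAddress": "198.51.100.23",
     "SessionId": "sess-A", "OperationCount": 2,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<invoice-1@example.invalid>"},
         {"InternetMessageId": "<payroll-2@example.invalid>"}]}]},
    {"CreationTime": "2024-03-04T08:15:02", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.invalid", "ClientIPAddress": "198.51.100.23",
     "SessionId": "sess-A", "OperationCount": 1,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": [{"Path": "\\Sent Items", "FolderItems": []}]},
]]

def _prop(record, name):
    """OperationProperties is a list of {"Name", "Value"} pairs, not a dict."""
    return next((p["Value"] for p in record.get("OperationProperties", [])
                 if p["Name"] == name), None)

def scope_of_access(auditdata_rows, suspect_ips):
    """Per session from a suspect IP: message IDs read (Bind), folders synced
    wholesale (a Sync record names the folder, not its items), and whether
    throttling means the record set is known to be incomplete."""
    scope = defaultdict(lambda: {"messages": set(), "synced_folders": set(),
                                 "incomplete": False})
    for rec in map(json.loads, auditdata_rows):
        if (rec.get("Operation") != "MailItemsAccessed"
                or rec.get("ClientIPAddress") not in suspect_ips):
            continue
        s = scope[rec["SessionId"]]
        # IsThrottled=True: Exchange stopped logging further accesses for up
        # to 24 hours, so the message list is a lower bound, not the full set
        if _prop(rec, "IsThrottled") == "True":
            s["incomplete"] = True
        for folder in rec.get("Folders", []):
            if _prop(rec, "MailAccessType") == "Sync":
                s["synced_folders"].add(folder["Path"])
            else:
                s["messages"].update(i["InternetMessageId"]
                                     for i in folder.get("FolderItems", []))
    return dict(scope)
```

For a GDPR breach assessment, a synced folder has to be treated as fully accessed and a throttled session as only partially enumerated; both flags are what turn "the attacker was in the mailbox" into a defensible statement about which personal data was exposed.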
Audit Log Retention Policies
Microsoft Purview Advanced Audit allows you to create custom audit log retention policies that specify how long different categories of audit data are retained. For example, you can keep Exchange Online audit records for the full year while retaining SharePoint and OneDrive records for only 90 days, or configure 10-year retention for the specific high-value event types your compliance framework requires. Retention policies are applied at the record type and activity level, giving you precise control over both storage costs and retention obligations.
For Berlin SMBs under GDPR, the audit log itself contains personal data — it records which users accessed which resources. Audit log retention policies should be set to the minimum period required by your security and compliance obligations, with policies reviewed annually against your data retention schedule. The Microsoft Purview compliance portal provides an export capability for audit data that needs to be preserved as evidence for regulatory inquiries or legal proceedings.
Licensing and Activation
Standard audit logging (180-day retention) is included in Microsoft 365 Business Premium, Microsoft 365 E3, and all higher commercial licences. Advanced Audit — with one-year retention, high-value events like MailItemsAccessed, and long-term retention policies — requires Microsoft 365 E5, Microsoft 365 E5 Compliance, or the Microsoft Purview Audit add-on licence applied per user. For small businesses on Business Premium, enabling Advanced Audit for high-risk users — executives, finance staff, administrators — while retaining standard audit for the rest is a cost-effective approach to prioritizing investigative capability where it matters most.
Audit log search is enabled by default in Microsoft 365 tenants created after 2019. For older tenants, it may need to be explicitly turned on in the Microsoft Purview compliance portal. The activation takes up to 24 hours to begin recording events, so enabling audit logging before an incident — rather than after — is the only way to ensure forensic data is available when you need it.
Related Articles
- Microsoft Purview Insider Risk Management: Insider Risk Management uses audit log signals as behavioral indicators — file download sequences, SharePoint access patterns, and email forwarding rule creation are correlated with other risk signals to detect insider threats before data leaves the organization
- Microsoft Purview DLP: DLP policy matches generate audit log events that appear in the unified audit log — combine audit search with DLP policy violation reports to investigate data sharing incidents and establish whether labeled content was inappropriately forwarded or downloaded
- Microsoft Sentinel: Forward Microsoft 365 audit log data to Sentinel via the Office 365 connector — correlate SharePoint access events, Exchange forwarding rule changes, and Entra ID sign-in anomalies in unified KQL queries for comprehensive security incident investigation
