Microsoft Purview Audit: Unified Audit Log for Small Businesses in Berlin
When a security incident occurs, the first question is always: what happened, when, and to which accounts and data? Without a centralized audit log, answering that question in a Microsoft 365 environment means manually correlating fragmented records from Exchange, SharePoint, Teams, and Entra ID — a process that takes days and frequently leaves gaps. Microsoft Purview Audit (the Unified Audit Log) solves this by capturing every significant user and administrator action across the Microsoft 365 suite into a single, searchable record.
What Is Microsoft Purview Audit?
Microsoft Purview Audit is the unified activity logging layer for Microsoft 365. It captures user and admin activities across Exchange Online, SharePoint, OneDrive, Teams, Entra ID, Power Platform, Defender, and other Microsoft 365 services. Every audit event includes who performed the action, what action was taken, on which resource, from which IP address and location, and when. The result is a comprehensive activity trail suitable for security investigations, compliance audits, and forensic analysis.
Purview Audit comes in two tiers: Audit (Standard) — included in most Microsoft 365 plans — and Audit (Premium), which extends retention to up to ten years and adds intelligent insights and higher-bandwidth API access.
What Gets Logged
The Unified Audit Log captures a broad set of activities relevant to Berlin SMBs:
Exchange Online: Email sends, receives, moves, and deletions. Mailbox permission changes. Forwarding rule creation and modification — a critical detection point for business email compromise, where attackers create inbox rules to forward copies of emails to external addresses without the user’s knowledge.
SharePoint and OneDrive: File access, creation, modification, deletion, and sharing. External sharing events. Permission inheritance changes. These events are central to investigating data exfiltration incidents.
Microsoft Teams: Channel creation and deletion, message deletion, membership changes, and meeting recordings. For organizations relying on Teams for internal communication, Teams audit events provide the activity trail for compliance and incident investigations.
Entra ID: User creation, deletion, and modification. Role assignments and removals. Password changes and resets. MFA configuration changes. Application consent grants. These identity events are critical for detecting unauthorized privilege escalation or account compromise.
Admin activities: All tenant and service configuration changes are logged — new conditional access policies, modifications to security settings, eDiscovery case creation, DLP policy changes.
Retention: Standard vs. Premium
Audit (Standard) retains audit logs for 90 days for users with most Microsoft 365 licenses, and 180 days for users with Microsoft 365 E3 or Business Premium licenses. Audit (Premium) extends retention to one year by default and allows up to ten years with the Microsoft 365 Audit Log Retention add-on.
For Berlin SMBs, the 180-day retention under Business Premium is sufficient for most security incident investigations — the vast majority of breaches are detected within weeks, not months. Regulatory requirements for certain industries (financial services, healthcare, legal) may mandate longer retention, in which case Audit Premium or log export to external storage should be evaluated.
Searching and Investigating Audit Logs
The Purview compliance portal provides a graphical audit log search interface: select activity types, date range, users, and resource types, and retrieve matching events. Results can be exported to CSV for further analysis in Excel or imported into SIEM platforms.
For programmatic access, the Office 365 Management Activity API (part of the Office 365 Management APIs) allows querying audit events at scale — relevant for organizations integrating Microsoft 365 audit data into Microsoft Sentinel or third-party SIEM solutions. The API enables real-time streaming of audit events, making it practical to build continuous monitoring pipelines that alert on specific high-risk activities.
High-Value Audit Queries for Berlin SMBs
Specific audit searches that deliver immediate security value: forwarding rule creation (detect BEC post-compromise persistence), bulk file access (detect data exfiltration patterns), external sharing events (understand what data has left the organization), admin role assignment changes (detect unauthorized privilege escalation), MFA method registration (detect account takeover preparation), and application consent grants (detect OAuth phishing attacks).
These searches should be executed as part of any security incident investigation and can be scheduled as regular health checks — monthly review of admin role changes and bulk file access events, for example — even in organizations without a dedicated SOC.
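One way to run the searches above against records pulled through the API or exported from the portal, added here as an example and not Microsoft tooling or the page's own code: it parses the AuditData JSON that a Purview export or the Management Activity API delivers and flags external forwarding rules, privileged role assignments, application consent grants and bulk downloads. The three sample records, the `example.com` internal domain and the 100-download threshold are constructed assumptions; the field and Operation names are the real ones the Unified Audit Log uses.

```python
import json
from collections import Counter
# Constructed AuditData records as a Purview export or the Management Activity API returns them (field and Operation names are real; users, IPs and the forwarding target are made up).
SAMPLE_RECORDS = [
    '{"CreationTime":"2024-03-04T08:12:31","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"anna@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Archive"},'
    '{"Name":"ForwardTo","Value":"relay@attacker.example"}]}',
    '{"CreationTime":"2024-03-04T09:02:10","Operation":"Add member to role.","Workload":"AzureActiveDirectory",'
    '"UserId":"anna@example.com","ClientIP":"203.0.113.7","ModifiedProperties":[{"Name":"Role.DisplayName",'
    '"NewValue":"\\"Global Administrator\\"","OldValue":""}]}',
    '{"CreationTime":"2024-03-04T09:30:00","Operation":"FileAccessed","Workload":"SharePoint",'
    '"UserId":"ben@example.com","ClientIP":"198.51.100.2"}',
]
INTERNAL_DOMAINS = {"example.com"}      # assumption: the tenant's own mail domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "Privileged Role Administrator"}

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def triage_record(rec):
    """Classify one parsed record; returns (severity, reason) or None for routine activity."""
    op = rec.get("Operation", "")
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [params[k] for k in FORWARDING_PARAMS if k in params]
        if any(is_external(t) for t in targets):
            return "high", f"inbox rule forwards mail to external address(es) {targets}"
    if op == "Add member to role.":
        # NewValue is a JSON-encoded string, so the role name arrives wrapped in quotes
        roles = [p["NewValue"].strip('"') for p in rec.get("ModifiedProperties", []) if p["Name"] == "Role.DisplayName"]
        if any(r in PRIVILEGED_ROLES for r in roles):
            return "high", f"privileged directory role assigned: {roles}"
    if op == "Consent to application.":
        return "medium", "OAuth application consent granted; review the app and its scopes"
    return None

def triage(raw_records):
    """Return (time, user, ip, operation, severity, reason) tuples, plus a per-user bulk-download check."""
    findings, downloads = [], Counter()
    for raw in raw_records:
        rec = json.loads(raw)
        downloads[rec["UserId"]] += rec.get("Operation") == "FileDownloaded"
        hit = triage_record(rec)
        if hit:
            findings.append((rec["CreationTime"], rec["UserId"], rec.get("ClientIP"), rec["Operation"]) + hit)
    for user, n in downloads.items():
        if n >= 100:  # assumption: bulk threshold for FileDownloaded events in one exported window
            findings.append((None, user, None, "FileDownloaded", "medium", f"{n} file downloads in one export"))
    return findings
```

Feed it the `AuditData` column of a portal CSV export or the content blobs returned by the API; the tuples it returns are what a monthly health check or an incident timeline starts from.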
Integration with Microsoft Sentinel
For Berlin SMBs running Microsoft Sentinel, the Microsoft 365 data connector ingests Unified Audit Log events directly into the Sentinel workspace. This enables KQL-based correlation between audit events and other security signals: an Entra ID Protection high-risk sign-in followed by mailbox rule creation and bulk file download in SharePoint — the classic pattern of account compromise followed by data exfiltration — is automatically surfaced as a correlated incident in Sentinel.
Integration with Microsoft Purview Information Protection
Sensitivity label activity is captured in the Unified Audit Log: which users applied, modified, or removed sensitivity labels on which documents, and when. For Berlin SMBs that have deployed Microsoft Purview Information Protection with sensitivity labels, the audit log provides the compliance trail demonstrating that labeling policies are being applied and adhered to — critical evidence for GDPR accountability obligations and industry-specific regulatory requirements.
DLP Policy Match Events
When a Microsoft Purview Data Loss Prevention policy triggers — a user attempts to share a document containing personal data externally, for example — the DLP policy match event is captured in the Unified Audit Log. This creates an auditable record of policy enforcement: which policy was triggered, which user triggered it, which content matched, and what action was taken (block, override, notify). For Berlin SMBs demonstrating GDPR compliance to auditors, this audit trail is a concrete compliance artifact.
Conclusion
Microsoft Purview Audit is the foundational forensic and compliance capability that every Berlin SMB using Microsoft 365 should have properly configured. Audit logging is enabled by default for most Microsoft 365 tenants, but the key actions are verifying that logging is active, understanding the retention period under your current license, and establishing a baseline of what normal activity looks like before an incident occurs. When something does go wrong — and in any organization of meaningful size, it eventually will — a populated Unified Audit Log is the difference between a two-hour investigation and a two-week reconstruction effort.
Related Articles
- Microsoft Sentinel: Ingest Microsoft 365 Unified Audit Log events into Sentinel — correlate Exchange forwarding rule creation, bulk file downloads, and admin changes with identity and endpoint signals for automated incident detection
- Microsoft Purview Information Protection: Sensitivity label activity is captured in the Unified Audit Log — create an auditable compliance trail showing which documents were labeled, by whom, and when for GDPR accountability and regulatory reporting
- Microsoft Purview Data Loss Prevention: DLP policy match events are recorded in the Unified Audit Log — document every blocked share attempt, user override, and policy trigger for compliance audits and data governance reporting
