Turn on audit logs in Microsoft Purview – Part 4 – Cloud Build

Reading Time: 2 minutes

In this blog post I’ll go through a step by step guide to enabling auditing in Microsoft Purview.

If missed the previous parts, here they are:

Part 1: Introduction to Microsoft Purview
Part 2: Microsoft Purview Portal
Part 3 – Microsoft Purview Roles and Scopes

Auditing is important in Microsoft Purview because many of its features, like Data Loss Prevention (DLP), Insider Risk Management, and Information Protection, rely on audit logs to function effectively. For example, if a user removes a sensitivity label from a document or shares a file externally, that action is recorded in the audit log. These logs then feed into alerts, reports, and risk scoring systems that help security and compliance teams respond quickly and appropriately when there is an issue.

Enabling auditing early ensures that historical data is captured from the start, which is essential for building a complete picture of user behavior and data movement. It also helps organisations meet regulatory requirements, which often require detailed activity tracking and audit trails. In short, auditing lays the groundwork for a secure, compliant, and well governed environment, making it a must do step before diving into the full capabilities of Microsoft Purview.

When auditing is enabled via the Microsoft Purview portal, user and administrator activities across your organisation are captured in the audit log and automatically retained for 180 days. The retention period begins as soon as the data is logged and is governed by your organisation’s audit log retention policies and the user license type. (Refer to the comparison table below for details.)

Source: Microsoft Learn

If auditing is currently disabled, you can activate it either through the Microsoft Purview portal or via Exchange Online PowerShell. Please note: once enabled, it may take several hours before audit log search results become available.

1. Access the Microsoft Purview portal at purview.microsoft.com

2. Click the Start recording user and admin activity banner. If this is not visible, you have most likely already enabled auditing.

3. Click yes when promoted with the message below

Complete organizational setup
To complete this task, we’ll need to complete the setup process for your organization. ​Would you like to do this now?​

Note: It could take up to 60 minutes for the change to take effect once enabled.

Continue to part 5 where I enable device onboarding in Microsoft Purview

Link: Part 5: Microsoft Purview Device Onboarding