Turn auditing on or off (2024)

Table of Contents
In this article Before you turn auditing on or off Verify the auditing status for your organization Turn on auditing Use PowerShell to turn on auditing Turn off auditing Audit records when auditing status is changed Audit record for turning on auditing Audit record for turning off auditing FAQs
  • Article

Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. For instructions, see the Verify the auditing status for your organization section in this article.

When auditing is turned on in the Microsoft Purview portal or the Microsoft Purview compliance portal, user and admin activity from your organization is recorded in the audit log and automatically retained for 180 days. The retention (lifetime) for audit data starts when it's added to the auditing log and is retained based on audit log retention policies and the license assigned to users.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

Changes to the user licensing or retention policies also change the expiration date of audit data.

Your organization may have reasons for not wanting to record and retain audit log data. In these cases, a global admin can turn off auditing in Microsoft 365 for your organization. For instructions, see the Turn off auditing section in this article.

Important

See Also
Mailbox audit logging in Exchange ServerRecover deleted messages in a user's mailbox in Exchange OnlineDeleting and recovering emails in Office 365Get-AuditLogSearch (ExchangePowerShell)

If you turn off auditing in Microsoft 365, you can't use the Office 365 Management Activity API or Microsoft Sentinel to access auditing data or logs for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the Microsoft Purview portal or compliance portal, or when you run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you turn auditing on or off

You must be assigned the Audit Logs role in Exchange Online to turn auditing on or off. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

  • For step-by-step instructions on searching the audit log, see Search the audit log.
  • For more information about the Microsoft 365 Management Activity API, see Get started with Microsoft 365 Management APIs.

Verify the auditing status for your organization

To verify that auditing is turned on for your organization, you can run the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

A value of True for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned on. A value of False indicates that auditing isn't turned on.

Important

Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when auditing is turned on.

Turn on auditing

If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview portal or compliance portal, or by using Exchange Online PowerShell. It may take several hours after you turn on auditing before you can return results when you search the audit log.

See Also
Manage audit log retention policies

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  • Microsoft Purview portal
  • Compliance portal

Complete the following steps to turn on auditing:

  1. Sign into the Microsoft Purview portal.
  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
  3. If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
  4. Select the Start recording user and admin activity banner.

It may take up to 60 minutes for the change to take effect.

Use PowerShell to turn on auditing

  1. Connect to Exchange Online PowerShell.

  2. Run the following PowerShell command to turn on auditing.

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    A message is displayed saying that it may take up to 60 minutes for the change to take effect.

Turn off auditing

You have to use Exchange Online PowerShell to turn off auditing.

  1. Connect to Exchange Online PowerShell.

  2. Run the following PowerShell command to turn off auditing.

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

  3. After a while, verify that auditing is turned off (disabled). There are two ways to do this:

    • In Exchange Online PowerShell, run the following command:

      Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

      The value of False for the UnifiedAuditLogIngestionEnabled property indicates that auditing is turned off.

    • Go to the Audit page in the compliance portal.

      If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.

Audit records when auditing status is changed

Changes to the auditing status in your organization are themselves audited. This means that audit records are logged when auditing is turned on or turned off. You can search the Exchange admin audit log for these audit records.

To search the Exchange admin audit log for audit records that are generated when turning auditing on or off, run the following command in Exchange Online PowerShell:

Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -Parameters UnifiedAuditLogIngestionEnabled

Audit records for these events contain information about when the auditing status was changed, the admin who changed it, and the IP address of the computer that was used to make the change. The following screenshots show audit records that correspond to changing the auditing status in your organization.

Audit record for turning on auditing

Turn auditing on or off (1)

The value of Confirm in the CmdletParameters property indicates that unified audit logging was turned on in the Microsoft Purview portal or compliance portal, or by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true cmdlet.

Audit record for turning off auditing

Turn auditing on or off (2)

The value of Confirm isn't included in the CmdletParameters property. This indicates that unified audit logging was turned off by running the Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false command.

For more information about searching the Exchange admin audit log, see Search-AdminAuditLog.

Turn auditing on or off (2024)

FAQs

What is an audit answer? ›

An audit is the examination of the financial report of an organisation - as presented in the annual report - by someone independent of that organisation.

Read On
What does an audit policy enable? ›

Windows audit policy defines what types of events are written to the Security logs of your Windows servers. Establishing an effective audit policy helps you spot potential security problems, ensure user accountability and provide evidence in the event of a security breach.

Discover More Details
How to check if ad auditing is enabled? ›

Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies. It lists all audit policies in the right pane.

Continue Reading
How to check if file auditing is enabled? ›

Right-click the file or folder, and then select Properties. Click the Security tab. Click Advanced. Click the Auditing tab.

See Details
Is audit a good thing? ›

An audit is important as it provides credibility to a set of financial statements and gives the shareholders confidence that the accounts are true and fair. It can also help to improve a company's internal controls and systems.

Find Out More
What is the purpose of auditing? ›

In summary, the purpose of an audit is to provide an objective independent examination of the financial statements, which increases the value and credibility of the financial statements produced by management, thereby increase user confidence in the financial statement, reduce investor risk and consequently reduce the ...

Tell Me More
How do you activate an audit? ›

Turn on auditing
  1. Sign into the Microsoft Purview portal.
  2. Select the Audit solution card. ...
  3. If auditing isn't turned on for your organization, a banner is displayed prompting you start recording user and admin activity.
  4. Select the Start recording user and admin activity banner.
Mar 26, 2024

Show Me More
How do I enable auditing on my domain? ›

Right-click the Active Directory object that you want to audit, and then select Properties. Select the Security tab, and then select Advanced. Select the Auditing tab, and then select Add.

Explore More
What is auditing permissions? ›

Auditing permissions enables you to see the changes made to permissions over time. You can filter the permissions that you want to view. For example, you can view the permission changes on a specific data chain object, or for a particular user.

Continue Reading
What is auditing in Active Directory? ›

Active Directory (AD) auditing is the process of collecting and analyzing data about your AD objects and Group Policy. Organizations perform AD auditing to proactively improve security, promptly detect and respond to threats, and keep IT operations running smoothly.

Show Me More

What is ad account auditing? ›

Additionally, audits allow you to spot the trends and patterns that can help optimize your campaigns. Audits also help you keep your campaigns up to date. Facebook frequently updates the platform, and audits ensure you know about new ad types, updates, and changes in how ad pixels work.

Read The Full Story
What is audit log settings? ›

Audit logging is used to improve the security of the directory server. A default audit plug-in is provided with the server. Depending on the audit configuration parameters, this plug-in might log an audit entry in the default or specified audit log for each LDAP operation the server processed.

See Details
How is auditing enabled in Windows? ›

2. Enable Auditing of Specific File and Folder
  1. Select the folder that you want to audit.
  2. Right-click and click “Properties” to access its properties.
  3. Go to “Security” tab, and click “Advanced”. ...
  4. In “Advanced Security Settings…” dialog box, select “Auditing” tab. ...
  5. Click “Add”. ...
  6. Click “Select a principal” link.
Dec 21, 2023

Get More Info Here
How to check if auditing is enabled in Office 365? ›

How to configure Mailbox Auditing
  1. Sign into the Security & Compliance Center with your Office 365 Admin account.
  2. Select Search & Investigation, and then select Audit log search.
  3. Click on “Start recording user and admin activity”. ...
  4. You'll see a message advising that auditing has been enabled for your organization.

Continue Reading
How do you answer audit questions? ›

An auditor is looking for the truth. A guess, even if it is an educated guess, is not the truth. Therefore, do not guess your answer, unless you are asked to give an opinion; and then make clear that your answer is an opinion, not a statement of fact.

View More
What is an audit in simple terms? ›

Auditing is defined as the on-site verification activity, such as inspection or examination, of a process or quality system, to ensure compliance to requirements. An audit can apply to an entire organization or might be specific to a function, process, or production step.

View Details
Why did you choose audit answer? ›

Answer it directly, honestly, and succinctly. Tell a story and describe how your passion for the profession will provide tangible benefits for the employer. Example: “I have always enjoyed working with numbers and facts in pursuit of information that can be used to achieve an objective or make a decision.

See More
What is an audit question? ›

Types of Questions in Audit

These questions often begin with "What," "How," or "Why." Example: "What is the process for approving new vendors?" 2. Closed-ended questions: Closed-ended questions are used to confirm facts or elicit specific information. They often require a simple "yes" or "no" answer.

Learn More
Top Articles
Netflix Error 3-5005
Manage your child's app permissions
Staff | Lunning Funeral Chapel
Service Options | Lunning Funeral Chapel
Elogin Benefis
Mesh Tape Lowes
Taurus Monthly Horoscope: Full Forecast for October 2024
Free Taurus Horoscope October, 2023 : Easy psychics
Clemson defeats University of South Carolina in Palmetto Bowl, live recap
2015 Palmetto Bowl: Game Grades, Analysis for Clemson vs. South Carolina
minneapolis household items "fabric" - craigslist
The Interstellar Clouds Called Molecular Clouds Are _________.
Latest Posts
Bank of Unity Banking Review
The 50% Rule - Does it Work? Maybe... - Real Estate Investing .org
Article information

Author: Corie Satterfield

Last Updated:

Views: 6401

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Corie Satterfield

Birthday: 1992-08-19

Address: 850 Benjamin Bridge, Dickinsonchester, CO 68572-0542

Phone: +26813599986666

Job: Sales Manager

Hobby: Table tennis, Soapmaking, Flower arranging, amateur radio, Rock climbing, scrapbook, Horseback riding

Introduction: My name is Corie Satterfield, I am a fancy, perfect, spotless, quaint, fantastic, funny, lucky person who loves writing and wants to share my knowledge and understanding with you.