How to Enable the Microsoft 365 Unified Audit Log (Complete Setup Guide)
Enable the Microsoft 365 Unified Audit Log in 10 minutes — with the right retention, the right roles, and the verification steps so you actually know it's working. Covers PowerShell, Defender portal, and the most common pitfalls.
What the Unified Audit Log actually captures #
The Microsoft 365 Unified Audit Log is the single source of truth for "who did what" across your tenant: Exchange, SharePoint, OneDrive, Teams, Entra ID, Power BI, and Defender. Without it, post-incident investigation, insider-risk detection, and most compliance frameworks (CIS, NIST 800-53, ISO 27001, SOC 2) are simply non-starters.
It is enabled by default on tenants created after January 2023 — but the default retention is only 180 days, and older tenants may have it disabled entirely. Verify your tenant's state before assuming you have the logs you need.
Required roles
To search the log you need the Audit Logs or View-Only Audit Logs role in Exchange Online. To enable it for the first time you need Compliance Administrator or Global Administrator. Give people the least of these that fits the task: an analyst who only runs searches should hold View-Only Audit Logs, not Global Administrator.
Method 1: Enable via Microsoft Defender portal #
1. Open the Audit search
Sign in to security.microsoft.com. In the left navigation, select Audit. If the log is disabled, you will see a banner: "Start recording user and admin activity."
2. Click "Start recording user and admin activity"
That single click enables the unified audit log. Microsoft documents a delay of up to 24 hours before events appear in searches; in practice the first events usually show within about an hour, but do not treat an empty search as a failure until the documented 24 hours have passed.
3. Verify with a test search
Run a search for the last hour with no filters. If you see any events at all, the log is functioning. If you see nothing after 24 hours, you have a problem — see the troubleshooting section below.
Method 2: Enable via PowerShell #
PowerShell is the right approach for scripted onboarding or multi-tenant environments (MSPs especially).
```powershell
# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Check current state
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# Enable if disabled
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Verify org-level mailbox auditing is on: AuditDisabled should be $false
# (mailbox auditing has been on by default since 2019)
Get-OrganizationConfig | Format-List AuditDisabled
```
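For scripted onboarding across several tenants, the same cmdlets can be wrapped in an idempotent function that enables ingestion only where it is off and then confirms that a search actually returns records, which is the verification step the portal method relies on. This is an added example, not code from the original page or from ConfigCobra. The admin UPN and the tenant names in `$tenants` are placeholders, and the `-DelegatedOrganization` parameter assumes you have partner (delegated) access to each tenant; drop it when enabling your own tenant.

```powershell
# Added example: enable and verify the unified audit log across several tenants.
# Requires the ExchangeOnlineManagement module and an account holding the
# Audit Logs role (Organization Management / Compliance Management) in each tenant.
Import-Module ExchangeOnlineManagement

function Enable-UnifiedAuditLogIfNeeded {
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,
        # Placeholder tenant domain for partner access; omit for your own tenant.
        [string] $DelegatedOrganization,
        [int] $VerifyTimeoutMinutes = 60
    )

    $connectParams = @{ UserPrincipalName = $AdminUpn; ShowBanner = $false }
    if ($DelegatedOrganization) { $connectParams.DelegatedOrganization = $DelegatedOrganization }
    Connect-ExchangeOnline @connectParams

    try {
        # Idempotent: only flip the switch when ingestion is actually off.
        $config = Get-AdminAuditLogConfig
        if (-not $config.UnifiedAuditLogIngestionEnabled) {
            Write-Host "Ingestion is off; enabling..."
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        } else {
            Write-Host "Ingestion already enabled."
        }

        # Org-level mailbox auditing: AuditDisabled must be $false.
        if ((Get-OrganizationConfig).AuditDisabled) {
            Write-Warning "Org-level mailbox auditing is disabled (AuditDisabled = True)."
        }

        # Verify: poll until the last hour returns at least one record, or time out.
        $deadline = (Get-Date).AddMinutes($VerifyTimeoutMinutes)
        do {
            $records = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) `
                                                -EndDate (Get-Date) -ResultSize 10)
            if ($records.Count -gt 0) {
                Write-Host ("Verified: {0} record(s) in the last hour." -f $records.Count)
                return $true
            }
            Write-Host "No records yet; retrying in 5 minutes..."
            Start-Sleep -Seconds 300
        } while ((Get-Date) -lt $deadline)

        Write-Warning "No records after $VerifyTimeoutMinutes minutes; see the pitfalls section."
        return $false
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Placeholder tenant list for a partner/MSP run (assumed names).
$tenants = @('contoso.onmicrosoft.com', 'fabrikam.onmicrosoft.com')
foreach ($t in $tenants) {
    Enable-UnifiedAuditLogIfNeeded -AdminUpn 'admin@partner.example' -DelegatedOrganization $t
}
```

The function returns `$true` only when a search actually produced records, so a scheduled run can record which tenants still need attention rather than assuming the setting alone means logging works.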
Retention: the part everyone gets wrong #
Default audit log retention depends on your license:
- E3 / Business Premium — 180 days.
- E5 — 365 days, with the ability to extend to 10 years via Audit (Premium) retention policies.
For most regulatory frameworks (SOC 2, ISO 27001), 180 days is borderline. If you might face a breach investigation that goes back further than six months, you need to either extend retention with E5 + Audit (Premium) or stream the logs to an external store. Keeping the canonical copy in M365 and archiving to a long-retention store for forensic purposes is a common approach.
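Once Audit (Premium) licensing is in place, retention beyond the default is configured with audit log retention policies, which are set per record type (and optionally per operation or user) from Security & Compliance PowerShell. The following is an added example, not code from the page or from ConfigCobra; the policy name, description and the chosen record types are illustrative, and the admin account is a placeholder.

```powershell
# Added example: keep Entra ID sign-in/directory and Exchange audit records for
# 12 months. Assumes Audit (Premium) / E5 licensing for the users concerned;
# retention policies only apply to records generated by licensed users.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # placeholder admin account

# RecordTypes are audit record types from the unified log. RetentionDuration accepts
# ThreeMonths, SixMonths, NineMonths, TwelveMonths or TenYears (TenYears needs the
# 10-year add-on license). When policies overlap, the lower Priority number wins.
New-UnifiedAuditLogRetentionPolicy -Name 'Identity and mail - 1 year' `
    -Description 'Keep sign-in, directory and Exchange audit records for 12 months' `
    -RecordTypes AzureActiveDirectoryStsLogon, AzureActiveDirectory, ExchangeAdmin, ExchangeItem `
    -RetentionDuration TwelveMonths `
    -Priority 1

# Confirm what is now in force, highest priority first.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority |
    Format-Table Name, RecordTypes, RetentionDuration, Priority -AutoSize
```

A policy only changes retention for records created after it exists; it does not recover records that already aged out under the 180-day default, which is why the archive-to-external-store decision should be made at enablement time, not after the first incident.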
Don't forget mailbox auditing #
The unified audit log captures admin actions and most service-level events, but per-mailbox events (mail read, deleted, sent as or on behalf of another user) are governed by mailbox auditing, which is a separate setting. Mailbox auditing has been on by default since 2019, but if your tenant predates that, or an admin turned it off, verify it: check the org-level `AuditDisabled` flag (shown in the PowerShell method above), then look for mailboxes whose own auditing flag is off. Note also that an audit bypass association (`Get-MailboxAuditBypassAssociation`) exempts an account from mailbox audit logging entirely even when auditing is on everywhere else, so review those as well. To list mailboxes with auditing off:
```powershell
# Mailboxes whose per-mailbox auditing flag is off (the expected result is empty)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled -eq $false } |
    Select-Object UserPrincipalName, AuditEnabled
```

Common pitfalls #
- "Audit search returns no results." Wait 24 hours. If it is still empty, verify that `UnifiedAuditLogIngestionEnabled` is `$true` via PowerShell (`Get-AdminAuditLogConfig`); the portal occasionally shows the setting as enabled when ingestion is actually paused.
- "I see admin events but no mailbox events." Mailbox auditing is disabled at the org level, or the affected accounts are exempted. Check `Get-OrganizationConfig | Select-Object AuditDisabled` first, then `Get-MailboxAuditBypassAssociation` for any account with `AuditBypassEnabled` set to `True`.
- "Events stop appearing after a date in 2023." Microsoft renamed several event types when the Defender XDR consolidation rolled out. Saved searches that filter by the old event names need updating.
- "Retention says 180 days but we need 7 years for HIPAA." E3/Business Premium cannot retain audit logs beyond 180 days. You need E5 + Audit (Premium), or a third-party log archive.
From "enabled" to "useful" #
Enabling the audit log is the easy part. Turning it into something a security team actually uses requires alerting on the right events (mass downloads, forwarding rule creation, role assignment changes), retention that matches your legal requirements, and a search interface that doesn't time out at 10k events.
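To show what "alerting on the right events" looks like against the raw records, the following added example (not code from the page or from ConfigCobra) triages a batch of unified audit log records for the three event classes named above: forwarding rule creation, directory role assignment, and mass downloads. The records are constructed inline to mirror the shape `Search-UnifiedAuditLog` returns (`CreationDate`, `UserIds`, `Operations`, and `AuditData` as a JSON string), with the `AuditData` fields laid out as in the Office 365 Management Activity schema; the users, addresses, URLs and thresholds are placeholders. It runs offline, so it can be tried without a tenant connection.

```powershell
# Added example: flag high-signal audit events in a batch of records.
function Find-SuspiciousAuditEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $DownloadThreshold = 50,      # downloads per user per window (assumed)
        [int] $DownloadWindowMinutes = 60
    )
    # Cmdlet parameters that move mail out of the mailbox
    $forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress'
    $findings  = [System.Collections.Generic.List[object]]::new()
    $downloads = @{}   # user -> array of FileDownloaded timestamps

    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        switch -Regex ($d.Operation) {
            '^(New|Set)-InboxRule$|^Set-Mailbox$' {
                # Exchange admin audit: Parameters lists the cmdlet's Name/Value pairs
                $hits = @($d.Parameters | Where-Object { $_.Name -in $forwardingParams })
                if ($hits.Count -gt 0) {
                    $findings.Add([pscustomobject]@{
                        Severity = 'High'; User = $d.UserId; Operation = $d.Operation
                        Detail   = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                    })
                }
            }
            '^Add member to role\.$' {
                # Entra ID audit: ModifiedProperties carries the role; ObjectId the target
                $role = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
                $findings.Add([pscustomobject]@{
                    Severity = 'High'; User = $d.UserId; Operation = $d.Operation
                    Detail   = "Role=$role; Target=$($d.ObjectId)"
                })
            }
            '^FileDownloaded$' {
                if (-not $downloads.ContainsKey($d.UserId)) { $downloads[$d.UserId] = @() }
                $downloads[$d.UserId] += [datetime]$d.CreationTime
            }
        }
    }

    # Sliding window over each user's downloads: report the first window over threshold
    foreach ($user in $downloads.Keys) {
        $times = @($downloads[$user] | Sort-Object)
        $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while (($times[$i] - $times[$start]).TotalMinutes -gt $DownloadWindowMinutes) { $start++ }
            $n = $i - $start + 1
            if ($n -ge $DownloadThreshold) {
                $findings.Add([pscustomobject]@{
                    Severity = 'Medium'; User = $user; Operation = 'FileDownloaded'
                    Detail   = "$n downloads within $DownloadWindowMinutes min ending $($times[$i].ToString('s'))"
                })
                break
            }
        }
    }
    return $findings
}

# Constructed records in the shape Search-UnifiedAuditLog returns (placeholder data)
function New-AuditRecord {
    param([string]$User, [string]$Operation, [datetime]$When, [hashtable]$Extra = @{})
    $data = @{ UserId = $User; Operation = $Operation; CreationTime = $When.ToString('s') } + $Extra
    [pscustomobject]@{
        CreationDate = $When; UserIds = $User; Operations = $Operation
        AuditData    = ($data | ConvertTo-Json -Depth 5 -Compress)
    }
}

$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    New-AuditRecord -User 'alice@contoso.com' -Operation 'New-InboxRule' -When $t0 -Extra @{
        Parameters = @(@{ Name = 'Name'; Value = 'Cleanup' }, @{ Name = 'ForwardTo'; Value = 'drop@attacker.example' })
    }
    New-AuditRecord -User 'admin@contoso.com' -Operation 'Add member to role.' -When $t0.AddMinutes(5) -Extra @{
        ObjectId = 'bob@contoso.com'
        ModifiedProperties = @(@{ Name = 'Role.DisplayName'; NewValue = 'Global Administrator'; OldValue = '' })
    }
    New-AuditRecord -User 'carol@contoso.com' -Operation 'Set-InboxRule' -When $t0.AddMinutes(6) -Extra @{
        Parameters = @(@{ Name = 'Name'; Value = 'Flag VIP' }, @{ Name = 'MarkImportance'; Value = 'High' })  # benign
    }
)
# 25 downloads by one user, one minute apart (constructed)
$sample += 1..25 | ForEach-Object {
    New-AuditRecord -User 'dave@contoso.com' -Operation 'FileDownloaded' -When $t0.AddMinutes($_) -Extra @{
        ObjectId = "https://contoso.sharepoint.com/sites/finance/doc$_.docx"
    }
}

Find-SuspiciousAuditEvents -Records $sample -DownloadThreshold 20 | Format-Table -AutoSize
```

Run against real data, replace `$sample` with the output of `Search-UnifiedAuditLog` for the window you care about; the rule on Carol's benign `Set-InboxRule` shows why the detection keys on the forwarding parameters rather than on the cmdlet name alone, and the download threshold is a starting point to tune against your own baseline.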
ConfigCobra continuously monitors the events that map to CIS controls and flags drift the moment a critical setting changes — so you do not have to write KQL queries against the audit log to know when something broke. See how it works on your tenant.
Related #
- Microsoft 365 Security Baseline Checklist (13 controls) — the audit log is item 8 on this list.
- The CIS Microsoft 365 Benchmark v5.0.0 guide — for the full audit-and-logging control family.