Set up Microsoft Purview Audit (Premium)

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement.

If your organization has a subscription and end-user licensing that supports Audit (Premium), perform the following steps to set up and use the additional capabilities in Audit (Premium).

Workflow to set up Audit (Premium).

Step 1: Set up Audit (Premium) for users

Audit (Premium) features, such as logging the crucial MailItemsAccessed and Send events, require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users. To verify that the Advanced Auditing app is assigned to users, perform the following steps for each user:

  1. In the Microsoft 365 admin center, go to Users > Active users, and select a user.

  2. On the user properties flyout page, click Licenses and apps.

  3. In the Licenses section, verify that the user is assigned an E5 license or is assigned an appropriate add-on license. For a list of licenses that support Audit (Premium), see Audit (Premium) licensing requirements.

  4. Expand the Apps section, and verify that the Microsoft 365 Advanced Auditing checkbox is selected.

  5. If the checkbox isn't selected, select it, and then click Save changes.

    The logging of audit records for MailItemsAccessed and Send will begin within 24 hours. You have to perform Step 2 to start logging of two other Audit (Premium) events: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.

Also, if you've customized the mailbox actions that are logged on user mailboxes or shared mailboxes, any new Audit (Premium) events released by Microsoft won't be automatically audited on those mailboxes. For information about changing the mailbox actions that are audited for each logon type, see the "Change or restore mailbox actions logged by default" section in Manage mailbox auditing.

Step 2: Enable Audit (Premium) events

You have to enable two Audit (Premium) events (SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint) to be logged when users perform searches in Exchange Online and SharePoint Online. To enable these two events to be audited for users, run the following command (for each user) in Exchange Online PowerShell:

Set-Mailbox <user> -AuditOwner @{Add="SearchQueryInitiated"}

In a multi-geo environment, you must run the previous Set-Mailbox command in the forest where the user's mailbox is located. To identify the user's mailbox location, run the following command:

Get-Mailbox <user identity> | FL MailboxLocations

If the command to enable the auditing of search queries was previously run in a forest that's different from the one the user's mailbox is located in, then you must remove the SearchQueryInitiated value from the user's mailbox by running Set-Mailbox <user> -AuditOwner @{Remove="SearchQueryInitiated"} and then add it to the user's mailbox in the forest where the user's mailbox is located.
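The following script is an added example, not part of the Microsoft article: it checks a list of mailboxes for the SearchQueryInitiated owner action from Step 2, reports the MailboxLocations value used for the multi-geo check, and adds the action only where it is missing. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to run Get-Mailbox and Set-Mailbox; the user list is a constructed sample.

```powershell
# Assumption: already connected with Connect-ExchangeOnline in the forest
# where these mailboxes live (see the MailboxLocations column in the output).
$users  = @('alice@contoso.example', 'bob@contoso.example')  # constructed sample UPNs
$dryRun = $true   # $true: only report; set to $false to actually run Set-Mailbox

$report = foreach ($upn in $users) {
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # Not found in this forest: in a multi-geo tenant, re-run from the forest
        # reported by Get-Mailbox <user> | FL MailboxLocations.
        [pscustomobject]@{
            User = $upn; Status = 'MailboxNotFound'; AuditEnabled = $null
            Action = 'None'; MailboxLocations = $null
        }
        continue
    }

    # AuditOwner is a multivalued property; -contains checks for the owner action.
    $hasSearch = $mbx.AuditOwner -contains 'SearchQueryInitiated'
    $action    = 'None'
    if (-not $hasSearch) {
        # Same command as Step 2; -WhatIf:$dryRun makes the first pass a dry run.
        Set-Mailbox -Identity $upn -AuditOwner @{Add = 'SearchQueryInitiated'} -WhatIf:$dryRun
        $action = if ($dryRun) { 'WouldAddSearchQueryInitiated' } else { 'AddedSearchQueryInitiated' }
    }

    [pscustomobject]@{
        User             = $upn
        Status           = if ($hasSearch) { 'AlreadyEnabled' } else { 'Missing' }
        AuditEnabled     = $mbx.AuditEnabled          # per-mailbox audit flag, for reference
        Action           = $action
        MailboxLocations = ($mbx.MailboxLocations -join '; ')
    }
}

$report | Format-Table -AutoSize
```

Run it once with $dryRun = $true to see which mailboxes need the change and which forest they sit in, then again with $dryRun = $false from the correct forest.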

Step 3: Set up audit retention policies

In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams. For more information, see Manage audit log retention policies.

Step 4: Search for Audit (Premium) events

After completing Step 1 and Step 2, you can search the audit log for the crucial Audit (Premium) events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations. For more information about conducting a forensic investigation of compromised user accounts by using the MailItemsAccessed Audit (Premium) event, see Use Audit (Premium) to investigate compromised accounts.