Audit Policy precedence

Chandu Atluri 0 Reputation points
2024-04-19T00:43:25.2633333+00:00

You have a Microsoft 365 E5 subscription.

A user named User1 is assigned a Microsoft 365 E5 license.

You create the following audit retention policies:

  • Audit1: Priority 10, no activity specified, applied to User1, duration 6 months
  • Audit2: Priority 20, SiteRenamed activity, no user specified, duration 90 days
  • Audit3: Priority 30, SiteRenamed activity, applied to User1, duration 10 years

User1 renames a Microsoft SharePoint Online site.

How long is the site renaming action of User1 retained in the audit log?

1 year, 6 months, 10 years, 90 days

In the practice assessment, Microsoft states that the answer is 90 days, however in the documentation I read that lower policies are interpreted as a higher precedence when evaluating audit policies.

https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal

  1. Priority: This value determines the order in which audit log retention policies in your organization are processed. A lower value indicates a higher priority. Valid priorities are numerical values between 1 and 10000. A value of 1 is the highest priority, and a value of 10000 is the lowest priority. For example, a policy with a value of 5 takes priority over a policy with a value of 10. Any custom audit log retention policy takes priority over the default policy for your organization.
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
936 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. PRADEEPCHEEKATLA-MSFT 77,426 Reputation points Microsoft Employee
    2024-04-19T03:15:08.1233333+00:00

    @Chandu Atluri - Thanks for the question and using MS Q&A platform.

    Based on the documentation you provided: Manage audit log retention policies, you are correct that lower priority values indicate higher precedence when evaluating audit policies. In this case, Audit1 has a priority of 10 and Audit3 has a priority of 30, so Audit3 would take precedence over Audit1. Since Audit3 has a duration of 10 years and applies to User1 for the SiteRenamed activity, the site renaming action of User1 would be retained in the audit log for 10 years.

    User's image

    It's always a good idea to stay up to date with any changes to retention policies to ensure that your organization is in compliance with any relevant regulations or policies.

    Hope this helps. Do let us know if you any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.