Set up Advanced Audit in Microsoft 365

If your organization has a subscription and end-user licensing that supports Advanced Audit, perform the following steps to set up and use the additional capabilities in Advanced Audit.

Workflow to set up Advanced Audit.

Step 1: Set up Advanced Audit for users

Advanced Audit features such as the ability to log crucial events such as MailItemsAccessed and Send require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users. To verify that the Advanced Auditing app is assigned to users, perform the following steps for each user:

  1. In the Microsoft 365 admin center, go to Users > Active users, and select a user.

  2. On the user properties flyout page, click Licenses and apps.

  3. In the Licenses section, verify that the user is assigned an E5 license or is assigned an appropriate add-on license. For a list of licenses that support Advanced Audit, see Advanced Audit licensing requirements.

  4. Expand the Apps section, and verify that the Microsoft 365 Advanced Auditing checkbox is selected.

  5. If the checkbox isn't selected, select it, and then click Save changes.

    The logging of audit records for MailItemsAccessed and Send will begin within 24 hours. You have to perform Step 2 to start logging of two other Advanced Audit events: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.

For organizations that assign licenses to groups of users by using group-based licensing, you have to turn off the licensing assignment for Microsoft 365 Advanced Auditing for the group. After you save your changes, verify that Microsoft 365 Advanced Auditing is turned off for the group. Then turn the licensing assignment for the group back on. For instructions about group-based licensing, see Assign licenses to users by group membership in Azure Active Directory.

Also, if you have customized the mailbox actions that are logged on user mailboxes or shared mailboxes, any new Advanced Audit events released by Microsoft will not be automatically audited on those mailboxes. For information about changing the mailbox actions that are audited for each logon type, see the "Change or restore mailbox actions logged by default" section in Manage mailbox auditing.

Step 2: Enable Advanced Audit events

You have to enable two Advanced Audit events (SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint) to be logged when users perform searches in Exchange Online and SharePoint Online. To enable these two events to be audited for users, run the following command (for each user) in Exchange Online PowerShell:

Set-Mailbox <user> -AuditOwner @{Add="SearchQueryInitiated"}

In a multi-geo environment, you must run the previous Set-Mailbox command in the forest where the user's mailbox is located. To identify the user's mailbox location, run the following command:

Get-Mailbox <user identity> | FL MailboxLocations

If the command to enable the auditing of search queries was previously run in a forest that's different from the one the user's mailbox is located in, you must remove the SearchQueryInitiated value from the user's mailbox by running Set-Mailbox <user> -AuditOwner @{Remove="SearchQueryInitiated"} and then add it again in the forest where the user's mailbox is located.
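As an added example (not part of the original page), the following Exchange Online PowerShell script checks each mailbox's AuditOwner setting and adds SearchQueryInitiated only where it is missing, printing MailboxLocations first so the change can be confirmed in the correct forest in a multi-geo tenant. The user list is a constructed sample and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: verify and enable SearchQueryInitiated owner auditing for a set of mailboxes.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with
# permission to run Get-Mailbox and Set-Mailbox. The identities below are a constructed sample.
$Users = @('alice@contoso.example', 'bob@contoso.example')

foreach ($User in $Users) {
    $Mailbox = Get-Mailbox -Identity $User -ErrorAction SilentlyContinue
    if (-not $Mailbox) {
        Write-Warning "$User : mailbox not found; check the identity and the connected forest."
        continue
    }

    # Multi-geo: show where the mailbox lives so Set-Mailbox is run in the forest that hosts it.
    $Locations = ($Mailbox.MailboxLocations | ForEach-Object { $_.ToString() }) -join '; '
    Write-Host "$User : MailboxLocations = $Locations"

    # Owner actions are only recorded when mailbox auditing itself is enabled.
    if (-not $Mailbox.AuditEnabled) {
        Write-Warning "$User : AuditEnabled is False; owner actions will not be logged."
    }

    # AuditOwner is multi-valued; check before adding so repeated runs are idempotent.
    if ($Mailbox.AuditOwner -contains 'SearchQueryInitiated') {
        Write-Host "$User : SearchQueryInitiated is already audited for owner actions."
    }
    else {
        Set-Mailbox -Identity $User -AuditOwner @{Add = 'SearchQueryInitiated'}
        Write-Host "$User : added SearchQueryInitiated to AuditOwner."
    }
}

# Post-check: report any mailbox still missing the action (for example, one hosted in another forest).
$Users |
    ForEach-Object { Get-Mailbox -Identity $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.AuditOwner -notcontains 'SearchQueryInitiated' } |
    Select-Object UserPrincipalName, AuditEnabled, AuditOwner
```

Mailboxes listed by the post-check need the Set-Mailbox command rerun from a session connected to the forest that hosts them, as described above.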

Step 3: Set up audit retention policies

In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams. For more information, see Manage audit log retention policies.

Step 4: Search for Advanced Audit events

After completing Step 1 and Step 2, you can search the audit log for crucial Advanced Audit events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations. For more information about conducting a forensic investigation of compromised user accounts by using the MailItemsAccessed Advanced Audit event, see Use Advanced Audit to investigate compromised accounts.