The Microsoft Purview compliance portal logs every file access, permission change, and sharing event across your SharePoint Online environment. Getting that data out follows a short sequence: run a search, wait for results, download a CSV. The catch is that each export is capped at 50,000 records and covers at most 90 days, which surprises admins the first time they try to pull a large dataset for a compliance review.
This guide walks through the full export process, explains how to work with the resulting file in Excel, and identifies the scenarios where the native export is not the right tool for the job.
What the SharePoint Online audit log captures
Microsoft Purview records SharePoint activity across several broad categories. Knowing which category an event falls under helps you narrow your search query rather than pulling every activity type and filtering in Excel afterward.
| Category | Example activities recorded |
|---|---|
| File and folder operations | FileAccessed, FileDownloaded, FileDeleted, FileModified, FileMoved, FolderCreated |
| Sharing and permission changes | SharingInvitationCreated, SharingLinkCreated, PermissionLevelAdded, AddedToGroup, SharingRevoked |
| Site and list administration | SiteAdminAdded, SiteCollectionAdminAdded, ListCreated, ListDeleted, ContentTypeAdded |
| Page and search events | PageViewed, PageCreated, SearchQueryPerformed, AnonymousLinkCreated |
| Recycle bin events | FileRecycled, FileRestored, RecycleBinItemsPurgedByAdministrator |
Purview records hundreds of distinct event types; the table covers the ones most SharePoint administrators query during a typical audit or incident investigation.
Permissions required to run an audit search
Audit log access lives in the Microsoft Purview compliance portal, not the SharePoint admin center. You need one of the following roles assigned in Purview:
- View-Only Audit Logs - read and export access, no ability to enable or manage auditing.
- Audit Logs - full access, including the ability to start auditing if it has not yet been enabled in the tenant.
Global Administrators and Compliance Administrators receive these roles by default. SharePoint Administrators do not, unless a Global Admin explicitly grants them a Purview role.
How to export SharePoint audit events to Excel
The steps below apply to the Microsoft Purview compliance portal using the unified audit search experience.
- Sign in to compliance.microsoft.com. Use an account with the View-Only Audit Logs or Audit Logs role assigned in Purview.
- Navigate to Audit. In the left navigation panel, expand Solutions and click Audit. If the Audit option is not visible, your account likely lacks the required Purview role.
- Set the date range. Enter a Start date and End date. One search covers at most 90 days. For investigations spanning longer periods, run multiple searches with non-overlapping windows and combine the CSV exports in Excel afterward.
- Select SharePoint activities. In the Activities field, type SharePoint or a specific event name such as FileDeleted to filter the activity list. Select the events you need. Leave the field empty to return all activity types across all Microsoft 365 workloads.
- Add optional scope filters. Enter one or more user principal names in the Users field to limit results to specific accounts. Use the File, folder, or site field to filter by URL. Both fields accept multiple entries.
- Run the search. Click Search. Purview processes the query asynchronously, showing a progress indicator. Broad queries against large tenants can take five to fifteen minutes.
- Check the result count before exporting. When the search completes, note the total records returned. If the count exceeds 50,000, narrow the date range or add filters before proceeding, because the export truncates silently.
- Export to CSV. Click Export, then Download all results. Purview generates a CSV file you can open directly in Excel.
Working with the exported CSV in Excel
The CSV Purview generates includes a fixed column layout. The most useful columns for SharePoint audits are:
| Column | What it contains | Common uses |
|---|---|---|
| CreationTime | UTC timestamp of the event | Filter by date range, sort chronologically |
| UserIds | UPN of the account that performed the action | Pivot by user to see who was most active, or isolate a specific account |
| Operations | Event type (FileDeleted, SharingLinkCreated, etc.) | Filter to specific event types for targeted investigation |
| ObjectId | Full URL of the file, folder, or site involved | Identify exactly which item was accessed or modified |
| SiteUrl | Base URL of the site collection | Filter all events to a single site without using URL parsing |
| AuditData | JSON blob with extended event details: IP address, user agent, target user for sharing events | Requires JSON parsing; use Power Query for large exports |
Filtering quickly without parsing AuditData
For most investigations, filtering on Operations and UserIds answers the key questions: who deleted this file, who created an external sharing link, which account removed a user from a group. Apply a column AutoFilter, select the event type you are investigating, and sort by CreationTime to read the sequence of events chronologically. This takes under two minutes on a typical 10,000-row export.
Parsing AuditData in Excel using Power Query
Select the AuditData column and load it into Power Query via Data > From Table/Range. In the query editor, add a custom column with the formula Json.Document([AuditData]) to expand the JSON into individual fields. This gives you access to IP addresses, user agents, and the target user for sharing events. The approach scales to exports with tens of thousands of rows without performance issues.
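The same expansion can be done outside Excel. The Python sketch below is an added example, not part of the original guide: it lifts a few AuditData keys into columns and records the CSV lines whose JSON does not parse instead of dropping them. The sample rows are constructed, and the key names ClientIP, UserAgent and TargetUserOrGroupName are assumptions about the JSON layout.

```python
import csv
import io
import json

# Constructed sample in the column layout described above (not real tenant data).
SAMPLE_CSV = '''CreationTime,UserIds,Operations,ObjectId,SiteUrl,AuditData
2024-05-02T09:14:07Z,alice@contoso.example,SharingInvitationCreated,https://contoso.example/sites/hr/pay.xlsx,https://contoso.example/sites/hr/,"{""ClientIP"":""203.0.113.10"",""UserAgent"":""Mozilla/5.0"",""TargetUserOrGroupName"":""ext@partner.example""}"
2024-05-02T09:20:41Z,bob@contoso.example,FileDeleted,https://contoso.example/sites/hr/old.docx,https://contoso.example/sites/hr/,"{""ClientIP"":""198.51.100.7""}"
2024-05-02T09:31:55Z,bob@contoso.example,FileAccessed,https://contoso.example/sites/hr/plan.docx,https://contoso.example/sites/hr/,"{""ClientIP"":""198.51.100.7"""
'''

# Assumed AuditData keys for IP address, user agent and sharing target.
FIELDS = ("ClientIP", "UserAgent", "TargetUserOrGroupName")


def expand_audit_data(csv_text):
    """Lift selected AuditData keys into columns.

    Returns (rows, bad_lines); bad_lines holds CSV line numbers whose
    AuditData was missing or not a JSON object, so they can be reviewed by hand.
    """
    rows, bad_lines = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            detail = json.loads(row.get("AuditData"))
            if not isinstance(detail, dict):
                raise ValueError("AuditData is not a JSON object")
        except (TypeError, ValueError):
            bad_lines.append(reader.line_num)
            detail = {}
        for field in FIELDS:
            row[field] = str(detail.get(field, ""))
        rows.append(row)
    return rows, bad_lines


def sharing_events(rows):
    """(time, actor, target, client IP) for every Sharing* operation."""
    return [(r["CreationTime"], r["UserIds"], r["TargetUserOrGroupName"], r["ClientIP"])
            for r in rows if (r.get("Operations") or "").startswith("Sharing")]


if __name__ == "__main__":
    rows, bad = expand_audit_data(SAMPLE_CSV)
    print(sharing_events(rows), "unparsed lines:", bad)
```

A non-empty list of unparsed lines usually means a cell was cut off or re-saved by a spreadsheet tool; re-export rather than trusting the remaining columns for those rows.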
Limitations to plan around
The 50,000-record export cap
No single Purview audit export can exceed 50,000 rows. If your search returns more, the export truncates silently; there is no warning. The fix is to split the date range into shorter windows, each producing a separate CSV, then append them in Excel using Power Query's Append Queries function.
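Because the truncation is silent, it helps to check every export against the cap when combining files. The Python sketch below is an added example, not part of the original guide: it plans the non-overlapping date windows described in the export steps, merges the resulting CSVs, drops rows repeated across window boundaries, and names any export whose row count reached the cap. The file names and sample rows are constructed, and the demo lowers the cap to 3 so the check fires on a tiny sample.

```python
import csv
import io
from datetime import date, timedelta

EXPORT_CAP = 50_000  # per-export row cap described above

HEADER = "CreationTime,UserIds,Operations,ObjectId\n"
# Constructed exports from two adjacent windows; the boundary row appears in both.
EXPORT_A = HEADER + (
    "2024-01-29T08:00:00Z,alice@contoso.example,FileAccessed,https://contoso.example/a.docx\n"
    "2024-01-30T10:00:00Z,bob@contoso.example,FileDeleted,https://contoso.example/b.docx\n"
    "2024-01-30T23:59:59Z,bob@contoso.example,FileRecycled,https://contoso.example/c.docx\n")
EXPORT_B = HEADER + (
    "2024-01-30T23:59:59Z,bob@contoso.example,FileRecycled,https://contoso.example/c.docx\n"
    "2024-01-31T07:30:00Z,alice@contoso.example,FileRestored,https://contoso.example/c.docx\n")


def split_windows(start, end, days):
    """Cut [start, end] into consecutive, non-overlapping windows of <= days."""
    if days < 1 or start > end:
        raise ValueError("need days >= 1 and start <= end")
    windows, cur = [], start
    while cur <= end:
        stop = min(cur + timedelta(days=days - 1), end)
        windows.append((cur, stop))
        cur = stop + timedelta(days=1)
    return windows


def merge_exports(exports, cap=EXPORT_CAP):
    """Merge {name: csv_text}; return (rows, names whose row count hit the cap)."""
    seen, merged, at_cap = set(), [], []
    for name, text in exports.items():
        rows = list(csv.DictReader(io.StringIO(text)))
        if len(rows) >= cap:  # a full export may have been cut off silently
            at_cap.append(name)
        for row in rows:
            key = tuple(str(v) for v in row.values())
            if key not in seen:  # drop rows repeated across window boundaries
                seen.add(key)
                merged.append(row)
    merged.sort(key=lambda r: r["CreationTime"])  # assumes ISO 8601 UTC timestamps
    return merged, at_cap


if __name__ == "__main__":
    print(split_windows(date(2024, 1, 1), date(2024, 3, 30), 30))
    rows, at_cap = merge_exports({"a.csv": EXPORT_A, "b.csv": EXPORT_B}, cap=3)
    print(len(rows), "rows; re-run with a narrower window:", at_cap)
```

Deduplication compares whole rows, so keep the AuditData column in real exports; without it, two genuine events in the same second on the same item would collapse into one.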
The 90-day window per search
Each search covers at most 90 days for Microsoft 365 E3 tenants and 180 days for E5. Events older than your plan's retention period are permanently unavailable. For the full retention defaults by plan, see the SharePoint audit log retention reference.
When the audit log is the wrong tool
Purview audit search is designed for compliance and security investigations involving specific events and timelines. It is not designed for routine administration tasks: generating a permission matrix for a library, listing all external users across site collections, or building a recurring sharing report. Those tasks belong in ShareMaster's Report Master, which produces structured permission and sharing reports from SharePoint directly and exports them to Excel without requiring Purview access.
Frequently Asked Questions
How long does Microsoft Purview keep SharePoint audit records?
The default retention period is 90 days for Microsoft 365 E3 licences and 180 days for E5. Microsoft Purview Audit Premium extends retention to one year or more as a paid add-on. Records beyond the retention window are permanently gone.
What is the maximum number of records I can export at once?
A single Purview audit export is capped at 50,000 rows. If your search returns more results, split the query into shorter date ranges or narrow by user or URL, then combine the resulting CSV files in Excel.
Do I need Global Admin access to export the SharePoint audit log?
No. The View-Only Audit Logs or Audit Logs role in Microsoft Purview is sufficient. Global Administrators and Compliance Administrators have these roles by default. A SharePoint Administrator alone does not have access to Purview audit search without an explicit Purview role assignment.
Can I export SharePoint permission data to Excel without using Purview?
Yes. ShareMaster's Report Master exports permission matrices, external user lists, and version data to Excel from a connected SharePoint Online tenant, with no Purview or Compliance Admin access required.