Your input shapes our product. Suggest a feature now →
Features Pricing Demos Add-ons Blog Guides Use cases Compare Tools Alerts FAQ Contact Sign in Start free trial
  1. Home
  2. Tools
  3. Audit Log Retention Reference

SharePoint Audit Log Retention: What Admins Need to Know

Retention period by licence tier - quick reference. Scroll down for event categories, access methods, and frequently asked questions.

Microsoft 365 plan or licence Default retention Extended maximum
Business Basic / Standard / Premium 90 days 90 days
F1 / F3 (Frontline Worker) 90 days 90 days
E3 / A3 / G3 90 days 90 days
E5 / A5 / G5 (Purview Audit Premium included) 1 year 10 years via retention policy
E5 Compliance add-on (applied to E3 users) 1 year 10 years via retention policy
Microsoft Purview Audit (Premium) standalone 1 year 10 years via retention policy
Note: Extended retention applies per-user, not per-tenant. In a mixed-licence environment, audit events generated by E3 or unlicensed accounts revert to the 90-day default, even when the tenant has E5 seats assigned to other users.

What Is the Microsoft 365 Unified Audit Log?

The Unified Audit Log (UAL) is a centralised activity log shared across Microsoft 365 workloads including SharePoint Online, Exchange Online, Microsoft Teams, OneDrive for Business, and Entra ID. All SharePoint audit events are written to the UAL. Microsoft retired the classic SharePoint-specific audit reports that once lived under Site Settings, and the UAL is now the sole audit trail for SharePoint Online activity.

The UAL is hosted and managed by Microsoft. You cannot adjust the retention period through SharePoint or the Microsoft 365 admin centre; retention is governed by the Purview Audit (Standard vs. Premium) tier assigned to each user who generates the event.

SharePoint Events Captured in the Audit Log

Standard events (all plans)

The following categories of SharePoint events are captured automatically at no additional cost on any Microsoft 365 plan:

Event category Examples recorded
File operations Accessed, modified, deleted, moved, copied, previewed, uploaded, downloaded, recycled, restored from recycle bin
Sharing and permissions Sharing link created or removed, invitation sent, permission level changed, unique permissions broken or reset, external sharing blocked
Site and list management Site collection created or deleted, list or library created or deleted, content type added or removed, column added or deleted
Recycling bin Item moved to recycle bin, item permanently deleted, item restored, second-stage recycle bin emptied
Sensitivity and compliance Sensitivity label applied, changed, or removed; DLP policy match; retention label applied; hold placed on site

Premium events (E5 / Purview Audit Premium only)

Microsoft Purview Audit (Premium) adds two event categories not available on standard plans:

Premium event What it records Why it matters
MailItemsAccessed (Exchange) Every access to email items, not just sends/receives Critical for forensic investigation of compromised accounts reading sensitive email
SharePoint search queries The exact search terms a user entered within SharePoint Useful for investigating whether a user actively searched for sensitive documents before an incident

Accessing and Exporting SharePoint Audit Logs

Microsoft Purview compliance portal

The recommended starting point for ad-hoc investigation. Navigate to purview.microsoft.com, select Audit, then filter by workload (SharePoint, SharePoint file and page activities, or SharePoint sharing and access request activities). Set a date range, optionally restrict to specific users or sites, and run the search. Export results to CSV directly from the portal.

Allow 30 minutes to 24 hours for new events to become searchable. High-volume tenants sometimes experience longer indexing delays for less common event types.

PowerShell

The Search-UnifiedAuditLog cmdlet in the Exchange Online Management module returns audit records programmatically. Commonly used parameters:

  • -RecordType SharePoint: file, folder, and site events
  • -RecordType SharePointSharingOperations: sharing and permission events
  • -Operations FileDeleted,FileRecycled: filter to specific operations
  • -UserIds user@contoso.com: restrict results to a single account
  • -ResultSize 5000: maximum records per call; use -SessionId with -SessionCommand ReturnNextPreQueryResults for pagination

Microsoft Graph and Management Activity API

The Office 365 Management Activity API is designed for streaming high-volume audit events into a SIEM or data lake. The Microsoft Graph /auditLogs endpoint suits targeted queries in custom applications. Both require an app registration in Entra ID with the ActivityFeed.Read or equivalent permission scope.

Frequently Asked Questions

How long are SharePoint audit logs kept by default?

SharePoint audit logs are stored in the Microsoft 365 Unified Audit Log and kept for 90 days by default. Microsoft 365 E5 or Microsoft Purview Audit (Premium) licences extend retention to one year per assigned user. A Purview audit log retention policy can push that to 10 years.

Does SharePoint Online have its own audit log?

No. SharePoint Online no longer has a standalone audit log interface. Microsoft retired the classic SharePoint audit reports and now routes all SharePoint events into the Microsoft 365 Unified Audit Log, searchable via the Microsoft Purview compliance portal.

How do I export SharePoint audit logs to CSV?

In the Microsoft Purview compliance portal, open Audit, set the date range and workload filter to SharePoint, run the search, then click Export. Results download as a CSV file. For scripted exports, use the Search-UnifiedAuditLog PowerShell cmdlet with the -RecordType SharePoint parameter.

For a broader reference on SharePoint Online operational limits, see the SharePoint Online limits reference. To audit and bulk-manage shared links and unique permissions across your tenant, see how to audit SharePoint shared links.

Try ShareMaster free for 14 days