Allow Exchange Admin Auditing retention to be increased past 90 days
The commands Set-AdminAuditLogConfig -AdminAuditLogAgeLimit do not work on 365. We have a requirement to keep all admin logs for 3 years but this cannot be performed.
At this point, the Office 365 service only allows for the retention of audit entries for 90 days. Can you provide us more information regarding your requirement to keep logs for 3 years. Is this a legal obligation? Please provide details around the specific audit entries you would like to retain for an extended period of time.
Fabrizio Alberti commented
It looks like a joke. After about 3 years, still in "Tell us more"? Gdpr and some regulations require at least 180 days and still 90 days. Microsoft must become more reactive in some circumstances like this and provide for each type of license what the laws provide.
90 days is not nearly enough when you are investigating why one or another thing happened on the tenant. For example I saw a newly created global admin account, but could not find who or why did this because it was past 90 days.
Admin - Please change Status from 'TELL US MORE' to 'WORKING ON IT'
O365 Audit logs are now available beyond 90 days for E5 customers. This feature is in Preview. More details here - https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#before-you-begin
"The one-year retention period for audit records for E5 organizations (or E3 organizations that have Advanced Compliance add-on licenses) is currently available only as part of a private preview program. To enroll in this preview program, please file a request with Microsoft Support and include the following as the description of what you need help with: "Long-term Office 365 audit log private preview".
We are often asked for details form logs beyond the current remit of 90 days. Whilst we could do some back handed things like using Splunk (which takes a lot of effort and isn't 100% reliable as you are taking the data out of one place and putting it somewhere else and therefore you lose the validity and reliability) but this should be available for all by default. This is an ongoing service but the logs are often required some time after the original event occurred.
As another has mentioned -this is Office 365 and not Office90! :)
Deepesh Mali commented
No option to change the -AdminAuditLogAgeLimit to 365 days . we have got O365 E5 licensing and as per this article https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance
O365 E5 audit logs are retained for 1 year ; but cant see the option to change and even in search and compliance the logs go back to only 90 days
Michael Burke commented
Can we get an update on this request? Log retention is part of almost every IT function. Let's open up retention to a much larger time frame.
how long can you log information for?
This is Office 365, not Office 90.
Nilang Shah commented
I agree by the previous comments by Scott! if you provided a choice - 90 days standard at no cost, and above 90 days will have a cost against your tenant storage allocation - which would be fine by us as well and reduce the cost and complexity dramatically which comes with 3rd party solutions.
There are a plethora of government regulations which require retention of data for periods much longer than 90 days. Honestly, I can't think of a single legal requirement that, if applicable to logs, would be any period of time measured in the "days." More like, the "years."
The workaround mentioned by Scott is obviously feasible, but definitely shouldn't be the only way available.
I can help with the above, as we are facing the issue with SharePoint Online and OneDrive for Business. We have a legal requirement (we are a legal firm) to hold Audit data for an unlimited period of time.
We have no issue in this being counted against our storage within the tenant, but to resolve this we are having to look at costly third party solutions to export the logs using an API and hold them in an on-premise SQL DB.
It would be much easier if you provided a choice - 90 days standard at no cost, and above 90 days will have a cost against your tenant storage allocation - which would be fine by us!
You mean something like this?
So this article is wrong? on step 4.
I tried with support and even if its set to 365 days via powershell it only lets you search for the last 90 days like the admin above states. But why!!!!! Why does the article say you can increase it to 180.
As noted by the admin, the default is 90 days. However, if you have a requirement you can use the Office 365 Management API and ingest the data into your own database, or CASB/SIEM application. This will allow you to meet your legal retention requirements for auditing. to get started with the management API, see the Following Link:
We also have the need to extend or even reduce this number, its part of a Regulator requirement when working in the Financial sector in the UK. Can this be opened up for 365?