Audit Log/ Mixed Tenancy

Hi, Barry Briggs,

Thank you for posting your question here. I understand you're looking for clarification on audit (premium) and whether or not the "E5" requirement is per user or a tenant-level requirement, to include the retention portion of the audit log.

For question 1, it is my understanding that you will only be able to collect logs that fall under the premium, E5 feature for users that are assigned the appropriate license. If user A is E5 licensed, they're logs should appear if you performed a tenant wide on a premium-only log, such as "Performed SharePoint Search" (SearchQueryInitiatedSharePoint), you would be able to see that User A had performed the action. User B, who does not have the premium license, would not appear in your search, even if they had performed the same action.

The information is the link details that the user must have the E5 license, as well as ensure the "Microsoft 365 Advanced Auditing" feature within the license is enable.

https://learn.microsoft.com/en-us/purview/audit-premium-setup#step-1-set-up-audit-premium-for-users

Fore question 2, regarding retention, the same as above applies here as well. Only users with an appropriate license may have their logs retained outside the default window.

Here are a couple Microsoft learn doc links that may help.

Manage audit log retention policies | Microsoft Learn

https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-audit-premium

I hope this helps answer your questions, please do let me know if we were looking for different information.