Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Audit Log/ Mixed Tenancy

Copper Contributor

Question about how Audit Logs work with mixed E5/E3 tenancies. 

 

1) For events that are only supported by E5, for example MailItemsAccessed, does the Audit Log record such events only for those users that have E5 license? If that is the case, does that mean that the decision to log is made at the user-context level and not by the log; i.e., the log simply writes whatever it's told to? (I understand that MailItemsAccessed may be added to E3-level tenancies, but interested how the Log works.) 

2) Following up on that, in a mixed E5/E3 tenancy, how does retention work. Does the Log selectively purge based on user license level or does the log support the highest of all levels in the tenancy (for example, if one user is E5, does the whole Log support E5 retention or just for that user)? 

 

Thanks

Barry

4 Replies
Hello @Barry Briggs

look the website
https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts

The new MailItemsAccessed action is part of the new Audit (Premium) functionality. It's part of Exchange mailbox auditing and is enabled by default for users that are assigned an Office 365 or Microsoft 365 E5 license or for organizations with a Microsoft 365 E5 Compliance add-on subscription.

The MailItemsAccessed mailbox-auditing action covers all mail protocols: POP, IMAP, MAPI, EWS, Exchange ActiveSync, and REST. It also covers both types of accessing mail: sync and bind.....................................
Sorry, this was not my question. My question was, if you have *both* E3 *and* E5 users in a tenancy, how does event reporting and retention work in the Audit log.

Hi, @Barry Briggs,

 

Thank you for posting your question here. I understand you're looking for clarification on audit (premium) and whether or not the "E5" requirement is per user or a tenant-level requirement, to include the retention portion of the audit log.

 

For question 1, it is my understanding that you will only be able to collect logs that fall under the premium, E5 feature for users that are assigned the appropriate license. If user A is E5 licensed, they're logs should appear if you performed a tenant wide on a premium-only log, such as "Performed SharePoint Search" (SearchQueryInitiatedSharePoint), you would be able to see that User A had performed the action. User B, who does not have the premium license, would not appear in your search, even if they had performed the same action.

 

The information is the link details that the user must have the E5 license, as well as ensure the "Microsoft 365 Advanced Auditing" feature within the license is enable.

 

https://learn.microsoft.com/en-us/purview/audit-premium-setup#step-1-set-up-audit-premium-for-users

 

Fore question 2, regarding retention, the same as above applies here as well. Only users with an appropriate license may have their logs retained outside the default window.

 

Here are a couple Microsoft learn doc links that may help.

 

Manage audit log retention policies | Microsoft Learn

 

https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/m...

 

I hope this helps answer your questions, please do let me know if we were looking for different information.

Thanks Mike. These are my conclusions as well. What that implies however is that the deletion process has to understand if a given log entry was made by an E3 or E5 user, which it probably does. Thanks!