%3CLINGO-SUB%20id%3D%22lingo-sub-1183488%22%20slang%3D%22en-US%22%3EPower%20faster%20and%20more%20effective%20forensic%20and%20compliance%20investigations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1183488%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20pleased%20to%20share%20that%20Advanced%20Audit%20for%20Microsoft%20365%20is%20now%20rolling%20out.%20The%20new%20set%20of%20capabilities%20are%20aimed%20to%20power%20faster%20and%20more%20effective%20forensic%20compliance%20investigations.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20updates%20include%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExtending%20the%20preservation%20of%20a%20user%E2%80%99s%20audit%20activities%20from%2090%20days%20to%201%20year%3C%2FLI%3E%0A%3CLI%3EIncreasing%20bandwidth%20access%20to%20the%20Management%20Activity%20API%3C%2FLI%3E%0A%3CLI%3EAccess%20to%20crucial%20events%20for%20investigations%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3ELonger-term%20retention%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ECurrently%2C%20audit%20logs%20are%20retained%20for%2090%20days%20by%20default.%20With%20Advanced%20Audit%20you%20are%20now%20able%20to%20retain%20audit%20logs%20for%20more%20than%2090%20days%20and%20up%20to%201%20year%20for%20eligible%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20apply%20the%20custom%20retention%20policy%2C%20within%20the%20audit%20log%20search%2C%20you%20can%20create%20a%20new%20retention%20policy%20and%20choose%20the%20appropriate%20duration%20within%20the%20UI%20or%20through%20cmdlets.%20You%20can%20also%20add%20more%20policies%20or%20customize%20existing%20ones.%20More%20details%20are%20available%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Faudit-log-retention-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22rentention%20policy%20with%20mailitemsaccessed%20activity%20for%20alex.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F172150i70ED1FECF4E5CA9F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22rentention%20policy%20with%20mailitemsaccessed%20activity%20for%20alex.PNG%22%20alt%3D%22%5BImage%3A%20Add%20a%20new%20retention%20policy%20for%20an%20individual%20user%E2%80%99s%20audit%20log%20activities%20for%20up%20to%201%20year%5D%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3E%5BImage%3A%20Add%20a%20new%20retention%20policy%20for%20an%20individual%20user%E2%80%99s%20audit%20log%20activities%20for%20up%20to%201%20year%5D%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFaster%20access%20to%20data%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20the%20past%2C%20customers%20consuming%20logs%20through%20the%20Office%20365%20Management%20Activity%20API%20were%20limited%20by%20throttling%20limits%20at%20the%20publisher%20level%2C%20which%20means%20that%20for%20a%20publisher%20pulling%20data%20on%20behalf%20of%20multiple%20customers%2C%20the%20limit%20was%20shared%20by%20all%20those%20customers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20this%20release%2C%20we%20are%20moving%20from%20publisher-based%20to%20tenant-based%20limits%20so%20each%20tenant%20will%20get%20their%20fully%20allocated%20bandwidth%20quota%20to%20access%20their%20auditing%20data.%20The%20bandwidth%20will%20be%20determined%20by%20a%20combination%20of%20factors%20including%20the%20number%20of%20seats%20in%20the%20tenant%20and%20their%20license%20subscription.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAll%20tenants%20will%20start%20with%20a%20baseline%20of%202%2C000%20requests%20per%20minute%20and%20will%20go%20up%20depending%20on%20their%20seat%20count%2C%20and%20E5%20customers%20with%20Advanced%20Audit%20will%20get%20more%20bandwidth%20than%20non-E5%20customers%20to%20provide%20faster%20access%20to%20data.%20Note%20that%20there%20will%20also%20be%20an%20upper%20cap%20for%20bandwidth%20to%20protect%20the%20health%20of%20the%20service.%20You%20can%20learn%20more%20from%20our%20documentation%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice%2Foffice-365-management-api%2Foffice-365-management-activity-api-reference%23api-throttling%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAccess%20crucial%20events%20for%20investigations%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWith%20Advanced%20Audit%2C%20one%20of%20the%20first%20events%20we%20are%20releasing%20is%20%3CEM%3EMailItemsAccessed%3C%2FEM%3E.%20With%20this%20new%20event%2C%20access%20of%20data%20over%20mail%20protocols%2Fclients%20will%20be%20audited%20to%20help%20investigators%20better%20understand%20scope%20of%20compromise.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20%3CEM%3EMailItemsAccessed%3C%2FEM%3E%20action%20is%20exposed%20as%20a%20part%20of%20Exchange%20Mailbox%20Auditing%20and%20is%20enabled%20by%20default.%20You%20can%20learn%20more%20from%20our%20documentation%20here.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Access%20to%20critical%20events.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F172152i9475D25734082D09%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Access%20to%20critical%20events.PNG%22%20alt%3D%22%5BImage%3A%20users%20can%20now%20see%20audit%20activity%20such%20as%20the%20MailItemsAccessed%20event%5D%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3E%5BImage%3A%20users%20can%20now%20see%20audit%20activity%20such%20as%20the%20MailItemsAccessed%20event%5D%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGet%20Started%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EFor%20Microsoft%20365%20E5%20customers%2C%20Advanced%20Audit%20is%20rolling%20out%20over%20the%20next%20few%20weeks.%20You%20can%20also%20sign%20up%20for%20a%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FM365E5ComplianceTrial%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Etrial%3C%2FA%3E%26nbsp%3Bor%20navigate%20to%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcompliance.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20365%20compliance%20center%3C%2FA%3E%26nbsp%3Bto%20get%20started%20today.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELearn%20more%20about%20what%E2%80%99s%20new%20with%20Advanced%20Audit%20and%20how%20to%20configure%20policies%20in%20your%20tenant%20in%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fadvanced-audit%23high-value-audit-events%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esupporting%20documentation%3C%2FA%3E.%20We%20look%20forward%20to%20hearing%20your%20feedback.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1183488%22%20slang%3D%22en-US%22%3E%3CP%3EAdvanced%20Audit%20in%20Microsoft%20365%20is%20now%20rolling%20out%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1183488%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1184858%22%20slang%3D%22en-US%22%3ERe%3A%20Power%20faster%20and%20more%20effective%20forensic%20and%20compliance%20investigations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1184858%22%20slang%3D%22en-US%22%3E%3CP%3EE5%20only%20again%20or%20is%20it%20available%20in%20different%20plans%20as%20well%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1187474%22%20slang%3D%22en-US%22%3ERe%3A%20Power%20faster%20and%20more%20effective%20forensic%20and%20compliance%20investigations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1187474%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20great.%20Default%20audit%20log%20policy%20covers%20SharePoint%2C%20Exchange%2C%20AAD%20workload%20Only%20%3F.%20Most%20of%20my%20customers%20require%20all%20activities%20from%20all%20workloads%20to%20be%20retained%20for%201%20year%20for%20compliance%20requirement.%20Can%20you%20consider%20extending%20the%20default%20policy%20to%20cover%20all%20activities%20from%20all%20workloads%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

We are pleased to share that Advanced Audit for Microsoft 365 is now rolling out. The new set of capabilities are aimed to power faster and more effective forensic compliance investigations.

 

These updates include:

  • Extending the preservation of a user’s audit activities from 90 days to 1 year
  • Increasing bandwidth access to the Management Activity API
  • Access to crucial events for investigations

Longer-term retention

Currently, audit logs are retained for 90 days by default. With Advanced Audit you are now able to retain audit logs for more than 90 days and up to 1 year for eligible users.

 

To apply the custom retention policy, within the audit log search, you can create a new retention policy and choose the appropriate duration within the UI or through cmdlets. You can also add more policies or customize existing ones. More details are available here.

 

[Image: Add a new retention policy for an individual user’s audit log activities for up to 1 year][Image: Add a new retention policy for an individual user’s audit log activities for up to 1 year]

 

Faster access to data

In the past, customers consuming logs through the Office 365 Management Activity API were limited by throttling limits at the publisher level, which means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers.

 

With this release, we are moving from publisher-based to tenant-based limits so each tenant will get their fully allocated bandwidth quota to access their auditing data. The bandwidth will be determined by a combination of factors including the number of seats in the tenant and their license subscription.

 

All tenants will start with a baseline of 2,000 requests per minute and will go up depending on their seat count, and E5 customers with Advanced Audit will get more bandwidth than non-E5 customers to provide faster access to data. Note that there will also be an upper cap for bandwidth to protect the health of the service. You can learn more from our documentation here.

 

Access crucial events for investigations

With Advanced Audit, one of the first events we are releasing is MailItemsAccessed. With this new event, access of data over mail protocols/clients will be audited to help investigators better understand scope of compromise.

 

The new MailItemsAccessed action is exposed as a part of Exchange Mailbox Auditing and is enabled by default. You can learn more from our documentation here.

 

[Image: users can now see audit activity such as the MailItemsAccessed event][Image: users can now see audit activity such as the MailItemsAccessed event]

 

Get Started

For Microsoft 365 E5 customers, Advanced Audit is rolling out over the next few weeks. You can also sign up for a trial or navigate to the Microsoft 365 compliance center to get started today. 

 

Learn more about what’s new with Advanced Audit and how to configure policies in your tenant in this supporting documentation. We look forward to hearing your feedback.

2 Comments
Contributor

E5 only again or is it available in different plans as well?

Occasional Contributor

This is great. Default audit log policy covers SharePoint, Exchange, AAD workload Only ?. Most of my customers require all activities from all workloads to be retained for 1 year for compliance requirement. Can you consider extending the default policy to cover all activities from all workloads ?