Microsoft 365 audit logs what you actually own.

Microsoft 365 audit logs live in three places. License tier, retention add ons, and Sentinel ingestion drive cost more than the security team usually realizes.

Microsoft 365 produces audit signal in many places. The official log layer is the Unified Audit Log inside Purview.

Purview Audit Standard ships with most E3 and E5 plans. Purview Audit Premium adds longer retention and richer event types.

Sentinel can ingest the Unified Audit Log as another data source. That ingest is billed in Azure, which is where most surprise cost shows up.

The three audit log surfaces

Audit data flows through three Microsoft surfaces in most enterprise tenants.

Unified Audit Log

The Unified Audit Log is the foundational layer. It captures activity across Exchange Online, SharePoint, OneDrive, Teams, Entra ID, Defender, and many other services.

• Surfaced through Purview, the Microsoft Graph Audit API, and Office 365 Management Activity API.
• Retention window depends on license tier and add on.
• Event coverage is wide but not exhaustive across every workload.

Purview Audit Standard and Premium

Purview Audit packages the Unified Audit Log with retention, search, and event types.

• Standard ships with E3, E5, and most enterprise plans.
• Premium adds longer retention up to 10 years and richer events such as MailItemsAccessed.
• Retention add ons are sold separately and stack on top of Premium.

Sentinel and audit log ingest

Sentinel ingests the Office 365 Audit Log as a data source through a built in connector.

• Ingest is metered by gigabyte per day.
• Commitment tiers and pay as you go pricing apply.
• Audit log data is typically a high signal, high volume Sentinel feed and should be governed deliberately.

Retention tiers in 2026

Retention is the most misunderstood part of the audit log stack.

Default retention windows

Microsoft has shifted retention defaults over the past two years. The numbers in legacy documentation are often out of date.

• E3 with Purview Audit Standard: 180 days of Unified Audit Log retention.
• E5 with Purview Audit Standard: 365 days.
• Purview Audit Premium: 365 days by default with paid extension up to 10 years.
• Retention is per audit record, not per user.

Retention extension

Retention can be extended through add on policies and licensed retention SKUs.

• Retention policies are scoped per workload.
• Up to 10 years is the published maximum for premium retention.
• Retention beyond 10 years is not natively supported. Use Sentinel or cold storage.

How licensing actually drives audit log cost

The buyer side challenge is that audit logging is bundled into several different licenses and add ons.

E3 estates

E3 includes Purview Audit Standard. Premium can be added per user.

• Purview Audit Premium add on per user.
• Retention add on stacks on Premium.
• Defender for Office 365 Plan 2 unlocks additional Defender audit events.

E5 estates

E5 includes Purview Audit Premium for most workloads.

• Premium is included.
• Long retention up to 10 years still needs the retention add on.
• Sentinel ingest is licensed and billed separately.

Audit log retention is a procurement decision, not just a security decision. Right size it before the next EA renewal, not after.

Governance moves that cut waste

A small set of decisions drives most of the cost. Each one is reversible.

Scope ingest, do not flood

Ingesting every audit event into Sentinel is expensive and often unnecessary.

Set a retention baseline by data class

Different data classes need different retention windows. A single 10 year retention for everything is rarely justified.

Quarterly review

Re evaluate retention, ingestion, and license mix every quarter. The technology evolves faster than annual renewals.

Common pitfalls

Most audit log overspend traces back to a small number of recurring decisions.

Paying twice for retention

Both Purview Audit Premium and Sentinel can store the same data. Many estates pay for both without intent.

Overly broad retention policies

Applying 10 year retention to every workload inflates cost without proportional value.

No ingest monitoring

Audit log ingest to Sentinel can grow quietly. Without anomaly alerts, it surfaces a quarter late on the bill.

Suggested reading

• Microsoft 365 license optimization. Cross vendor reading from the wider library.
• Microsoft software audit defense. Cross vendor reading from the wider library.
• Microsoft 365 Copilot enterprise licensing. Cross vendor reading from the wider library.

What to do next

1. List every workload that produces audit data in your tenant. Include Defender, Entra, and third party connectors.
2. Document current retention windows by workload, including any retention add ons applied.
3. Audit your Sentinel ingest by data type. Identify any audit log feed that overlaps Purview retention.
4. Set a retention baseline by data classification. High value data may need 10 years. General activity rarely does.
5. Cancel duplicate retention paths and consolidate where possible.
6. Add monthly ingest alerts in Azure cost management for Sentinel.
7. Re scope audit log add ons at the next EA renewal, not in panic mid term.
8. Engage independent advisory before agreeing to long term retention SKUs.

Frequently asked questions

How long are Microsoft 365 audit logs kept by default?

Microsoft 365 audit logs are retained for 180 days at E3 and 365 days at E5 under Purview Audit Standard in 2026. Purview Audit Premium extends retention up to 10 years with the appropriate add on.

What is the difference between Purview Audit Standard and Premium?

Standard ships with E3 and E5 and covers basic audit events with up to 365 days of retention. Premium adds high value events such as MailItemsAccessed, supports retention up to 10 years, and is included in E5.

Do I need Sentinel to retain audit logs longer than 10 years?

Yes, or another archive platform. Native Purview retention caps at 10 years. Sentinel supports archive tiers and longer retention through long term storage, but the cost model is different.

Is it more expensive to retain in Sentinel or in Purview?

It depends on volume. Purview retention is licensed per user and per workload. Sentinel retention is billed by data volume. For large estates with selective ingest, Sentinel can be cheaper. For broad retention on all users, Purview is usually cheaper.

Can I rely on E3 alone for compliance audit logging?

E3 provides 180 day Unified Audit Log retention plus Purview Audit Standard. For many regulated industries this is insufficient. The Premium add on or E5 is usually needed for adequate retention and event coverage.

What audit events are not in Purview at all?

Some Defender events, third party SaaS audit data, and infrastructure level logs are not in Purview. These typically require Defender XDR, Sentinel connectors, or third party SIEM connectors to retain.