Managing Search & Investigation
This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.
You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.
- Learn about Content Search and other search and investigation tools that are used to perform content searches
- Export Content Search results
- Learn how to configure audit log retention and audit policy
- Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
- Configure Core eDiscovery and create cases
- Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases
This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.
To get the most out of this course, you should already have some basic experience of working with Microsoft 365.
Hello, and welcome to audit log retention!
Audit log retention policies are used to specify how long audit logs in your organization should be retained. They are part of the Advanced Audit capabilities that Microsoft 365 offers, and they are created and managed using the Security & Compliance Center.
Audit logs can be retained for up to 10 years, and the audit log policies you create can be based on a few different criteria. For example, you can create audit log policies that are based on the Microsoft 365 activities for a specific user, or based on Microsoft 365 activities for all users. Priority levels can be used to determine which policy takes precedence in cases where you have multiple policies in place.
While you can configure custom audit log retention policies to fit your needs, the Microsoft 365 Advanced Audit feature provides a default audit log retention policy right out of the box. This default audit log policy, which cannot be modified, retains all Exchange data, all SharePoint data, and all Azure Active Directory audit records for a year.
I should mention, however, that the default audit log retention policy only applies to the audit records for users who have been assigned an Office 365 license, a Microsoft 365 E5 license, a Microsoft 365 E5 Compliance license, or an E5 eDiscovery and Audit add-on license. Audit records for guest users and users without an E5 license are retained for 90 days.
Before you can create or modify audit retention policies, you need to have been assigned the Organization Configuration role in the Security & Compliance Center. It’s also important to note that the maximum number of audit log retention policies allowed within an organization is 50.
It’s also important to remember that a custom audit log retention policy will always take precedence over the default retention policy for the organization.
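The following PowerShell sketch is an added example, not part of the course material. It creates a custom retention policy scoped to one user's Exchange activity, after checking the 50-policy limit and that the chosen priority is not already in use. The admin account, policy name, user ID and priority value are placeholders, and the script assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Organization Configuration role.

```powershell
# Added example. Placeholders (not from the course): admin UPN, policy name,
# target user and priority value. Run with the Organization Configuration role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$MaxPolicies = 50   # per-organization limit stated in the lesson

# Custom policy: keep Exchange audit records for one privileged account
# for the maximum duration the lesson mentions.
$policy = @{
    Name              = 'PrivAdmin-Exchange-10y'
    Description       = 'Exchange audit records for one privileged account, 10 years'
    RecordTypes       = 'ExchangeAdmin', 'ExchangeItem'
    UserIds           = 'priv.admin@contoso.example'
    RetentionDuration = 'TenYears'
    Priority          = 100
}

# Read the current custom policies once and validate before changing anything.
$existing = @(Get-UnifiedAuditLogRetentionPolicy)

if ($existing.Count -ge $MaxPolicies) {
    throw "Already at $($existing.Count) retention policies (limit $MaxPolicies)."
}
if ($existing.Name -contains $policy.Name) {
    throw "A policy named '$($policy.Name)' already exists."
}
# Keep priorities distinct so precedence between overlapping policies is unambiguous.
$clash = $existing | Where-Object { $_.Priority -eq $policy.Priority }
if ($clash) {
    throw "Priority $($policy.Priority) is already used by '$($clash.Name)'."
}

New-UnifiedAuditLogRetentionPolicy @policy

# Review the resulting set in priority order. The default policy cannot be
# modified, and any matching custom policy takes precedence over it.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, Priority, RetentionDuration, RecordTypes, UserIds -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```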
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.