DEMO: Create and Configure an Audit Log Retention Policy
Start course

This course explores how to implement and manage auditing and eDiscovery in Microsoft 365. We'll start by covering Content Search and other search and investigation tools that are used to perform content searches, and how to export content search results.

You'll also learn about auditing management, before moving on to Core eDiscovery and how to search content using the Security & Compliance Admin Center. You’ll also learn how to configure Core eDiscovery and how to create cases. Finally, we'll cover Advanced eDiscovery, and you’ll learn what Advanced eDiscovery is, how to set it up, and how to create and manage Advanced eDiscovery cases.

Learning Objectives

  • Learn about Content Search and other search and investigation tools that are used to perform content searches
  • Export Content Search results
  • Learn how to configure audit log retention and audit policy
  • Learn what Core eDiscovery is and how to search content using the Security & Compliance Admin Center
  • Configure Core eDiscovery and how to create cases
  • Get an overview of Advanced eDiscovery and learn how to create and manage Advanced eDiscovery cases

Intended Audience

This course is intended for those who wish to learn how to use and manage auditing and eDiscovery in Microsoft 365.


To get the most out of this course, you should already have some basic experience of working with Microsoft 365.


Hello, and welcome back. What we're gonna do here in this brief demonstration is walk through the process of creating an audit log retention policy. Now on the screen here I'm logged into my Microsoft 365 Admin Center, and I'm logged in as the global admin. To create an audit log retention policy. I need to go into compliance here. So we'll scroll down into compliance, now from compliance center what we do is go into audits.

Now you'll notice here in the left navigation pane we don't see audit even listed. If we click show all what this does is open up all of the different options under solutions for us. And we can see here audit becomes an option. So we'll go ahead and select audit.

Now from the audit page here we can search pre-existing audits or we can go ahead and create a new audit retention policy. So we'll go ahead and do that. And now from here, we can see we don't have any existing retention policies defined yet. So we'll go ahead and create the audit retention policy here.

Now, when we create an audit retention policy we have to provide some information. We need to provide a name for the policy, an optional description. We need to tell the policy which users and which record types it should apply to. We need to specify the duration that the data is kept and then we need to specify a priority for the policy. Now the policy name needs to be unique within my organization. And once I name this policy I can't change that name after the fact. So I'll just call this Retention1.

The description is optional and typically you would use a description just to provide more information about the policy. I am not going to worry about a description here so we'll leave this alone. And then in the user's box here, we can either specify specific users that we want this policy to apply to, or we can leave the box blank to force the policy to apply to all users. For example, if I search the box for admin we can see my admin accounts turn up. For this policy here we'll just allow it to apply to all users. And then in the record type dropdown here what we can do is specify the audit record type that this policy should apply to.

If we scroll down, we can see all kinds of record types that we can add to this policy. What we'll do for this exercise here is just select Azure Active Directory. Now once I select Azure Active Directory we are presented with a dropdown for activities. Now, the note here tells us that if we don't select specific activities the policy will apply to all activities for this selected record type in this case it would be Azure Active Directory.

If we select the dropdown here we can see we can audit user administration activities. We can audit AD group administration activities application administration activities all kinds of different administration activities. We can select one or more or all If that's what we're after. For this exercise we'll just select added, deleted, and reset user password.

So now what this policy will do is look for information regarding users added users deleted and password resets within the Azure Active Directory record type. And that'll will be applied to all users. And then down here we have the duration and duration is simply the amount of time that we want to retain the audit logs that meet the criteria of the policy we're defining here. So we'll just select 90 days.

And then lastly here we have a priority. The priority determines the order in which audit log retention policies get processed a higher number, indicates a higher priority. So for example, if we give this policy a value of 10 that means this policy would take priority over another policy with a value of say five. Now we don't have any other retention policies in our organization right now so it's really a moot point, but for this exercise, I'll just set it to 10 and we'll go ahead and save the policy. And with that, we have Retention1 created.

If we select the policy, you'll notice like I said Retention1 is no longer editable. I can't change the policy name. We can go ahead and modify the settings within the policy but we can't rename it. So we'll cancel that. And there you have it. That's how you create an audit retention policy using the compliance center.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.