
Unified Audit Log

Access the Microsoft 365 unified audit log for comprehensive activity tracking across all workloads. Search and filter audit events from Exchange, SharePoint, Entra ID, Teams, and more.

Overview

The Unified Audit Log provides a single consolidated view of activity events across all Microsoft 365 services. This is the authoritative source for compliance auditing, incident investigation, and change tracking across your managed tenants.

Log Columns

| Column | Description |
|---|---|
| Date/Time | When the activity occurred |
| User | User who performed the activity |
| Activity | Specific operation performed |
| Workload | Microsoft 365 service (Exchange, SharePoint, etc.) |
| Object | The item that was affected |
| Result | Success or Failure |
| IP Address | Source IP of the activity |
| Tenant | Which managed tenant the activity occurred in |

Supported Workloads

  • Exchange Online — Mailbox access, admin operations, mail flow
  • SharePoint Online — File access, sharing, site administration
  • OneDrive for Business — File operations, sharing, sync events
  • Microsoft Teams — Team/channel operations, meeting events
  • Entra ID — User management, role changes, app registrations
  • Compliance Center — eDiscovery, retention, DLP events
  • Power Platform — Power Apps, Power Automate operations

Search Capabilities

Search the audit log using:

  • Free text search — Search across all fields
  • Activity type — Filter by specific operations
  • User — Find all activities by a specific user
  • Date range — Narrow results to a specific time window
  • IP address — Find all activities from a specific source

Filters

  • Date Range — Last 24 hours, 7 days, 30 days, 90 days, or custom
  • Workload — Exchange, SharePoint, Teams, Entra ID, etc.
  • Activity — Specific operation types
  • User — Filter by user principal name
  • Tenant — Filter by managed tenant
  • Result — Success, Failure

Retention

Audit log retention depends on the license level:

  • E3/Business Premium — 180 days
  • E5 — 365 days (1 year)
  • E5 with Advanced Audit — Up to 10 years

Compliance Use Cases

  1. Investigate unauthorized access to sensitive data
  2. Track administrative changes for change management
  3. Support eDiscovery and legal hold requests
  4. Monitor data exfiltration attempts
  5. Meet regulatory audit requirements
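
For the investigation use cases above, the following added example (not part of the product or its documentation) triages exported audit rows: it flags source IPs that produced Failure results in more than one managed tenant, then lists the Success rows that followed from those IPs. The record keys, the sample rows and the helper names are assumptions; the page does not document the export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Retention in days as listed on this page ("up to 10 years" tier omitted: no fixed value).
RETENTION_DAYS = {"E3/Business Premium": 180, "E5": 365}

def window_covered(license_level, start, now):
    """True if events from `start` are still retained at `now` for this license."""
    return now - start <= timedelta(days=RETENTION_DAYS[license_level])

def cross_tenant_failures(records, min_tenants=2):
    """Map source IP -> tenants where it produced a Failure, for IPs seen
    failing in at least `min_tenants` managed tenants."""
    tenants = defaultdict(set)
    for r in records:
        if r["result"] == "Failure":
            tenants[r["ip_address"]].add(r["tenant"])
    return {ip: sorted(t) for ip, t in tenants.items() if len(t) >= min_tenants}

def success_after_failure(records, flagged_ips):
    """Success rows from a flagged IP that come after that IP's first Failure."""
    failed, hits = set(), []
    for r in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        ip = r["ip_address"]
        if ip not in flagged_ips:
            continue
        if r["result"] == "Failure":
            failed.add(ip)
        elif ip in failed:
            hits.append(r)
    return hits

def rec(time, user, activity, workload, obj, result, ip, tenant):
    """Build one row using hypothetical keys named after the Log Columns table."""
    return dict(time=time, user=user, activity=activity, workload=workload,
                object=obj, result=result, ip_address=ip, tenant=tenant)

# Constructed sample rows (documentation IP ranges, made-up users, tenants and objects).
SAMPLE = [
    rec("2024-05-01T08:00:00+00:00", "amy@contoso.example", "UserLoginFailed", "Entra ID", "amy", "Failure", "203.0.113.7", "contoso"),
    rec("2024-05-01T08:02:00+00:00", "bob@fabrikam.example", "UserLoginFailed", "Entra ID", "bob", "Failure", "203.0.113.7", "fabrikam"),
    rec("2024-05-01T08:05:00+00:00", "bob@fabrikam.example", "UserLoggedIn", "Entra ID", "bob", "Success", "203.0.113.7", "fabrikam"),
    rec("2024-05-01T08:06:00+00:00", "bob@fabrikam.example", "FileDownloaded", "SharePoint", "q2.xlsx", "Success", "203.0.113.7", "fabrikam"),
    rec("2024-05-01T09:00:00+00:00", "cat@contoso.example", "UserLoginFailed", "Entra ID", "cat", "Failure", "198.51.100.9", "contoso"),
    rec("2024-05-01T09:01:00+00:00", "cat@contoso.example", "UserLoggedIn", "Entra ID", "cat", "Success", "198.51.100.9", "contoso"),
]

if __name__ == "__main__":
    flagged = cross_tenant_failures(SAMPLE)
    for r in success_after_failure(SAMPLE, flagged):
        print(r["time"], r["tenant"], r["user"], r["activity"], r["object"])
```

Call `window_covered` before searching so that an empty result for an old time window is not mistaken for an absence of activity.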

API Reference

  • GET /api/monitoring/audit/unified — Search unified audit log
  • GET /api/monitoring/audit/unified/activities — List available activity types
  • POST /api/monitoring/audit/unified/export — Export audit log data