Auditing your Microsoft 365 security settings is an essential step in maintaining compliance, protecting sensitive data, and ensuring that both user and admin activity is appropriately tracked and managed. Whether you’re an IT administrator or a business leader overseeing digital transformation, understanding how to properly review and configure audit records can make a significant difference in your organization’s security posture.
Microsoft 365 offers robust auditing tools through the Security and Compliance Center, including features like unified audit logging and retention policies. However, many organizations overlook the need to verify that auditing is enabled, especially after changes to user account permissions or administrative access. For example, if your tenant shows a message like “access to this page requires authorization” or issues arise when signing in to the Exchange Admin Center, these could indicate problems with audit configuration or role assignments.
Using tools like Exchange Online PowerShell, administrators can confirm whether users have been assigned the audit logs role and, where necessary, review the commands that turn off auditing. It’s also critical to understand the retention period for audit logs: some are only retained for 90 days unless extended through advanced configurations. Failing to configure audit log retention appropriately may result in gaps that hinder investigations during a security audit or regulatory review.
This article will walk you through a step-by-step process for conducting a Microsoft 365 security settings audit. We’ll also point to best practices for managing data, interpreting which properties indicate that auditing is active, and leveraging Microsoft 365 admin tools to maintain control over your environment. For more context on strengthening your IT infrastructure and security strategy, consider exploring related topics like cloud security best practices and access control management previously covered on our site.
Verify Unified Audit Logging is Enabled
The first and most crucial step in auditing your Microsoft 365 security settings is to ensure that unified audit logging is enabled for your organization. Unified audit logging consolidates various logs across Microsoft 365 services—like Exchange Online, SharePoint, and Teams—into a single searchable database within the Security and Compliance Center. Without it, critical audit records related to user and admin activity may never be captured.
To verify this setting, 365 admin users can either navigate through the Security and Compliance portal or use Exchange Online PowerShell. For example, you can run the command Get-AdminAuditLogConfig to check the status of unified audit logging. If the output shows that logging is not enabled, it’s important to enable it immediately using Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true.
Keep in mind, if unified audit logging is disabled, no audit records will be retained, and your organization may lose visibility into events that are vital for both internal investigations and external compliance. Additionally, if you encounter messages like “access to this page requires authorization” when trying to access audit settings, it could mean your user account lacks the necessary permissions or hasn’t been assigned the audit logs role.
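One way to script the check and the fix described above, added here as an example and not taken from the article or from Microsoft. It assumes the ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline; the function name Confirm-UnifiedAuditLogging is hypothetical. Run it in Exchange Online PowerShell, because in Security & Compliance PowerShell Get-AdminAuditLogConfig reports UnifiedAuditLogIngestionEnabled as False even when auditing is on.

```powershell
# Added example (not from the article). Assumes an Exchange Online PowerShell
# session: Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline
function Confirm-UnifiedAuditLogging {
    # Hypothetical helper: reports the current state and, with -Enable,
    # turns ingestion on only when it is off. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param([switch]$Enable)

    $before  = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    $changed = $false

    if (-not $before -and $Enable) {
        if ($PSCmdlet.ShouldProcess('tenant audit configuration',
                                    'Enable unified audit log ingestion')) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            $changed = $true
        }
    }

    # Re-read the setting so the report shows what the service returns now.
    $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    [pscustomobject]@{
        CheckedAtUtc  = (Get-Date).ToUniversalTime()
        EnabledBefore = [bool]$before
        EnabledAfter  = [bool]$after
        ChangedByRun  = $changed
    }
}

# Read-only check:
Confirm-UnifiedAuditLogging
# Preview the change without applying it:
Confirm-UnifiedAuditLogging -Enable -WhatIf
```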
Review Audit Log Retention Policies
Once unified audit logging is enabled, the next step is to review how long audit records are being kept. By default, many Microsoft 365 audit logs are retained for 90 days, which may not meet your organization’s regulatory or security requirements. Certain subscription levels, such as Microsoft 365 E5, offer extended retention, but it’s up to the admin to configure and verify these settings.
Use the Microsoft 365 compliance center or PowerShell to check the retention period for audit data. It’s also important to know that specific workloads—like Exchange Online—may have separate settings that impact how long logs are stored. Ensuring proper audit log retention allows you to investigate suspicious behavior or respond to security incidents long after they occur.
If your retention settings are too short, you risk losing critical audit records before they’re ever reviewed. Additionally, review whether anyone has attempted to turn off auditing using PowerShell or altered retention periods without approval. Monitoring these actions can help maintain accountability and support future compliance audits.
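The retention review above can be turned into a repeatable check. This is an added example, not the article's or Microsoft's own code. The function name, the 365-day requirement and the sample policies are hypothetical, and it assumes the policy objects expose Name, Priority and RetentionDuration.

```powershell
# Added example (not from the article). Sample policies below are constructed.
# Approximate day counts for the RetentionDuration names used by audit
# retention policies.
$DurationDays = @{
    SevenDays = 7; OneMonth = 30; ThreeMonths = 90; SixMonths = 180
    NineMonths = 270; TwelveMonths = 365; ThreeYears = 1095
    FiveYears = 1825; SevenYears = 2555; TenYears = 3650
}

function Test-AuditRetentionPolicy {
    # Hypothetical helper: flags policies shorter than the required period.
    param(
        [Parameter(ValueFromPipeline)] $Policy,
        [int]$RequiredDays = 365
    )
    process {
        $name = [string]$Policy.RetentionDuration
        $days = $DurationDays[$name]      # $null when the name is not mapped
        if ($null -eq $days)              { $status = 'UnknownDuration' }
        elseif ($days -lt $RequiredDays)  { $status = 'TooShort' }
        else                              { $status = 'OK' }

        [pscustomobject]@{
            Policy    = $Policy.Name
            Priority  = $Policy.Priority
            Retention = $name
            Days      = $days
            Status    = $status
        }
    }
}

# Live input comes from Security & Compliance PowerShell (Connect-IPPSSession):
#   Get-UnifiedAuditLogRetentionPolicy | Test-AuditRetentionPolicy -RequiredDays 365
# An empty result means no custom policy exists and only default retention applies.
# Constructed sample objects standing in for that output:
$sample = @(
    [pscustomobject]@{ Name = 'Exchange admin activity';  Priority = 10; RetentionDuration = 'TenYears' }
    [pscustomobject]@{ Name = 'SharePoint file activity'; Priority = 50; RetentionDuration = 'ThreeMonths' }
)
$sample | Test-AuditRetentionPolicy -RequiredDays 365 | Format-Table -AutoSize
```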
Confirm Role Assignments for Audit Access
To maintain proper oversight and control, it’s essential to verify that the right individuals have been assigned the appropriate audit roles. In Microsoft 365, access to audit records is managed through role-based permissions. Specifically, ensure that your security team or designated administrators are assigned the audit logs role within the Microsoft 365 compliance center.
Without this role, users won’t be able to view or search audit logs and may encounter errors like “access to this page requires authorization” when attempting to review activity. Use the Microsoft 365 admin center or PowerShell to check who has been assigned the audit logs role and ensure that only authorized personnel have this level of access.
Improper or excessive role assignments can introduce risk by allowing too many users access to sensitive activity data. Reviewing and tightening these permissions supports both internal security practices and external compliance requirements—especially when preparing for a security audit or internal risk assessment.
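A sketch of the role review described above, comparing who effectively holds the audit roles against an approved list. It is an added example, not the article's own code. The function name, the approved names and the sample rows are hypothetical, and it assumes the Exchange Online roles "Audit Logs" and "View-Only Audit Logs" are the ones being reviewed.

```powershell
# Added example (not from the article). Sample rows below are constructed.
function Find-UnapprovedAuditAccess {
    # Hypothetical helper: emits every effective user that is not approved.
    param(
        [Parameter(ValueFromPipeline)] $Assignment,
        [string[]]$Approved = @()
    )
    process {
        # Rows named 'All Group Members' describe the group, not a person.
        if ($Assignment.EffectiveUserName -eq 'All Group Members') { return }

        if ($Approved -notcontains $Assignment.EffectiveUserName) {
            [pscustomobject]@{
                User   = $Assignment.EffectiveUserName
                Role   = $Assignment.Role
                Via    = $Assignment.RoleAssigneeName
                Method = $Assignment.AssignmentMethod
            }
        }
    }
}

# Live input (Exchange Online PowerShell, after Connect-ExchangeOnline):
#   'Audit Logs', 'View-Only Audit Logs' | ForEach-Object {
#       Get-ManagementRoleAssignment -Role $_ -GetEffectiveUsers
#   } | Find-UnapprovedAuditAccess -Approved 'Dana Ruiz'

# Constructed sample rows using the same property names:
$rows = @(
    [pscustomobject]@{ EffectiveUserName = 'All Group Members'; Role = 'Audit Logs'
                       RoleAssigneeName = 'Compliance Management'; AssignmentMethod = 'Direct' }
    [pscustomobject]@{ EffectiveUserName = 'Dana Ruiz'; Role = 'Audit Logs'
                       RoleAssigneeName = 'Compliance Management'; AssignmentMethod = 'RoleGroup' }
    [pscustomobject]@{ EffectiveUserName = 'Sam Okafor'; Role = 'View-Only Audit Logs'
                       RoleAssigneeName = 'Organization Management'; AssignmentMethod = 'RoleGroup' }
)

# Only 'Sam Okafor' is reported, because 'Dana Ruiz' is on the approved list.
$rows | Find-UnapprovedAuditAccess -Approved 'Dana Ruiz'
```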
Monitor User and Admin Activity
Monitoring both user and admin activity is a critical part of any Microsoft 365 security audit. Once unified audit logging is active and audit roles are properly assigned, reviewing this activity on a regular basis helps you detect abnormal behavior, policy violations, or potential security threats before they escalate.
Use the Microsoft 365 compliance center or Exchange Online PowerShell to track high-risk actions such as privilege escalations, mailbox access by non-owners, external file sharing, and admin configuration changes. These events are commonly associated with data breaches or insider misuse and should be reviewed closely. Pay attention to whether any users have attempted to turn off auditing, made changes to retention policies, or accessed areas they shouldn’t.
Additionally, verifying user and admin activity supports legal and compliance obligations by providing a full picture of who did what, when, and from where. This visibility not only strengthens your ability to manage data but also prepares your organization for audits, incident response, and forensic investigations. By staying on top of activity trends, you reinforce both technical and administrative layers of your security audit strategy.
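To watch for the "attempted to turn off auditing" case mentioned above, the audit log itself can be searched for changes made with Set-AdminAuditLogConfig. This is an added example, not the article's own code. The function name and the sample record are hypothetical, and it assumes the AuditData JSON carries Operation, UserId, CreationTime and a Parameters list of Name/Value pairs.

```powershell
# Added example (not from the article). The sample record is constructed.
function Find-AuditLoggingDisabled {
    # Hypothetical helper: emits a finding for each record in which
    # UnifiedAuditLogIngestionEnabled was set to False.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        if ($data.Operation -ne 'Set-AdminAuditLogConfig') { return }

        $param = $data.Parameters |
            Where-Object { $_.Name -eq 'UnifiedAuditLogIngestionEnabled' }

        if ($param -and "$($param.Value)" -eq 'False') {
            [pscustomobject]@{
                WhenUtc = $data.CreationTime
                Actor   = $data.UserId
                Finding = 'Unified audit logging was turned off'
            }
        }
    }
}

# Live input (Exchange Online PowerShell, after Connect-ExchangeOnline):
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#       -Operations 'Set-AdminAuditLogConfig' -ResultSize 5000 |
#       Find-AuditLoggingDisabled

# Constructed sample record shaped like one Search-UnifiedAuditLog result:
$sample = [pscustomobject]@{
    CreationDate = [datetime]'2024-05-14T09:12:33'
    UserIds      = 'admin@contoso.example'
    Operations   = 'Set-AdminAuditLogConfig'
    AuditData    = '{"CreationTime":"2024-05-14T09:12:33",' +
                   '"Operation":"Set-AdminAuditLogConfig",' +
                   '"UserId":"admin@contoso.example",' +
                   '"Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"False"}]}'
}

$sample | Find-AuditLoggingDisabled
```

Scheduling the live query and alerting on any finding gives a record of who changed the setting and when.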
Validate Retention Settings and Data Integrity
Beyond just confirming that audit logging is enabled, it’s important to validate that your retention settings align with your organization’s compliance needs. Many businesses operate under the assumption that logs are stored indefinitely, but in reality, unless properly configured, audit data may only be retained for 90 days by default.
Use the compliance center to review the retention period for audit logs across different Microsoft 365 services. Ensure that policies are in place to retain critical audit records for the duration required by your industry or internal governance. If your business has specific data retention mandates—such as for legal hold or regulatory reporting—these settings should be reviewed and tested regularly.
Also, confirm that the relevant property indicates that auditing is active for all relevant services, and that changes to these configurations are documented. Unexpected modifications to audit settings or missing data could point to mismanagement or malicious activity. Proactively managing retention ensures that the right data is available when needed and that your security and compliance posture remains strong.
Conclusion
Auditing your Microsoft 365 security settings isn’t just a one-time task—it’s an ongoing responsibility that directly impacts your organization’s ability to detect threats, manage data, and maintain compliance. From enabling unified audit logging and verifying role assignments to monitoring user activity and reviewing retention policies, each step plays a vital role in your broader security audit strategy.
Misconfigured settings, such as improperly assigned audit logs role access or an audit retention period that’s too short, can leave gaps that weaken your defenses. Leveraging tools like Exchange Online PowerShell, the Microsoft 365 admin center, and the Security and Compliance portal allows you to stay informed, identify risks early, and ensure key audit records are being retained for 90 days or longer, as required.
Regular reviews of your environment, especially checking for issues like “access to this page requires authorization” messages or inactive logging indicators, help reinforce accountability and readiness. By taking a structured approach to auditing, you position your organization to respond quickly to threats, meet regulatory obligations, and keep sensitive information secure across your Microsoft 365 environment.