3.1.1 Ensure Microsoft 365 audit log search is Enabled


When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.


Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To enable Microsoft 365 audit log search:

Navigate to Microsoft Purview https://compliance.microsoft.com.

Select Audit to open the audit search.

Click Start recording user and admin activity next to the information warning at the top.

Click Yes on the dialog box to confirm.

To enable Microsoft 365 audit log search using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

See Also


Item Details


References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: microsoft_azure

Control ID: 0275ec81d280193d762097fc138eae7536b05c2afe83a85fa72c70549e54af1d