SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring


Domain 3: Manage Risks, Alerts, and Activities

Purview Audit: Investigate & Retain

Microsoft Purview Audit logs every significant action in your M365 tenant. Understand Audit Standard vs Premium, investigate activities, and configure audit retention policies to keep records as long as regulations require.

What is Purview Audit?

☕ Simple explanation

Think of security camera footage for your entire digital office.

Every time someone opens a file, sends an email, changes a permission, or modifies a setting, it gets recorded. Microsoft Purview Audit is that camera system for your Microsoft 365 tenant. When something goes wrong (a data breach, an unauthorised access, a compliance investigation), you can rewind the tape and see exactly what happened, when, and by whom.

Audit Standard keeps 180 days of footage. Audit Premium keeps a year by default, and up to 10 years with the 10-Year Audit Log Retention add-on, plus faster bulk access to the log and extra investigation-grade events that Standard never records.

Microsoft Purview Audit provides a unified audit log that captures user and admin activities across Microsoft 365 services: Exchange, SharePoint, OneDrive, Teams, Entra ID, Purview, Defender, and more. Audit Standard (included with E3/E5) retains records for 180 days. Audit Premium (E5, E5 Compliance, or the E5 eDiscovery and Audit add-on) retains records for 1 year by default (up to 10 years with custom audit retention policies plus the 10-Year Audit Log Retention add-on license), adds higher-bandwidth access to the Office 365 Management Activity API, and records extra events needed to investigate compromised accounts (MailItemsAccessed, Send, SearchQueryInitiatedExchange, SearchQueryInitiatedSharePoint). The license is per user: a record gets Premium retention and Premium events only if the user who generated it held an Audit Premium license at the time.

Audit Standard vs Audit Premium

Audit Premium adds longer retention, custom policies, and investigation-grade events.

Feature                   | Audit Standard               | Audit Premium
--------------------------|------------------------------|--------------------------------------------------------------
Default retention         | 180 days                     | 1 year (365 days) for Exchange, SharePoint and Entra ID records generated by licensed users; other record types (for example Teams) stay at 180 days unless a custom policy covers them
Maximum retention         | 180 days (not configurable)  | Up to 10 years via custom audit retention policies (the 10-year duration needs the 10-Year Audit Log Retention add-on license)
Custom retention policies | No                           | Yes: scoped by record type, activity and user
High-bandwidth API        | Standard throughput          | Higher throughput on the Office 365 Management Activity API for large-volume retrieval
Investigation events      | No                           | Yes: MailItemsAccessed, Send, SearchQueryInitiatedExchange, SearchQueryInitiatedSharePoint
Licensing                 | E3, E5 (included)            | E5, E5 Compliance, E5 eDiscovery and Audit add-on
Per-user licensing?       | No: tenant-wide              | Yes: only records generated by licensed users get Premium retention and Premium events

Assigning Audit Premium licenses

Audit Premium is a per-user license. Only records generated by a licensed user get:

  • Extended retention (1 year by default, beyond the 180 days of Audit Standard)
  • Premium events (MailItemsAccessed, Send, search queries)
  • Coverage by custom audit retention policies

How to assign

  1. Microsoft 365 admin center → Users → Active users → select the user → Licenses and apps → assign a license that contains Audit Premium (E5, E5 Compliance, E5 eDiscovery and Audit) and make sure the Audit Premium service plan is turned on under Apps (Microsoft's licensing reference lists it as "Microsoft 365 Advanced Auditing", service plan M365_ADVANCED_AUDITING)
  2. Or use group-based licensing in Entra ID: assign the license to a security group and add users to that group

💡 Exam tip: per-user licensing

The exam tests that Audit Premium is per-user. Key points:

  • Only users WITH the Audit Premium license generate Premium audit records and get extended retention
  • Audit Standard still records every user's and admin's actions for 180 days regardless of license; the license changes what is recorded and for how long, not whether auditing is on
  • If you need 10-year retention for a specific user's mailbox activities, that user needs Audit Premium plus the 10-Year Audit Log Retention add-on
  • Group-based licensing is the scalable assignment method
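Because retention and Premium events depend on the license held by the user who generated the record, the practical check before any investigation or retention design is whether the right people actually have the service plan provisioned. The script below is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph PowerShell module, a caller with User.Read.All and Group.Read.All, and a hypothetical group name SG-Trading-Desk. The service plan name M365_ADVANCED_AUDITING is the one published in Microsoft's product names and service plan identifiers reference.

```powershell
# Added example (not from the page): list which members of a group hold the
# Audit (Premium) service plan, so you know whose records get Premium retention.
# Assumptions: Microsoft.Graph module installed; caller has User.Read.All and
# Group.Read.All; the group name is hypothetical.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome

$groupName = 'SG-Trading-Desk'   # hypothetical security group
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Top 1 | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

$members = Get-MgGroupMember -GroupId $group.Id -All

$report = foreach ($m in $members) {
    # Get-MgUserLicenseDetail returns one object per assigned SKU; each carries
    # the SKU's service plans with their provisioning status.
    $plans = Get-MgUserLicenseDetail -UserId $m.Id
    $audit = $plans.ServicePlans | Where-Object { $_.ServicePlanName -eq 'M365_ADVANCED_AUDITING' }

    [pscustomobject]@{
        User              = $m.AdditionalProperties['userPrincipalName']
        # Only a plan in 'Success' state is actually provisioned; a disabled plan
        # inside an E5 license still means no Premium audit for that user.
        AuditPremium      = [bool]($audit | Where-Object ProvisioningStatus -eq 'Success')
        ProvisioningState = ($audit.ProvisioningStatus -join ',')
    }
}

$report | Sort-Object AuditPremium, User | Format-Table -AutoSize

# Anyone listed with AuditPremium = False will generate Standard records only:
# 180 days retention and no MailItemsAccessed, even if a retention policy names them.
$report | Where-Object { -not $_.AuditPremium } |
    ForEach-Object { Write-Warning "$($_.User) has no Audit (Premium) service plan" }
```

Run it against the group you intend to scope a custom retention policy to; a user that shows up in the warnings will silently fall back to Standard retention no matter what the policy says.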

Investigating with Audit

Search the unified audit log

In the Microsoft Purview portal → Audit → Search:

Search parameter       | What it filters
-----------------------|---------------------------------------------------------------
Date range             | Start and end date/time (audit timestamps are in UTC)
Activities             | Specific operations (FileAccessed, Send, UserLoggedIn, etc.), selectable by friendly name or by operation name
Users                  | The user(s) who performed the activity
File, folder, or site  | The location (site URL, folder path or file name) where the activity occurred
Record types           | The service that produced the record (for example ExchangeItem, SharePointFileOperation, MicrosoftTeams, AzureActiveDirectoryStsLogon)

Key audit activities for investigations

Activity (operation name)              | What it records                                                                 | Investigation use
---------------------------------------|---------------------------------------------------------------------------------|-------------------------------------------------------------
FileAccessed                           | User opened a file in SharePoint/OneDrive                                       | Who accessed sensitive documents
MailItemsAccessed (Premium)            | Mail items were read (Bind) or a folder was synced to a client (Sync); each record carries client, IP and the InternetMessageIds touched | Compromised account investigation: which messages did the attacker read, and from where?
Send (Premium)                         | A message was sent from the mailbox                                             | Was the compromised mailbox used to send mail (phishing, exfiltration)?
FileModified                           | User edited a file                                                              | Track changes to sensitive documents
FileCopied                             | User copied a file to another location                                          | Data movement tracking
SearchQueryInitiatedExchange (Premium) | User ran a search in Outlook                                                    | What was the user (or attacker) looking for? Useful for insider threat and compromise investigations
UserLoggedIn                           | User signed into M365 (Entra ID sign-in record)                                 | Track access patterns and sign-in locations
SensitivityLabelApplied                | A sensitivity label was applied to an item                                      | Label activity monitoring
DlpRuleMatch                           | A DLP rule was triggered                                                        | Correlate DLP events with user actions
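The portal search answers "was the mailbox touched?"; scoping a breach needs the full MailItemsAccessed set for the window, broken down by client, IP and access type. The script below is an added example (not code from the page or from Microsoft) that does this with the Exchange Online Search-UnifiedAuditLog cmdlet. It assumes the ExchangeOnlineManagement module, a caller holding the View-Only Audit Logs role, and a hypothetical UPN and date range; it also assumes the target user held Audit Premium during the window, because otherwise no MailItemsAccessed records exist to find.

```powershell
# Added example (not from the page): pull every MailItemsAccessed record for one
# mailbox over the breach window and summarise who read what, from where.
# Assumptions: ExchangeOnlineManagement module; caller has View-Only Audit Logs;
# UPN and dates are hypothetical; the user was Audit (Premium) licensed.
Connect-ExchangeOnline -ShowBanner:$false

$user    = 'j.doe@meridian.example'           # hypothetical compromised account
$start   = Get-Date '2025-03-01'
$end     = Get-Date '2025-03-15'
$session = "MIA-$user-$(Get-Date -Format yyyyMMddHHmmss)"

# Page through the result set: ReturnLargeSet with a fixed SessionId keeps
# returning the next page (max 5,000 per call, 50,000 per session) until empty.
$records = @()
do {
    [array]$page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $session -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -gt 0)

$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # OperationProperties is a list of Name/Value pairs. MailAccessType is Bind
    # (individual reads, aggregated per 2 minutes) or Sync (a client pulled a
    # whole folder); IsThrottled=True means more than 1,000 Bind events hit in
    # 24 hours and the rest of that day was NOT individually logged.
    $props = @{}
    foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
    foreach ($f in $d.Folders) {
        [pscustomobject]@{
            Time         = $d.CreationTime
            AccessType   = $props['MailAccessType']
            Throttled    = $props['IsThrottled']
            ClientIP     = $d.ClientIPAddress
            Client       = $d.ClientInfoString
            Folder       = $f.Path
            # Sync records list the folder only; Bind records list the items read
            MessageCount = ($f.FolderItems | Measure-Object).Count
            MessageIds   = ($f.FolderItems.InternetMessageId -join ';')
        }
    }
}

# Which clients and IPs touched the mailbox, and whether any bulk (Sync) access happened
$rows | Group-Object ClientIP, Client, AccessType |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Throttling means the item list is a lower bound for that day, not the full scope
if ($rows.Throttled -contains 'True') {
    Write-Warning 'MailItemsAccessed was throttled in this window; treat the message list as incomplete.'
}

if ($rows) { $rows | Export-Csv -Path ".\$user-MailItemsAccessed.csv" -NoTypeInformation }
```

Read the summary first: an unfamiliar ClientInfoString or IP with AccessType Sync is the worst case, because a Sync means the attacker's client downloaded the folder rather than reading items one by one, and the audit log will not enumerate which messages were in it.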

Custom audit retention policies

With Audit Premium, create policies that retain specific record types longer (or shorter) than the default:

Setting      | What it controls
-------------|------------------------------------------------------------------------------------------
Name         | Policy name
Record type  | Which service's records to retain (Exchange, SharePoint, Teams, etc.)
Activities   | Specific operations within that record type (optional: retain all, or only the listed ones)
Users        | Specific users, or all users
Duration     | 1, 3, 5, 7 or 10 years (shorter 3, 6 and 9 month options also exist; the 10-year duration requires the 10-Year Audit Log Retention add-on license)
Priority     | Decides which custom policy wins when several cover the same records; any custom policy takes precedence over the default one-year policy

💡 Scenario: Priya configures audit retention at Meridian

Meridian Financial must retain trading communication audit logs for 7 years (SEC requirement):

  1. Policy name: "SEC - Trading Communications - 7 Year"
  2. Record type: Exchange (mailbox item records)
  3. Activities: Send, SendAs, SendOnBehalf, MailItemsAccessed (there is no "mail received" audit event; inbound delivery is not an audited mailbox action)
  4. Users: members of the trading team (each must hold an Audit Premium license, or the policy does nothing for their records)
  5. Duration: 7 years
  6. Priority: 10

For all other users, the default Audit Premium one-year retention applies.
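The same policy expressed in Security & Compliance PowerShell, as an added example that is not code from the page or from Microsoft. It assumes the ExchangeOnlineManagement module, a caller with the Organization Configuration role, a hypothetical mail-enabled security group SG-Trading-Desk, and hypothetical policy names. Two policies are created rather than one so that each policy pairs a single record type with its own operation list; the assumption that MailItemsAccessed records carry the ExchangeItemAggregated record type should be confirmed on a sample record before relying on it.

```powershell
# Added example (not from the page): create and verify the 7-year trading desk
# audit retention policies. Assumptions: ExchangeOnlineManagement module; caller
# has Organization Configuration; SG-Trading-Desk is a hypothetical mail-enabled
# security group; policy names are hypothetical; members hold Audit (Premium).
Connect-ExchangeOnline -ShowBanner:$false

# Retention policies take user principal names, not groups, so expand the group.
$traders = (Get-DistributionGroupMember -Identity 'SG-Trading-Desk' -ResultSize Unlimited).PrimarySmtpAddress
if (-not $traders) { throw 'No trading desk members found; refusing to create an empty-scope policy' }

# Retention policy cmdlets live in the Security & Compliance endpoint.
Connect-IPPSSession -ShowBanner:$false

# Sent mail: Send / SendAs / SendOnBehalf are ExchangeItem records.
New-UnifiedAuditLogRetentionPolicy -Name 'SEC - Trading Communications - 7 Year (sent mail)' `
    -Description 'SEC requirement: retain trading desk send events for 7 years' `
    -RecordTypes ExchangeItem -Operations Send, SendAs, SendOnBehalf `
    -UserIds $traders -RetentionDuration SevenYears -Priority 10

# Mailbox reads: MailItemsAccessed is assumed to arrive as ExchangeItemAggregated.
# Verify with: Search-UnifiedAuditLog ... -Operations MailItemsAccessed | Select RecordType
New-UnifiedAuditLogRetentionPolicy -Name 'SEC - Trading Communications - 7 Year (mailbox access)' `
    -Description 'SEC requirement: retain trading desk MailItemsAccessed events for 7 years' `
    -RecordTypes ExchangeItemAggregated -Operations MailItemsAccessed `
    -UserIds $traders -RetentionDuration SevenYears -Priority 10

# Verify scope and duration; the default policy is not listed here and is always
# overridden by any custom policy that matches a record.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, RecordTypes, Operations, RetentionDuration, Priority, UserIds -AutoSize
```

When the trading desk roster changes, the policy's UserIds list does not follow the group; re-run the expansion and use Set-UnifiedAuditLogRetentionPolicy -UserIds to update it, or the new trader's records will only get the default one-year retention.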

Question

What is the default audit log retention for Audit Standard vs Audit Premium?

Answer

Audit Standard: 180 days (not configurable). Audit Premium: 1 year (365 days) by default for records generated by licensed users, extendable to 10 years with custom audit retention policies (the 10-year duration also needs the 10-Year Audit Log Retention add-on license).

Question

What is MailItemsAccessed and why is it important for investigations?

Answer

MailItemsAccessed is an Audit Premium activity that logs when mail items are read (Bind) or a folder is synced to a client (Sync), whether by the user or by an attacker holding the user's session. It is critical for compromised account investigations: it shows which messages were accessed, from which client and IP address, so the scope of the breach can be established rather than assumed.

Question

Is Audit Premium a tenant-wide or per-user license?

Answer

Per-user. Only users with the Audit Premium license get extended retention, Premium events (MailItemsAccessed, Send, search queries), and custom retention policy coverage. Audit Standard logging of every user's and admin's actions continues for 180 days regardless of license.

Knowledge Check

Meridian Financial suspects that a former employee's account was compromised after they left. Priya needs to see which emails were accessed in the compromised mailbox during the breach window. The former employee had an E5 license. Which audit activity should she search?

Knowledge Check

Dr. Liam needs to retain audit logs for patient record access at St. Harbour Health for 7 years. The clinical staff have E3 licenses. What must he do first?

Next up: Activity Explorer & Content Search. Investigate data activities and search for content across your entire M365 tenant.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.