Audit Vault for M365

Long-term Microsoft 365 Audit Log Retention

A powerful and cost-effective solution to preserve your Microsoft 365 audit log records.

Audit Vault Highlights



Entra ID audit log retention

Retain your Entra ID audit log records.

Audit Vault for M365 preserves Microsoft Entra ID audit records so your organization can review identity, user management, application, and policy activity beyond Microsoft native retention limits.

  • Track user management and group membership events.
  • Review policy, application, service principal, and device changes.
  • Investigate failed logins and suspicious identity activity.
  • Preserve identity audit evidence without expensive Microsoft license upgrades for every user.

User management

Audit user creation, deletion, password resets, account changes, and license updates.

Group membership

Track when users are added to or removed from security and distribution groups.

Policy and app changes

Review group policy, application, service principal, and permission grant changes.

Audit properties

Audit properties retained from Entra ID

Below is a listing of the audit properties that Audit Vault for M365 preserves from Microsoft Entra ID. Use these records to detect failed logins, investigate user and group management activity, and review identity-related changes.

Property: Description
Creation Time: The date and time when the audit event or operation occurred in Entra ID. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of the activity or event that occurred and generated the Entra ID audit log. Examples:
  • Add app role assignment grant to user.
  • Add app role assignment to service principal.
  • Add application.
  • Add delegated permission grant.
  • Add device.
  • Add group.
  • Add member to group.
  • Add member to role.
  • Add owner to group.
  • Add policy.
  • Add registered owner to device.
  • Add registered users to device.
  • Add service principal.
  • Add user.
  • Change user license.
  • Change user password.
  • Consent to application.
  • Delete user.
  • Disable account.
  • Remove member from group.
  • Remove service principal.
  • Reset user password.
  • Set Company Information.
  • Update application – Certificates and secrets management
  • Update application.
  • Update device.
  • Update group.
  • Update policy.
  • Update service principal.
  • Update StsRefreshTokenValidFrom Timestamp.
  • Update user.
  • UserLoggedIn
  • UserLoginFailed
User Id: The name of the user that performed the action that generated the Entra ID Audit Log.
Additional Properties: Stores any new properties from Entra ID Audit Log that are not captured elsewhere.
Actor: Includes the User ID and Microsoft ID of the user that performed the action that triggered the Entra ID event.
Actor Context Id: The GUID of the organization that the actor belongs to.
Actor Ip Address: The actor's IP address in IPv4 or IPv6 address format.
App Access Context:
Application: The application that triggers the account login event from Entra ID, such as Office 15.
Application Id: The GUID that represents the application that is requesting the login. The display name can be looked up via the Microsoft Entra Graph API.
Client: Details about the client device, device OS, and device browser that was used for the account login event.
Client IP: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
Device Properties: This property includes various device details, including Id, Display name, OS, Browser, IsCompliant, IsCompliantAndManaged, SessionId, and DeviceTrustType. The DeviceTrustType property can have the following values:
  • 0 - Microsoft Entra registered
  • 1 - Microsoft Entra joined
  • 2 - Microsoft Entra hybrid joined
Entra ID Event Type: The ID of the Entra event. Example: 1
Error Code: For failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Microsoft Entra STS (AADSTS) error code. For descriptions of these error codes, see Authentication and authorization error codes. A value of 0 indicates a successful login.
Error Number: The number of the error that occurred in Entra ID that triggered the audit log event.
Extended Properties: The extended properties of the Microsoft Entra event. Includes information such as Extended Audit Event Category, User Agent details, KeepMeSignedIn boolean, App and Device IDs, etc.
Inter Systems Id: The GUID that tracks the actions across components within the Office 365 service that created the Entra ID audit log.
Intra Systems Id: The GUID that's generated by Microsoft Entra ID to track the action.
Login Status: The mapping of various interesting logon failures could be done by alerting algorithms.
Logon Error: For failed logins, this property contains a user-readable description of the reason for the failed login.
Modified Properties: Includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property with respect to the audit log created for the Entra ID event. Examples include AccountEnabled boolean, Consent Context Is Admin Consent boolean, App Role Id, etc.
Object Id: The ID of the user that triggered the Entra ID audit log event.
Record Type: Stores the Id of the record type for the Entra ID Audit Log.
Examples:
8: AzureActiveDirectory (Microsoft Entra Events)
15: AzureActiveDirectoryStsLogon (Secure Token Service (STS) logon events in Microsoft Entra ID.).
Result Status: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Success, Failed or Failure.
Scope: Indicates whether the Entra ID event was created by a hosted O365 service or an on-premises server.
Support Ticket Id: The customer support ticket ID from Microsoft for the action in "act-on-behalf-of" situations. This is not an ECM Insights support ticket Id.
Target: The user that the Entra ID action (identified by the Operation property) was performed on.
Target Context Id: The GUID of the organization that the targeted user belongs to.
User Domain: The Tenant Identity Information (TII) that triggered the Entra ID Audit Log.
User Id: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the Entra ID audit record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included.
User Key: An alternative ID for the user identified in the UserId property.
User Type: The type of user that performed the operation that generated the Entra ID Audit Log. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version: The version number of the Microsoft Management Api that executed the request to retrieve the Entra ID Audit Logs.
Workload: The Office 365 service where the activity occurred. In this case it's AzureActiveDirectory.
Note: Audit Vault for M365 stores the values for the properties listed above only when they are returned from Microsoft. Some information is present only when it is applicable to the audit event.
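
The detection uses named above (failed logins, role and permission changes) can be sketched over the listed properties. This is an added example, not code from Audit Vault for M365: it groups UserLoginFailed records (Record Type 15) by Client IP to find bursts and lists successful privileged changes with the actor's User Type. The key names (property names without spaces), the sample records, the threshold and window, and the choice of "sensitive" operations are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names from the listing above; picking this subset is this example's assumption.
SENSITIVE_OPS = {
    "Add member to role.", "Consent to application.", "Add service principal.",
    "Add delegated permission grant.", "Add app role assignment to service principal.",
    "Update application – Certificates and secrets management",
}
USER_TYPES = dict(enumerate(["Regular", "Reserved", "Admin", "DcAdmin", "System",
    "Application", "ServicePrincipal", "CustomPolicy", "SystemPolicy"]))

def rec(time, rtype, op, user, ip=None, status="Success", utype=0):
    """Build one constructed sample record (key names are assumed)."""
    return {"CreationTime": f"2024-05-01T{time}", "RecordType": rtype,
            "Operation": op, "UserId": user, "ClientIP": ip,
            "ResultStatus": status, "UserType": utype}

# Constructed sample data; IPs are from documentation ranges.
RECORDS = [
    rec("09:00:05", 15, "UserLoginFailed", "alice@example.com", "203.0.113.7", "Failed"),
    rec("09:01:10", 15, "UserLoginFailed", "bob@example.com", "203.0.113.7", "Failed"),
    rec("09:02:30", 15, "UserLoginFailed", "carol@example.com", "203.0.113.7", "Failed"),
    rec("09:30:00", 15, "UserLoginFailed", "dave@example.com", "198.51.100.9", "Failed"),
    rec("09:40:00", 15, "UserLoggedIn", "alice@example.com", "203.0.113.7"),
    rec("10:00:00", 8, "Add member to role.", "admin@example.com", utype=2),
    rec("10:05:00", 8, "Update user.", "admin@example.com", utype=2),
]

def triage(records, threshold=3, window=timedelta(minutes=5)):
    """Return ({ip: users} for failed-login bursts, [sensitive changes])."""
    failures, sensitive = defaultdict(list), []
    for r in records:
        when = datetime.fromisoformat(r["CreationTime"])  # stored in UTC
        if r["RecordType"] == 15 and r["Operation"] == "UserLoginFailed":
            failures[r["ClientIP"]].append((when, r["UserId"]))
        elif r["Operation"] in SENSITIVE_OPS and r["ResultStatus"] == "Success":
            user_type = USER_TYPES.get(r["UserType"], "Unknown")
            sensitive.append((r["Operation"], r["UserId"], user_type))
    bursts = {}
    for ip, events in failures.items():
        events.sort()
        # Flag the IP if any `threshold` consecutive failures fit in `window`.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                bursts[ip] = sorted({user for _, user in events})
                break
    return bursts, sensitive
```

Calling `triage(RECORDS)` flags the one address with three failures against different accounts inside the window and reports the role assignment made by an Admin-type actor; the single failure from the other address and the routine "Update user." record are not reported.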