Audit Vault for M365

Long-term Microsoft 365 Audit Log Retention

A powerful and cost-effective solution to preserve your Microsoft 365 audit log records.



Retain your SharePoint Audit Logs


Why It's Important to Retain Your SharePoint Audit Logs:

Retaining SharePoint Audit Logs is crucial for several reasons, particularly for compliance, security, and operational efficiency.

  • Compliance: If your organization operates in a regulated industry (such as pharmaceuticals, biotech, or healthcare), retaining SharePoint Audit Logs helps meet Good Automated Manufacturing Practice (GAMP) and other GxP compliance requirements.
  • Legal & eDiscovery: Audit logs provide a historical record of user activities, ensuring you can retrieve evidence in case of legal or compliance investigations.
  • Microsoft Retention Limits: Microsoft only retains Audit Logs for a limited period. Long-term retention is necessary for businesses needing extended audit trails.
  • Threat Detection: Audit logs help detect unusual activity, such as unauthorized access, data theft, or users gaining higher privileges than they should.
  • Forensic Investigations: If a security breach happens, audit logs create a detailed record of events, helping teams identify how the attack happened and reduce potential risks.


How Audit Vault for M365 Solves SharePoint Audit Log Retention Issues:

Your Audit Vault for M365 solution enables long-term retention of Microsoft Teams Audit Logs (including SharePoint), ensuring compliance, security, and governance beyond Microsoft’s default limitations. This ensures that your organization remains compliant with industry regulations while safeguarding critical audit data.

  • Track which user performed which action.
  • Run reports to stay aware of user activity.
  • Stay compliant with industry and regulatory standards.
  • Detect suspicious activities.

With Audit Vault for M365, your organization can also generate SharePoint Audit Reports to monitor and document the complete audit history of your documents and folders throughout their entire lifecycle in SharePoint Online.


What type of audit information is retained from SharePoint Online?

Below is a listing of all the audit properties that Audit Vault for M365 preserves from Microsoft.

Audit Properties Retained from SharePoint Online
Property Description
Creation Time: The date and time when the audit event or operation occurred in SharePoint. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of the activity or event that generated the audit log. Examples:
  • AccessRequestApproved
  • AccessRequestCreated
  • AccessRequestRejected
  • AccessRequestUpdated
  • AddedToGroup
  • AddedToSecureLink
  • AddedToSharingLink
  • AnonymousLinkCreated
  • AnonymousLinkUpdated
  • AnonymousLinkUsed
  • AppStoreStorefrontShowAppDetailsPage
  • ClientViewSignaled
  • CommentCreated
  • CommentDeleted
  • CommentsDisabled
  • CompanyLinkCreated
  • CompanyLinkRemoved
  • CompanyLinkUpdated
  • CompanyLinkUsed
  • ComplianceSettingChanged
  • DenyAddAndCustomizePages
  • DLPRuleMatch
  • DLPRuleUndo
  • FileAccessed
  • FileAccessedExtended
  • FileCheckedIn
  • FileCheckedOut
  • FileCheckOutDiscarded
  • FileCopied
  • FileDeleted
  • FileDeletedFirstStageRecycleBin
  • FileDownloaded
  • FileModified
  • FileModifiedExtended
  • FileMoved
  • FilePreviewed
  • FileRecycled
  • FileRenamed
  • FileRequestUsed
  • FileRestored
  • FileSensitivityLabelApplied
  • FileSyncDownloadedFull
  • FileSyncUploadedFull
  • FileTimelineMetadataAccessed
  • FileTranscriptContentAccessed
  • FileTranscriptContentEdited
  • FileTranscriptDeleted
  • FileUploaded
  • FileVersionsAllDeleted
  • FolderCopied
  • FolderCreated
  • FolderDeletedFirstStageRecycleBin
  • FolderDeletedSecondStageRecycleBin
  • FolderModified
  • FolderMoved
  • FolderRecycled
  • FolderRenamed
  • GroupAdded
  • GroupRemoved
  • ListColumnCreated
  • ListColumnDeleted
  • ListColumnUpdated
  • ListContentTypeUpdated
  • ListCreated
  • ListDeleted
  • ListItemCreated
  • ListItemDeleted
  • ListItemRecycled
  • ListItemUpdated
  • ListItemViewed
  • ListUpdated
  • ListViewCreated
  • ListViewed
  • ListViewUpdated
  • PagePrefetched
  • PageViewed
  • PageViewedExtended
  • PermissionLevelAdded
  • PIMRoleAssigned
  • ReactionAdded
  • RemovedFromGroup
  • RemovedFromSecureLink
  • RemovedFromSharingLink
  • SearchQueryPerformed
  • SecureLinkCreated
  • SecureLinkUpdated
  • SecureLinkUsed
  • SharingInheritanceBroken
  • SharingLinkUsed
  • SharingPolicyChanged
  • SharingRevoked
  • SharingSet
  • SignInEvent
  • SiteCollectionAdminAdded
  • SiteCollectionAdminRemoved
  • SiteCollectionCreated
  • SiteCollectionQuotaModified
  • SiteColumnCreated
  • SiteColumnUpdated
  • SiteContentTypeCreated
  • SiteDeleted
  • SiteDesignInvoked
  • SiteFileVersionTrimmingSettingsChanged
  • SiteIBModeChanged
  • SiteIBModeSet
  • SiteLocksChanged
  • SiteSensitivityLabelApplied
  • TagApplied
  • TagUnApplied
  • TeamsMeetingRecordingUploaded
  • UnifiedSimulationCompletionNotification
  • UnifiedSimulationProgress
  • UnifiedSimulationRuleMatch
  • WACTokenShared
  • WebMembersCanShareModified
  • WebRequestAccessModified
UserId: The name of the user that performed the action that generated the SharePoint Online Audit Log.
ObjectId: The full path to the item in SharePoint that the audit entry is for.
ItemType: The type of object that the Microsoft audit log was generated for.
AdditionalProperties: Stores any new properties from SharePoint Audit Log that are not captured elsewhere.
AppAccessContext: The application context for the user or service principal that performed the action that generated the SharePoint audit log.
ApplicationId: The ID of the application performing the operation in SharePoint.
ApplicationDisplayName: The display name of the application performing the operation that created the SharePoint Online audit log.
AssertingApplicationId: The Id of the asserting application that generated the SharePoint Audit record.
AuthenticationType: Example: FormsCookieAuth, OAuth
BrowserName: The name of the browser from which the SharePoint audit entry was created (example: Edge, Chrome, Firefox).
BrowserVersion: The version of the browser that generated the log (example: 121.0.0.0).
ClientAppId: The Id of the Microsoft SharePoint app that performed the access on behalf of the user.
ClientIp: The IP address of the device that was used when the SharePoint Audit operation was logged.
ClientRequestId: A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations.
CommentId: Example: 0, 1, 2
CompanyIP: The IP address of the company when the audit entry was logged.
ContainerInstanceId: The ID of the instance of container in SharePoint that created the SharePoint Audit Log.
ContainerTypeId: The ID of the type of container in SharePoint that created the SharePoint Audit Log.
CorrelationId: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
CrossScopeSyncDelete: A boolean that indicates if Cross Scope Sync Delete occurred when the log was generated.
CustomEvent: Optional string for custom events for SharePoint Audit Logs.
CustomUniqueId: Example 1, 2
CustomizedDocLibrary: Indicates if the document library was customized or not from where the audit log entry was generated. Example 0, 1
DestinationFileExtension: The file extension of a SharePoint file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
DestinationFileName: The name of the SharePoint file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
DestinationLabel: The final label of the file after it's changed by a user action.
DestinationRelativeURL: The URL of the destination folder where a SharePoint Online file is copied or moved. This property is displayed only for FileCopied and FileMoved SharePoint Audit events.
DeviceDisplayName: The display name of the device. The Audit Log retained may also be an IP Address.
DoNotDistributeEvent: Was the SharePoint audit log a do not distribute event. Example 0, 1
EventData: Retains follow-up information about the sharing action within SharePoint, such as adding a user to a group or granting edit permissions.
EventSignature: Stores an ID of the event signature that created the SharePoint Audit Log.
EventSource: Identifies that an event occurred in SharePoint Online. Possible values are SharePoint or ObjectModel.
FileSizeInBytes: The size of the file in bytes for which the audit log entry was created.
FileSyncBytesCommitted: The size in bytes when syncing files in SharePoint.
FromApp: Was the event audit log triggered from an application. Example 0, 1
GeoLocation: The location from which the SharePoint Audit Log was generated. Example: CAN
HighPriorityMediaProcessing: Example 0, 1
ImplicitShare: Yes/No if the audit log retained was implicitly shared.
IsDocLibrary: This value is set to True if the SharePoint list is of the type Document Library.
IsHiddenList: This value is set to True if the SharePoint list is hidden for the audit log.
IsManagedDevice: Indicates if the audit log event was triggered from a Managed Device. Example 0, 1
IsWorkflow: This is set to True if SharePoint Workflows triggered the audited event.
ItemCount: The number of items affected by the audit event from Microsoft 365.
ListBaseTemplateType: The list definition type on which the list is based.
ListBaseType: Specifies the base type for a list for the retained audit log.
ListId: The Guid of the SharePoint list.
ListItemUniqueId: The GUID that uniquely identifies an item in the list.
ListName: The name of the SharePoint list for which the audit log was generated.
ListServerTemplate: The Id of the template used for the list that the SharePoint Audit Log was generated from.
ListTitle: The title of the SharePoint list.
ListUrl: The URL of the list relative to the containing website.
ListItemVersion: The ListItemVersion (int) stores the version number of the list item for which the audit log was generated.
MachineDomainInfo: Information about device sync operations.
MachineId: Information about device sync operations.
ModifiedProperties: The property is included for admin audit events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such as the user who was added as a site admin), and the previous value of the modified object.
OrganizationId: Contains the GUID for your organization's Microsoft 365 tenant ID.
Permission: Example: View, RestrictedView, Edit etc
Platform: Retains platform information for the audit log created. Example : iPad, MacOS, WinDesktop
RecordType: Stores the Id of the record type for the SharePoint Audit Log.
Examples:
4: SharePoint events
6: SharePoint file operation events.
36: SharePoint List events.
55: SharePoint list content type events.
RequestId: A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
ResultStatus: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.
Scope: Was this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
SearchQueryText:
SensitivityLabelId: The current sensitivity label ID of the file.
SensitivityLabelOwnerEmail: The email address of the owner of the sensitivity label.
SharingLinkScope:
SharingType: The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter.
Site: The GUID of the SharePoint Online site where the file or folder accessed by the user is located.
SiteUrl: The URL of the site where the file or folder accessed by the user is located.
SiteSensitivityLabelId: The Id of the sensitivity label applied to the SharePoint site collection.
SkipforServiceWorker: Indicates if the event that generated the audit record in SharePoint was skipped by a service. Example 0, 1
Source: Source of the alert. Examples: list, site, unknown.
SourceFileExtension: The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a SharePoint folder.
SourceFileName: The name of the file or folder in SharePoint Online accessed by the user.
SourceLabel: The original label of the file before it's changed by a user action.
SourceName: The SharePoint Source Name that triggered the audited operation. Examples: SharePoint , ObjectModel.
SourceRelativeURL: The URL of the folder that contains the file accessed by the user.
SubstrateGroupId: Contains the Substrate Group Id of the event that created the SharePoint Audit Log.
TargetUserorGroupName: Stores the UPN or name of the target user or group that a resource was shared with.
TargetUserorGroupType: Identifies whether the target user or group is a Member, Guest, Group, or Partner.
TemplateTypeId: Stores the Guid or name of the template type that caused the creation of the SharePoint Audit Log.
UniqueSharingId: The unique sharing ID associated with the sharing operation.
UserAgent: Information about the user's client or browser. This information is provided by the client or browser.
UserKey: An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
UserSessionId: Contains the User's session id for the SharePoint Online event.
UserSharedWith: The user that a resource was shared with.
UserType: The type of user that performed the operation that generated the SharePoint Audit Log. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version: The version number of the Microsoft Management Api that executed the request to retrieve the SharePoint Audit Logs.
WebId: A Guid that stores the Web Id.
Workload: The Office 365 service where the activity occurred.
ZipFileName: The name of the zip file that is created in SharePoint that caused the audit entry to be created.


Note: Audit Vault for M365 will only store the values for the properties listed above if they are returned from Microsoft. Some information is present only if it is applicable.
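To show how the retained properties support the threat-detection use described earlier, the following added example (not Audit Vault or Microsoft code) triages a batch of records by Operation, UserType, ClientIp and creation time. It assumes records are available as dictionaries keyed by the property names above, with the creation time as an ISO-8601 UTC string under a hypothetical `CreationTime` key; the category groupings and the download threshold are illustrative choices.

```python
from collections import Counter

# UserType codes as listed in the property table on this page.
USER_TYPES = {0: "Regular", 1: "Reserved", 2: "Admin", 3: "DcAdmin", 4: "System",
              5: "Application", 6: "ServicePrincipal", 7: "CustomPolicy", 8: "SystemPolicy"}

# Operation names come from the table; grouping them into categories is this example's choice.
PRIVILEGE_OPS = {"SiteCollectionAdminAdded", "PermissionLevelAdded", "AddedToGroup"}
EXPOSURE_OPS = {"AnonymousLinkCreated", "SharingInheritanceBroken", "SharingPolicyChanged"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def triage(records, download_threshold=3):
    """Return sorted (category, UserId, detail) findings for a list of audit records."""
    findings, downloads = set(), Counter()
    for rec in records:
        op, user, obj = rec.get("Operation"), rec.get("UserId", "unknown"), rec.get("ObjectId")
        who = USER_TYPES.get(rec.get("UserType"), "UnknownType")
        if op in PRIVILEGE_OPS:
            findings.add(("privilege-change", user, f"{op} by {who} on {obj}"))
        elif op in EXPOSURE_OPS:
            findings.add(("sharing-exposure", user, f"{op} on {obj}"))
        elif op in DOWNLOAD_OPS and rec.get("ResultStatus") != "Failed":
            # Bucket by user, source IP and UTC hour (first 13 chars of an ISO timestamp).
            downloads[(user, rec.get("ClientIp"), rec.get("CreationTime", "")[:13])] += 1
    for (user, ip, hour), count in downloads.items():
        if count >= download_threshold:
            findings.add(("bulk-download", user, f"{count} downloads from {ip} in hour {hour}Z"))
    return sorted(findings)


def _rec(time, op, user, ip, utype, obj, status="Succeeded"):
    return {"CreationTime": time, "Operation": op, "UserId": user, "ClientIp": ip,
            "UserType": utype, "ObjectId": obj, "ResultStatus": status}


# Constructed sample records (not real audit data); hosts and IPs are documentation values.
SITE = "https://example.sharepoint.com/sites/rd"
SAMPLE = [
    _rec("2024-03-01T10:02:11", "FileDownloaded", "alice@example.com", "198.51.100.7", 0, SITE + "/a.docx"),
    _rec("2024-03-01T10:15:40", "FileDownloaded", "alice@example.com", "198.51.100.7", 0, SITE + "/b.docx"),
    _rec("2024-03-01T10:40:03", "FileDownloaded", "alice@example.com", "198.51.100.7", 0, SITE + "/c.docx"),
    _rec("2024-03-01T11:05:00", "FileDownloaded", "alice@example.com", "198.51.100.7", 0, SITE + "/d.docx"),
    _rec("2024-03-01T12:00:00", "SiteCollectionAdminAdded", "bob@example.com", "203.0.113.9", 2, SITE),
    _rec("2024-03-01T12:30:00", "AnonymousLinkCreated", "carol@example.com", "203.0.113.20", 0, SITE + "/plan.xlsx"),
    _rec("2024-03-01T13:00:00", "FileAccessed", "dave@example.com", "203.0.113.21", 0, SITE + "/a.docx"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because long-term retention keeps older records available, the same function can be run over historical batches to establish what download volume is normal for a user before choosing a threshold.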


View Microsoft Audit Logs directly from SharePoint Online

Install the "Audit History for SharePoint" app from Microsoft AppSource. The Audit History for SharePoint menu is a free app that can be added to your SharePoint tenant. The app allows you to enable an "Audit history" menu item and a command bar button directly in SharePoint. When used, the menu opens the Audit Vault for M365 "View SharePoint Item's Audit History" Report to display all the audit logs for the selected SharePoint Item.

View Audit History for SharePoint on Microsoft AppSource »