Langley, BC
(604) 800-9060
Teradrive Forensics
Microsoft 365 forensic investigation: what survives, what to capture first

A practitioner's guide to M365 forensic investigation: audit log retention, what each event captures, and what counsel should preserve first.

Published May 1, 2026. Updated Apr 1, 2026. 12 min read.

Microsoft 365 forensic evidence lives primarily in the unified audit log, the mailbox audit log, the message trace, the OneDrive and SharePoint activity records, and the Microsoft Entra sign-in logs, with additional events for tenants licensed for Purview Audit (Premium). Default retention of the unified audit log is 180 days under Audit (Standard), which E3 and Business Premium licences include, and one year under Audit (Premium), which E5 includes; ten-year retention needs a separate add-on licence plus a retention policy. Entra sign-in logs age out far sooner: 7 days on a free tenant, 30 days with Entra ID P1 or P2. Preservation should begin within hours of the triggering event because the retention clock is already running. This guide walks through what each log captures, what to capture first, and the common gaps that compromise M365 evidence.

Table of contents

  1. Why M365 evidence preservation is time-critical
  2. The five M365 evidence sources you need to know
  3. Retention windows in detail
  4. What to capture first
  5. Common gaps in M365 evidence
  6. Working with Microsoft Purview eDiscovery
  7. FAQ

1. Why M365 evidence preservation is time-critical

Microsoft 365 audit logs do not retain forever. The unified audit log defaults to 180 days under Audit (Standard) and one year under Audit (Premium); the Entra sign-in log defaults to 7 days on a free tenant and 30 days with P1 or P2. Once the retention window closes, the events are gone from the tenant and Microsoft cannot restore them.

For an investigation triggered today, that means the oldest events in the audit window are about to disappear, and sign-ins older than a week or a month may be gone already. The forensic value of a matter often depends on the older events: the email forwarding rule created two months ago, the OneDrive download from a Saturday night three months ago, the OAuth grant to a third-party app from before the user announced their resignation.

Preservation has to start within hours of the triggering event, not days.

2. The five M365 evidence sources you need to know

Unified Audit Log. The catch-all log covering Exchange, SharePoint, OneDrive, Teams, Microsoft Entra (Azure AD), and other M365 services. This is the primary source for most investigations.

Mailbox Audit Log. Per-mailbox logging of mailbox-level activity (folder access, message moves and deletions, inbox-rule and permission changes, delegate and admin actions, and message access via MailItemsAccessed where it is enabled for the mailbox). Mailbox auditing has been on by default tenant-wide since 2019, but the set of audited actions depends on each mailbox's AuditOwner, AuditDelegate and AuditAdmin configuration, and a tenant-level AuditDisabled setting overrides everything; confirm both rather than assuming full coverage.

Message Trace. Records the path of every message through the M365 mail flow, including timestamps, source IPs, and delivery results. Useful for tracking specific messages and for establishing whether external senders did or did not deliver.

OneDrive and SharePoint Activity Logs. File-level activity (uploads, downloads, shares, deletions, syncs). These are the strongest source for cloud exfiltration analysis.

Microsoft Entra (Azure AD) Sign-In Logs. Authentication events, including sign-in location, IP, device, client application, conditional access result, and the outcome. Essential for compromise analysis. Note that sign-in successes and failures (UserLoggedIn, UserLoginFailed) are also written to the unified audit log, where they follow the longer unified-log retention; that copy is the fallback when the Entra log has already aged out.

The events that used to be exclusive to Purview Audit (Premium) include MailItemsAccessed (mail item bind and sync access, including by the mailbox owner; bind records are aggregated in two-minute windows and throttled, so treat them as evidence that a message was accessed, not as a per-read counter), Send (messages sent from the mailbox) and SearchQueryInitiatedExchange / SearchQueryInitiatedSharePoint. Microsoft's 2023 logging expansion brought these events to Audit (Standard) tenants as well, but verify in your own tenant that the records exist for the mailbox in question before building an argument on them.

3. Retention windows in detail

Default retention by licence tier:

  • E3 / Microsoft 365 Business Premium (Audit Standard): 180 days for the unified audit log; no audit retention policies.
  • E5 / E5 Compliance / Purview Audit Premium add-on: one year by default for the unified audit log; ten years with the 10-Year Audit Log Retention add-on licence plus a retention policy targeting the records.
  • Mailbox Audit Log: per-mailbox AuditLogAgeLimit, default 90 days; mailbox audit records are also surfaced through the unified audit log and follow its retention there.
  • Message Trace: searchable for 90 days; queries reaching back more than 10 days run as a downloadable historical search rather than interactively.
  • OneDrive and SharePoint Activity: subject to unified audit log retention; deleted and overwritten file content is separately preserved by the site recycle bin (93 days) and version history.
  • Microsoft Entra Sign-In Logs: 7 days free, 30 days with Entra ID P1 or P2 (risk detections such as risky sign-ins are kept 90 days with P2). Diagnostic settings can stream sign-in logs to Log Analytics or a storage account for longer retention, but only from the moment they are configured.

For a matter that may surface evidence from outside the default window, retention can be extended through Purview audit log retention policies, an Audit (Premium) capability that pins records by record type, operation or user for up to ten years. This must be configured before the events are needed; a policy cannot recover records that have already expired.
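The checks and the retention policy described above, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an account holding the Exchange Online audit and compliance roles, and a tenant licensed for Audit (Premium) plus the 10-Year Audit Log Retention add-on; the matter number, custodian addresses and policy name are placeholders.

```powershell
# Added example (not the article's own code). Confirm that auditing is actually
# being recorded, list the retention policies already in force, then pin the
# audit records a matter depends on for ten years.
Connect-ExchangeOnline            # Exchange Online cmdlets
Connect-IPPSSession               # Security & Compliance cmdlets (retention policies)

# 1. Unified audit log ingestion: if this is off, nothing below exists to retain.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; no audit records are being written.'
}

# 2. Tenant-wide mailbox audit switch overrides every per-mailbox setting.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled tenant-wide (AuditDisabled = $true).'
}

# 3. Retention policies already in place, highest priority (lowest number) first.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, RecordTypes, Operations, UserIds, RetentionDuration, Priority -AutoSize

# 4. Pin the records this matter needs. Placeholder matter and custodians.
$matter     = 'Matter-2026-0142'
$custodians = @('jsmith@contoso.example', 'kwong@contoso.example')

New-UnifiedAuditLogRetentionPolicy -Name "$matter custodian audit retention" `
    -Description 'Retain mailbox, file, sharing and sign-in audit records for named custodians' `
    -RecordTypes ExchangeItem, ExchangeAdmin, SharePointFileOperation, SharePointSharingOperation, AzureActiveDirectoryStsLogon `
    -UserIds $custodians `
    -RetentionDuration TenYears `
    -Priority 1
# Priority must be unique across policies; 1 wins over every other policy for
# the records it matches. RetentionDuration accepts ThreeMonths, SixMonths,
# NineMonths, TwelveMonths or TenYears; TenYears requires the add-on licence.
```

Run the first three steps on every engagement, because a tenant that reports healthy licensing can still have ingestion or mailbox auditing switched off. Step 4 only protects records that have not yet expired; the export described in the next section is what actually preserves the evidence.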

4. What to capture first

When the engagement begins, capture in this order:

  1. Microsoft Entra sign-in logs for the affected accounts. These have the shortest default retention, and part of the window may already be gone; the UserLoggedIn and UserLoginFailed records in the unified audit log are the fallback for the missing days.
  2. Unified audit log for the affected accounts and the relevant date range. The Purview portal search and the Search-UnifiedAuditLog cmdlet read the same log; use the cmdlet for anything beyond a handful of records, because it is scriptable, keeps the raw AuditData JSON intact, and can be paged in date slices to stay under the 50,000-record limit of a single search session.
  3. Mailbox audit log for the affected mailboxes. Confirm empirically that MailItemsAccessed records exist for those mailboxes rather than relying on the licence table.
  4. OneDrive and SharePoint activity for the affected accounts. File-level events (FileDownloaded, FileSyncDownloadedFull, SharingSet, AnonymousLinkCreated) are the strongest evidence in exfiltration cases.
  5. Message trace for any specific messages that are central to the matter.
  6. Any remaining Audit (Premium) events if licensed, such as SearchQueryInitiatedExchange and Send.
  7. Tenant configuration snapshot including audit-log retention policies, conditional access policies, and the OAuth-grant inventory, taken at the same time as the logs so the configuration can be tied to the events.

Each capture is hash-verified and archived under chain of custody.
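The capture order above, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an account holding the Exchange Online View-Only Audit Logs role and the Graph AuditLog.Read.All, Directory.Read.All and Policy.Read.All scopes, and an Entra ID P1 or P2 licence (the Graph sign-in API requires one). The matter number, custodians, date range and output path are placeholders.

```powershell
# Added example (not the article's own code). Page the unified audit log in
# 24-hour slices, keep the raw AuditData JSON, pull Entra sign-ins and a
# configuration snapshot, then write a SHA-256 custody manifest.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'

$matter     = 'Matter-2026-0142'                                   # placeholder
$custodians = @('jsmith@contoso.example', 'kwong@contoso.example') # placeholder
$start      = (Get-Date '2026-01-01').ToUniversalTime()
$end        = (Get-Date).ToUniversalTime()
$outDir     = Join-Path $PWD "$matter-m365"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1+2. Unified audit log, including AzureActiveDirectoryStsLogon records
# (UserLoggedIn / UserLoginFailed), which outlive the Entra sign-in log.
# One search session per day keeps each result set well under the 50,000
# records a ReturnLargeSet session can deliver; shrink the slice if a day hits it.
$ualFile = Join-Path $outDir 'unified-audit-log.jsonl'
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    $sessionId = "$matter-$($day.ToString('yyyyMMdd'))"
    $sessionTotal = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
            -UserIds $custodians -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet
        # AuditData is the authoritative JSON record; write it unmodified, one per line.
        $page | ForEach-Object { $_.AuditData } | Add-Content -Path $ualFile -Encoding utf8
        $sessionTotal += @($page).Count
    } while ($page -and @($page).Count -eq 5000)
    if ($sessionTotal -ge 50000) { Write-Warning "$sessionId reached 50,000 records; re-run that day in smaller slices." }
}

# 1. Entra sign-in log (7 days free, 30 days with P1/P2). One query per custodian.
$signIns = foreach ($upn in $custodians) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All
}
$signIns | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $outDir 'entra-signins.json') -Encoding utf8

# 5. Message trace for a message central to the matter (sender/recipient are placeholders).
# Message trace covers 90 days; searches older than 10 days are queued as historical searches.
Get-MessageTrace -SenderAddress 'jsmith@contoso.example' -StartDate $end.AddDays(-10) -EndDate $end |
    ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $outDir 'message-trace.json') -Encoding utf8

# 7. Configuration snapshot taken at the same time as the logs.
Get-MgIdentityConditionalAccessPolicy -All | ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $outDir 'conditional-access.json') -Encoding utf8
Get-MgOauth2PermissionGrant -All | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $outDir 'oauth-grants.json') -Encoding utf8

# Custody manifest: SHA-256 of every export, with UTC timestamp and operator.
$manifest = Join-Path $outDir 'MANIFEST.sha256'
Get-ChildItem -Path $outDir -File | Where-Object Name -ne 'MANIFEST.sha256' | ForEach-Object {
    $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
    "$($h.Hash)  $($_.Name)  $((Get-Date).ToUniversalTime().ToString('o'))  $([Environment]::UserName)"
} | Set-Content -Path $manifest -Encoding ascii
```

Hash the manifest itself and record that hash in the custody log outside the export directory, so that the directory cannot be altered without the discrepancy being visible. Keep the exact cmdlet parameters used (custodians, date range, session IDs) with the export, since opposing counsel will ask how the scope was defined.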

5. Common gaps in M365 evidence

Five gaps we see often:

  1. Mailbox audit not fully enabled. Many tenants leave mailbox audit at default settings, or have AuditDisabled set at the tenant level, which limits what is recorded per mailbox and for which actors (owner, delegate, admin).
  2. Premium audit features not licensed. Without Audit (Premium) there are no audit retention policies and no ten-year option. MailItemsAccessed reached Audit (Standard) tenants with Microsoft's 2023 logging expansion, but its presence still depends on each mailbox's audit configuration, so check for actual records before relying on it to prove or refute that a specific message was read.
  3. OAuth grants not inventoried. Third-party app grants can persist after the user is offboarded, leaving an attacker pathway and a data flow that never appears in the user's own activity.
  4. Sign-in logs aged out. With 7 days of free Entra logs (30 days with P1/P2), by the time an investigation starts the relevant sign-ins may be gone. The UserLoggedIn and UserLoginFailed records in the unified audit log are the fallback, and streaming Entra logs to Log Analytics or a storage account through diagnostic settings closes the gap for future matters.
  5. Retention policies not in place. When a matter surfaces, the audit log is already aging out at the default 180 days (Audit Standard) or one year (Audit Premium).

Counsel can mitigate these gaps by working with IT to set audit configuration and retention policies before incidents occur, not after.
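A readiness check for gaps 1 to 3 above, as an added example that is not part of the original article (gap 5 is a retention-policy question and gap 4 is closed by Entra diagnostic settings, so neither is covered here). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and read-only roles; the scope pattern used to flag risky grants is illustrative.

```powershell
# Added example (not the article's own code). Surface mailboxes with weak
# audit settings, confirm MailItemsAccessed is really being recorded, and
# list OAuth grants, flagging data-access scopes and grants held by disabled users.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All'

# Gap 1: mailbox audit configuration. Tenant-wide switch first, then each mailbox.
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning 'Mailbox auditing is disabled tenant-wide.' }
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        -not $_.AuditEnabled -or
        [TimeSpan]"$($_.AuditLogAgeLimit)" -lt [TimeSpan]::FromDays(90) -or
        -not (@($_.AuditOwner) -contains 'MailItemsAccessed')
    } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit,
        @{ n = 'OwnerActions'; e = { @($_.AuditOwner) -join ',' } } |
    Format-Table -AutoSize

# Gap 2: do MailItemsAccessed records actually exist? Licence tables lie; the log does not.
$probe = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -ResultSize 1
if (-not $probe) {
    Write-Warning 'No MailItemsAccessed records in the last 7 days; check licensing and mailbox AuditOwner sets.'
}

# Gap 3: OAuth grant inventory, resolved to app names and granting users.
$spCache = @{}
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -ErrorAction SilentlyContinue
    }
    $sp = $spCache[$_.ClientId]
    # AllPrincipals = admin consent on behalf of every user; Principal = one user's consent.
    $user = if ($_.ConsentType -eq 'Principal') {
        Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName          # empty for unverified publishers
        GrantedTo   = if ($user) { $user.UserPrincipalName } else { 'ALL USERS (admin consent)' }
        UserEnabled = if ($user) { $user.AccountEnabled } else { 'n/a' }
        Scope       = $_.Scope
    }
} | Where-Object {
    # Illustrative risk filter: mail/file scopes, long-lived tokens, or a grant
    # that survived offboarding (the account is disabled but the grant persists).
    $_.Scope -match 'Mail\.|Files\.|offline_access' -or $_.UserEnabled -eq $false
} | Sort-Object App | Format-Table -AutoSize
```

A grant whose GrantedTo user is disabled is the exact case gap 3 describes: the refresh token issued to that app keeps working against the mailbox or OneDrive until the grant itself is revoked, and revocation events then need to be part of the evidence timeline too.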

6. Working with Microsoft Purview eDiscovery

For matters that go beyond audit-log analysis to include mailbox content, document libraries, and Teams chat, Microsoft Purview eDiscovery (Standard or Premium) is the native tool. Purview supports search, hold, export, and review across the entire M365 tenant.

The choice between Standard and Premium depends on volume and complexity. Standard supports basic search, hold, and export. Premium adds advanced indexing, cull and review tools, OCR, near-duplicate detection, predictive coding, and additional API access.

For e-discovery work, we typically deliver Purview-collected ESI into the review platform of your choice (Relativity, Reveal, Nuix, Everlaw, DISCO).
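The hold and search steps from the section above, as an added example that is not part of the original article. It assumes Security & Compliance PowerShell from the ExchangeOnlineManagement module, membership in the eDiscovery Manager role group, and eDiscovery (Standard); the case name, custodians, OneDrive URLs and KQL query are placeholders.

```powershell
# Added example (not the article's own code). Open an eDiscovery (Standard) case,
# place custodian mailboxes and OneDrive sites on hold, and run a scoping search.
Connect-IPPSSession

$case       = 'Matter-2026-0142'                                   # placeholder
$custodians = @('jsmith@contoso.example', 'kwong@contoso.example') # placeholder
$oneDrives  = @(                                                   # placeholder URLs
    'https://contoso-my.sharepoint.com/personal/jsmith_contoso_example',
    'https://contoso-my.sharepoint.com/personal/kwong_contoso_example'
)

New-ComplianceCase -Name $case -Description 'Departing-employee data preservation' | Out-Null

# Hold: content in scope is preserved even if the user deletes it, for as long
# as the policy is enabled. The hold must be in place before anything else,
# because purges that happen before it are not recoverable through eDiscovery.
$policy = New-CaseHoldPolicy -Name "$case hold" -Case $case `
    -ExchangeLocation $custodians -SharePointLocation $oneDrives -Enabled $true
# A hold policy needs at least one rule; omitting ContentMatchQuery holds everything in scope.
New-CaseHoldRule -Name "$case hold rule" -Policy $policy.Name | Out-Null

# Scoping search over the held locations; the KQL below is illustrative.
$searchName = "$case scoping"
New-ComplianceSearch -Name $searchName -Case $case `
    -ExchangeLocation $custodians -SharePointLocation $oneDrives `
    -ContentMatchQuery 'kind:email AND (subject:"confidential" OR attachment:xlsx) AND sent>=2026-01-01' | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report hit count and size for the preservation memo.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'PartiallySucceeded', 'Failed'))
$search | Select-Object Name, Status, Items, Size
```

Record the hold's creation timestamp alongside the audit exports: the difference between the triggering event and the moment the hold took effect is the window in which user deletions could have succeeded, and that window is what the other side will probe.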

Reference: Microsoft Purview Audit retention policies documentation. Microsoft Purview eDiscovery overview.

7. FAQ

Q: How quickly do we need to preserve M365 evidence? A: Within hours. The Entra sign-in log default retention is 7 days on a free tenant and 30 days with P1 or P2. The unified audit log default is 180 days under Audit (Standard) and one year under Audit (Premium). Each day reduces what is recoverable, and the sign-in window may already be partly gone when the matter is first noticed.

Q: Can we extend M365 audit log retention after the fact? A: No. A retention policy governs how long matching records are kept from the point it applies; it cannot recover records that have already expired. Put the policy in place before the events are needed, and export what exists now rather than waiting on the policy.

Q: What licence do we need for serious forensic work? A: Audit (Premium), included with E5 and E5 Compliance or available as an add-on, gives one-year default retention, audit retention policies, and the path to ten-year retention with the 10-Year Audit Log Retention add-on. MailItemsAccessed, Send and the search-query events reached Audit (Standard) with Microsoft's 2023 logging expansion, so an E3 or Business Premium tenant still supports solid forensic work, but at 180-day retention and without retention policies.

Q: Can M365 evidence support a class action defence? A: Yes, when properly preserved and exported through defensible methodology. The audit log is a server-side record outside the user's control, which strengthens its weight.

Q: Do we need a Microsoft administrator for the preservation? A: Yes, but not a Global Administrator. Unified audit log export needs the Audit Logs or View-Only Audit Logs role in Exchange Online, Purview eDiscovery needs eDiscovery Manager membership, and Entra sign-in logs need a reporting role such as Reports Reader, Security Reader or Global Reader. Grant those roles to a named, time-limited account for the engagement. We work alongside your IT team or your Managed Service Provider.
