Why you should Extend Microsoft 365 Audit Logs

By default, Microsoft 365 stores most audit data for only 90–180 days—fine for routine troubleshooting, but nowhere near enough when you need to reconstruct activity from last year (or five years ago). With the correct licence and a single retention policy, you can stretch those logs to a full decade, giving your organisation long-term visibility without extra tools. Microsoft provides the storage; you simply tell Purview what to keep.

A quick real-world scenario

Picture this: a finance contractor leaves today, and nine months later your auditor flags irregular wire-transfer requests. You must know exactly when that contractor accessed the CFO’s mailbox and downloaded vendor spreadsheets, yet the default 180-day logs are long gone. If you’d enabled a 10-year audit-log policy for high-risk accounts, you could pull every mailbox access, file download, and permission change in minutes—saving time, mitigating risk, and presenting solid evidence to legal counsel. Extending audit logs isn’t data hoarding; it’s inexpensive insurance for the questions you can’t yet predict.

Licensing requirements

You can only keep events longer than 180 days for users who have:  

• Microsoft 365 E5 license

• or Microsoft 365 E5 Compliance

• or E5 eDiscovery and Audit

Assign the license first; otherwise the audit portal won’t let you create a 10-year policy for that user.

1 – Plan what really needs long-term retention

List the specific mailboxes, SharePoint sites, Teams, or service accounts that must meet extended retention. Licensing only high-risk roles keeps costs—and log noise—down.

2 – Create the 10-year retention policy

1. Microsoft Purview portal ➜ Solutions ➜ Audit ➜ Policies ➜ Create audit retention policy

2. Name → Audit-10-Year-CriticalUsers and add a short description.

3. Users → select the licensed accounts.

4. Record type → choose All. (You can narrow to specific services)

5. Retention duration → select a 10 Years option.

6. Save. Microsoft confirms the policy is active.

From this point forward, every event generated by those users is stored for a decade.

3 – Adjust or expand later

Navigate to Audit ➜ Policies at any time. Adding users, changing record types, or shortening retention takes effect within 24 hours and is itself recorded for audit.

How PlexHosted can help

Not sure which users or workloads require 10-year retention? PlexHosted maps your compliance and business needs to Microsoft 365 settings, builds tailored audit-log policies, and trains your team to query the data quickly. Book a 30-minute call to see how fast we can close your audit gap.