---
name: Audit Log Retention and Coverage Validator
description: Verify the Microsoft Purview Unified Audit Log is enabled, retention meets Essential Eight and IRAP needs, and Copilot auditing is captured.
---

# Audit Log Retention and Coverage Validator

> **TL;DR:** This skill reads your Microsoft Purview audit configuration to confirm the Unified Audit Log is on, retention meets Essential Eight and IRAP needs, and Copilot activity is captured, then produces a scored gap report.

## What the Microsoft Purview Unified Audit Log records across your tenant

The Microsoft Purview Unified Audit Log is the single, tenant-wide store of user and admin activity events from Exchange Online, SharePoint, OneDrive, Microsoft Teams, Microsoft Entra and Microsoft 365 Copilot. Audit (Standard) keeps records for 180 days by default, while Audit (Premium) raises the default to one year and unlocks custom audit log retention policies (with a separate 10-year retention add-on available). Retention is applied per record type: a policy that names `ExchangeAdmin` does nothing for Copilot events, which arrive under the `CopilotInteraction` record type. This skill inspects whether logging is enabled, how long each record type is kept, and whether high-value workloads such as Copilot interaction auditing are in scope of an explicit policy rather than falling back to the default, so an investigator can still reconstruct events months after they occur.

## When should you run this skill?

- "Is the Unified Audit Log actually turned on in our tenant?"
- "Will our audit records survive long enough to satisfy an IRAP assessment?"
- "Are Microsoft 365 Copilot prompts and responses being captured for audit?"
- "We are preparing for an Essential Eight maturity uplift and need to prove audit coverage."
- "How long do we retain admin and sign-in activity, and is it enough?"
- "Did someone disable auditing or shorten a retention policy recently?"
- "Show me which workloads are missing from our audit retention policies."

## How this skill works, step by step

1. Authenticate read-only with an account holding only audit-reading roles: Exchange Online PowerShell for the ingestion state and Security & Compliance PowerShell for retention policies, plus Microsoft Graph for Microsoft Entra activity.
2. Confirm the Unified Audit Log ingestion state is enabled at the tenant level (`UnifiedAuditLogIngestionEnabled` from `Get-AdminAuditLogConfig`). If it reads `False`, cross-check that recent records still exist with a narrow `Search-UnifiedAuditLog` query before reporting auditing as disabled.
3. Determine the audit licence tier (Standard versus Premium) to establish the default retention baseline that applies to any record type with no explicit policy: 180 days on Standard, one year on Premium.
4. Enumerate all audit log retention policies, their record types, priorities and retention durations.
5. Check that high-value workloads, including Microsoft 365 Copilot interaction auditing, are within scope of an active policy.
6. Compare retention durations against Essential Eight and IRAP expectations and flag any window that falls short.
7. Identify gaps such as disabled auditing, default-only retention, or workloads with no explicit policy.
8. Derive a weighted risk score from coverage, retention length and Copilot capture findings.
9. Compile the findings into a prioritised, read-only report with remediation guidance.
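The procedure above, carried through as a PowerShell script. This is an added example written for this page, not the skill's own implementation. The cmdlets and the property names `UnifiedAuditLogIngestionEnabled`, `Name`, `RecordTypes`, `RetentionDuration` and `Priority` are real; the 365-day target, the list of high-value record types, the `-Offline` switch and the constructed sample tenant are assumptions made so the evaluation logic can be run without a tenant connection.

```powershell
# Added example (not the skill's code). Assumes the ExchangeOnlineManagement module is installed
# and the signed-in account holds only read-only audit roles. Run with -Offline to exercise the
# evaluation logic against a constructed sample instead of connecting to a tenant.
param(
    [int]$MinimumRetentionDays = 365,   # assumed target; set to what your IRAP assessor actually requires
    [switch]$Offline
)

# Record types treated as high value (assumed list). 'CopilotInteraction' is the Purview record type
# for Microsoft 365 Copilot events; 'AzureActiveDirectoryStsLogon' is Entra sign-in activity as
# written into the Unified Audit Log (distinct from Entra's own 7/30-day sign-in logs).
$HighValueRecordTypes = @('CopilotInteraction', 'AzureActiveDirectoryStsLogon', 'ExchangeAdmin', 'SharePoint')

# RetentionDuration enum values returned by Get-UnifiedAuditLogRetentionPolicy, mapped to days.
$DurationDays = @{ ThreeMonths = 90; SixMonths = 180; NineMonths = 270; TwelveMonths = 365; TenYears = 3650 }

function Get-AuditState {
    if ($Offline) {
        # Constructed sample: ingestion on, one 12-month policy covering Exchange admin only.
        $config   = [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $true }
        $policies = @([pscustomobject]@{ Name = 'Keep Exchange admin 1y'; RecordTypes = @('ExchangeAdmin')
                                         RetentionDuration = 'TwelveMonths'; Priority = 1 })
    } else {
        Connect-ExchangeOnline -ShowBanner:$false     # Get-AdminAuditLogConfig lives here
        Connect-IPPSSession                           # Get-UnifiedAuditLogRetentionPolicy lives here
        $config   = Get-AdminAuditLogConfig
        $policies = @(Get-UnifiedAuditLogRetentionPolicy)
    }
    [pscustomobject]@{ Config = $config; Policies = $policies }
}

function New-Finding { param($Check, $Status, $Observed, $Action)
    [pscustomobject]@{ Check = $Check; Status = $Status; ObservedValue = $Observed; RecommendedAction = $Action }
}

function Test-AuditCoverage {
    param($State, [int]$DefaultRetentionDays = 180)   # 180 = Audit (Standard) default; pass 365 for Premium
    $findings = @()

    # Step 2: ingestion state. Nothing else matters if this is off.
    if ($State.Config.UnifiedAuditLogIngestionEnabled) {
        $findings += New-Finding 'Unified Audit Log enabled' 'Pass' 'Enabled tenant-wide' 'None'
    } else {
        $findings += New-Finding 'Unified Audit Log enabled' 'Fail' 'Disabled' 'Enable ingestion; no records are being written'
    }

    # Steps 4-7: for each high-value record type, take the winning policy (lowest Priority number wins)
    # and compare its duration to the target; no policy means the licence-tier default applies.
    foreach ($rt in $HighValueRecordTypes) {
        $match = $State.Policies | Where-Object { $_.RecordTypes -contains $rt } |
                 Sort-Object Priority | Select-Object -First 1
        if ($null -eq $match) {
            $days = $DefaultRetentionDays
            $observed = "No policy; default $days days"
        } else {
            $days = $DurationDays["$($match.RetentionDuration)"]
            $observed = "$($match.Name): $days days"
        }
        if ($days -ge $MinimumRetentionDays) {
            $findings += New-Finding "$rt retention" 'Pass' $observed 'None'
        } elseif ($null -eq $match -and $rt -eq 'CopilotInteraction') {
            $findings += New-Finding "$rt retention" 'Fail' $observed 'Create a retention policy for Copilot records'
        } else {
            $findings += New-Finding "$rt retention" 'Warning' $observed "Extend to at least $MinimumRetentionDays days"
        }
    }
    $findings
}

# Step 8: crude weighting, any Fail outranks any Warning.
$results = Test-AuditCoverage -State (Get-AuditState)
$results | Format-Table -AutoSize
$risk = if ($results.Status -contains 'Fail') { 'High' } elseif ($results.Status -contains 'Warning') { 'Medium' } else { 'Low' }
"Overall risk: $risk"
```

Run with `-Offline` and the constructed sample yields the same shape of findings as the table below: Copilot with no policy is a Fail, the Exchange admin policy at 365 days is a Pass, and the record types left on the 180-day default are Warnings, so the overall risk reports High. The script only ever calls `Get-*` cmdlets; nothing here writes to the tenant.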

## Output format

The skill returns a findings table followed by a summary. Each row maps a check to its status, observed value and recommended action.

| Check | Status | Observed value | Recommended action |
| --- | --- | --- | --- |
| Unified Audit Log enabled | Pass | Enabled tenant-wide | None |
| Audit licence tier | Warning | Standard (180-day default) | Evaluate Premium for one-year retention |
| Copilot interaction auditing | Fail | No policy covering CopilotInteraction | Create a retention policy for Copilot records |
| Sign-in activity retention (`AzureActiveDirectoryStsLogon` records) | Pass | 365 days under an explicit policy | None |

- Overall risk score is presented as Low, Medium or High with a short rationale.
- A prioritised remediation list orders gaps by compliance impact.
- Each finding references the relevant control so owners can act with context.
- Counts of compliant versus non-compliant workloads are summarised at the top.

## Scope and safety

This skill is read-only and makes no changes to your tenant, policies or audit configuration. It reads configuration, issues audit log queries only to confirm that records exist, and reports findings.

This skill does NOT:

- Enable, disable or modify the Unified Audit Log or any retention policy.
- Create, edit or delete audit records or compliance policies.
- Export, retain or relocate audit event content outside your tenant.
- Assign licences or change subscription tiers.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Audit (Standard) Unified Audit Log and 180-day retention | Microsoft 365 E3 (or equivalent audited workload licences) |
| Audit (Premium) one-year default retention and custom audit log retention policies | Microsoft 365 E5, E5 Compliance, or the E5 eDiscovery and Audit add-on |
| Microsoft 365 Copilot interaction auditing | Microsoft 365 Copilot licence plus audited Microsoft 365 plan |

### Least-privilege roles

- Global Reader — read-only visibility of audit configuration and Purview compliance settings.
- View-Only Audit Logs role (Exchange Online) — read the Unified Audit Log ingestion state and retention policies.

### Microsoft Graph permissions (read-only)

- `AuditLog.Read.All` — reads Microsoft Entra directory audit and sign-in activity. Note that Microsoft Graph exposes only Entra's own logs, which are kept for 30 days with Microsoft Entra ID P1/P2 and 7 days otherwise; this confirms the activity is being generated but cannot evidence long retention. Long-term retention of sign-in events is assessed through the `AzureActiveDirectoryStsLogon` record type in the Unified Audit Log.
- Note: the Unified Audit Log ingestion state and audit log retention policies are not exposed through Microsoft Graph. This skill reads the ingestion state via Exchange Online PowerShell (`Connect-ExchangeOnline`, then `Get-AdminAuditLogConfig`) and retention policies via Security & Compliance PowerShell (`Connect-IPPSSession`, then `Get-UnifiedAuditLogRetentionPolicy`), both from the ExchangeOnlineManagement module, so no additional Graph scopes apply for those checks.

## Sources and compliance

- [Microsoft Purview auditing solutions overview](https://learn.microsoft.com/en-us/purview/audit-solutions-overview)
- [Manage audit log retention policies](https://learn.microsoft.com/en-us/purview/audit-log-retention-policies)
- Maps to the Essential Eight Maturity Model, whose higher maturity levels expect event logs to be centralised, protected from unauthorised modification or deletion, retained, and analysed in a timely manner to support incident detection and forensic analysis.
- Supports ISM controls on event logging and log retention for IRAP-aligned environments; confirm the specific retention period your assessor expects, as the skill compares against a configurable target rather than a single fixed number.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
