The availability of audit event data is controlled by Microsoft. Therefore, this article is designed to provide you with a reference to understand which events are available and when.
When a user or admin performs an audited activity in Microsoft 365, an audit record is generated and stored in the Microsoft 365 audit log for your organization. Refer to our article about CoreView's data retention to learn for how long the data is retained.
Please note that the retention duration of an audit record also depends on your Office 365 or Microsoft 365 enterprise subscription, specifically the type of license assigned to each user.
The following list presents the sources of the audit information:
- Defender for Microsoft 365 and Threat Intelligence
- Azure Active Directory (user login events)
- Azure Active Directory (admin events)
- Data Loss Prevention
- Dynamics 365 CRM
- Exchange Online
- Microsoft Power Automate
- Microsoft Stream
- Microsoft Teams
- Power Apps
- Power Bl
- Microsoft 365 compliance center
- Sensitivity labels
- SharePoint Online and OneDrive for Business
- Workplace Analytics
- Microsoft Forms
For timing and details on the schemas, please refer to the following articles in the Microsoft documentation: