{"id":7262,"date":"2023-08-30T01:44:59","date_gmt":"2023-08-30T01:44:59","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7262"},"modified":"2024-07-08T01:39:14","modified_gmt":"2024-07-08T01:39:14","slug":"365-audit-log-retention-everything-for-1-year","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/365-audit-log-retention-everything-for-1-year","title":{"rendered":"365 Audit Log Retention everything for 1 Year"},"content":{"rendered":"\n

https:\/\/blog.ciaops.com\/2020\/03\/20\/office-365-audit-retention-policy<\/a><\/p>\n\n\n\n

If you create the Policy with the below powershell You cannot edit it via the GUI<\/p>\n\n\n\n

The Gui has these two items listed but they do not work in the GUI of Powershell<\/p>\n\n\n\n

VfamCreatePolicyAuditRecord
VfamDeletePolicyAuditRecord
VfamUpdatePolicyAuditRecord<\/p>\n\n\n\n

Connect-IPPSSession <\/code><\/pre>\n\n\n\n
New-UnifiedAuditLogRetentionPolicy -Name \"Log Retention Policy\" -Description \"One year retention policy for all activities\" -RecordTypes ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation, OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet, ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation, AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked, SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer, SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow, AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project, SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp, PowerAppsPlan, ThreatIntelligenceAtpContent, LabelContentExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection, Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit, ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, SecureScore, MipAutoLabelExchangeItem, CortanaBriefing, Search, WDATPAlerts, PowerPlatformAdminDlp, PowerPlatformAdminEnvironment, MDATPAudit, SensitivityLabelPolicyMatch, SensitivityLabelAction, SensitivityLabeledFileAction, AttackSim, AirManualInvestigation, SecurityComplianceRBAC, UserTraining, AirAdminActionInvestigation, MSTIC, PhysicalBadgingSignal, TeamsEasyApprovals, AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat, MCASAlerts, OnPremisesFileShareScannerDlp, OnPremisesSharePointScannerDlp, ExchangeSearch, SharePointSearch, PrivacyDataMinimization, LabelAnalyticsAggregate, MyAnalyticsSettings, SecurityComplianceUserChange, ComplianceDLPExchangeClassification, ComplianceDLPEndpoint, MipExactDataMatch, MSDEResponseActions, MSDEGeneralSettings, MSDEIndicatorsSettings, MS365DCustomDetection, MSDERolesSettings, MAPGAlerts, MAPGPolicy, MAPGRemediation, PrivacyRemediationAction, PrivacyDigestEmail, MipAutoLabelSimulationProgress, MipAutoLabelSimulationCompletion, MipAutoLabelProgressFeedback, DlpSensitiveInformationType, MipAutoLabelSimulationStatistics, LargeContentMetadata, Microsoft365Group, CDPMlInferencingResult, FilteringMailMetadata, CDPClassificationMailItem, CDPClassificationDocument, OfficeScriptsRunAction, FilteringPostMailDeliveryAction, CDPUnifiedFeedback, TenantAllowBlockList, ConsumptionResource, HealthcareSignal, DlpImportResult, CDPCompliancePolicyExecution, MultiStageDisposition, PrivacyDataMatch, FilteringDocMetadata, FilteringEmailFeatures, PowerBIDlp, FilteringUrlInfo, FilteringAttachmentInfo, CoreReportingSettings, ComplianceConnector, PowerPlatformLockboxResourceAccessRequest, PowerPlatformLockboxResourceCommand, CDPPredictiveCodingLabel, CDPCompliancePolicyUserFeedback, WebpageActivityEndpoint, OMEPortal, CMImprovementActionChange, FilteringUrlClick, MipLabelAnalyticsAuditRecord, FilteringEntityEvent, FilteringRuleHits, FilteringMailSubmission, LabelExplorer, MicrosoftManagedServicePlatform, PowerPlatformServiceActivity, ScorePlatformGenericAuditRecord, FilteringTimeTravelDocMetadata, Alert, AlertStatus, AlertIncident, IncidentStatus, Case, CaseInvestigation, RecordsManagement, PrivacyRemediation, DataShareOperation, CdpDlpSensitive, EHRConnector, FilteringMailGradingResult, PublicFolder, PrivacyTenantAuditHistoryRecord, AipScannerDiscoverEvent, EduDataLakeDownloadOperation, M365ComplianceConnector, MicrosoftGraphDataConnectOperation, MicrosoftPurview, FilteringEmailContentFeatures, PowerPagesSite, PowerAppsResource, PlannerPlan, PlannerCopyPlan, PlannerTask, PlannerRoster, PlannerPlanList, PlannerTaskList, PlannerTenantSettings, ProjectForTheWebProject, ProjectForTheWebTask, ProjectForTheWebRoadmap, ProjectForTheWebRoadmapItem, ProjectForTheWebProjectSettings, ProjectForTheWebRoadmapSettings, QuarantineMetadata, MicrosoftTodoAudit, TimeTravelFilteringDocMetadata, TeamsQuarantineMetadata, SharePointAppPermissionOperation, MicrosoftTeamsSensitivityLabelAction, FilteringTeamsMetadata, FilteringTeamsUrlInfo, FilteringTeamsPostDeliveryAction, MDCAssessments, MDCRegulatoryComplianceStandards, MDCRegulatoryComplianceControls, MDCRegulatoryComplianceAssessments, MDCSecurityConnectors, MDADataSecuritySignal, VivaGoals, FilteringRuntimeInfo, AttackSimAdmin, MicrosoftGraphDataConnectConsent, FilteringAtpDetonationInfo, PrivacyPortal, ManagedTenants, UnifiedSimulationMatchedItem, UnifiedSimulationSummary, UpdateQuarantineMetadata, MS365DSuppressionRule, PurviewDataMapOperation, FilteringUrlPostClickAction, IrmUserDefinedDetectionSignal, TeamsUpdates, PlannerRosterSensitivityLabel, MS365DIncident, FilteringDelistingMetadata, ComplianceDLPSharePointClassificationExtended, MicrosoftDefenderForIdentityAudit, SupervisoryReviewDayXInsight, DefenderExpertsforXDRAdmin, CDPEdgeBlockedMessage, HostedRpa, CdpContentExplorerAggregateRecord, CDPHygieneAttachmentInfo, CDPHygieneSummary, CDPPostMailDeliveryAction, CDPEmailFeatures, CDPHygieneUrlInfo, CDPUrlClick, CDPPackageManagerHygieneEvent, FilteringDocScan, TimeTravelFilteringDocScan, MAPGOnboard, VfamCreatePolicy, VfamUpdatePolicy, VfamDeletePolicy, M365DAAD, CdpColdCrawlStatus, PowerPlatformAdministratorActivity, Windows365CustomerLockbox, CdpResourceScopeChangeEvent -RetentionDuration TwelveMonths -Priority 100<\/code><\/pre>\n\n\n\n
Current list of record types<\/p>\n\n\n\n
ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation, OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet, ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation, AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked, SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer, SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow, AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project, SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp, PowerAppsPlan, ThreatIntelligenceAtpContent, LabelContentExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection, Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit, ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, SecureScore, MipAutoLabelExchangeItem, CortanaBriefing, Search, WDATPAlerts, PowerPlatformAdminDlp, PowerPlatformAdminEnvironment, MDATPAudit, SensitivityLabelPolicyMatch, SensitivityLabelAction, SensitivityLabeledFileAction, AttackSim, AirManualInvestigation, SecurityComplianceRBAC, UserTraining, AirAdminActionInvestigation, MSTIC, PhysicalBadgingSignal, TeamsEasyApprovals, AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat, MCASAlerts, OnPremisesFileShareScannerDlp, OnPremisesSharePointScannerDlp, ExchangeSearch, SharePointSearch, PrivacyDataMinimization, LabelAnalyticsAggregate, MyAnalyticsSettings, SecurityComplianceUserChange, ComplianceDLPExchangeClassification, ComplianceDLPEndpoint, MipExactDataMatch, MSDEResponseActions, MSDEGeneralSettings, MSDEIndicatorsSettings, MS365DCustomDetection, MSDERolesSettings, MAPGAlerts, MAPGPolicy, MAPGRemediation, PrivacyRemediationAction, PrivacyDigestEmail, MipAutoLabelSimulationProgress, MipAutoLabelSimulationCompletion, MipAutoLabelProgressFeedback, DlpSensitiveInformationType, MipAutoLabelSimulationStatistics, LargeContentMetadata, Microsoft365Group, CDPMlInferencingResult, FilteringMailMetadata, CDPClassificationMailItem, CDPClassificationDocument, OfficeScriptsRunAction, FilteringPostMailDeliveryAction, CDPUnifiedFeedback, TenantAllowBlockList, ConsumptionResource, HealthcareSignal, DlpImportResult, CDPCompliancePolicyExecution, MultiStageDisposition, PrivacyDataMatch, FilteringDocMetadata, FilteringEmailFeatures, PowerBIDlp, FilteringUrlInfo, FilteringAttachmentInfo, CoreReportingSettings, ComplianceConnector, PowerPlatformLockboxResourceAccessRequest, PowerPlatformLockboxResourceCommand, CDPPredictiveCodingLabel, CDPCompliancePolicyUserFeedback, WebpageActivityEndpoint, OMEPortal, CMImprovementActionChange, FilteringUrlClick, MipLabelAnalyticsAuditRecord, FilteringEntityEvent, FilteringRuleHits, FilteringMailSubmission, LabelExplorer, MicrosoftManagedServicePlatform, PowerPlatformServiceActivity, ScorePlatformGenericAuditRecord, FilteringTimeTravelDocMetadata, Alert, AlertStatus, AlertIncident, IncidentStatus, Case, CaseInvestigation, RecordsManagement, PrivacyRemediation, DataShareOperation, CdpDlpSensitive, EHRConnector, FilteringMailGradingResult, PublicFolder, PrivacyTenantAuditHistoryRecord, AipScannerDiscoverEvent, EduDataLakeDownloadOperation, M365ComplianceConnector, MicrosoftGraphDataConnectOperation, MicrosoftPurview, FilteringEmailContentFeatures, PowerPagesSite, PowerAppsResource, PlannerPlan, PlannerCopyPlan, PlannerTask, PlannerRoster, PlannerPlanList, PlannerTaskList, PlannerTenantSettings, ProjectForTheWebProject, ProjectForTheWebTask, ProjectForTheWebRoadmap, ProjectForTheWebRoadmapItem, ProjectForTheWebProjectSettings, ProjectForTheWebRoadmapSettings, QuarantineMetadata, MicrosoftTodoAudit, TimeTravelFilteringDocMetadata, TeamsQuarantineMetadata, SharePointAppPermissionOperation, MicrosoftTeamsSensitivityLabelAction, FilteringTeamsMetadata, FilteringTeamsUrlInfo, FilteringTeamsPostDeliveryAction, MDCAssessments, MDCRegulatoryComplianceStandards, MDCRegulatoryComplianceControls, MDCRegulatoryComplianceAssessments, MDCSecurityConnectors, MDADataSecuritySignal, VivaGoals, FilteringRuntimeInfo, AttackSimAdmin, MicrosoftGraphDataConnectConsent, FilteringAtpDetonationInfo, PrivacyPortal, ManagedTenants, UnifiedSimulationMatchedItem, UnifiedSimulationSummary, UpdateQuarantineMetadata, MS365DSuppressionRule, PurviewDataMapOperation, FilteringUrlPostClickAction, IrmUserDefinedDetectionSignal, TeamsUpdates, PlannerRosterSensitivityLabel, MS365DIncident, FilteringDelistingMetadata, ComplianceDLPSharePointClassificationExtended, MicrosoftDefenderForIdentityAudit, SupervisoryReviewDayXInsight, DefenderExpertsforXDRAdmin, CDPEdgeBlockedMessage, HostedRpa, CdpContentExplorerAggregateRecord, CDPHygieneAttachmentInfo, CDPHygieneSummary, CDPPostMailDeliveryAction, CDPEmailFeatures, CDPHygieneUrlInfo, CDPUrlClick, CDPPackageManagerHygieneEvent, FilteringDocScan, TimeTravelFilteringDocScan, MAPGOnboard, VfamCreatePolicy, VfamUpdatePolicy, VfamDeletePolicy, M365DAAD, CdpColdCrawlStatus, PowerPlatformAdministratorActivity, Windows365CustomerLockbox, CdpResourceScopeChangeEvent<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
https:\/\/blog.ciaops.com\/2020\/03\/20\/office-365-audit-retention-policy If you create the Policy with the below powershell You cannot edit it via the GUI The Gui has these two items listed but they do […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7262","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t