How to Audit User Activity with Microsoft Purview
21 minutes
M365 Show brings you expert insights, news, and strategies across Power Platform, Azure, Security, Data, and Collaboration in the Microsoft ecosystem.
3 months ago
Ever wondered what your team is really doing in Microsoft 365?
Not in a micromanaging way, but from a compliance and security
perspective? The truth is, without auditing, you’re flying
blind—especially in a hybrid world where sensitive data moves
faster than ever. Today, we’re going to show you how Microsoft
Purview lets you actually see what’s happening behind the scenes.
Are your audit logs catching what matters most—or are you missing
the signs of a risk that could cost you? Let’s find out.
Why Visibility Matters More Than Ever
Your organization might be tracking logins, but do you know who’s
opening sensitive files at two in the morning? That’s the gap so
many companies miss. It’s easy to feel like activity is covered
when you see pretty dashboard charts of active users and
sign-ins, but that barely scratches the surface of what’s
actually happening in your environment. The shift to hybrid work
has been great for flexibility, but it’s also made user activity
harder to monitor. People are connecting from personal devices,
home networks you don’t control, and cloud apps that blur the
boundary between what lives in your tenant and what gets shared
outside of it. The lines are fuzzier than ever, and so are the
risks.

Most companies assume the built-in usage reports in Microsoft 365
are the same thing as audit logs. They’re not. Usage reports
might tell you that a OneDrive file was accessed five times, but
they rarely tell you which user accessed it, under what session,
or from where. That’s like checking the odometer on your
car—sure, you know how many miles were driven, but you have no
idea who was behind the wheel. It looks good until your
compliance officer asks for precise accountability, and suddenly
you realize those gaps aren’t just minor oversights. They can
turn into questions you can’t answer.

Imagine this scenario: your legal department asks you to provide
a clear account of who viewed and copied financial records last
quarter. Maybe there’s an investigation, maybe it’s just part of
due diligence. If all you have is a roll-up report or email
activity stats, you’ll find yourself staring at incomplete data
that fails to answer the actual question. When you can’t meet
that level of detail, the issue shifts from inconvenience to
liability. The ability to trace actions back to individual users,
with a timeline, is no longer a nice-to-have capability—it’s the
baseline expectation.

Then you have the pressure of regulations stacked on top.
Frameworks like GDPR, HIPAA, and industry-specific mandates
demand that organizations keep detailed records of user activity.
They aren’t satisfied with generic counts and summaries; they
want traceability, accountability, and proof. Regulators don’t
care if your portal makes things look secure. They care about
evidence—clear logs of who did what, when they did it, and in
many cases, from what device or IP. If you can’t produce that,
you can end up with everything from fines to litigation risk. And
fines are the visible part—damage to reputation or client trust
is often far worse.

Without strong auditing, blind spots put you in danger two ways.
One is regulatory exposure, where you simply cannot produce the
information required. The other is making it easier for insider
threats to slip by unnoticed. You may catch a brute force login
attempt against an MFA-protected account, but would you notice a
trusted user quietly exporting mailbox data to a PST file? If you
don’t have the right granularity in your logs, some of those
actions blend into the background and never raise alarms. That’s
what makes blind spots so dangerous—they hide activity in plain
sight.

It’s like setting up a building with security cameras at the
front door, but all those cameras do is mark that “someone
entered.” You have absolutely no view of whether they walked
straight to the lobby or broke into the records room. That kind
of system satisfies nobody. You wouldn’t feel safe in that
building, and you wouldn’t trust it to host sensitive
conversations or high-value assets. Yet many IT organizations
operate this way because they don’t realize their current reports
offer that same shallow view.

The good news is that Microsoft Purview closes those gaps. Rather
than siloed or surface-level data, it gives structured visibility
into activity happening across Exchange, SharePoint, Teams, Power
BI, and more. It doesn’t just say “a user connected”—it captures
the actions they performed. That difference moves you from broad
usage stats to fine-grained audit trails you can actually stand
behind.

At this point, it’s clear that auditing user activity isn’t
optional anymore. It’s not just about checking a compliance
box—it’s the shield protecting both trust and accountability in
your organization. When you can show exactly who did what, you
reduce risk, strengthen investigations, and put yourself in a
position where regulators and security teams alike take your
evidence seriously. Now that we know why visibility is
non-negotiable, the next question is obvious: what exactly is
Microsoft Purview Audit, and how does it separate itself from the
standard logs already built into Microsoft 365?
What Microsoft Purview Audit Actually Is
So what makes Purview Audit different from simple activity
logging? On the surface, activity logs and usage reports seem
like they deliver the same thing. You get numbers, dates, and
maybe the high-level actions users performed. But Purview Audit
goes deeper—it isn’t just a log of who signed in or how many
files were shared. It’s Microsoft’s centralized system for
capturing the details of user and admin actions across Microsoft
365 services, letting you investigate events with much more
precision. Instead of looking at fragmented reports from
Exchange, SharePoint, Teams, and OneDrive individually, you work
from a single investigation pane. That unifies oversight and
makes evidence gathering a structured process rather than
scattered detective work. A lot of admins miss that difference.
It’s common to confuse the friendly graphs inside the M365 admin
center with actual auditing. A usage chart might reassure you
that Teams is “adopted widely” or SharePoint storage grew by some
percentage. But if your compliance team asks for proof about a
deleted file, that data won’t help. Purview Audit captures
forensic-level detail: the specific user, the activity type,
timestamps, and in many cases contextual metadata like client IP
or workload. It replaces the guesswork with provable logs that
hold up under scrutiny, whether that’s regulatory review or
incident response. There are two layers to understand—Standard
and Premium. Purview Audit Standard comes on for most tenants
automatically and gives you the baseline: actions like file
access, document sharing, email moves, mailbox logins, and basic
administrator activity across the core workloads such as
Exchange, SharePoint, OneDrive, and Azure Active Directory. Think
of Standard as the foundation. You’ll be able to track major user
events, verify if someone signed in, exported mail, or touched a
file, and set date ranges to review those actions. For smaller
organizations or those not working in deeply regulated
industries, it can feel sufficient. Premium is where the line
sharpens. With Audit Premium, Microsoft expands the scope and
retention of what’s captured. Suddenly you’re not only seeing the
obvious actions, you’re getting advanced signals like
forensic-level logon data including token usage, geolocation
context, and client details. Teams activity isn’t just about a
file uploaded; you can capture message reads, reactions, and link
clicks. The retention jumps from a limited 90 days in Standard to
up to 365 days or longer in Premium. That longer retention is
often the difference between being able to investigate past
incidents or hitting a frustrating dead end. If you’ve ever had
an investigation that spanned several months, you know why older
data is essential. Put this into a real-world example. Imagine
you suspect an insider quietly exported large quantities of
mailbox content. In Standard, you might see a note that “a
mailbox export was initiated” along with a timestamp and the
account name. Helpful, but limited. In Premium, you’d see the
session identifiers, the client used for the export, and the
specific context about how the action was initiated. That
additional metadata can point to whether it was a legitimate
admin following procedure or an unusual account trying to sneak
out data at 3 A.M. For forensic investigations and eDiscovery
readiness, that extra layer of granularity turns a flat report
into actionable intelligence. This is why for heavily regulated
industries—finance, healthcare, government—Standard won’t cut it
in the long term. Even if the basics cover today’s questions,
audits grow more complex as regulations get stricter. When an
auditor asks not just “who accessed this file” but “show me all
anomalous activity in the weeks before,” Premium-level logging
becomes essential. You cannot answer nuanced, time-sensitive
questions without that data. For everyone else, there’s still
value in Premium because subtle insider risks or advanced threats
won’t reveal themselves in just basic usage activity. What makes
Purview Audit stand out, then, is not simply volume. It’s the
nature of the information you can act on. You aren’t just
collecting logs to satisfy compliance; you’re capturing a
narrative of digital activity across your tenant. Every login,
every admin command, every unusual traffic spike can be turned
into evidence. The distinction boils down to this: with usage
reports you watch from 30,000 feet. With Purview, you walk the
floors and see exactly what happened, even months later. That’s
why Purview Audit isn’t just another dashboard tucked away in the
portal. It’s the fail-safe when things go sideways, the proof you
turn to after an incident, and the accountability layer for
compliance officers. Having the right edition for your scenario
determines whether you can quickly investigate or whether you’re
left scrambling for missing details. Now that we’ve clarified
what Purview Audit really is and why those distinctions matter,
the natural step is to see it in action. So let’s walk through
how to actually get hands-on with the audit experience inside the
portal.
How to Get Started in the Portal
The Compliance portal can feel overwhelming the first time you
log in. Tabs, widgets, categories—you get the sense Microsoft
wanted to pack everything neatly, but somehow it still turns into
a scroll marathon. So where do you even start if your goal is to
look at audit logs? The path isn’t obvious, and that’s why most
people hesitate the first time they land here. Don’t worry—once
you know the entry point, it actually makes sense. The place you
want to go is the Microsoft Purview compliance portal. You can
get there by heading to the URL compliance.microsoft.com and
signing in with the right level of admin privileges. If you
already have a bookmark to the Microsoft 365 admin center, don’t
confuse that for the same thing. The audit experience lives
specifically in the Purview compliance portal, not the core admin
center. That’s where Microsoft puts the compliance-focused tools
like eDiscovery, Insider Risk Management, and of course, Audit.
Here’s where most new admins trip up. You log in, you see this
long menu of solutions—Communication Compliance, Content Search,
Information Protection, Encryption, and on and on. You scroll
down, scanning through more than a dozen items, and wonder if
Audit even exists in your tenant. The answer is yes, it does. But
the menu uses broad grouping, so the “Audit” link is tucked right
under “Solutions.” You click there, and only then do you feel
like you’ve found the starting line. Picture opening this portal
for the first time. You’re scrolling past retention policies,
classification tabs, insider alerts, and endpoint data loss
prevention. It feels endless. Finally, Audit sneaks into view,
usually further down than you expect. That moment of “oh, there
it is” happens to almost everyone. And then another question pops
up: is audit actually running in the background right now? That’s
not always obvious either. By default, Microsoft enables Standard
audit logging for most tenants. What that means is user and admin
actions across your core services are likely being logged
already. But “likely” isn’t enough for compliance, and it’s
definitely not enough for peace of mind. The first thing you
should always do is confirm the setting. In the Audit homepage,
if audit logging isn’t on, you’ll see a clear option to enable
it. Click that, confirm the prompt, and from that point forward
everything across the core workloads starts landing in your logs.
If it’s already on, you’ll see a confirmation banner letting you
know it’s active. Once that groundwork is settled, you can
finally run an actual search. This is where the tool starts to
show its value. At the top of the audit page, there’s an option
for a new search. Here you can filter based on user accounts,
specific activities, or date ranges. For example, maybe you want
to check whether a certain employee accessed files in SharePoint
over the last week. You enter their username, select the
activities you want to trace—like “File Accessed” or “File
Deleted”—and then set the timeframe. The system then queries the
logs and presents you with matching results. Every record comes
with the timestamp, the service involved, and often the IP
address or device associated with the action. Running that first
query feels like the hurdle is finally cleared. You move from
staring at an empty dashboard to seeing actual data that tells
you what happened in your environment. That’s when the tool
starts to feel useful instead of confusing. And researchers or
compliance staff quickly realize it’s not difficult to build
targeted searches once you’ve seen the process once or twice.
Another feature here that gets overlooked is exporting. You’re
not limited to reviewing the data inside the Compliance portal.
Say your security team wants to line up activity with data from a
firewall appliance, or your compliance officer wants to build
charts for an internal review. You can select export to CSV
directly in the search results, hand that file off, and they can
run their own analysis. For organizations that need
visualizations, the data can also integrate into Power BI, giving
you filters and dashboards across departments. That’s a major
plus when audit needs to be shared beyond one technical team.
Once you’ve crossed that initial learning curve—finding Audit in
the portal, confirming logging is active, and running those first
queries—the tool feels much less intimidating. Search starts to
become second nature. You stop worrying about whether data is
captured, and instead focus on the insights hidden in the
records. Of course, this is just scratching the surface. Being
able to type queries and export results is one level of use, but
what happens when you need more? That’s when the question shifts
from portal clicks to integration. Because if you truly want to
catch threats or correlate behavior, you need those logs feeding
into bigger security workflows, not just sitting in a CSV file.
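The portal walk-through above, done from Exchange Online PowerShell instead of the browser, as an added example that is not from the episode or from Microsoft's documentation: confirm that unified audit logging is actually on, run the same "did this user access or delete SharePoint files in the last week" search, pull the who/what/when/from-where fields out of each record, and export the result to CSV. The cmdlets (Get-AdminAuditLogConfig, Set-AdminAuditLogConfig, Search-UnifiedAuditLog) are the real Exchange Online ones; the admin account, the target user and the output path are placeholders, and the script assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that permits audit log search.

```powershell
# Added example, not from the episode. Placeholders: admin UPN, target user, output path.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 1. Confirm auditing is on rather than assuming it is "likely" on.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit log ingestion is enabled.'
}

# 2. Targeted search: one user, two SharePoint file operations, last 7 days.
$user  = 'jdoe@contoso.example'            # placeholder
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = @('FileAccessed', 'FileDeleted')

# Page through the results inside one search session so a large
# result set is not silently truncated at the default page size.
$sessionId = "audit-$user-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user -Operations $ops -RecordType SharePointFileOperation `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page -and $page.Count -eq 5000)

# 3. The detail lives as JSON in AuditData; extract the fields an
#    investigator asks for (who, what, when, from where, which item).
$rows = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Item      = $d.ObjectId
    }
} | Sort-Object Time

$rows | Format-Table -AutoSize

# 4. Hand the evidence to another team as CSV, as the portal export would.
$rows | Export-Csv -Path '.\sharepoint-file-activity.csv' -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an interactive session the first time so the Connect-ExchangeOnline prompt can complete. The session-based paging matters: a single Search-UnifiedAuditLog call without a session returns only a limited page, which is exactly the kind of silent gap that turns "we have logs" into "we can't answer the question."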
What If You Want to Go Further?
Running searches in the portal is nice, but what happens when you
need automation? Scrolling through logs on demand works for a
quick check, but no security team can realistically sit in the
portal each morning and run through 20 different filters. The
volume of activity in Microsoft 365 environments is massive, and
by the time someone notices something odd in a manual export,
it’s probably too late. Taking a CSV to Excel every time you want
insight gets old quickly, and more importantly, it creates lag.
If an attacker is already exfiltrating sensitive data, that
week-long lag between activity and discovery is exactly the
window they need. That’s why automation has to be part of the
picture. The audit data is only worth something if you can make
use of it in real time or on a repeatable schedule. This is where
PowerShell becomes a powerful extension of the Purview Audit
feature. Instead of relying on the portal alone, admins can
schedule scripts that query logs at set intervals and apply
advanced filters on the fly. With PowerShell, you can query by
user, IP address, activity type, or even combinations of those.
That lets you design audit pulls that map directly to what’s
relevant for your environment. For example, you might care less
about every Teams reaction and more about nonstop file downloads
in OneDrive. Building that logic into a scheduled job means the
question gets answered daily without anyone having to hit
“export.” Let’s put this into a scenario. Say you want to monitor
for unusual logins—accounts signing in outside business hours, or
connections coming from regions where your company doesn’t even
operate. With PowerShell you can create a script to query login
logs based on timestamps and geolocation, and automatically flag
results outside your expected ranges. Suddenly, the idea that
you’d only know about those odd logins a week later from an
analyst’s CSV disappears. You’ve got a repeatable detection
system feeding you results right away. Another example: if
someone tries to download hundreds of files in a short burst,
your script can be written to catch that behavior. Those are the
kinds of patterns that, if left unchecked, often indicate insider
threats or compromised accounts. Automating the search closes
that gap. But PowerShell is just one part. The other leap comes
when you integrate Microsoft Purview Audit data directly into
Sentinel, Microsoft’s SIEM and SOAR offering. Sentinel is where
security operations centers live day-to-day, watching dashboards,
running detections, and responding to alerts. If Purview sits
isolated as a compliance-only tool, audit insights aren’t helping
that SOC workflow. But once logs are funneled into Sentinel, they
stop being just historical evidence and start driving live
monitoring. You can create custom analytics rules that trigger
alerts when audit data matches suspicious behavior. Imagine near
real-time notifications for mass mailbox exports or repeated
SharePoint sharing to external domains—that context goes from
hidden in an export to front and center in your SOC screen.
Leaving audit isolated creates risk because it keeps valuable
data siloed. Compliance officers might be happy the logs exist,
but security teams lose the opportunity to act on them in the
moment. If an attacker is working slowly and carefully to avoid
detection, those siloed logs might catch the activity weeks later
during a compliance review. By then, the damage is long done.
Integrating audit into broader security workflows collapses that
timeline—you move from reactive reporting to proactive defense.
This is also why many enterprises don’t stop at just Sentinel.
They start weaving Purview Audit into other layers of Microsoft’s
security stack. For example, tying signals into Identity
Protection, so unusual audit activity combines with risk-based
conditional access policies. Or blending with Insider Risk
Management to surface subtler concerns, like employees
exfiltrating data before leaving the company. Data Loss
Prevention can even layer those insights further, correlating
what users are doing in logs with what files or items are
sensitive in the first place. The real strength arrives when
auditing isn’t sitting alone but feeding into a web of connected
defenses. When you reach that stage, the role of Purview Audit
transforms. It stops being simply a way to prove compliance
during a regulator’s audit. It becomes part of your everyday
detection engine and part of the reason your SOC spots unusual
behavior before it spirals into a breach. Instead of combing
through spreadsheets for answers after the fact, you position
audit data as an active layer of defense. It’s evidence when
questions come later, but more importantly, it’s intelligence you
can use right now. That brings us to the big picture. Having the
technology set up correctly matters, but if you want auditing to
serve its purpose, you need to think well beyond the mechanics of
settings, scripts, and exports.
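The two automation scenarios described above (sign-ins outside business hours, and a user downloading a burst of files) written as one scheduled PowerShell pass, added here as an example that is not from the episode. It assumes an already connected Exchange Online PowerShell session (Connect-ExchangeOnline), and the business-hours window, the burst threshold, the ten-minute bucket size and the output folder are placeholders to tune to your own baseline. The audit timestamps are UTC, so the script converts them to local time before deciding what "outside business hours" means.

```powershell
# Added example, not from the episode. Assumes Connect-ExchangeOnline has run.
$start          = (Get-Date).AddHours(-24)
$end            = Get-Date
$businessStart  = 7      # local hour, placeholder
$businessEnd    = 19     # local hour, placeholder
$burstThreshold = 100    # downloads per 10-minute window, placeholder
$outDir         = '.\audit-findings'   # placeholder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pull every record for the given operations/record type in the window,
# paging inside one session, and return the parsed AuditData objects.
function Get-AuditRecords {
    param([string[]]$Operations, [string]$RecordType)
    $sessionId = "sched-$RecordType-$(Get-Date -Format yyyyMMddHHmmss)"
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations $Operations -RecordType $RecordType `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $page
    } while ($page -and $page.Count -eq 5000)
    return $all | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# (a) Sign-ins outside business hours or on weekends.
$logins = Get-AuditRecords -Operations 'UserLoggedIn' -RecordType AzureActiveDirectoryStsLogon
$offHours = foreach ($l in $logins) {
    $utc   = [datetime]::SpecifyKind([datetime]$l.CreationTime, 'Utc')
    $local = $utc.ToLocalTime()
    if ($local.Hour -lt $businessStart -or $local.Hour -ge $businessEnd -or
        $local.DayOfWeek -in 'Saturday', 'Sunday') {
        [pscustomobject]@{
            LocalTime = $local
            User      = $l.UserId
            ClientIP  = $l.ClientIP
            Result    = $l.ResultStatus
        }
    }
}

# (b) Download bursts: bucket each user's FileDownloaded events into
#     10-minute windows and keep the windows over the threshold.
$downloads = Get-AuditRecords -Operations 'FileDownloaded' -RecordType SharePointFileOperation
$bursts = $downloads |
    Group-Object -Property {
        $t = [datetime]$_.CreationTime
        '{0}|{1:yyyy-MM-dd HH}:{2:00}' -f $_.UserId, $t, ([math]::Floor($t.Minute / 10) * 10)
    } |
    Where-Object Count -ge $burstThreshold |
    ForEach-Object {
        $user, $window = $_.Name -split '\|', 2
        [pscustomobject]@{ User = $user; WindowUtc = $window; Downloads = $_.Count }
    }

# Persist findings with a timestamp so the scheduler leaves a trail even
# when nobody is watching the console.
$stamp = Get-Date -Format yyyyMMdd-HHmm
$offHours | Export-Csv -Path (Join-Path $outDir "offhours-logins-$stamp.csv") -NoTypeInformation
$bursts   | Export-Csv -Path (Join-Path $outDir "download-bursts-$stamp.csv") -NoTypeInformation
Write-Host ("Off-hours sign-ins: {0}; download bursts: {1}" -f @($offHours).Count, @($bursts).Count)
```

Register the script with Task Scheduler (or any job runner) to run every 24 hours with a service identity that holds only the audit-search role. The CSVs are the minimum; the same two conditions translate directly into analytics rules once the audit feed lands in Sentinel, which is what turns a daily file into an alert on the SOC screen.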
Shaping Your Organization’s Strategy
It’s easy to treat auditing as a checkbox, but what if it shaped
your security culture instead of sitting quietly in the
background? Most organizations think of logs as something you
keep because compliance requires it, not because it can actively
change how the business operates. The truth is, the way you
approach auditing has a direct impact on whether it becomes a
living part of your security posture or just another archive
gathering dust. When Purview Audit is used strategically, it
stops being a tool you pull out during regulator check-ins and
becomes a system that guides your everyday understanding of
what’s normal versus what’s not. The first mindset shift is
realizing that logs by themselves don’t solve anything. Having
them switched on is the floor, not the ceiling. What matters is
how that data is used. If you never look for patterns, never test
what “normal” in your tenant feels like, then the logs collect
for months without producing real value. Reactive use of
auditing—waiting until an incident happens to start reading
through records—misses the point. Strategy means layering in
baselines from the start, understanding user rhythms, and
learning what expected activity looks like before a problem
arrives. This is where a lot of firms stumble. They enable
auditing once, assume that’s the win, and forget that the data is
useless without context. Let’s say your team logs a million
actions per week. On paper, that sounds impressive. But unless
you’ve established what counts as standard behavior for those
actions, spikes or gaps go unnoticed. An intruder who wants to
blend in doesn’t want to stand out—they want to look like
everyone else. If you never defined what “everyone else” looks
like, then camouflage works. That’s the tension: clear signals
exist in the logs, but no one notices them because there’s no
frame of reference. Baselining regular activity is one of the
simplest yet most powerful things you can do with Purview Audit.
It’s not glamorous—sometimes it’s running the same queries week
by week and plotting them so you see patterns. But over time, a
picture forms of your organization’s digital heartbeat. How often
files get accessed, when Teams chats spike, when SharePoint usage
drops for weekends or holidays. Once you know these patterns,
deviations jump off the page. That’s how the system evolves from
endless records into insight that feels alive. Take Teams file
shares. If on average your organization shares 600 files a week
and suddenly that number doubles in two days, you don’t
immediately jump to “breach.” It could be a large project
deadline or a new department adopting Teams more actively. But
now you have a reason to check, because you noticed the spike in
the first place. Without that baseline, it would sit buried in
totals until someone stumbled across it. With the baseline, you
frame a question: is this legitimate growth, or an intruder
offloading data under the cover of normal traffic? The challenge
is that data volume grows quickly in any modern tenant. Without
strategy, logs shift from valuable signals to noisy chatter. You
can’t notice meaningful patterns if they’re buried under
thousands of inconsequential entries. That’s why strategy has to
go deeper than just turning on auditing—it’s about organizational
structure. Different roles need different lenses. Compliance
officers benefit from summaries that demonstrate who accessed
what, grouped into reports they can hand to oversight committees.
Security teams, by contrast, hunt for anomalies, spikes, and
correlations that point to risk. IT admins focus on proving who
performed high-impact changes, like mailbox exports or new
privilege assignments. Trying to dump the exact same audit data
onto each of these groups won’t work. Role-based reporting
ensures everyone consumes what matters to them. Breaking down
responsibilities this way addresses two issues: people don’t feel
overwhelmed by irrelevant noise, and the signal-to-noise ratio
improves for every team. Instead of everyone ignoring the logs
because they’re unreadable, each group sees the parts of the
audit system that align with their job. That ensures logs get
checked regularly, not only when forced by external pressure. The
payoff is that auditing shifts from a reactive fallback to a
proactive monitor. It becomes a living system inside your tenant,
an indicator of health and an early-warning system. You stop
framing logs as a burden and start framing them as
visibility—evidence of everything your cloud is doing and capable
of flagging when something doesn’t match expectations. Purview
Audit, with strategy wrapped around it, is more than storage for
records. It’s the pulse you check to make sure your digital
environment is safe and accountable. At this point, the next step
is obvious: you can’t wait until trouble surfaces to decide if
your audit approach is working. You need to act intentionally
today, or those unseen risks will keep piling up, hidden behind
the comfort of “at least the logs are turned on.”
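The baselining practice described above (run the same query week after week, then ask why this week looks different) as an added PowerShell example that is not from the episode. It counts selected operations per whole week for the last several weeks, uses the median of those weeks as the baseline, and flags the most recent complete week when it rises or falls by more than a chosen factor; "doubled" is the factor the episode itself uses. It assumes a connected Exchange Online PowerShell session and that the ResultCount field Search-UnifiedAuditLog returns reflects the total matches for the query; the operation list, the number of weeks and the factor are placeholders.

```powershell
# Added example, not from the episode. Assumes Connect-ExchangeOnline has run.
$operations  = @('FileAccessed', 'FileDownloaded', 'SharingSet')  # placeholder
$weeksBack   = 8     # history to baseline against; stays inside Standard retention
$alertFactor = 2.0   # flag when this week is >= 2x or <= 1/2 of the baseline

# Total matches for one operation in one whole week. Only one record is
# fetched; its ResultCount carries the total number of matching events.
function Get-WeeklyCount {
    param([string]$Operation, [datetime]$WeekStart)
    $first = Search-UnifiedAuditLog -StartDate $WeekStart -EndDate $WeekStart.AddDays(7) `
        -Operations $Operation -ResultSize 1
    if ($first) { return [int]$first[0].ResultCount }
    return 0
}

# Median is used instead of mean so one unusual week does not drag the baseline.
function Get-Median {
    param([double[]]$Values)
    $s = @($Values | Sort-Object)
    $n = $s.Count
    if ($n -eq 0) { return 0 }
    if ($n % 2) { return $s[[int][math]::Floor($n / 2)] }
    return ($s[$n / 2 - 1] + $s[$n / 2]) / 2
}

# Align to Monday 00:00 so each count covers exactly one week; compare the
# last complete week, not the partial current one.
$today      = (Get-Date).Date
$thisMonday = $today.AddDays(-(([int]$today.DayOfWeek + 6) % 7))
$lastMonday = $thisMonday.AddDays(-7)

$report = foreach ($op in $operations) {
    $history = for ($w = 1; $w -le $weeksBack; $w++) {
        Get-WeeklyCount -Operation $op -WeekStart $lastMonday.AddDays(-7 * $w)
    }
    $current  = Get-WeeklyCount -Operation $op -WeekStart $lastMonday
    $baseline = Get-Median -Values $history
    $ratio    = if ($baseline -gt 0) { [math]::Round($current / $baseline, 2) } else { $null }
    $flag     = ($null -ne $ratio) -and ($ratio -ge $alertFactor -or $ratio -le (1 / $alertFactor))
    [pscustomobject]@{
        Operation = $op
        WeekOf    = $lastMonday.ToString('yyyy-MM-dd')
        Baseline  = $baseline
        ThisWeek  = $current
        Ratio     = $ratio
        Review    = $flag
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\weekly-baseline.csv' -NoTypeInformation
```

A flagged row is a question, not a verdict: a doubled SharingSet count is as likely to be a project deadline as an exfiltration attempt, which is exactly why the baseline exists, so that someone asks. Keeping the weekly CSVs over time also gives compliance officers the trend summaries the role-based reporting point above calls for, while the security team works from the flagged rows.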
Conclusion
Auditing isn’t a future nice-to-have—it’s the barrier keeping
your operations controlled instead of running on blind trust.
Without it, you’re left hoping your environment is safe rather
than knowing it. That distinction matters more each day as data
spreads across services, devices, and users you only partially
manage. So here’s the challenge: sign in to your Purview portal
today. Don’t assume logging is enough. Check whether your audit
setup is intentional or accidental, and ask if the data you’d
need tomorrow is truly there. Because the real risk isn’t what
you see—it’s what’s quietly happening when you’re not looking.
Get full access to M365 Show - Microsoft 365 Digital Workplace
Daily at m365.show/subscribe