
What are Microsoft 365 Audit Logs?

Microsoft 365 Unified Audit Logs (UAL) record user and admin activity across your Microsoft 365 environment: logins, email access, SharePoint activity, Teams interactions, and more. Petra relies on these logs to detect threats, investigate incidents, and produce reports.

How to enable audit logs

Audit logging must be turned on in your Microsoft 365 tenant. To check or enable it:
  1. Sign in to the Microsoft Purview portal with an account that holds the Audit Logs role in Exchange Online (assigned by default to the Organization Management and Compliance Management role groups). A Global Admin can do this too, but the role alone is enough and is the least-privilege choice.
  2. Navigate to Solutions > Audit.
  3. If you see a banner that says “Start recording user and admin activity”, click it to turn on audit logging. The change can take up to 60 minutes to take effect, and new events typically become searchable some time after they occur rather than immediately.
  4. If you don’t see the banner, auditing is already enabled for your tenant.
Audit (Standard) is included with most Microsoft 365 and Office 365 subscriptions, so enabling it does not require an add-on license.
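The same check and switch can be scripted from Exchange Online PowerShell, which is useful when you manage many tenants. The script below is an added example and is not Petra's own code; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs role, and that the UPN shown is a placeholder for your own admin account.

```powershell
# Added example (not Petra's code): check and, if needed, enable Unified Audit Log ingestion.
# Assumptions: ExchangeOnlineManagement module installed; account holds the Audit Logs role
# (Organization Management / Compliance Management); the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"

# UnifiedAuditLogIngestionEnabled reflects whether the tenant is recording to the UAL.
$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is already enabled for this tenant."
} else {
    Write-Host "Unified audit logging is OFF; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Microsoft notes the change can take up to 60 minutes to take effect.
    # Events from before this point are not generated retroactively.
    Write-Host "Enabled. Re-run this check in about an hour to confirm."
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the cmdlet reports `True` but the Purview portal still shows the “Start recording” banner (or vice versa), treat the portal as authoritative and wait for the hour-long propagation window before escalating.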

Do I need to enable audit logs myself?

Petra Active

No. When you onboard a tenant to Petra Active, Petra checks whether unified audit logging is enabled and turns it on for you automatically. You don’t need to do anything beforehand.

Petra Autopsy

Yes, and auditing needs to have been on already. Autopsy performs a lookback over the last 6 months of activity. If audit logging was not turned on during that period, there is no historical data for Petra to retrieve. Microsoft does not backfill logs retroactively: you can only see activity from the point audit logging was enabled onward.
You cannot just turn on audit logs and expect to see 6 months of historical data. Petra Autopsy can only analyze logs that Microsoft was actively recording. If logging was enabled last week, Autopsy can only see one week of data.

How to check if your logs are flowing

From the Tenants table: If a tenant’s status shows Audit Logs Not Enabled, audit logging is not turned on for that tenant.
From the Activity Viewer: Navigate into the tenant and scroll down to the logs section. Browse through the Logins, Exchange, SharePoint, and Teams tabs and look at the date range of available data:
  • If logs stop abruptly at a date within the last 6 months, that is most likely when audit logging was enabled for the tenant. Everything before that date was not recorded by Microsoft. A tenant that was simply idle can look similar on a single tab, so check the other tabs before concluding.
  • If the tenant was recently onboarded, Petra may still be backfilling. See below for expected timelines.

How long does backfill take?

When you onboard a new tenant, Petra pulls up to 6 months of historical audit logs from Microsoft. This process typically takes up to 72 hours, depending on:
  • The volume of activity in the tenant
  • Microsoft API response times and rate limits
  • The number of users and event types
Microsoft’s own APIs can introduce delays in surfacing audit log data. If your backfill seems slow, this is almost always due to Microsoft-side throttling rather than an issue with Petra.

FAQs

I just onboarded a tenant and don’t see any logs yet. Is something wrong?

Probably not. Petra takes up to 72 hours to backfill historical logs after onboarding. Give it some time and check the Activity Viewer again later.

My logs go cold a few months back. Why?

This almost always means audit logging was enabled on that date. Microsoft only records activity from the moment auditing is turned on; it does not retroactively generate logs for the period before. The date where logs stop is most likely when someone enabled auditing for that tenant. The only other common explanation is a tenant with no activity at all during the earlier period, which is easy to rule out by checking the other workload tabs.
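To confirm this outside Petra, and to answer the earlier question of whether logs are flowing, you can ask Microsoft directly for the earliest record it still holds. The script below is an added example, not Petra's own code or tooling; it assumes the ExchangeOnlineManagement module is installed, that the account holds the View-Only Audit Logs role or better, and that the UPN is a placeholder. It walks the 180-day retention window in 7-day steps, then narrows to the first day that returns data.

```powershell
# Added example (not Petra's code): find the earliest date for which Microsoft still returns
# Unified Audit Log records. A result well inside the 180-day window usually marks the day
# auditing was switched on. Assumptions: ExchangeOnlineManagement installed; account holds the
# View-Only Audit Logs role or better; the UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"

function Test-AuditWindow {
    # Returns $true if at least one record exists in [Start, End). Dates are treated as UTC.
    param([datetime]$Start, [datetime]$End)
    $hit = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 1
    return ($null -ne $hit)
}

$now   = (Get-Date).ToUniversalTime()
$floor = $now.AddDays(-180)   # Audit (Standard) retention boundary

# Pass 1: walk forward from the retention boundary in 7-day windows until one has data.
$weekStart = $null
for ($s = $floor; $s -lt $now; $s = $s.AddDays(7)) {
    $e = $s.AddDays(7)
    if ($e -gt $now) { $e = $now }
    if (Test-AuditWindow -Start $s -End $e) { $weekStart = $s; break }
}

if ($null -eq $weekStart) {
    Write-Host "No audit records in the last 180 days: auditing is off, was only just enabled, or the tenant is idle."
} else {
    # Pass 2: narrow to the first day inside that week that has data.
    $firstDay = $null
    for ($d = $weekStart; $d -lt $weekStart.AddDays(7); $d = $d.AddDays(1)) {
        if (Test-AuditWindow -Start $d -End $d.AddDays(1)) { $firstDay = $d; break }
    }
    if ($null -eq $firstDay) { $firstDay = $weekStart }   # defensive; pass 1 found data in this week

    $ageDays = [int]($now - $firstDay).TotalDays
    $label   = $firstDay.ToString('yyyy-MM-dd')
    if ($ageDays -ge 178) {
        Write-Host "Records go back the full retention window (earliest ~$label). Auditing has been on for at least 6 months."
    } else {
        Write-Host "Earliest record: $label ($ageDays days ago). Auditing was most likely enabled around then; no lookback can see anything older."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

At most 26 weekly and 7 daily queries run, each capped at one result, so this is cheap even on a busy tenant. Because Microsoft surfaces events with a lag of hours, a thin or empty last day is normal and not evidence that logging has stopped.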

Can I see logs older than 6 months?

No. Microsoft 365 retains Audit (Standard) records for 180 days (about 6 months). Even if auditing has been enabled for longer, data older than that is no longer available from Microsoft’s APIs, so there is nothing for Petra to retrieve. Tenants licensed for Audit (Premium) keep records longer on the Microsoft side, but Petra’s lookback is 6 months either way; if you need a longer history, export the logs to your own SIEM or storage before they age out.

Autopsy says “Audit Logs Not Enabled.” What do I do?

This means the tenant does not have Unified Audit Logs turned on. Without them, Petra cannot do a historical lookback. Petra will automatically move the tenant to Active monitoring instead, which enables audit logs going forward and begins detecting threats from that point on. You’ll get your Autopsy slot back so you can try a different tenant that already has logging history.

My Autopsy tenant was moved to monitoring automatically. Why?

If Petra detects that a tenant’s audit logs are not enabled, it cannot perform the historical lookback that Autopsy requires. In this case, Petra automatically moves the tenant to Active monitoring so it can start protecting it going forward. You’ll receive another free Autopsy slot to try a different tenant that has audit log history.

Does Petra work without audit logs?

Petra Active will enable audit logs for you and begin monitoring from that point forward. However, without historical audit log data, Petra cannot look back at past activity — which is what Autopsy is designed to do. For the best protection, ensure audit logging is enabled on all your tenants as early as possible.