
Control 1.7: Comprehensive Audit Logging and Compliance

Overview

Control ID: 1.7
Control Name: Comprehensive Audit Logging and Compliance
Regulatory Reference: FINRA 4511, SEC 17a-3/4, SOX 302/404, GLBA 501(b)
Setup Time: 1-2 hours (Standard) or 8-10 hours (Azure WORM)


Purpose

Implement comprehensive audit logging to capture Microsoft 365 Copilot and Copilot Studio agent interactions, providing an evidence trail commonly requested for regulatory examinations, security investigations, and compliance monitoring. For broker-dealers, this control includes guidance that may help support SEC 17a-4(f) WORM storage requirements as part of a broader records and supervision program.

U.S.-only framing

The regulatory references and examples in this control are written for U.S. financial services (e.g., FINRA/SEC/SOX/GLBA). If you operate outside the U.S., adapt this guidance to your applicable regulatory regime with legal/compliance counsel.


Description

Microsoft Purview Audit provides comprehensive logging of user and admin activities across Microsoft 365, including Microsoft 365 Copilot and agent interactions. Audit logs are essential for compliance monitoring, security investigations, and regulatory examinations.

See Microsoft Purview Audit for detailed capabilities.


Key Capabilities

| Capability | Description | FSI Relevance |
| --- | --- | --- |
| Unified audit log | Single log for all M365 activities | Comprehensive visibility |
| Agent activity logging | Microsoft 365 Copilot and agent interactions | AI supervision |
| Search and filter | Advanced query capabilities | Investigation support |
| Retention policies | Configurable retention periods | Retention governance and exam readiness support |
| Export | Export logs for external systems | SIEM integration |

Copilot Studio Automatic Security Scan

Built-in Security Safety Net

Copilot Studio includes an automatic security scan feature that warns makers before publishing agents with potentially risky configurations. This provides a defense-in-depth layer for governance.

When Security Scan Triggers:

Copilot Studio automatically scans agents at publish time and displays warnings when:

| Condition | Warning | Risk |
| --- | --- | --- |
| Authentication changed to "No authentication" | Agent will be accessible without sign-in | Unauthorized access |
| Connector credentials changed to maker auth | Agent uses maker's credentials instead of user's | Privilege escalation |
| Agent shared with everyone in organization | Broad distribution enabled | Oversharing |

What This Means for FSI:

  • Makers receive visual warnings before risky configurations go live
  • Warnings are logged and can be monitored for compliance
  • Organizations can track how often warnings are bypassed
  • Provides evidence of "informed consent" when makers proceed despite warnings

Monitoring Bypassed Warnings:

While makers can proceed despite warnings, organizations should:

  1. Monitor audit logs for publish events with security scan warnings
  2. Review agents that were published with warnings bypassed
  3. Include security scan status in agent inventory metadata
  4. Consider policy requiring governance review when warnings are bypassed

Source: Security scan


Prerequisites

Primary Owner Admin Role: Purview Audit Admin
Supporting Roles: None

Licenses Required

| License | Purpose | Required For |
| --- | --- | --- |
| Microsoft 365 E3/E5 | Basic audit logging (180 days) | All levels |
| Microsoft 365 E5/E5 Compliance | Extended audit retention (up to 10 years) | Level 2+ |
| Microsoft Purview Audit (Premium) | Premium audit capabilities | Level 4 |
| Azure Subscription | WORM storage for SEC 17a-4(f) | Broker-dealers |

Permissions Required

| Role | Purpose | Assignment Method |
| --- | --- | --- |
| Compliance Administrator | Access and search audit logs | Entra ID |
| Security Administrator | Security-focused audit queries | Entra ID |
| Global Reader | Read-only audit access | Entra ID |
| Audit Manager (Custom) | Export and retention management | Purview RBAC |

Dependencies

| Dependency | Description | Verification |
| --- | --- | --- |
| Unified audit logging | Must be enabled at tenant level | Check Purview → Audit |
| License assignment | Users must have appropriate licenses | Check license assignment |
| Retention policies | Define how long to retain logs | Configure in Purview |
| Azure storage (optional) | For WORM compliance | Create storage account |

Pre-Setup Checklist

  • [ ] Unified audit logging enabled
  • [ ] E5 licenses assigned for extended retention
  • [ ] Retention requirements documented per regulation
  • [ ] SIEM integration requirements identified
  • [ ] Azure storage account created (if WORM required)
  • [ ] Agent inventory available to identify what to monitor

Governance Levels

Level 1 - Baseline

| Requirement | Configuration |
| --- | --- |
| Audit enabled | Standard audit logging active |
| Review cadence | Monthly audit log review |
| Export procedure | Manual export for key events |

Minimum requirements:

  • Verify audit logging is enabled
  • Document audit review procedures
  • Export key events monthly

| Requirement | Configuration |
| --- | --- |
| Audit Premium | Extended retention (1+ years) |
| Retention policies | Custom policies per governance tier |
| SIEM integration | Export to security monitoring |
| Scheduled searches | Weekly agent activity reviews |

FSI recommendations:

  • Enable Audit Premium for extended retention
  • Create retention policies for Tier 2/3 agents
  • Integrate with SIEM for real-time monitoring
  • Weekly review of agent audit events

Level 4 - Regulated/High-Risk

| Requirement | Configuration |
| --- | --- |
| 10-year retention | Audit Premium or Azure immutable storage |
| Continuous monitoring | Real-time audit alerts |
| Immutable storage | Azure WORM for regulatory compliance |
| Anomaly detection | Automated detection of unusual patterns |

FSI considerations (high-risk):

  • Consider 10+ year retention for customer-facing agent interactions (where applicable)
  • Consider a weekly (or more frequent) export to immutable storage when WORM preservation is required
  • Consider continuous anomaly detection for Tier 3 agents
  • Perform quarterly audit log integrity verification as part of operational assurance

SIEM Integration

Export Options

| Method | Use Case | Frequency |
| --- | --- | --- |
| Manual export | Ad-hoc investigations | As needed |
| Management Activity API | Automated export | Continuous |
| Azure Monitor | Real-time streaming | Continuous |
| Microsoft Sentinel | Native integration | Continuous |

Integration with Sentinel

See Control 3.9: Microsoft Sentinel Integration for detailed SIEM integration guidance.


Setup & Configuration

Audit Navigation

Accessing Audit

  1. Open Microsoft Purview
  2. Navigate to Audit in left navigation
  3. Select Search to query audit logs

If you don't see Audit (or see a prompt to start recording):

  • Confirm your account has a role that can access Audit (see Permissions Required).
  • Confirm audit logging is enabled at the tenant level (see PowerShell Configuration → Enable Unified Audit Logging).
  • After enabling, allow for ingestion latency; some events can take from ~30 minutes up to 24 hours to appear.

Audit Sub-Pages

| Page | Purpose | Key Features |
| --- | --- | --- |
| Search | Query audit logs | Advanced filters, export |
| Policies | Audit retention policies | Custom retention periods |
| Pay-as-you-go usage | Usage tracking | Cost monitoring |

| Solution | Integration |
| --- | --- |
| eDiscovery | Search audit logs for investigations |
| Data Security Investigations (preview) | Security-focused audit analysis |

Audit Search Interface

Search Metrics

The Search page displays summary metrics:

| Metric | Description |
| --- | --- |
| Searches completed | Number of finished searches |
| Active searches | Currently running searches |
| Active unfiltered searches | Searches without filters |

Search Form Fields

| Field | Description | Required |
| --- | --- | --- |
| Date and time range (UTC) Start | Search start date and time | Yes |
| Date and time range (UTC) End | Search end date and time | Yes |
| Keyword Search | Keywords to search for | No |
| Admin Units | Administrative units to filter | No |
| Activities - friendly names | Select activities by friendly name | No |
| Activities - operation names | Enter operation values (comma-separated) | No |
| Record Types | Select record types to search | No |
| Search name | Name for the search | No |
| Users | Users whose audit logs to search | No |
| ObjectId (File, folder, or site) | File, website, or folder name | No |
| Workloads | Workloads to search | No |

Search Actions

| Action | Description |
| --- | --- |
| Search | Execute the search query |
| Clear all | Reset all search fields |
| Copy this search | Duplicate search parameters |
| Delete | Remove saved search |
| Refresh | Update search results |

Search History Table

| Column | Description |
| --- | --- |
| Search name | Name assigned to the search |
| Job status | Running, Completed, Failed |
| Progress (%) | Completion percentage |
| Search time | Duration of search |
| Total results | Number of records found |
| Creation time (UTC) | When search was created |
| Search performed by | User who ran the search |

Microsoft 365 Copilot Activities

| Activity | Description | Record Type |
| --- | --- | --- |
| CopilotInteraction | User interaction with Microsoft 365 Copilot | CopilotInteraction |
| CopilotFeedback | User feedback on Microsoft 365 Copilot response | CopilotInteraction |
| CopilotPluginUsed | Plugin invoked during interaction | CopilotInteraction |

Copilot Studio Activities

| Activity | Description | Record Type |
| --- | --- | --- |
| AgentCreated | New agent created | CopilotStudio |
| AgentPublished | Agent published to channel | CopilotStudio |
| AgentModified | Agent configuration changed | CopilotStudio |
| AgentInteraction | User interaction with agent | CopilotStudio |

Power Platform Activities

| Activity | Description | Record Type |
| --- | --- | --- |
| PowerPlatformAdminActivity | Admin activities in PPAC | PowerPlatformAdministratorActivity |
| EnvironmentCreated | New environment created | PowerPlatformAdministratorActivity |
| DLPPolicyModified | DLP policy changed | PowerPlatformAdministratorActivity |

Searching for Agent Activities

  1. Navigate to Audit → Search
  2. Set Date and time range for period of interest
  3. In Activities - friendly names, select Copilot or agent activities
  4. Optionally filter by Users or Workloads
  5. Enter a Search name for reference
  6. Click Search
  7. Review results and export as needed

Example Searches for FSI

| Scenario | Search Parameters |
| --- | --- |
| All Microsoft 365 Copilot interactions | Activities: CopilotInteraction, Date range: Last 30 days |
| Agent creation events | Activities: AgentCreated, AgentPublished |
| Admin changes to agents | Record Types: CopilotStudio, Activities: *Modified |
| User-specific activity | Users: specific user, Activities: CopilotInteraction |

Audit Retention

Standard vs Premium

| Feature | Audit (Standard) | Audit (Premium) |
| --- | --- | --- |
| Log retention | 180 days | Up to 10 years |
| Custom policies | No | Yes |
| High-value events | No | Yes |
| Intelligent insights | No | Yes |

Creating Retention Policies

  1. Navigate to Audit → Policies
  2. Click Create policy
  3. Configure retention period
  4. Select record types to retain
  5. Assign to users or entire organization
  6. Save policy

FSI Retention Requirements

These retention values are examples to help define a policy baseline. Actual retention requirements vary by record type, business activity, and regulator interpretation; extended retention may support examination readiness but does not, by itself, guarantee regulatory compliance.

| Tier | Minimum Retention | Recommended |
| --- | --- | --- |
| Tier 1 | 180 days (Standard) | 1 year |
| Tier 2 | 1 year | 7 years |
| Tier 3 | 7 years | 10 years |

PowerShell Configuration

Enable Unified Audit Logging

```powershell
# Connect to Exchange Online PowerShell. Set-AdminAuditLogConfig must be run here:
# in Security & Compliance PowerShell, UnifiedAuditLogIngestionEnabled always reads False.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Enable unified audit logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Verify status
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Check Mailbox Audit Logging (for mailbox activities)
Get-OrganizationConfig | Select-Object AuditDisabled
# Should return False (auditing enabled)
```

Search Copilot and Agent Audit Events

```powershell
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)

# Define search parameters
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# Search for Copilot interactions
# A single call returns at most 5000 records; if the count equals 5000,
# narrow the date range or page the search so results are not truncated.
$copilotEvents = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType CopilotInteraction -ResultSize 5000

Write-Host "Found $($copilotEvents.Count) Copilot events"

# Export to CSV for analysis
$copilotEvents | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path "Copilot-Audit-Log-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

# Search for Copilot Studio agent events
# Record type name as listed in the Power Platform Activities table
$agentEvents = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType PowerPlatformAdministratorActivity -Operations "PublishedAgent","UpdatedAgent" -ResultSize 1000

$agentEvents | Export-Csv -Path "Agent-Publish-Events.csv" -NoTypeInformation
```

Configure Audit Retention Policy

```powershell
# Audit retention policy cmdlets run in Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Intended settings for extended AI audit retention.
# Reference values for the policy created in the portal; not passed to a cmdlet here.
$retentionPolicyParams = @{
    Name = "FSI-AI-Audit-Retention-6Years"
    Description = "6-year retention for AI-related audit events per FINRA 4511"
    RetentionDuration = "TenYears"  # Maximum available
    Comment = "Applies to Copilot and agent audit events"
}

# Note: Retention policy creation is done in Purview portal
# PowerShell for querying existing policies
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, Priority, RetentionDuration
```

Export Audit Logs for WORM Compliance

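```powershell
# Export function for SEC 17a-4(f) compliance
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
function Export-AuditLogsToBlob {
    param(
        [Parameter(Mandatory)][DateTime]$StartDate,
        [Parameter(Mandatory)][DateTime]$EndDate,
        [Parameter(Mandatory)][string]$OutputPath
    )

    # Search all record types. A single call returns at most 5000 records, so page
    # with a session ID until no more results come back; an unpaged call would
    # silently truncate the export.
    $sessionId = [guid]::NewGuid().ToString()
    $allEvents = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $allEvents += $page
    } while ($page.Count -gt 0)

    # A paged session is capped at 50,000 records
    if ($allEvents.Count -ge 50000) {
        Write-Warning "Result cap reached - export smaller date windows to avoid gaps"
    }

    # Create JSON export
    $jsonExport = $allEvents | ForEach-Object {
        $_.AuditData | ConvertFrom-Json
    } | ConvertTo-Json -Depth 10

    # Save locally (then upload to Azure Immutable Storage)
    $fileName = "Audit-Export-$($StartDate.ToString('yyyy-MM-dd'))-to-$($EndDate.ToString('yyyy-MM-dd')).json"
    $filePath = Join-Path $OutputPath $fileName
    $jsonExport | Out-File -FilePath $filePath -Encoding UTF8

    Write-Host "Exported to $filePath"
    return $filePath
}

# Example: Weekly export for WORM storage
Export-AuditLogsToBlob -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -OutputPath "C:\AuditExports"
```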

Audit Specific Agent Activities

```powershell
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
# Uses $startDate and $endDate as defined in the search parameters above

# Define agent-related operations to monitor
$agentOperations = @(
    "PublishedAgent",
    "UpdatedAgent",
    "DeletedAgent",
    "AgentConfigChanged",
    "ConnectorAdded",
    "ConnectorRemoved"
)

# Search for agent lifecycle events
# Pass the array directly; a comma-joined string is treated as one operation name
$agentAudit = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -Operations $agentOperations -ResultSize 1000

# Display ($event is a PowerShell automatic variable, so use another name)
foreach ($auditEvent in $agentAudit) {
    Write-Host "$($auditEvent.CreationDate): $($auditEvent.Operations) by $($auditEvent.UserIds)"
}

# Export agent audit trail
$agentAudit | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Date = $_.CreationDate
        Operation = $_.Operations
        User = $_.UserIds
        AgentName = $data.ObjectId
        Environment = $data.EnvironmentName
    }
} | Export-Csv -Path "Agent-Lifecycle-Audit.csv" -NoTypeInformation
```

Monitor Audit Log Health

```powershell
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline)

# Check for recent audit events to verify logging is active
$recentEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) `
    -ResultSize 100

if ($recentEvents.Count -eq 0) {
    Write-Warning "No audit events in last 24 hours - verify audit logging is enabled"
} else {
    Write-Host "Audit logging active: $($recentEvents.Count) events in last 24 hours"

    # Show distribution by record type
    $recentEvents | Group-Object -Property RecordType |
        Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table
}
```

Financial Sector Considerations

Regulatory Mapping

| Regulation | Retention Requirement | Control Implementation |
| --- | --- | --- |
| FINRA 4511 | 6 years for customer records | 6+ year retention policy |
| SEC 17a-3/4 | 3-6 years depending on record type | Extended retention + WORM |
| SOX 302/404 | 7 years for audit documentation | 7-year retention minimum |
| GLBA 501(b) | Reasonable retention for security logs | 3+ year retention |
| FFIEC | Commensurate with risk | Risk-based retention |

Tier-Specific Audit Configuration

| Tier | Retention | Real-time SIEM | WORM Required | Review Frequency |
| --- | --- | --- | --- | --- |
| Tier 1 | 180 days (default) | Optional | No | Monthly |
| Tier 2 | 1 year | Recommended | No | Weekly |
| Tier 3 | 6+ years | Strongly recommended (high-risk) | If broker-dealer | Daily |

Agent Activity Event Types for FSI

| Event Type | Description | FSI Monitoring Priority |
| --- | --- | --- |
| CopilotInteraction | User-Copilot conversations | High - customer interactions |
| PublishedAgent | Agent made available | Critical - deployment control |
| AgentConfigChanged | Agent settings modified | High - change management |
| ConnectorAdded | Data source connected | Critical - data access |
| SensitiveDataAccessed | Agent accessed sensitive info | Critical - data protection |

FSI Example: Broker-Dealer Audit Configuration

```yaml
Organization: Registered Broker-Dealer
Regulatory Requirement: SEC 17a-4(f), FINRA 4511

Audit Configuration:
  Standard Retention:
    - Default: 180 days (E3)
    - Extended: 10 years (E5)
    - Custom: 6-year policy for customer records

  WORM Compliance:
    - Method: Azure Immutable Blob Storage
    - Policy: Time-based retention (6 years)
    - Export: Weekly automated export
    - Verification: Monthly integrity check

  SIEM Integration:
    - Platform: Microsoft Sentinel
    - Connector: Office 365 (Unified Audit Log)
    - Real-time: Yes
    - Alerting: Configured for sensitive events

  Monitoring:
    - Daily: Tier 3 agent activity review
    - Weekly: Full audit log health check
    - Monthly: Retention policy verification
    - Annual: SEC examination readiness test
```

Regulatory Context

Primary Regulations: FINRA 4511, SEC 17a-3/4, SOX 302/404, GLBA 501(b)

| Regulation | Audit Logging Requirement |
| --- | --- |
| FINRA 4511 | Books and records - retain AI interaction logs |
| SEC 17a-3/4 | Record retention for AI-assisted communications |
| SOX 302/404 | Internal controls over AI system logging |
| GLBA 501(b) | Security safeguards including audit trails |

Examination Considerations

Regulators may request:

  • Audit logs for specific time periods
  • Evidence of retention policy configuration
  • Export of agent interaction logs
  • Demonstration of search capabilities
  • Proof of immutable storage (Level 4)

SEC 17a-4 WORM Requirements (Broker-Dealers)

Important for Broker-Dealers

SEC Rule 17a-4(f) requires certain electronic records to be stored in non-rewritable, non-erasable format (WORM - Write Once, Read Many). Microsoft 365's native audit log retention and export capabilities may not, by themselves, satisfy 17a-4(f) without additional design, validation, and oversight.

Compliance Options:

| Option | Description | Compliance Status |
| --- | --- | --- |
| Azure Immutable Blob Storage | Export audit logs to Azure with an immutable (WORM) policy | May support meeting WORM storage requirements when correctly configured and independently validated; consult counsel |
| Third-party WORM archive | Use an archival vendor offering WORM retention and supervisory controls | May support meeting WORM storage requirements depending on vendor capabilities/attestations (e.g., no-action context) and your procedures |
| Microsoft 365 Audit Premium only | Extended retention without WORM immutability controls | May support longer retention for investigations, but may be insufficient for 17a-4(f) WORM requirements by itself |

Recommendation: Broker-dealers should implement a documented export + preservation process (often weekly or more frequent) to immutable storage and perform periodic integrity verification. Where a third-party archive is used, confirm contract terms, retention controls, and applicable attestations/letters with counsel.

See Azure immutable blob storage for implementation details.


Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of audit logging that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Ensure key agent/admin activities are logged and reviewable for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain audit configuration + sample queries.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for audit logging and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain audit configuration + sample queries.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

| Step | Action | Expected Result |
| --- | --- | --- |
| 1 | Navigate to purview.microsoft.com → Audit | Audit dashboard displayed |
| 2 | Access Search page | Search form with all fields visible |
| 3 | Search for Copilot events (last 24 hours) | Results returned (if activity exists) |
| 4 | Check retention policies | Policies configured per governance tier and scoped appropriately |
| 5 | Verify export capability | Export completes successfully |
| 6 | Test SIEM integration | Logs appearing in external system |

Evidence Pack (U.S.-focused exam readiness)

Capture an evidence pack that demonstrates audit configuration, operation, retention, and retrieval. Use this checklist as a starting point; the exact artifacts to retain depend on your policies, regulator expectations, and internal procedures.

  • [ ] Purview Audit access
    • Screenshot: Purview Audit → Search page visible (shows tenant can access Audit).
    • Screenshot/export: operator role assignment evidence (e.g., Entra ID role assignment screen or Purview role group membership).
  • [ ] Audit ingestion enabled
    • PowerShell transcript excerpt: Get-AdminAuditLogConfig showing UnifiedAuditLogIngestionEnabled.
  • [ ] Agent/Copilot event retrieval
    • Screenshot: Audit search parameters (date range in UTC, selected activities/record types) and the resulting record list.
    • Export: CSV export of a small, representative result set (e.g., last 24 hours) including columns such as CreationDate, UserIds, Operations, RecordType.
  • [ ] Retention policy configuration
    • Screenshot: Purview Audit → Policies list showing the relevant policy name(s), retention duration, and scope.
    • Change record: ticket/approval reference for retention configuration changes.
  • [ ] Export and preservation (if exporting to external storage)
    • Export log: evidence of the export run (job output/transcript, filenames, export window start/end).
    • File hash: record a SHA-256 of each exported file and store hashes with the change record.
    • Screenshot: storage container and immutable policy settings (if using immutable storage).
  • [ ] Monitoring and alerting (if applicable)
    • SIEM proof: screenshot showing the corresponding event(s) ingested (with timestamp alignment and UTC conversion noted).
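
The "File hash" and "Export log" items in this checklist, together with the gap/overlap concern for export windows, can be checked with a small manifest. The following is an added example, not part of the original control or of any Microsoft tooling; the function names, manifest columns, and demo files are assumptions, and it relies on the Audit-Export-<start>-to-<end>.json file naming produced by Export-AuditLogsToBlob.

```powershell
# Added example: function names and manifest layout are hypothetical.
$ExportNamePattern = '^Audit-Export-(\d{4}-\d{2}-\d{2})-to-(\d{4}-\d{2}-\d{2})\.json$'

function New-AuditExportManifest {
    # Record a SHA-256 and the export window for each export file.
    param(
        [Parameter(Mandatory)][string]$ExportPath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    Get-ChildItem -Path $ExportPath -Filter 'Audit-Export-*.json' -File |
        ForEach-Object {
            if ($_.Name -match $ExportNamePattern) {
                [PSCustomObject]@{
                    FileName    = $_.Name
                    WindowStart = $Matches[1]
                    WindowEnd   = $Matches[2]
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        } |
        Sort-Object WindowStart |
        Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-AuditExportManifest {
    # Re-hash each file and check that export windows neither gap nor overlap.
    param(
        [Parameter(Mandatory)][string]$ExportPath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $previousEnd = $null
    foreach ($entry in @(Import-Csv -Path $ManifestPath | Sort-Object WindowStart)) {
        $file = Join-Path $ExportPath $entry.FileName
        if (-not (Test-Path -LiteralPath $file)) {
            $integrity = 'Missing'
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $integrity = 'HashMismatch'
        } else {
            $integrity = 'OK'
        }

        # File names carry dates only, so "contiguous" means the window starts
        # on the day the previous window ended.
        $start = [datetime]::ParseExact($entry.WindowStart, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        $end   = [datetime]::ParseExact($entry.WindowEnd, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        if ($null -eq $previousEnd) {
            $coverage = 'First'
        } elseif ($start -gt $previousEnd) {
            $coverage = 'GapBefore'
        } elseif ($start -lt $previousEnd) {
            $coverage = 'OverlapsPrevious'
        } else {
            $coverage = 'Contiguous'
        }
        if ($null -eq $previousEnd -or $end -gt $previousEnd) { $previousEnd = $end }

        [PSCustomObject]@{
            FileName  = $entry.FileName
            Integrity = $integrity
            Coverage  = $coverage
        }
    }
}

# Demo on constructed files (not real audit data)
$demo = Join-Path ([IO.Path]::GetTempPath()) ("audit-export-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$week1 = Join-Path $demo 'Audit-Export-2025-01-01-to-2025-01-08.json'
$week3 = Join-Path $demo 'Audit-Export-2025-01-15-to-2025-01-22.json'  # 01-08 to 01-15 never exported
Set-Content -Path $week1 -Value '[{"Operation":"CopilotInteraction"}]'
Set-Content -Path $week3 -Value '[{"Operation":"CopilotInteraction"}]'
$manifest = Join-Path $demo 'manifest.csv'  # in practice, store with the change record

New-AuditExportManifest -ExportPath $demo -ManifestPath $manifest
Add-Content -Path $week3 -Value 'edited after export'  # simulate a post-export modification
Test-AuditExportManifest -ExportPath $demo -ManifestPath $manifest | Format-Table -AutoSize
```

Any row whose Integrity is not OK, or whose Coverage is GapBefore or OverlapsPrevious, is a finding to resolve and record during the periodic integrity verification.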

Troubleshooting & Validation

Symptoms: Audit search returns empty results despite known activity

Solutions:

  1. Verify unified audit logging is enabled (Get-AdminAuditLogConfig; enable with Set-AdminAuditLogConfig)
  2. Confirm you are searching UTC time range (the UI uses UTC fields)
  3. Check date range and ingestion latency - audit events may take ~30 min to 24 hours to appear
  4. Verify you have appropriate permissions (e.g., Compliance Administrator / Purview Audit roles)
  5. Try a broad search (no Activities/Workloads filters) to confirm any audit data exists
  6. If Exchange events are expected, check if mailbox auditing is enabled for mailbox-related events
  7. Validate via PowerShell using Search-UnifiedAuditLog to rule out a UI-only issue

Issue: Copilot Events Not Being Logged

Symptoms: Other audit events appear but no CopilotInteraction records

Solutions:

  1. Verify users have Microsoft 365 Copilot licenses assigned
  2. Confirm Copilot is actually being used (not just licensed)
  3. Search broadly first (no Activities filter), then narrow to RecordType/activities such as CopilotInteraction
  4. Wait longer - Copilot events may have additional latency
  5. Verify the activity you expect is part of audited workloads for your tenant (availability can vary by workload and feature rollout)
  6. If Copilot Studio agents are the focus, also search for Copilot Studio / Power Platform record types and agent lifecycle events

Issue: Expected Events Missing (Partial Results)

Symptoms: Some audit events appear, but specific expected activities/operations are missing or incomplete

Solutions:

  1. Remove restrictive filters first (Activities/Workloads/Users/ObjectId) and confirm the time range returns any results
  2. Confirm your selected date/time range is in UTC and matches when the activity occurred
  3. Broaden the search window and repeat (e.g., last 7 days) to account for ingestion latency
  4. Validate the same query via PowerShell using Search-UnifiedAuditLog to rule out a UI-only issue
  5. Check whether the operation name you’re filtering on matches what your tenant emits (friendly names vs operation names can differ)
  6. If results are very large, break the search into smaller windows and document export windows to avoid gaps/overlaps

Issue: Audit Log Export Fails or Incomplete

Symptoms: Export times out or contains fewer records than expected

Solutions:

  1. Reduce date range to smaller chunks
  2. Add filters to reduce result set size
  3. Use PowerShell instead of portal for large exports
  4. Check for rate limiting (wait and retry)
  5. Verify network connectivity and session timeout
  6. If results exceed portal limits, perform exports in paged intervals and document the export windows to avoid gaps/overlaps

Issue: Extended Retention Not Working

Symptoms: Old audit events are missing despite retention policy

Solutions:

  1. Verify retention policy is properly configured and enabled
  2. Check policy priority if multiple policies exist
  3. Confirm users are assigned appropriate E5/E5 Compliance licenses
  4. Review policy scope (ensure it covers needed record types)
  5. Contact Microsoft Support for retention investigation

Notes:

  • Extended retention applies to eligible events/record types and requires the right licensing and policy scope.
  • Retention policy configuration helps preserve audit records, but you still need operational procedures for export, access control, and integrity verification for regulated use cases.

Issue: SIEM Integration Missing Events

Symptoms: Some audit events not appearing in Sentinel/SIEM

Solutions:

  1. Verify data connector is properly configured
  2. Check for ingestion delays (can be 5-15 minutes)
  3. Review connector health in Sentinel
  4. Verify record types are included in connector config
  5. Check for any data filtering rules that may exclude events
  6. Validate end-to-end by correlating a known audit record (timestamp/user/operation) against the SIEM query window and UTC/local time settings

Additional Resources


| Control | Relationship |
| --- | --- |
| Control 1.6: DSPM for AI | AI interaction visibility |
| Control 1.19: eDiscovery | Legal discovery |
| Control 3.2: Usage Analytics | Activity monitoring |
| Control 3.9: Sentinel Integration | SIEM integration |

Support & Questions

For implementation support or questions about this control, contact:

  • Microsoft Purview Administrator: Audit configuration and search
  • Security Operations: SIEM integration and monitoring
  • Compliance Officer: Regulatory retention requirements
  • Azure Administrator: WORM storage configuration

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification