How to Audit SharePoint: Audit Logs 101


By Narasima Perumal Chandramohan

Microsoft MVP (10+ Years) | Co-Founder & Technical Lead, Apps4.Pro

Introduction

A SharePoint audit log is the running record of everything happening on your sites, files, and permissions: who did what, when, and from where. In Microsoft 365, that record doesn’t live in per-site-collection settings anymore. Every event now flows into the unified audit log inside Microsoft Purview, right next to Exchange, Teams, and Entra ID.

This guide walks you through how to actually use that audit trail in SharePoint today: where to find it, what it captures, how to search it, and the six reports you’ll want to keep within reach.

For migration leads: if you’re reading this ahead of a tenant-to-tenant move or M&A consolidation, jump to the 6 reports section – the SharePoint audit permissions report and External sharing report are the two baselines you need before cutover.

What a SharePoint audit log actually is (and what changed)

The audit log moved from per-site collection settings to a tenant-wide pipeline. If you’ve been admin’ing SharePoint for more than three years, the workflow you learned is gone.

Two things almost every outdated blog post gets wrong

Two things worth burning into memory, because most of what’s still online gets them wrong:

  1. There is no separate “SharePoint audit log” anymore. Every SharePoint Online event flows into the Unified Audit Log (UAL), one pipeline shared with Exchange Online, Teams, Microsoft Entra ID, Power BI, and the rest of Microsoft 365.
  2. The classic site-collection audit reports under Site Settings are retired. The old “Configure audit settings” page and per-site-collection reports no longer drive the modern experience. Microsoft consolidated everything into Microsoft Purview Audit, enabled by default on the right subscriptions.

Bottom line: if you want a real audit trail in SharePoint, you’re heading to the Microsoft Purview portal or Exchange Online PowerShell. Everything else is a layer on top.

Why the consolidation is actually good news

The benefit is real. With unified audit logs, you can match a SharePoint event with the Entra ID sign-in that happened just before it, or with Exchange Online audit logs that show the email where the link was originally shared. So, you investigate everything in one timeline instead of three separate ones.

Why it matters – the cost of not auditing

The 2025 breach math

The global average cost of a data breach in 2025 hit USD 4.44 million, and cloud-misconfiguration breaches came in around the same number. When the breach crossed multiple environments, which is exactly what you have when SharePoint, Teams, and Exchange are all involved, the average climbed to USD 5.05 million, while across all breaches the global average time to identify and contain was 241 days.

Nearly every one of those incidents shared the same pattern: a permission change, an external share, or a bulk download that nobody caught, because nobody was watching the audit log.

What a neglected SharePoint estate looks like

If you’ve inherited a tenant that’s been running for a few years, the estate usually looks something like this:

  • Hundreds of sites, with dozens running broken inheritance nobody remembers approving.
  • External sharing links from a pandemic-era project that nobody ever revoked.
  • “Temporary” Full Control grants that quietly became permanent.
  • A handful of users syncing entire SharePoint libraries to personal devices.

Sound familiar? You’re not alone; this is the default state of most tenants more than two years old.

Four concrete wins from a weekly audit routine

Spending just 30 focused minutes each week reviewing your audit logs can provide four major benefits:

| Win | What it looks like in the log |
| --- | --- |
| Security forensics | SharingInvitationCreated, AnonymousLinkCreated, FileDownloaded from non-corporate IP ranges or a country the user has never signed in from |
| Compliance evidence | Who accessed a file under legal hold, and when, exportable as CSV for legal counsel |
| Migration governance | Baseline permission and sharing changes pre-cutover so you can reconcile the target tenant post-cutover |
| Insider-risk signals | A single user downloading >200 files in 24 hours, mass-deletes across a site, permission self-elevation |

What SharePoint actually records

When admins picture SharePoint permission audits or SharePoint Online audit logs, they usually think of a thin slice: file opens and deletes. The reality is much broader. Here’s everything the UAL captures for SharePoint Online:

  • File and page activities – FileAccessed, FileModified, FileDownloaded, FileUploaded, FileDeleted, FileRecycled, FileRestored, FilePreviewed, FileCopied, FileMoved, FileRenamed, PageViewed.
  • Sharing and access request activities – SharingInvitationCreated, SharingSet, AnonymousLinkCreated, AnonymousLinkUsed, CompanyLinkCreated, AccessRequestCreated, AccessRequestApproved.
  • Site administration activities – site collection created or deleted, site geography moved, hub site associations, external sharing setting changed.
  • Site permissions activities – PermissionLevelAdded, SiteCollectionAdminAdded, GroupAdded, GroupRemoved, broken or restored inheritance.
  • SharePoint list activities – list created, deleted, schema changed, plus the item-level operations that are supported.
  • DLP, sensitivity label, and retention activities – label applied, changed, removed, policy match.

For the full walkthrough – enabling auditing in detail, configuring Purview search fields, the production-grade PowerShell script with paging, and CSV export, head to our companion post: The complete Office 365 unified audit log guide.

SharePoint-specific RecordTypes, Activity Names, and Filters

The exact values to plug into Purview or PowerShell when you want only SharePoint events, not Exchange, not Teams, not Entra.

The UAL covers every workload, so by default your queries pull Exchange, Teams, and Entra events mixed in with SharePoint. To pin a search to SharePoint Online audit logs only, you’ll narrow on these three RecordTypes.

The three SharePoint RecordTypes

| RecordType | What it filters to | Use it for |
| --- | --- | --- |
| SharePointFileOperation | File-level activity – access, modify, download, upload, delete, copy, move, rename, preview | The default lens for content investigations |
| SharePointSharingOperation | Sharing events – invitations, anonymous links, company links, access requests | External sharing audits, DLP investigations |
| SharePoint | Site administration, permissions, list/library events, settings changes | Permission audits, governance reviews |

The PowerShell pattern – scope to one site collection

-RecordType narrows the workload, and -ObjectIds with a wildcard scopes the search to a specific site URL. It’s the fastest way to cut a noisy tenant down to the one investigation you actually care about:

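```powershell
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Keep the session ID in a variable: repeating the call with the same
# -SessionId and ReturnLargeSet returns the next page of results.
$sessionId = "sp-sharing-$(Get-Random)"

Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7).ToUniversalTime() `
    -EndDate (Get-Date).ToUniversalTime() `
    -RecordType SharePointSharingOperation `
    -ObjectIds "https://contoso.sharepoint.com/sites/Finance/*" `
    -ResultSize 5000 `
    -SessionId $sessionId `
    -SessionCommand ReturnLargeSet
```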

The Purview Portal Pattern

In Audit → Search, configure the following:

  • Record types – Select SharePoint, SharePointFileOperation, and SharePointSharingOperation for comprehensive SharePoint audit coverage.
  • File, folder, or site – Enter the SharePoint site URL or a relevant URL fragment to narrow the search scope.
  • Activities – Leave this field blank to view all matching activities or select specific activity names to filter the results.

Pro tip: save this filter combination as a Purview saved query. Your weekly review turns into a two-click recall instead of a fresh setup.

Six Audit Log Reports Every SharePoint Admin Should Have

These six reports answer the questions that your security team, legal team, or migration team will eventually ask.

A CSV export by itself is not a useful report. Instead, create reports like these:

| Audit log report | Question it answers | Activities to filter |
| --- | --- | --- |
| External sharing report | Who shared what outside the tenant in the last 7 days? | SharingInvitationCreated, AnonymousLinkCreated, AnonymousLinkUsed, SharingSet |
| SharePoint audit permissions report | Who changed permission levels or site admins this week? | PermissionLevelAdded, SiteCollectionAdminAdded, RoleAssignmentAdded, SharingPolicyChanged |
| Bulk download / data exfil report | Any user downloading >200 files in 24 hours? | FileDownloaded grouped by user, threshold = 200/day |
| Deleted content report | What disappeared from sensitive sites, and who removed it? | FileDeleted, FileRecycled, FolderDeleted, FileVersionsAllDeleted |
| Site activity report | Which sites are hot, cold, or trending? | Group FileAccessed + PageViewed by SiteUrl – this is the SharePoint Online audit log view stakeholders ask for by name |
| Inactive site report | Which sites had zero activity in the period? | Group by SiteUrl, count events, surface zeros |

For bulk downloads or possible data theft, use Microsoft Purview Insider Risk Management together with audit logs if you have Audit (Premium). It provides better detection and policy-based monitoring, so you don’t have to rely only on manual download limits.
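The bulk download report from the table above, as an added example that is not part of the original article: it groups FileDownloaded events by user and UTC day and flags anyone over the 200/day threshold. The names Get-BulkDownloader and New-SampleRecord are hypothetical, and the sample users, IP addresses and record Ids are constructed; in practice the records would come from the audit search.

```powershell
# Records mimic Search-UnifiedAuditLog output: each object carries the event as a
# JSON string in AuditData. Events are bucketed per user and UTC calendar day
# (CreationTime is UTC), so a burst that straddles midnight UTC is split in two.
function Get-BulkDownloader {
    param([object[]]$Records, [int]$Threshold = 200)   # 200/day, from the report table
    $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'FileDownloaded' } |
        Sort-Object Id -Unique |
        Group-Object UserId, { ([datetime]$_.CreationTime).ToString('yyyy-MM-dd') } |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                UserId    = $_.Group[0].UserId
                DayUtc    = ([datetime]$_.Group[0].CreationTime).ToString('yyyy-MM-dd')
                Downloads = $_.Count
                Sites     = ($_.Group.SiteUrl | Sort-Object -Unique) -join '; '
                ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample data (hypothetical helper; users, IPs and Ids are made up).
function New-SampleRecord {
    param([string]$User, [string]$IP, [int]$N)
    $audit = [ordered]@{
        Id           = '00000000-0000-0000-0000-{0:d12}' -f $N
        CreationTime = ([datetime]'2025-06-02T08:00:00').AddMinutes($N).ToString('s')
        Operation    = 'FileDownloaded'
        UserId       = $User
        ClientIP     = $IP
        SiteUrl      = 'https://contoso.sharepoint.com/sites/Finance/'
        ObjectId     = "https://contoso.sharepoint.com/sites/Finance/Docs/file$N.xlsx"
    }
    [pscustomobject]@{ AuditData = ($audit | ConvertTo-Json -Compress) }
}
$records  = @(1..205   | ForEach-Object { New-SampleRecord 'alex@contoso.com' '203.0.113.10' $_ })
$records += @(206..208 | ForEach-Object { New-SampleRecord 'sam@contoso.com' '198.51.100.7' $_ })
$records += $records[0]    # the same record twice: it must be counted once

Get-BulkDownloader -Records $records | Format-List
```

Sort-Object Id -Unique removes records that appear more than once, which happens when overlapping searches are merged before counting.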

Audit Log Retention by License

How long audit logs are kept depends on the user’s Microsoft 365 license. Retention is based on each user’s license, not the entire tenant.

| License of the user who generated the event | Default audit retention | Maximum retention |
| --- | --- | --- |
| Business Basic / Standard / Premium | 180 days | 180 days |
| F1 / F3 | 180 days | 180 days |
| E3 / A3 / G3 (Audit Standard) | 180 days | 180 days |
| E5 / A5 / G5 (Audit Premium included) | 1 year | Up to 10 years with an audit retention policy |
| E5 Compliance add-on on E3 | 1 year | Up to 10 years with an audit retention policy |

Microsoft spells out the Standard vs. Premium difference in the auditing solutions overview: Standard holds records for 180 days, Premium extends to one year by default and up to 10 years with a retention policy in place.

Watch out: In a mixed-license tenant, audit log retention is based on the individual user’s license, not the tenant. An E3 user’s events are retained for 180 days even if other users have E5 licenses. Also, the E5 1-year default applies only to core workloads (Exchange, SharePoint, OneDrive, and Entra ID); workloads like Teams, Power Platform, and Defender remain at 180 days unless a custom audit retention policy is configured.


Limitations you should plan around

  • 180-day search window in the portal. Even if your retention is a year, a single Purview search is capped at 180 days. Run multiple searches or pivot to PowerShell.
  • No native alerting on SharePoint events. The audit log records. It doesn’t notify. For real-time alerts, you’ll need Microsoft Defender for Cloud Apps, Purview Insider Risk Management, or a third-party tool.
  • Delayed ingestion. Most events show up within 30 minutes, but some take up to 24 hours. Don’t decide “nothing happened” five minutes after the fact.
  • No scheduled reports out of the box. The portal won’t email you a weekly sharing report. You’ll have to script it (PowerShell + scheduled task or Azure Automation), or bring in a reporting tool.
  • List-item granularity is limited. Item-level audit coverage is there, but it isn’t as deep as file-level.
  • Classic site-collection audit settings are gone. If a KB article tells you to enable “Configure audit settings” under Site Settings → Site Collection Administration, it’s out of date – move on.

What to do next

Pick the option that matches your scale.

Two paths, ranked by tenant size

The Unified Audit Log gives you a good starting point for tracking SharePoint activity. However, if your organization has more than 3,000 active SharePoint users, manually searching the logs and exporting them to CSV files becomes difficult and time-consuming. At that stage, audit logs are no longer used just for occasional investigations – they become part of your regular day-to-day operations. From there, you can choose between two practical approaches to manage them more effectively.

| Approach | Best for | Setup | Ongoing | Cost |
| --- | --- | --- | --- | --- |
| Native Purview only | <1,000 users, ad-hoc investigations | Low | High (manual every week) | Included in M365 |
| PowerShell + Azure Automation | 1,000+ users, technical team, scheduled exports | Medium (scripts + scheduling) | Low once built, Medium for changes | Azure runtime only |

Your next move

  • If you just want to improve your weekly governance, start with the four searches mentioned earlier. Save them in Purview today, and you can begin your first audit review by Monday.
  • If you are planning a tenant-to-tenant migration within the next 90 days, run the SharePoint audit permissions report and the external sharing report in the source tenant now. Save them and use them later to compare and verify after the migration is completed.
  • If you need more details, read the Office 365 audit log walkthrough for a full explanation across different services.

In the end, the audit log will always be useful. The only question is how much time you want to spend on it every Monday morning.
