Audit Readiness

Microsoft 365 and Azure Government produce audit logs at every layer of the stack — identity, applications, data, devices, and infrastructure. This chapter maps those sources, explains how to operate them, and defines what a complete evidence package looks like for CMMC Level 2 (GCC High) and SOC 2 Type II (Commercial) assessments.

---

Log Source Reference

Microsoft 365 Unified Audit Log (UAL)

The UAL is the primary audit source for M365 workload events: Exchange (email send/receive, mailbox access), SharePoint (file access, sharing, permission changes), Teams (messages, membership changes), OneDrive, Purview (label application, DLP matches), and Entra ID (sign-in events, group changes).

Access: Purview compliance portal → Audit → New search (or Search → Audit log search in legacy portal)

Key parameters:

Parameter	Notes
Date range	Maximum 180 days per search; stagger searches for longer periods
Activities	Filter by specific operation types (e.g., FileAccessed, SensitivityLabelApplied)
Users	Filter to specific UPNs for user-specific investigation
File/folder	Filter to specific SharePoint/OneDrive paths
Record type	Filter by workload (ExchangeItem, SharePointFileOperation, etc.)

Retention:

• Purview Audit Standard (included in E3): 90 days
• Purview Audit Premium (included in E5 or as add-on): 1 year for most operations; 10 years for Exchange, SharePoint, Teams with the 10-year add-on license

PowerShell export:

# GCC High: use -Environment parameter
Connect-IPPSSession -Environment USGovernment

$results = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-90) `
    -EndDate (Get-Date) `
    -RecordType SharePointFileOperation `
    -ResultSize 5000

$results | Export-Csv -Path ".\UAL_SharePoint_90days.csv" -NoTypeInformation

Purview Audit Premium — High-Value Events

Purview Audit Premium (E5) adds additional high-value audit events not available in Standard:

Event	Value
MailItemsAccessed	Records every time a mail item is accessed — critical for email compromise investigations
Send	Records every sent message (vs. just delivery)
SearchQueryInitiatedExchange	Records mailbox search queries — detects internal reconnaissance
SearchQueryInitiatedSharePoint	Records SharePoint search queries

Enable Audit Premium for all user accounts: Purview → Audit → Audit retention policies → create a 1-year policy for all users.

Entra ID Audit and Sign-In Logs

Sign-in logs: Every authentication event — user sign-ins, service principal sign-ins, managed identity sign-ins. Each entry includes user, application, IP address, location, device, Conditional Access policies applied, and result (success, failure, interrupted).

Audit logs: All directory changes — user creation/deletion, group membership changes, role assignments, application consent grants, PIM activations, password resets.

Access: Entra admin center → Monitoring → Sign-in logs / Audit logs (or portal.azure.us for GCC High)

Retention in Entra: 30 days (P1/P2 license); 7 days without Entra ID P1. For longer retention, export to Log Analytics (via Sentinel) or Azure Storage.

PowerShell export:

# Entra audit logs via Graph API
Connect-MgGraph -Scopes "AuditLog.Read.All" -Environment USGov  # USGov for GCC High

Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $(Get-Date -Format 'yyyy-MM-dd')Z" -All |
    Select-Object ActivityDateTime, ActivityDisplayName, InitiatedBy, TargetResources, Result |
    Export-Csv -Path ".\EntraAuditLog.csv" -NoTypeInformation

Azure Activity Log

The Azure Activity Log records all control-plane operations on Azure resources: VM creation/deletion, storage account configuration changes, Key Vault access policy changes, RBAC role assignments, network security group modifications.

Access: Azure portal → Monitor → Activity log (portal.azure.us for GCC High)

Retention: 90 days in the Azure portal. Route to Log Analytics (Sentinel) for longer retention — required for compliance.

Critical events to monitor:

Operation	Risk
Microsoft.Authorization/roleAssignments/write	New RBAC role assignment — potential privilege escalation
Microsoft.KeyVault/vaults/secrets/write	Key Vault secret modification
Microsoft.Network/networkSecurityGroups/write	NSG rule changes — potential firewall bypass
Microsoft.Compute/virtualMachines/delete	VM deletion — potential evidence destruction
Microsoft.Storage/storageAccounts/write	Storage account config change

Intune Audit Log

Records all administrative actions in Intune: policy creation/modification/deletion, device wipes, compliance policy changes. See Intune Diagnostics & Audit Evidence for details and export procedures.

Defender for Endpoint Audit Trail

MDE records: device onboarding/offboarding events, investigation actions (device isolation, file quarantine, live response commands), alert state changes, and exclusion modifications.

Access: security.microsoft.us → Settings → Endpoints → Advanced features; audit trail available in the portal activity log.

Purview DLP and Label Activity

• DLP policy matches: Purview → Data loss prevention → Alerts (real-time); Reports → DLP policy matches (historical)
• Label events: Purview → Data classification → Activity Explorer — all label apply/change/remove events with justification text for downgrades

---

Operational Audit Procedures

Configuring Audit Log Retention Policies

In Purview Audit, create a retention policy before logs start rolling off:

1. Purview compliance portal → Audit → Audit retention policies → New policy
2. Policy name: "Default 1-Year Retention"
3. Record types: All (or specify Exchange, SharePoint, AzureActiveDirectory, etc.)
4. Duration: 1 year (requires Audit Premium / E5)
5. Priority: 1 (lowest number = highest priority)

For 10-year retention (E5 Compliance add-on): create a separate policy scoped to MailItemsAccessed, Send, and FileAccessed with 10-year duration.

Routing Logs to Sentinel / Log Analytics

Route all log sources to Sentinel for long-term retention and cross-source correlation. See SIEM Strategy for connector configuration. Once in Log Analytics, logs are queryable indefinitely (up to the workspace retention setting).

Alert on Audit Log Gaps

Configure an alert if audit logging is disabled or interrupted:

// Detect gaps in UAL ingestion (run as Sentinel analytics rule, daily)
OfficeActivity
| summarize LastEvent = max(TimeGenerated)
| where LastEvent < ago(4h)  // No events in 4 hours is a gap
| project LastEvent, Alert="Unified Audit Log ingestion gap detected"

---

Assessor Evidence Packages

GCC High (CMMC)

CMMC Level 2 Evidence Package

A CMMC Level 2 assessment (C3PAO or government-led) requires evidence that each practice is implemented. The following log-based artifacts satisfy the audit domain (AU) practices and support other practice families.

AU Domain — Audit and Accountability

NIST Control	Evidence Required	Source
3.3.1 — Audit records	Demonstrate audit logging is enabled across all in-scope systems	UAL configuration screenshot; Entra diagnostic settings showing log routing to Log Analytics; Azure Activity Log routing configuration
3.3.2 — Audit review	Demonstrate logs are reviewed	Sentinel analytics rules list; evidence of alert investigation (Sentinel incident closure notes); Purview Activity Explorer review log
3.3.3 — Audit failure alert	Demonstrate alerts fire if logging fails	Sentinel rule alerting on audit gap (KQL rule export); Azure Monitor alert for Entra diagnostic failure
3.3.5 — Audit analysis	Demonstrate correlation/analysis capability	Sentinel analytics rules (exported list with KQL); workbook screenshots
3.3.6 — Reduction and reporting	Demonstrate summary reporting	Sentinel workbook exports (monthly); Compliance Manager score history
3.3.7 — Authoritative time source	Demonstrate logs use consistent UTC time source	Azure Monitor / Log Analytics uses UTC — document in SSP
3.3.8 — Protect audit logs	Demonstrate logs are protected from modification	Log Analytics workspace access control (only Security Reader/Contributor can access); immutability policy on storage export
3.3.9 — Limit audit management	Demonstrate only authorized personnel manage audit	Entra PIM audit: who has Log Analytics Contributor and Security Administrator roles

Assembling the Evidence Package

Prepare the following artifacts for each AU control:

1. UAL configuration — Screenshot of Purview Audit showing audit is enabled, retention policy settings, and the audit retention policy covering all record types
2. Log routing — Screenshot of Entra diagnostic settings and Azure Monitor settings showing export to Log Analytics workspace name
3. Analytics rules — Export from Sentinel: list of enabled analytics rules with name, severity, and data source
4. 90-day audit log export — CSV export from UAL (at minimum Exchange + SharePoint + Entra operations) covering the assessment period
5. Sentinel incident log — Export of Sentinel incidents for the past 90 days showing triage and closure
6. Access control for audit logs — PIM role assignment report showing who has Log Analytics access and when they last activated it

Commercial

SOC 2 Type II Evidence Package

SOC 2 Type II covers a 12-month audit period. The auditor tests whether controls were operating effectively throughout the period — not just at a point in time. Log-based evidence is used to demonstrate continuous operation.

Relevant Trust Service Criteria

TSC	Criteria	Evidence
CC7.2	Monitor for anomalies	Sentinel analytics rules list; sample alert evidence from period
CC7.3	Evaluate security events	Sentinel incident log (12 months); evidence of investigation and closure for significant incidents
CC7.4	Respond to anomalies	Playbook exports; incident response documentation showing playbook execution
CC6.1	Logical and physical access	Entra sign-in logs showing Conditional Access enforced; Intune compliance report
CC6.2	New access provisioning	Entra audit log: user creation + access package assignment events for the audit period
CC6.3	Access removal	Entra audit log: user disable/delete events correlated with HR offboarding
CC6.6	Network protection	Azure Firewall logs; NSG flow logs in Sentinel
A1.2	Monitoring for availability	Azure Monitor availability alerts; Log Analytics uptime data

Assembling the SOC 2 Evidence Package

1. Sentinel analytics rules — List of rules enabled throughout the audit period (take a snapshot at period start and end; show no gaps)
2. Sentinel incident log — 12-month export showing all incidents created, severity, and closure status with disposition
3. Entra sign-in summary — Monthly aggregate: total sign-ins, blocked by CA, MFA challenges, risky sign-ins (Entra Identity Protection report)
4. Access provisioning/deprovisioning log — Entra audit log filtered to user creation, group add, user disable, license removal operations for the audit period
5. UAL export — Targeted exports for any significant security events referenced in the incident log
6. Azure Activity log — RBAC changes, Key Vault access, network configuration changes for the audit period

SOC 2 auditors typically request evidence in the form of exports (CSV or Excel) for sampling. Prepare the 12-month Entra audit export and 12-month Sentinel incident list as the baseline; pull UAL exports for specific incidents the auditor flags for deeper review.