This check assesses the Microsoft Purview tenant setting for audit log search to confirm that unified audit log ingestion (UnifiedAuditLogIngestionEnabled) is turned on; when it is, user and admin activities are recorded and made searchable.
Risk
Without audit log ingestion/search, activity trails are missing or delayed, reducing visibility and accountability.
- Data exfiltration and privilege abuse go undetected (confidentiality/integrity)
- Incident response and forensics fail due to absent evidence, increasing dwell time
prowler m365 --checks purview_audit_log_search_enabled
Recommendation
Enable and keep audit log search on (UnifiedAuditLogIngestionEnabled=true). Apply least privilege to audit roles, set retention aligned to sensitivity, forward logs to a SIEM for defense in depth, and routinely review and alert on audit events. Avoid disabling auditing even when using third-party tools.
Remediation
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
- Go to https://compliance.microsoft.com and sign in with an admin account
- Open Solutions > Audit
- Click Start recording user and admin activity
- Click Yes to confirm
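The following PowerShell script is an added example, not Prowler's own check code or Microsoft's documentation: it reproduces what the check evaluates (Get-AdminAuditLogConfig), applies the remediation command above only when asked to, and then confirms that audit records are actually searchable. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role permitted to read and change the audit configuration.

```powershell
# Added example (not Prowler's own code): assess, optionally remediate, and
# verify the UnifiedAuditLogIngestionEnabled setting in Exchange Online.
# Assumes the ExchangeOnlineManagement module and a suitably privileged account.
param(
    [switch]$Remediate   # only change the tenant when explicitly requested
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

function Test-UnifiedAuditLogIngestion {
    # Mirrors the check: PASS only when the ingestion flag is $true.
    $config = Get-AdminAuditLogConfig
    [pscustomobject]@{
        UnifiedAuditLogIngestionEnabled = $config.UnifiedAuditLogIngestionEnabled
        Status = if ($config.UnifiedAuditLogIngestionEnabled) { 'PASS' } else { 'FAIL' }
    }
}

$before = Test-UnifiedAuditLogIngestion
Write-Host "Before: $($before.Status) (UnifiedAuditLogIngestionEnabled=$($before.UnifiedAuditLogIngestionEnabled))"

if ($before.Status -eq 'FAIL' -and $Remediate) {
    # Same command as the Remediation section; harmless if already enabled.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    $after = Test-UnifiedAuditLogIngestion
    Write-Host "After:  $($after.Status)"
}

# Control check: the flag alone does not prove events are flowing. Sample the
# last 24 hours of the unified audit log. An empty result right after enabling
# is expected, since ingestion takes time to start; re-run before closing the finding.
$end = Get-Date
$recent = Search-UnifiedAuditLog -StartDate $end.AddDays(-1) -EndDate $end -ResultSize 10
if ($recent) {
    Write-Host "Searchable audit records found (sampled): $($recent.Count)"
} else {
    Write-Warning "No audit records returned for the last 24 hours; verify again once ingestion has started."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Remediate to get a read-only PASS/FAIL result; add -Remediate to apply the same Set-AdminAuditLogConfig change listed above.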
Resource Type
NotDefined