
EPISODE · Aug 16, 2025 · 21 MIN

How to Audit User Activity with Microsoft Purview: A Practical Guide to Using the Unified Audit Log in Microsoft 365

from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net

How to Audit User Activity with Microsoft Purview

Most audit logs are treated like a black box—something you only open when there’s a problem. In this episode, I walk through how to use Microsoft Purview’s unified audit logs to proactively understand who is doing what in your tenant, across Exchange, SharePoint, OneDrive, Teams and more, instead of scrambling through exports after an incident.

We start with what the Purview audit log actually captures and how to turn it on correctly. You’ll learn which activities are logged by default, how retention works, and what you need to configure so critical actions—like mailbox access, file sharing, admin changes and label activity—are available when you need them. We also cover the differences between standard and premium audit, so you know when extended retention and more detailed events are worth the extra license cost.

Then we go step by step through building useful audit searches instead of one‑off queries. I show how to filter by user, workload, activity type and time range, how to save and reuse common queries, and how to export results in a way that’s actually workable for investigations and regular reviews. You’ll hear practical examples like “Which files did this user access before leaving the company?” or “Who changed these sharing policies last week?” and how to answer them quickly with Purview.

Finally, we connect auditing to ongoing monitoring and compliance. We talk about handing off saved queries to security or compliance teams, wiring audit exports into tools like Power BI or SIEM for trend analysis, and setting basic expectations around who reviews what and how often. By the end, you’ll be able to move from “we hope the logs are there if something happens” to a predictable way of using Purview audit as part of your regular security and compliance routine.

WHAT YOU’LL LEARN

- What Microsoft Purview audit logging captures across M365 workloads and how to enable it properly.
- The differences between standard and premium audit (including retention and depth of events).
- How to build and reuse practical audit searches for investigations and regular checks.
- How to plug audit data into ongoing monitoring instead of only using it after incidents.

THE CORE INSIGHT

The core insight of this episode is that audit logs are not just forensic evidence for worst‑case scenarios—they’re a continuous signal of how your environment is actually being used. Once you treat Purview audit as a regular input into security and compliance work, you gain visibility and patterns early, instead of discovering risky behavior only after something goes wrong.

WHO THIS EPISODE IS FOR

- Security and compliance teams who rely on M365 logs for investigations and evidence.
- Microsoft 365 admins who want a clearer understanding of who is doing what in their tenant.
- IT leaders who need a practical, non‑overwhelming way to bring audit review into regular operations.

ABOUT THE AUTHOR / HOST

Mirko Peters is a Microsoft 365 security and compliance consultant and host of the M365.FM podcast, helping organizations turn underused logging and audit features into everyday visibility and evidence for security and governance. He works with IT, security and compliance teams to design audit strategies, saved queries and reporting so “check the logs” becomes a reliable habit instead of a last‑minute panic.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.


Frequently Asked Questions

How long is this episode of M365.FM - Modern work, security, and productivity with Microsoft 365?

This episode is 21 minutes long.

When was this M365.FM - Modern work, security, and productivity with Microsoft 365 episode published?

This episode was published on August 16, 2025.
