M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Signals
- UAL search returns no results for dates earlier than the retention boundary
- Azure AD sign-in log queries return HTTP 404 or empty result sets for the target timeframe
- The tenant license is E3/G3 with default 90-day retention and the incident predates that window
- Compliance search in Purview shows no matching audit records for the suspected timeframe
Pivot Actions
1. Check whether a SIEM (Sentinel, Splunk) was ingesting M365/Azure AD logs; indexed data survives the tenant retention period
2. Query mailbox audit logs independently (they have separate retention, up to 1 year for E5 mailboxes)
3. Export Azure AD Provisioning Logs and Enterprise App consent logs, which may have longer retention
4. Engage Microsoft Premier Support to request a backfill or extended log retrieval if contractually available
5. Review mail-flow (transport) rules and inbox rules; these persist as configuration rather than log entries and reveal attacker changes
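The pivot actions above as one added PowerShell triage script (not from the original page): it checks a Sentinel workspace for ingested copies of the M365 and Azure AD tables (step 1), reads each mailbox's own audit-log age limit before searching it (step 2), lists the current OAuth consent grants, which persist as configuration in the same way as the rules in step 5, and dumps forwarding inbox rules and recently changed transport rules (step 5). The workspace ID, mailbox address and incident dates are placeholders; Search-MailboxAuditLog is assumed to still be available in the tenant, since Microsoft has announced its retirement in favour of Search-UnifiedAuditLog.

```powershell
<#
Added example, not part of the original page: triage the alternate evidence
sources for an incident window that predates the tenant's UAL retention.
Requires the ExchangeOnlineManagement, Az.OperationalInsights and
Microsoft.Graph modules. Every tenant-specific value below is a placeholder.
#>
param(
    [datetime]$IncidentStart = (Get-Date).AddDays(-240),              # constructed window
    [datetime]$IncidentEnd   = (Get-Date).AddDays(-200),
    [string[]]$Mailboxes     = @('victim@contoso.example'),           # placeholder
    [string]$WorkspaceId     = '00000000-0000-0000-0000-000000000000' # placeholder
)

# --- 1. SIEM-indexed copies: Sentinel keeps whatever it ingested, independent of tenant retention
Connect-AzAccount | Out-Null
$fmt  = 'yyyy-MM-ddTHH:mm:ssZ'
$from = $IncidentStart.ToUniversalTime().ToString($fmt)
$to   = $IncidentEnd.ToUniversalTime().ToString($fmt)
# The query carries its own time filter, so no -Timespan is passed (that would be relative to now)
$kql  = @"
union OfficeActivity, SigninLogs, AuditLogs
| where TimeGenerated between (datetime($from) .. datetime($to))
| summarize Events = count(), Earliest = min(TimeGenerated), Latest = max(TimeGenerated) by Type
"@
$siem = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
"=== Sentinel coverage for $from .. $to (zero rows means no indexed copy) ==="
$siem.Results | Format-Table Type, Events, Earliest, Latest -AutoSize

# --- 2. Mailbox audit log: each mailbox has its own AuditLogAgeLimit (default 90 days, up to 1 year)
Connect-ExchangeOnline -ShowBanner:$false
foreach ($mbx in $Mailboxes) {
    $m          = Get-Mailbox -Identity $mbx
    $ageLimit   = [TimeSpan]::Parse([string]$m.AuditLogAgeLimit)   # e.g. "365.00:00:00"
    $oldestKept = (Get-Date).Subtract($ageLimit)
    "=== $mbx : AuditEnabled=$($m.AuditEnabled) AuditLogAgeLimit=$($ageLimit.Days)d (oldest retained ~ $($oldestKept.ToString('yyyy-MM-dd')))"
    if (-not $m.AuditEnabled -or $oldestKept -gt $IncidentEnd) {
        "    mailbox audit log cannot cover the incident window; rely on configuration evidence below"
        continue
    }
    # Assumed still available in this tenant; Microsoft has announced this cmdlet's retirement
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Owner, Delegate, Admin `
        -StartDate $IncidentStart -EndDate $IncidentEnd -ShowDetails -ResultSize 5000 |
        Select-Object LastAccessed, Operation, LogonType, ClientIPAddress, ClientInfoString, FolderPathName |
        Format-Table -AutoSize
}

# --- 5. Configuration outlives log entries: inbox rules (hidden ones included) and transport rules
foreach ($mbx in $Mailboxes) {
    "=== Inbox rules on $mbx that forward, redirect or delete ==="
    Get-InboxRule -Mailbox $mbx -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
        Format-List
    # Mailbox-level forwarding is configuration too, and is not an inbox rule
    Get-Mailbox -Identity $mbx | Select-Object ForwardingSmtpAddress, DeliverToMailboxAndForward
}
"=== Transport rules changed on or after the incident start ==="
Get-TransportRule |
    Where-Object { $_.WhenChanged -ge $IncidentStart } |
    Select-Object Name, State, Priority, WhenChanged, BlindCopyTo, RedirectMessageTo, AddToRecipients, CopyTo |
    Format-List
Disconnect-ExchangeOnline -Confirm:$false

# --- Also configuration: the consent grant record outlives the UAL entry that recorded its creation
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
"=== Current OAuth2 permission grants (review ClientId/Scope against known applications) ==="
Get-MgOauth2PermissionGrant -All |
    Select-Object ClientId, ConsentType, PrincipalId, ResourceId, Scope |
    Format-Table -AutoSize
```

The script deliberately checks AuditLogAgeLimit before searching a mailbox: when the oldest retained date is later than the incident end, the mailbox audit log cannot contain the evidence and the time is better spent on the Sentinel copy, the rules and the consent grants, all of which describe the current state rather than the historical event.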
Alternate Evidence Sources
- SIEM-indexed M365 UAL and Azure AD data ingested before retention expiry
- Mailbox audit logs retained independently of UAL (up to 1 year)
- Azure AD Provisioning and Enterprise Application logs