Prepare SharePoint Sites for Purview Audit: Step-by-Step Setup

You need to configure SharePoint sites to send activity data to Microsoft Purview Audit. Without this setup, site-level events like file access, permission changes, and sharing actions are not recorded in the audit log. The default audit configuration in Microsoft 365 does not automatically capture all SharePoint site activities. This article explains the required permissions, the exact settings to enable, and the steps to verify that your sites are logging data to Purview.

Key Takeaways: Activating Site-Level Audit for SharePoint

  • Microsoft Purview compliance portal > Audit > Audit settings: Enable the unified audit log to start recording SharePoint events for your tenant.
  • SharePoint admin center > Policies > Auditing: Configure site-level audit settings to capture file and list operations.
  • Search-UnifiedAuditLog in Exchange Online PowerShell: Verify that SharePoint events are flowing into the audit log for specific sites.


What the Purview Audit Records for SharePoint Sites

Microsoft Purview Audit captures a unified log of activities across Microsoft 365 services. For SharePoint, the audit log records events such as file viewed, file downloaded, file modified, site created, permission changed, sharing invitation sent, and sharing link created.

The audit log is part of the Microsoft 365 compliance center. By default, the unified audit log is enabled for all tenants that have an E5 or A5 license, or an E3 license with an Audit add-on. However, enabling the log alone does not guarantee that every SharePoint site activity is captured. You must also configure site-level audit settings and ensure that the audit log search is turned on for your organization.

Two main components control what is audited:

Unified Audit Log in Purview

This is the central log that stores events from Exchange, SharePoint, OneDrive, Azure AD, and other services. You must have the Audit (Standard) or Audit (Premium) license assigned to users whose activities you want to record. Without the license, events from that user are not logged.

SharePoint Site-Level Audit Settings

SharePoint has its own audit configuration that determines which operations are recorded for a site collection. These settings are separate from the unified audit log. Even if the unified log is enabled, a site with audit settings turned off will not send events to Purview.

Before you start, ensure you have the following roles: Global Administrator, Compliance Administrator, or SharePoint Administrator. You also need the Exchange Online PowerShell module installed to run verification commands.

Steps to Enable SharePoint Audit for Purview

  1. Turn on the unified audit log in the Microsoft Purview compliance portal
    Go to the Microsoft Purview compliance portal at https://compliance.microsoft.com. Select Audit in the left navigation. If the audit log search is not enabled, you will see a banner that says Start recording user and admin activity. Click Start recording. This enables the unified audit log for your entire tenant. It may take up to 24 hours for the log to become active.
  2. Assign audit licenses to all users whose activities you want to track
    In the Microsoft 365 admin center, go to Users > Active users. Select a user, then click the Licenses and apps tab. Ensure the user has a license that includes Audit (Standard) or Audit (Premium). For E5 or A5 users, Audit (Premium) is included. For E3 users, you need the Microsoft 365 E5 Compliance add-on or an Audit (Standard) license. Repeat for all users who will access SharePoint sites.
  3. Enable site-level audit settings in the SharePoint admin center
    Open the SharePoint admin center at https://admin.microsoft.com/SharePoint. In the left menu, select Policies, then click Auditing. Under Audit log trimming, check the box Enable audit log trimming. This prevents old audit events from being automatically deleted. Under Audit log retention, choose the number of days to retain audit data. The maximum is 365 days for Audit (Standard) and 10 years for Audit (Premium). Click Save.
  4. Configure audit settings for individual site collections (if needed)
    By default, SharePoint site collections inherit the audit settings from the SharePoint admin center. To override these settings for a specific site, use the SharePoint Online Management Shell. Connect to SharePoint Online PowerShell and run the following command:
    Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -AuditLogTrimmingEnabled $true
    This ensures the site sends audit events to the unified log.
  5. Verify that SharePoint events appear in the unified audit log
    Open the Microsoft Purview compliance portal and go to Audit. Use the search bar to look for SharePoint activities. For example, set the Activities filter to File accessed and File downloaded. In the Date range, select the last 24 hours. Click Search. If events appear, your setup is working. If no events appear, continue to the verification steps in the next section.
  6. Use PowerShell to search the unified audit log for a specific site
    Open Exchange Online PowerShell. Run the following command to search for SharePoint events from a specific site:
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations FileAccessed,FileDownloaded,FileModified -FreeText "https://yourtenant.sharepoint.com/sites/yoursite"
    This returns all matching audit records. If the result is empty, verify that the site URL is correct and that the user who performed the action has an audit license.
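The check in steps 5 and 6 can be scripted, shown here as an added example that is not code from the original article. It goes a little further than the single command above: it confirms tenant-wide ingestion first, pages through results with a session, and re-filters on the parsed SiteUrl field. It assumes an existing Exchange Online PowerShell session; the function names and the sample record are constructed for illustration.

```powershell
# Added example. Get-SiteAuditRecords and Get-SiteAuditSummary are hypothetical helper names.
# The live query assumes Connect-ExchangeOnline has already been run.
$SiteUrl = 'https://yourtenant.sharepoint.com/sites/yoursite'

function Get-SiteAuditRecords {
    param([string]$Site, [int]$Days = 1)
    # Rule out the tenant-wide switch before concluding that one site is silent.
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        throw 'Unified audit log ingestion is disabled for this tenant.'
    }
    $session = [guid]::NewGuid().ToString()
    $end     = Get-Date
    $start   = $end.AddDays(-$Days)
    $all     = @()
    do {
        # Reusing one SessionId with ReturnLargeSet pages through the result set,
        # up to 5000 records per call; an empty page ends the loop.
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations FileAccessed,FileDownloaded,FileModified `
            -FreeText $Site -SessionId $session `
            -SessionCommand ReturnLargeSet -ResultSize 5000)
        $all += $page
    } while ($page.Count -gt 0)
    $all
}

function Get-SiteAuditSummary {
    param([object[]]$Records, [string]$Site)
    $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        # -FreeText is a text match, so /sites/yoursite2 would also be returned;
        # compare the parsed SiteUrl exactly (trailing slash ignored).
        Where-Object { $_.SiteUrl -and $_.SiteUrl.TrimEnd('/') -eq $Site.TrimEnd('/') } |
        Group-Object Operation, UserId |
        Select-Object Count, Name
}

# Constructed sample record so the summary logic can be tried offline; not tenant data.
$sample = [pscustomobject]@{
    AuditData = '{"Operation":"FileAccessed","UserId":"user@example.com",' +
                '"SiteUrl":"https://yourtenant.sharepoint.com/sites/yoursite/"}'
}
Get-SiteAuditSummary -Records @($sample) -Site $SiteUrl

# Live use:
# Get-SiteAuditSummary -Records (Get-SiteAuditRecords -Site $SiteUrl) -Site $SiteUrl
```

An empty summary from the live query while other sites return events points at the site or the acting user's license rather than the tenant-wide setting.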


Common Issues When Setting Up SharePoint Audit for Purview

Audit log search shows no SharePoint events

The most common cause is that the unified audit log is not enabled. Go to the Purview compliance portal and check the Audit page. If you see the option Start recording, click it. Another cause is that the user performing the action does not have an audit license. Verify the user license in the Microsoft 365 admin center.

Site-level audit settings do not take effect

This happens when the SharePoint admin center policy overrides the site-level settings. In the SharePoint admin center, go to Policies > Auditing. Make sure Enable audit log trimming is checked. Then use PowerShell to force the setting on the specific site: Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -AuditLogTrimmingEnabled $true.

Events from external sharing are missing

External sharing events require that sharing policies are configured in the SharePoint admin center. Go to Policies > Sharing and ensure that external sharing is allowed for the site. Also, the audit log records sharing events only if the user who shared the file has an audit license. Check the user license and retest the sharing action.

| Item | Audit (Standard) | Audit (Premium) |
|---|---|---|
| License requirement | E3 + E5 Compliance add-on, or E5/A5 | E5/A5 or E3 + E5 Compliance add-on |
| Retention period | 90 days default, up to 365 days | Up to 10 years |
| SharePoint events captured | File and folder operations, sharing, site admin actions | All Standard events plus page viewed, search queries, and custom events |
| PowerShell command to verify | Search-UnifiedAuditLog | Search-UnifiedAuditLog with -Operations parameter for Premium events |

After completing these steps, your SharePoint sites will send activity data to Microsoft Purview Audit. You can now run audit log searches to review user activity on any site. Next, consider setting up audit log retention policies to keep records for longer periods. A concrete tip: use the Purview Audit Premium feature to alert on high-severity events like multiple failed file access attempts from external IP addresses.
