Auditors require a clear record of who made what change in the SharePoint admin center and when it happened. Without proper documentation, you cannot prove compliance with internal policies or external regulations such as GDPR or SOC 2. This article explains how to enable auditing in SharePoint, how to review the audit log, and how to export change data for auditor review. You will learn the specific settings and steps needed to produce a reliable change history for any SharePoint site or tenant-wide admin action.
Key Takeaways: Documenting SharePoint Admin Changes for Auditors
- SharePoint admin center > Audit > Audit log search: Central location to view all admin and user actions across SharePoint and Microsoft 365.
- Unified Audit Log in Microsoft 365 Purview: Stores all SharePoint events for up to 180 days by default; longer retention requires a license upgrade.
- Export to CSV from Purview compliance portal: Creates a portable file you can share with auditors or import into your own tracking system.
How SharePoint Admin Auditing Works
SharePoint auditing relies on the Microsoft 365 Unified Audit Log. Every time an admin changes a site setting, modifies a permission, deploys a new app, or updates a policy, the action is recorded as an audit event. The log captures the user who performed the action, the exact time, the type of change, and the affected object. Auditors can use this data to verify that changes were authorized and followed documented procedures.
Auditing is enabled by default for all Microsoft 365 tenants. You do not need to turn it on manually. However, the retention period for audit records depends on your license. Microsoft 365 E3 tenants retain audit logs for 90 days. E5 tenants retain logs for 180 days. If you need longer retention, you must purchase an Audit Standard or Audit Premium add-on through the Microsoft 365 compliance center.
The audit log covers a wide range of SharePoint admin actions. Examples include adding or removing site collection administrators, changing site storage limits, updating sharing policies, and modifying site permissions. It also records user-level actions such as file downloads, deletions, and permission changes on individual documents. For auditor purposes, you typically focus on admin-level events rather than every user file operation.
What Gets Audited in SharePoint
The following SharePoint admin actions are always recorded in the audit log:
- Site creation and deletion
- Site collection administrator changes
- Permission level modifications
- Sharing policy updates (external sharing)
- Storage quota changes
- App deployment or removal
- Tenant-level settings changes (admin center)
- Content type and hub site assignments
If an action is not listed above, it may still appear in the log under a broader category. For example, changing a site’s theme is recorded as a site update event. You can filter the log by date, user, activity, and site URL to narrow down relevant records.
Steps to Access and Export SharePoint Audit Logs for Auditors
Follow these steps to generate a change report that auditors can review. The process uses the Microsoft 365 Purview compliance portal, which is the same tool for all Microsoft 365 audit searches.
- Open the Microsoft 365 Purview compliance portal
Go to https://compliance.microsoft.com and sign in with a Global Admin or Compliance Admin account. If you cannot access the portal, you need the Audit Log or View-Only Audit Log role assigned in the Microsoft 365 compliance center. - Navigate to Audit log search
In the left navigation, select Audit under the Solutions section. Click Audit log search. This opens the search page where you define which events to retrieve. - Set the date range for the audit period
In the Start date and End date fields, enter the time window the auditor requires. The maximum range depends on your license retention. For E3, you can search up to 90 days. For E5, up to 180 days. Use a shorter range to get results faster. - Filter by SharePoint admin activities
Click the Activities drop-down. Scroll to the SharePoint section and select the specific admin actions you want to document. To capture all admin changes, select All activities under SharePoint. You can also filter by user name or site URL in the corresponding fields. - Run the search
Click Search. The portal displays a list of matching audit records. Each row shows the date, user, activity, and item. Click any row to see full details in a side panel. - Export the results to CSV
On the search results page, click Export and choose Download all results. A CSV file is generated and downloaded. This file contains all columns including the user, action, object, and timestamp. You can open it in Excel for sorting and filtering.
After exporting, review the CSV to ensure it contains the expected events. If records are missing, check the date range and activity selection. Some actions, like changing a site’s description, may be recorded under a generic “Site updated” event. Use the Item column to identify the specific site URL.
Common Documentation Gaps and How to Avoid Them
Auditors often flag missing or incomplete records. The following issues occur frequently and have simple fixes.
Audit Log Retention Is Too Short for the Audit Period
If the auditor requests records older than your retention limit, you cannot retrieve them from the standard log. The solution is to enable Audit Standard or Audit Premium licensing for your tenant. Audit Standard retains logs for one year. Audit Premium retains logs for up to ten years. You can purchase these add-ons from the Microsoft 365 admin center under Billing > Purchase services.
Admin Changes Made Outside SharePoint Admin Center Are Missing
Some SharePoint changes are performed through PowerShell scripts or through the SharePoint Management Shell. These actions are still recorded in the Unified Audit Log, but the activity name may differ. For example, a PowerShell command that adds a site collection admin appears as “Added site collection admin” in the log. To capture these events, run a broad search with the All activities option and then filter the CSV by the user account that ran the script.
Audit Log Shows a Change but No Context on Why It Was Made
The audit log records what changed, not why. Auditors expect a change request or ticket number linked to each action. Use a change management process where every admin action is tied to a ticket. When exporting the audit log, add a column in the CSV that maps the event to the corresponding ticket ID. This requires manual matching unless your automation tool inserts the ticket ID into the audit record’s Additional Info field.
Deleted Sites No Longer Appear in the Audit Log Search
When a SharePoint site is deleted, its audit records remain in the Unified Audit Log. You can still search for events by the site’s URL or the user who deleted it. If you cannot find the records, verify that the deletion date falls within the retention period. Deleted site events are labeled as “Deleted site” in the activity column.
Unified Audit Log vs SharePoint Native Auditing: Key Differences
| Item | Unified Audit Log (Purview) | SharePoint Native Auditing (Site Settings) |
|---|---|---|
| Scope | All Microsoft 365 services (Exchange, Teams, SharePoint, etc.) | Only the specific SharePoint site collection |
| Retention | 90 days (E3) or 180 days (E5) by default; up to 10 years with add-on | 30 days for most events; configurable in SharePoint admin center |
| Admin actions recorded | All tenant-level and site-level admin changes | Only site-level actions (permission changes, file edits, etc.) |
| Export format | CSV file from compliance portal | Built-in audit report or CSV from site settings |
| Best for auditors | Yes, because it covers all changes across the tenant | Limited; only useful for single-site deep dives |
For auditor documentation, always use the Unified Audit Log. The native SharePoint audit reports are too limited in scope and retention. You can still use SharePoint native auditing to supplement the log for a specific site if needed, but the Purview export is the primary source.
After you export the CSV, you can use Power Automate to automatically send the file to a SharePoint document library or email it to the auditor on a schedule. This eliminates the need to manually run the export each time. The flow triggers on a recurring schedule and uses the “Search audit log” action in the Microsoft 365 compliance connector.
If your tenant uses sensitivity labels or data classification, the audit log also records label changes and classification updates. Include these events in your search if the auditor needs to verify data governance controls. You can find these under the “Labeling” activity group in the audit log search.