You need to prove who accessed a shared Word document and when for a compliance audit. Word tracks co-author activity through Microsoft 365 auditing but does not show a simple in-app log. This article explains how to enable and use Microsoft Purview Audit to review document access and co-author events. You will learn the exact steps to generate an audit report for any Word file stored in OneDrive or SharePoint.
Key Takeaways: Auditing Word Co-Author Access in Microsoft 365
- Microsoft Purview Audit (Standard): Captures file access, co-author join, and edit events for all Word documents in OneDrive or SharePoint.
- Audit log search in Microsoft 365 Defender: The only way to retrieve co-author history — Word has no built-in document access log.
- Audit (Premium) with user IP and detailed activity: Required if your compliance policy mandates recording exact timestamps and user IP addresses for each access.
How Microsoft 365 Records Co-Author Access for Word Documents
When a user opens, edits, or co-authors a Word document stored in OneDrive or SharePoint, Microsoft 365 generates an audit event. These events are stored in the Microsoft Purview Audit log for up to 180 days with the Standard license or up to 10 years with Audit (Premium). The audit log records the user who performed the action, the exact time in UTC, the file name and location, the IP address, and the type of activity. Co-author events appear as “Co-author: Document modified” or “Co-author: User joined document.” You cannot view this history inside Word itself — you must use the Microsoft 365 Defender portal or the Purview compliance portal to search and export the log.
Prerequisites for Auditing Word Document Access
Before you can retrieve any audit data, your organization must meet the following requirements:
- A Microsoft 365 E3, E5, or equivalent subscription that includes Microsoft Purview Audit (Standard).
- The file must be stored in OneDrive for Business or SharePoint Online. Local or network-shared files do not generate audit events.
- The auditing feature must be enabled in the Microsoft 365 Defender portal. It is turned on by default for most tenants, but verify it under Audit > Audit settings.
- You need the View-Only Audit Logs role or the Audit Logs role assigned in the Microsoft Purview compliance portal.
Steps to Audit Word Co-Author Document Access History
Follow these steps to generate a compliance report for a specific Word document.
- Open the Microsoft 365 Defender portal
Go tohttps://security.microsoft.comand sign in with an account that has audit log permissions. In the left navigation, expand Audit and select Audit log search. - Set the date range for the audit query
In the Date range field, select a custom range that covers the period you need to audit. For compliance audits, choose the start and end dates that match the review period. Click Apply. - Configure the search criteria for Word document access
Under Activities, type or select the following activities:Accessed file,Co-author: Document modified,Co-author: User joined document,File synced, andFile downloaded. Leave the Users field blank to capture all users, or enter specific user email addresses. - Add the Word document URL as a file filter
Under File, folder, or site, paste the full URL of the Word document. You can get this URL by opening the document in Word Online, clicking Share, and copying the link. This filter ensures the audit results show only events for that specific file. - Run the search and review the results
Click Search. The portal will list all matching audit events. Each row shows the date and time in UTC, the user, the activity, and the file name. Click any row to see the full details, including the IP address and the user agent string. - Export the audit log to a CSV file
On the search results page, click Export all results. The portal downloads a CSV file that includes all columns from the audit log. Open the CSV in Excel to filter, sort, and print the report for your compliance documentation.
If the Audit Log Shows No Results for a Word Document
Auditing is not enabled
In the Microsoft 365 Defender portal, go to Audit > Audit settings and confirm that auditing is turned on. If it is off, enable it and wait up to 30 minutes for the setting to take effect. Only events generated after the enablement date will appear.
The document is stored in a location that does not support auditing
Word files stored on a local drive, a network share, or a third-party cloud service such as Dropbox do not generate audit events. The file must reside in OneDrive for Business or SharePoint Online. Move the document to a supported location and retry the audit search.
The user does not have permission to view audit logs
Your account must have the View-Only Audit Logs role or the Audit Logs role. If you cannot see any results, ask your Microsoft 365 global administrator to assign the appropriate role in the Microsoft Purview compliance portal under Roles.
Microsoft Purview Audit Standard vs Premium for Word Document Auditing
| Item | Audit (Standard) | Audit (Premium) |
|---|---|---|
| License required | Microsoft 365 E3, Business Premium, or equivalent | Microsoft 365 E5, E5 Compliance, or add-on |
| Retention period | 180 days | 1 year (up to 10 years with custom policy) |
| User IP address | Included | Included |
| Co-author join events | Yes, basic activity | Yes, with detailed session info |
| Export via API | Yes, limited to 50,000 records | Yes, unlimited with Office 365 Management Activity API |
Audit (Standard) is sufficient for most compliance reviews of Word co-author access. Upgrade to Audit (Premium) if you need longer retention or more granular session data for legal discovery.
You can now generate a complete audit report for any Word document stored in OneDrive or SharePoint using the Microsoft 365 Defender portal. Run the audit search with the specific file URL to isolate events for a single document. For recurring compliance checks, save the search query as a template in the portal to avoid re-entering the criteria each time.