Microsoft Copilot interactions generate audit logs that record every prompt, response, and data access event. By default, Microsoft 365 retains these logs for only 90 days for users with an E5 license and 180 days for E5 Compliance add-on subscribers. If your organization needs to keep Copilot audit records for regulatory compliance, internal investigations, or security analysis, the standard retention period may fall short. This article explains how to extend Copilot audit log retention beyond the default limits using retention policies in the Microsoft Purview compliance portal.
You will learn the precise steps to create a retention policy targeting Copilot audit data, the licensing requirements involved, and what to do if logs stop appearing after the change. The guide covers both the Unified Audit Log and the Copilot-specific schema fields that matter for eDiscovery.
Key Takeaways: Extending Copilot Audit Log Retention
- Microsoft Purview compliance portal > Data lifecycle management > Retention policies > New retention policy: Creates a policy that retains Copilot audit logs for up to 10 years.
- Workload filter set to Exchange (UnifiedAuditLog): Ensures the retention policy captures Copilot interaction events stored in the Unified Audit Log.
- Licensing requirement: Microsoft 365 E5 or E5 Compliance add-on: Needed to create retention policies for audit logs beyond 90 or 180 days.
Why Copilot Audit Logs Have Default Retention Limits
Microsoft 365 records every Copilot interaction in the Unified Audit Log. Each event contains the user who sent the prompt, the timestamp, the Copilot response summary, and the Microsoft Graph data sources accessed. The default retention period depends on your license edition:
- Microsoft 365 E3: 90 days
- Microsoft 365 E5: 90 days
- E5 Compliance add-on: 180 days
These defaults exist because Microsoft limits storage costs and assumes most organizations review logs within a quarter. However, many industries require audit records for one year or longer. Financial services, healthcare, and government agencies often need to retain Copilot logs for three to ten years to meet regulatory mandates such as SEC Rule 17a-4, HIPAA, or FedRAMP.
The Unified Audit Log stores Copilot events under the workload Copilot with the operation CopilotInteraction. These events include fields like PromptText, ResponseText, AppHost, and AccessedResources. A retention policy set on the audit log keeps these records past the default expiry.
Steps to Extend Copilot Audit Log Retention Beyond Default
You must be a Compliance Administrator, Tenant Administrator, or have the appropriate role in the Microsoft Purview compliance portal. The following steps create a retention policy that applies to all Copilot audit log entries in your tenant.
- Open the Microsoft Purview compliance portal
Go tohttps://compliance.microsoft.comand sign in with an account that has Compliance Administrator or Tenant Administrator privileges. - Navigate to Data lifecycle management
In the left navigation pane, select Data lifecycle management under the Solutions section. If you do not see this option, ensure your license includes the E5 Compliance add-on or equivalent. - Go to Retention policies
Click Retention policies to view the list of existing policies. Then click + New retention policy to start the creation wizard. - Name the policy for Copilot audit logs
Enter a descriptive name such as Copilot Audit Log Retention – 3 Years. In the description, note the retention duration and the target workload. Click Next. - Select the workload scope
Choose Exchange email as the workload. The Unified Audit Log is stored within Exchange Online data, even for Copilot events. Do not select SharePoint, OneDrive, or Teams — those workloads do not contain the Copilot audit log entries. - Configure retention duration
Under Decide if you want to retain content, delete it, or both, select Retain items for a specific period. Set the duration to the number of days, months, or years your organization needs. The maximum is 10 years. For example, set 3 years for a typical compliance requirement. - Set the retention start point
Choose When items were created as the start of the retention period. This ensures the countdown begins from the moment the Copilot interaction was logged. - Review and finish
Click Next to review the policy settings. Confirm that the workload is Exchange email, the retention period is set correctly, and no deletion action is enabled unless you also want automatic removal after retention expires. Click Submit to create the policy.
The policy takes effect within one hour. After that, all new Copilot audit log entries will be retained for the duration you specified. Existing log entries that are still within their default retention window will also be extended — entries already deleted before the policy was created cannot be recovered.
If Copilot Audit Logs Are Missing or Not Extending
Copilot audit logs disappear after creating the retention policy
If you stop seeing Copilot audit log entries after applying the policy, verify that the policy is not inadvertently deleting logs. Open the policy in the Purview portal and check the Action section. If you selected Delete items after a specific period without also selecting Retain items, logs will be deleted when the period ends. Change the action to Retain items for a specific period and set deletion to Never.
Retention policy does not apply to existing log entries
Retention policies apply to content that exists at the time the policy is created, but only if the content is not already past its retention period. If a Copilot audit log entry was created 95 days ago and your default retention is 90 days, that entry is already deleted and cannot be extended. To avoid this gap, create the retention policy before the default retention window expires. For E3 tenants, create the policy within 90 days of the first Copilot deployment.
Search for Copilot audit logs returns no results
If you run an audit log search and see no Copilot events, check that audit logging is enabled for your tenant. Go to Audit in the Purview portal under Solutions > Audit. If the status shows Turn off auditing, auditing is already on. If it shows Start recording user and admin activity, click that button to enable it. Also confirm that the search date range covers the period after the retention policy was created.
Copilot Audit Log Retention: Default vs Extended
| Item | Default Retention (E3/E5) | Extended Retention (Purview Policy) |
|---|---|---|
| Maximum duration | 90 days (E3/E5) / 180 days (E5 Compliance add-on) | Up to 10 years |
| Workload location | Unified Audit Log in Exchange Online | Same – Exchange Online Unified Audit Log |
| Required license | Microsoft 365 E3 or E5 | Microsoft 365 E5 or E5 Compliance add-on |
| Admin role needed | Audit Log Viewer | Compliance Administrator or Tenant Administrator |
| Applies to existing logs | Automatic for logs within default window | Yes – only if logs have not already been deleted |
| Supports eDiscovery | Yes – within retention window | Yes – for full extended period |
You can now create a retention policy that keeps Copilot audit logs for up to 10 years, covering regulatory requirements that exceed the default 90 or 180 day limits. After the policy is active, verify it by running an audit log search in the Purview portal for a Copilot event dated after the policy creation. For advanced compliance workflows, combine the retention policy with a litigation hold on the same workload to prevent any accidental deletion during the retention period.