This post provides everything you need to ensure Advanced Auditing is fully configured and auditing everything we possibly can for both existing and new users. I recently shared guidance for this via social media (see below), and it felt like a perfect time to revisit my previous posts and combine everything into one comprehensive guide :)
You likely aren't collecting all available events to the Unified Audit Log
First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything).
Retention is based on license...
Note: This article was last updated on 01/30/2025 for readability and updated URLs. We no longer need to manually load modules as shown, and this article will be completely overhauled to include backup of LAPS passwords and BitLocker keys to Azure Key Vault as well :)
Note: This article was last updated on 01/26/2025 for readability and updated URLs. Unfortunately, images were not able to be restored from a previous hosting provider :(