The most damaging microsoft 365 audit log mistakes are assuming logs are complete, accepting default retention, failing to review events, overlooking administrator activity, and treating Microsoft 365 as the only system that needs audit controls. Avoid them by verifying what your tenant records, setting a documented review process, protecting evidence, and covering every system that creates, stores, or uses electronic protected health information (ePHI). These steps support HIPAA Audit Controls under 45 CFR §164.312(b), which requires mechanisms to record and examine activity in systems containing or using ePHI.
What does HIPAA audit controls require from a small organization?
HIPAA does not require a small business owner to stare at logs all day or buy an enterprise security operations center. It does require you to implement reasonable mechanisms that record and examine activity involving ePHI. Microsoft 365 can provide useful evidence for email, SharePoint, OneDrive, Teams, Exchange administration, and user sign-ins, but only if the relevant logging is available, enabled, retained, and reviewed.
For an owner-operated organization, the practical goal is simple: be able to answer who accessed information, what changed, when it happened, whether the activity was expected, and what you did when it was not.
Which microsoft 365 audit log mistakes create the biggest compliance gaps?
Mistake 1: Assuming Microsoft 365 logs everything automatically
Why it happens: Microsoft 365 has several log sources with different settings, licenses, and retention behavior. Owners may see the Microsoft Purview Audit search page and assume it captures every important event. In reality, Exchange, SharePoint, OneDrive, Teams, Microsoft Entra ID, endpoint devices, and third-party applications may each produce different records.
Real-world consequence: A business may discover after a suspicious email forwarding rule or unusual file download that the needed event was not captured, is unavailable under its license, or was never tested. That makes it harder to investigate whether ePHI was exposed and to document a defensible response.
Concrete remediation: In the Microsoft Purview portal, verify that auditing is enabled and perform a test search for a known action, such as creating a mailbox forwarding rule or downloading a file from a SharePoint site. Also review Microsoft Entra ID sign-in logs for successful and failed sign-ins. Keep a short inventory listing the systems that handle ePHI and the log source used for each one.
- Microsoft Purview Audit: Exchange, SharePoint, OneDrive, Teams, and administrative activity.
- Microsoft Entra ID sign-in logs: authentication attempts, location, device, application, and conditional access results.
- Microsoft Defender portal: security alerts, phishing detections, and device-related alerts where licensed.
- Other vendors: EHR, practice-management, billing, imaging, fax, and patient-portal systems need their own audit records.
Mistake 2: Relying on default log retention without checking it
Why it happens: Retention is easy to overlook because records may be visible today but unavailable months later. Microsoft licensing and workload settings affect how long different audit data remains searchable. Sign-in log retention may also differ from Purview Audit retention.
Real-world consequence: An employee reports a possible inappropriate access event 90 days after leaving the company. The owner can no longer determine whether the employee accessed files, configured forwarding, or signed in from an unfamiliar device because the relevant records have expired.
Concrete remediation: Document the retention period actually available in your tenant, rather than relying on assumptions or a license comparison chart. If your risk assessment, contracts, insurer, legal counsel, or investigation needs require longer retention, use the appropriate Microsoft licensing, export process, or secure log archive. HIPAA does not set one universal audit-log retention period, but a business should be able to explain why its retention period is reasonable for its systems and risks.
| Log source | What to check | Owner review cadence | Evidence to retain |
|---|---|---|---|
| Microsoft Purview Audit | Audit search returns Exchange and SharePoint events | Monthly | Exported review notes and investigation exports |
| Microsoft Entra ID | Sign-in and audit log retention shown in the tenant | Weekly | Failed-sign-in and risky-sign-in investigation notes |
| Microsoft Defender | Alerts, alert retention, and assigned response owner | Weekly | Closed-alert summaries and remediation actions |
Mistake 3: Collecting logs but never examining them
Why it happens: Many owners correctly enable auditing, then treat it as a “set it and forget it” checkbox. But §164.312(b) calls for both recording and examining activity. A log that nobody reviews is weak evidence of an operating audit-control process.
Real-world consequence: A compromised account repeatedly signs in from another country, creates an inbox rule, and sends messages externally. The events exist, but no one notices until a patient or vendor reports suspicious communication.
Concrete remediation: Assign one named person and one backup to perform a short, scheduled review. The reviewer does not need to read every event. They should look for defined exceptions: unfamiliar sign-in locations, repeated failed sign-ins, new mailbox forwarding rules, unexpected administrative role changes, bulk downloads, external sharing changes, and disabled security settings.
For example, a 22-person specialty practice using Microsoft 365 Business Premium, Teams, SharePoint, and a cloud EHR can designate its office manager to review a one-page weekly summary every Friday. Its outsourced IT provider can investigate exceptions, but the practice owner should receive and retain a monthly confirmation that the review occurred.
Mistake 4: Watching user activity but ignoring administrator and sign-in events
Why it happens: File access is intuitive, while identity and administrator events feel technical. Yet a stolen administrator account can create new users, weaken security policies, reset passwords, alter sharing permissions, or establish persistent access without touching a patient file immediately.
Real-world consequence: A former IT contractor retains a privileged account. Months later, that account creates a new Global Administrator and changes multifactor authentication settings. If the organization only reviews SharePoint downloads, it may miss the root cause.
Concrete remediation: Review Microsoft Entra ID audit logs for role assignments, password resets, application-consent changes, and security-policy changes. Keep Global Administrator accounts to the smallest practical number, require multifactor authentication, and promptly disable accounts for departed staff and vendors. Configure alerts where your Microsoft licensing supports them, especially for privileged role changes and risky sign-ins.
Mistake 5: Having no list of events that should trigger action
Why it happens: Owners often receive broad alerts that are either too noisy or too vague. After a few false alarms, notifications get ignored. This is one of the most common Microsoft 365 logging mistakes because the organization has not decided what “unusual” means for its own workflow.
Real-world consequence: A staff member legitimately downloads a referral packet, while another account exports hundreds of files after hours. Without a baseline and escalation rules, both activities may look equally unremarkable—or equally alarming.
Concrete remediation: Write a short event-review standard that identifies the events requiring investigation and who decides whether they are expected. Start with five to seven high-value events rather than trying to monitor everything.
- Sign-in from an unexpected country, impossible travel pattern, or unfamiliar device.
- Multiple failed sign-ins followed by a successful sign-in.
- New or changed mailbox forwarding and inbox rules.
- Global Administrator, Exchange Administrator, or SharePoint Administrator role changes.
- External sharing enabled for a sensitive SharePoint site or OneDrive folder.
- Large-volume downloads, deletions, or permission changes outside normal work patterns.
Mistake 6: Failing to preserve review evidence and investigation decisions
Why it happens: A staff member may verbally tell the owner, “I checked the logs; everything looked fine.” That is useful operationally but difficult to prove later. Screenshots saved only on a personal laptop are also not reliable evidence.
Real-world consequence: During a HIPAA investigation or insurer inquiry, the organization can show that auditing was configured but cannot demonstrate regular examination, what was reviewed, or how suspicious events were resolved.
Concrete remediation: Keep a simple audit review record in a protected SharePoint library or compliance folder. For each review, record the date, reviewer, systems checked, exceptions found, decision made, and follow-up ticket number. Restrict edit access so ordinary users cannot alter the review history.
Review date: 2026-07-10 Reviewer: Office Manager Sources reviewed: Purview Audit, Entra sign-in logs, Defender alerts Exception: Failed sign-ins for j.smith@company.com from two foreign IP addresses Decision: User confirmed no travel; password reset and sessions revoked Follow-up: IT ticket #4821; no ePHI access confirmed after investigation
Mistake 7: Treating Microsoft 365 as the entire audit-control program
Why it happens: Microsoft 365 is visible and familiar, while specialized systems are managed by other vendors. But ePHI may also pass through the EHR, scheduling platform, billing system, secure fax service, patient portal, imaging system, and managed devices.
Real-world consequence: A practice can show excellent Microsoft 365 logs but cannot determine who opened a patient chart in its EHR or transmitted records through its fax platform. That leaves a significant gap against the HIPAA Audit Controls requirement.
Concrete remediation: Create a one-page ePHI system inventory. For every system, identify whether it records user access and administrative changes, who reviews those logs, how long records are retained, and how to obtain them during an investigation. At a 14-person medical billing and referral office, this may mean reviewing Microsoft 365 activity weekly while requesting a monthly access-audit report from the EHR vendor and checking the secure-fax portal’s transmission history.
How can you self-check your audit-control process?
- Can you name every system where your organization creates, receives, maintains, or transmits ePHI?
- Have you verified—not assumed—that Microsoft Purview Audit and Entra ID logs contain events from a recent test?
- Do you know the actual retention period for each important log source?
- Is a specific person responsible for weekly or monthly review, with a backup person identified?
- Do you have written criteria for what events require investigation?
- Can you show a dated record of recent reviews, findings, and corrective actions?
- Do your EHR, patient portal, fax, billing, and other ePHI vendors provide audit records when needed?
Next step: Set aside 30 minutes this week to test one Microsoft 365 audit event, document the result, and assign an owner for your first recurring log review.