In the wake of the 2021 SolarWinds and subsequent nation-state attacks, Microsoft forensic investigators consistently found the same gap: organisations had Audit Standard enabled but lacked the MailItemsAccessed event — an Audit Premium-only capability that reveals precisely which emails an attacker read. That single missing feature cost incident response teams an average of 40 additional hours per investigation. Understanding the licensing line between Audit Standard and Premium is not a compliance checkbox exercise — it is a direct determinant of your organisation's forensic capability when something goes wrong.
Audit Standard vs Premium: Capability Matrix
Microsoft Purview Audit has two tiers. Standard is the baseline — included with E1 through E3 and equivalent Business plans. Premium is gated behind E5 or the E5 Compliance add-on. The following table captures the decision-critical differences:
| Capability | Audit Standard | Audit Premium |
|---|---|---|
| Audit log retention | 90 days (180 days for Exchange/SharePoint/Teams on E3+) | 1 year default; 10-year add-on available |
| MailItemsAccessed event | ❌ Not included | ✅ Full email forensics |
| Send event (outbound email) | ❌ Not included | ✅ Tracks all outbound mail |
| SearchQueryInitiatedExchange | ❌ Not included | ✅ User search query logging |
| SearchQueryInitiatedSharePoint | ❌ Not included | ✅ SharePoint search forensics |
| Management API bandwidth | 60 requests/minute | 2,000 requests/minute |
| Intelligent insights | ❌ Not included | ✅ High-value event prioritisation |
| Audit search export | 50,000 rows max | Unlimited rows |
| Audit log investigation tools | Basic search UI | Advanced queries + saved searches |
| Licensing requirement | E1/E3/Business tiers | E5 or E5 Compliance add-on |
Licensing Requirements and Cost Model
Audit Standard requires no additional licence beyond your base M365 plan. Audit Premium requires one of: Microsoft 365 E5 ($57/user/month), Office 365 E5 ($38/user/month), or the Microsoft 365 E5 Compliance add-on ($12/user/month on top of E3). The add-on path is by far the most efficient for organisations that need audit forensics without the full E5 stack.
E5 Compliance Add-on Cost Calculation
For a 1,000-user organisation on E3 ($36/user/month), adding E5 Compliance at $12/user/month costs $144,000/year. That unlocks not just Audit Premium but also Information Protection, DLP for Teams and Endpoint, eDiscovery Premium, Communication Compliance, and Insider Risk Management. Breaking out the audit component alone, the implicit cost of Audit Premium is roughly $2–3/user/month when divided across the E5 Compliance capability set.
The Four Intelligent Insights Events Explained
Microsoft calls Premium-exclusive events "intelligent insights" — high-bandwidth, high-value events that the Audit Standard tier explicitly excludes. Understanding each one helps you determine whether your compliance or security use case genuinely requires Premium.
MailItemsAccessed
This event fires every time a mail item is accessed via any protocol: MAPI (Outlook desktop), EWS (Outlook on the web), REST API, ActiveSync (mobile), or IMAP. Each event records the user identity, access protocol, IP address, timestamp, and folder path. During a breach investigation, this is the mechanism that tells you whether a threat actor reading mail as a compromised user accessed the CEO's inbox, the M&A data room folder, or the HR salary database — and exactly when. Without this event, you cannot establish scope for breach notification purposes under GDPR Article 33.
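An added example, not from the original article or from Microsoft: one way to turn exported MailItemsAccessed records into a breach scope for a set of suspect IP addresses. It goes slightly beyond the paragraph above by separating itemised (Bind) access from folder sync and flagging throttled mailboxes. The field names (MailboxOwnerUPN, ClientIPAddress, OperationProperties, Folders, Item.ParentFolder) and the sample records are assumptions to check against your own export.

```python
from collections import defaultdict

def _rec(ts, upn, ip, kind, throttled="False", **extra):
    """Build one constructed record; field names are assumed, verify on export."""
    props = [{"Name": "MailAccessType", "Value": kind},
             {"Name": "IsThrottled", "Value": throttled}]
    return {"Operation": "MailItemsAccessed", "CreationTime": ts, "MailboxOwnerUPN": upn,
            "ClientIPAddress": ip, "OperationProperties": props, **extra}

# Constructed sample data (documentation IP ranges, not real tenant logs).
SAMPLE = [
    _rec("2024-03-01T09:14:02", "ceo@example.test", "203.0.113.7", "Bind",
         Folders=[{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<m1@example.test>"},
             {"InternetMessageId": "<m2@example.test>"}]}]),
    _rec("2024-03-01T09:20:40", "ceo@example.test", "203.0.113.7", "Sync",
         throttled="True", Item={"ParentFolder": {"Path": "\\Deals"}}),
    _rec("2024-03-01T09:30:00", "ceo@example.test", "198.51.100.20", "Bind",
         Folders=[{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<m3@example.test>"}]}]),
]

def scope_mail_access(records, suspect_ips):
    """Summarise what each mailbox exposed to the suspect IP addresses."""
    scope = defaultdict(lambda: {"messages": set(), "synced_folders": set(),
                                 "first": None, "last": None, "throttled": False})
    for rec in records:
        if (rec.get("Operation") != "MailItemsAccessed"
                or rec.get("ClientIPAddress") not in suspect_ips):
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        entry = scope[rec["MailboxOwnerUPN"]]
        ts = rec["CreationTime"]  # ISO 8601 strings sort chronologically
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
        # Throttling means records are missing: the itemised list is a lower bound.
        entry["throttled"] |= props.get("IsThrottled") == "True"
        if props.get("MailAccessType") == "Sync":
            # Sync pulls a whole folder, so scope every item in it as exposed.
            entry["synced_folders"].add(rec["Item"]["ParentFolder"]["Path"])
        else:
            # Bind records itemise the individual messages that were opened.
            for folder in rec.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    entry["messages"].add((folder["Path"], item["InternetMessageId"]))
    return dict(scope)

if __name__ == "__main__":
    print(scope_mail_access(SAMPLE, {"203.0.113.7"}))
```

Where `throttled` is true or `synced_folders` is non-empty, the itemised message list understates exposure and the notification scope should widen to the affected folders or the whole mailbox.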
Send Event
The Send event captures every email transmission: To/CC/BCC recipients, subject line (not body), attachment presence, and send timestamp. Critical for data exfiltration investigations and FCA/FINRA communication surveillance requirements where outbound monitoring is mandatory. Standard audit captures MessageSent only for certain scenarios; the Premium Send event is comprehensive across all send paths.
SearchQueryInitiatedExchange and SharePoint
These two events record every search query a user executes — the actual text entered into Exchange Online search (Outlook) or SharePoint/OneDrive search. In insider threat investigations, search queries are often more revealing than file access: a departing employee who searches "salary data all employees" followed by "board meeting minutes" before resignation creates an evidence trail that file access logs alone cannot provide. These events integrate directly with Insider Risk Management's correlation engine — a key reason why the two capabilities are bundled in the E5 Compliance add-on.
Log Retention: The 90-Day vs 1-Year Decision
Audit Standard provides 90-day retention for most events. Microsoft extended this to 180 days for E3+ tenants for core Exchange, SharePoint, and Teams activities in 2020 — but this is the ceiling for Standard. Audit Premium's default is 1 year across all workloads, with an optional 10-year retention add-on at approximately $12/user/month (same price as the full E5 Compliance add-on, applied only to users who need extended retention).
Why 90 Days Is Often Insufficient
Three compliance frameworks drive the retention decision. ISO 27001 recommends 12-month minimum audit log retention. SOC 2 Type II auditors routinely request 12 months of evidence for access control reviews. GDPR data breach investigations frequently look back 3–6 months from incident discovery to initial compromise — well beyond the 90-day Standard window. FCA COBS 11.8 requires 5-year electronic communication retention for MiFID-regulated firms, though this is typically handled via Communication Compliance archiving rather than audit logs.
| Retention Requirement | Standard (90/180 days) | Premium (1 year) | Premium + 10-yr add-on |
|---|---|---|---|
| ISO 27001 access review | ❌ Insufficient | ✅ Meets requirement | ✅ Exceeds |
| SOC 2 Type II audit | ❌ Insufficient | ✅ Meets requirement | ✅ Exceeds |
| GDPR breach investigation | ⚠️ Marginal | ✅ Adequate | ✅ Exceeds |
| FCA COBS 11.8 (5 years) | ❌ Insufficient | ❌ Insufficient | ✅ Meets (with archiving) |
| HIPAA audit controls (6 years) | ❌ Insufficient | ❌ Insufficient | ✅ Meets |
| General commercial enterprise | ⚠️ Acceptable for low-risk | ✅ Best practice | Overkill for most |
API Bandwidth: Why It Matters for SIEM Integration
The Management Activity API bandwidth difference — 60 requests/minute for Standard versus 2,000 for Premium — is irrelevant for tenants with fewer than a few hundred users running simple search queries. For large enterprises integrating Microsoft 365 audit logs into Microsoft Sentinel, Splunk, or other SIEMs, it becomes critical. At Standard bandwidth rates, a 5,000-user tenant generating 500,000+ daily events will experience consistent API throttling, causing event delays of 2–8 hours and audit gaps. Premium's 2,000 requests/minute allocation accommodates real-time streaming for tenants up to approximately 50,000 users.
Scoped Deployment Strategy: Who Needs Premium?
Audit Premium capabilities are per-user, not per-tenant. Events generated by a Standard-licensed user are logged at Standard tier regardless of the Premium features enabled in the tenant. This creates a powerful optimisation: licence only the users who genuinely require Premium forensic coverage, rather than deploying universally.
User Populations That Justify Premium Licensing
The highest-value Premium candidates are: C-suite and board members (primary targets of compromise, highest breach impact), finance and treasury teams (payment fraud vector), M&A and legal (highest data sensitivity), IT administrators (privileged access, insider risk), departing employees in notice period (IRM integration value), and regulated users under FCA/FINRA supervision. For a 5,000-user organisation, this population typically represents 300–700 users — 15–30% of headcount — reducing Premium licensing cost from $720,000/year to $108,000–$252,000/year.
The 10-Year Retention Add-on: Cost-Benefit Analysis
The Microsoft 365 Audit (Premium) 10-Year Retention add-on costs approximately $12/user/month and extends default 1-year Premium retention to 10 years. It requires Audit Premium as a prerequisite. The total cost for a 200-user regulated team: $28,800/year. Contrast this with third-party log archiving solutions — Splunk's log archiving for equivalent volume runs $15,000–$40,000/year for comparable retention periods. For organisations under long-tail regulatory requirements (HIPAA's 6-year minimum, SEC Rule 17a-4's 7-year requirement for broker-dealers), the add-on is the most cost-efficient path for Microsoft 365 workload audit data specifically.
EA Negotiation Levers for Audit Premium
Three negotiation levers apply specifically to Audit Premium deployment:
- Scoped deployment commitment: Propose licensing Audit Premium for a defined "high-risk user" population — typically 15–25% of tenant — as part of E5 Compliance add-on deployment. Microsoft will often accept this if you commit to expanding the deployment over the EA term, with year-1 pricing on the scoped population locked at year-3 rates.
- Competitive displacement of log archiving: If you are currently paying for Splunk, ArcSight, or a third-party log archiving platform to retain Microsoft 365 audit data, document that cost and use it as leverage to negotiate E5 Compliance add-on pricing. Microsoft's channel teams have competitive displacement playbooks that allow 15–20% discounts when replacing named competitors.
- SIEM consolidation to Sentinel: If you commit to consolidating audit log streaming into Microsoft Sentinel, Microsoft's combined licensing deals — E5 Compliance + Sentinel workspace — frequently include 15% workload bundling discounts not available on standalone purchases.
Frequently Asked Questions
What licence do I need for Purview Audit Premium?
Purview Audit Premium requires Microsoft 365 E5, Office 365 E5, or the Microsoft 365 E5 Compliance add-on ($12/user/month on top of E3). Audit Standard is included at no extra cost with E3 and above.
How long does Audit Standard retain logs?
Audit Standard retains most audit records for 90 days. Microsoft 365 E3/E5 users get 180-day retention for Exchange, SharePoint, and Teams activities. Audit Premium extends this to 1 year by default, with an optional 10-year retention add-on.
What are intelligent insights in Audit Premium?
Intelligent insights in Audit Premium include MailItemsAccessed (precise email access tracking), Send (outbound email logging), SearchQueryInitiatedExchange, and SearchQueryInitiatedSharePoint — all critical for high-value investigation use cases.
Can I mix Audit Standard and Premium users in the same tenant?
Yes. Audit Premium capabilities apply only to licensed users. Unlicensed users generate Standard audit events. This allows targeted deployment — licence only investigated user populations for Premium, reducing cost by 30–50%.
Is the 10-year audit retention add-on worth it?
The 10-year retention add-on ($12/user/month) is valuable for regulated industries (financial services, healthcare, government) with long regulatory look-back requirements. For most commercial enterprises, 1-year Premium retention is sufficient.
What is the bandwidth allocation for Audit Premium?
Audit Premium provides higher-bandwidth access to the Office 365 Management Activity API — up to 2,000 requests per minute versus 60 per minute for Standard. This is critical for SIEM integrations processing large event volumes.