Microsoft Purview Audit is licensed in two tiers, and the difference between them is less about features than about retention, advanced events, and the speed of access during an investigation. Audit (Standard) is included broadly across Microsoft 365 plans. Audit (Premium) adds longer default retention, access to high-value audit events, and higher-bandwidth access to log data — and it rides on the higher-end E5-class licences. Knowing which tier a given user already holds, and which tier a given investigation actually requires, is the buyer-side discipline that prevents both over-licensing and a compliance gap. It is one of several E5-versus-add-on decisions covered in our complete Microsoft licensing guide.
Audit logging is not optional infrastructure for most regulated organisations — it is how you reconstruct who did what, when, during a security incident or regulatory inquiry. The licensing question is therefore rarely "do we need audit," but "what retention and event depth do we need, and have we already paid for it inside a suite we own?"
Audit (Standard): what's included
Audit (Standard) provides the unified audit log: a searchable record of user and admin activity across Exchange Online, SharePoint Online, OneDrive, Teams, Entra ID, and other Microsoft 365 workloads. Standard captures thousands of audit event types, supports search through the Purview portal and via API, and retains audit records for a default period that is materially shorter than Premium's. For many organisations, Standard covers day-to-day operational auditing and routine access reviews.
Standard is bundled into the common Microsoft 365 and Office 365 business and enterprise plans, so the great majority of enterprise users already have it without a separate purchase. The practical implication: before buying anything for audit, confirm what your existing suite entitlements already deliver. Paying for audit capability that is already inside an owned licence is one of the most common avoidable line items we see.
Audit (Premium): what it adds
Audit (Premium) builds on Standard in three ways that matter during an investigation. First, longer default retention of audit logs, with the option to retain certain logs for an extended multi-year period, which is decisive for regulatory regimes that require multi-year evidentiary records. Second, access to a set of high-value or "advanced" audit events — additional signals that help reconstruct the scope of a compromise. Third, higher bandwidth access to the audit log via API, so a forensic team can pull large volumes of data quickly rather than being throttled mid-incident.
Premium is associated with the E5-class licensing tier (for example, Microsoft 365 E5, the E5 Compliance add-on, or equivalent education and government SKUs). Because of that, the Premium question is usually bundled into the wider E5-versus-E3-plus-add-ons analysis rather than treated as a standalone buy.
The retention add-on nuance: beyond the default Premium retention, Microsoft offers extended audit log retention as a separate paid add-on for organisations that must keep specific logs for the longest regulatory windows. Buyers in finance, healthcare, and government should map their actual statutory retention obligations to the tier and add-on that meets them — and no further. Retaining everything for the maximum period "to be safe" is a recurring overspend.
Standard vs Premium at a glance
| Capability | Audit (Standard) | Audit (Premium) |
|---|---|---|
| Unified audit log search | Yes | Yes |
| Default log retention | Shorter baseline | Extended baseline, multi-year option |
| High-value / advanced audit events | No | Yes |
| Higher-bandwidth API access | Standard | Elevated for investigations |
| Typical licensing home | Common M365 / O365 plans | E5-class / E5 Compliance |
| Extended retention add-on | Not applicable | Available as paid add-on |
The buyer-side decision
The decision turns on three inputs: regulatory retention requirements, incident-response expectations, and what your existing suite already covers. Start by inventorying current entitlements — many users already hold Standard, and some already hold Premium inside an E5 or E5 Compliance bundle they bought for other reasons. Only the gap between what you hold and what your obligations demand should drive new spend.
Where Premium is genuinely required, the question becomes whether to acquire it through full E5, through the E5 Compliance add-on layered on E3, or through targeted licensing for the specific population that needs advanced audit. Not every user needs Premium-grade audit; privileged accounts, finance, and roles handling regulated data usually do, while a large field workforce may be adequately covered by Standard. Right-sizing the population that carries Premium is where the real saving sits, a pattern that mirrors the per-tier logic in Intune Plan 1 vs Plan 2.
Common pitfalls
Three pitfalls recur. The first is assuming audit is "on" and complete by default; default retention under Standard may be shorter than an auditor expects, and the gap only surfaces during an incident when the needed records have already aged out. Confirm retention against your obligations before you need the logs, not after.
The second is buying E5 organisation-wide purely to obtain Premium audit for a small privileged population. E5 carries far more than audit, and if audit is the only driver, a targeted compliance add-on on the right population is usually cheaper. The third is over-retaining: paying for the maximum extended retention across all log types when statute requires it for only a subset.
For adjacent SKU and security-licensing decisions, see GitHub Advanced Security licensing, Microsoft Security Copilot pricing, and the consumption-based model in Azure OpenAI commitment & pricing. For the full entitlement and renewal framework, the Microsoft EA guide sets out how compliance SKUs fold into an enterprise agreement, and our Microsoft licensing experts map your retention obligations to the lowest-cost compliant entitlement.