m365Corner
M365 Blogs

Microsoft 365 Audit Logs: E3 vs E5 Differences (With Scripts)

Microsoft 365 audit logs are essential for tracking user activity, investigating incidents, and ensuring compliance.

However, not all audit capabilities are equal.

  • 👉 If you're using Microsoft 365 E3, you get basic auditing
  • 👉 With E5, you unlock advanced (premium) auditing features

In this guide, we’ll break down the real differences between E3 vs E5 audit logs, along with practical Graph PowerShell scripts you can use today.


What You’ll Learn

  • Key differences between Audit (Standard) and Audit (Premium)
  • What logs are available in E3 vs E5
  • Real examples of missing data in E3
  • Graph PowerShell scripts for both scenarios
  • When upgrading to E5 actually makes sense

Audit Logging Tiers in Microsoft 365

Microsoft divides auditing into two levels:

Feature Audit (Standard) Audit (Premium)
Included In E3 / Business E5 / Add-on
Log Retention 90 days 180 days – 1 year+
Advanced Events ❌ No ✅ Yes
Search Query Logs ❌ No ✅ Yes
Mailbox Detailed Logs ❌ Limited ✅ Full
High-value Events ❌ No ✅ Yes

Key Differences: E3 vs E5 Audit Logs

Feature E3 E5
Log Retention 90 days 180 days to 1 year (or more with add-ons)
Advanced Audit Events Does not include:
  • SearchQueryPerformed
  • MailItemsAccessed
  • Send (detailed email events)
  • Advanced file access telemetry
 Includes:
  • Detailed mailbox access logs
  • Search queries
  • High-value security events
  • Data exfiltration signals
Mailbox Auditing Depth Basic mailbox actions✅
Message read tracking❌
MailItemsAccessed event ❌		 Basic mailbox actions✅
Message read tracking✅
MailItemsAccessed event ✅
Investigation Capability Limited visibility
Hard to trace insider activity
  • Full audit trail
  • Better forensic capability

Graph PowerShell Setup


Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "AuditLog.Read.All"

Script 1: Get Basic Audit Logs (Works in E3 & E5)


# Fetch recent audit logs
$Logs = Get-MgAuditLogDirectoryAudit -Top 50

$Logs | Select-Object `    
  ActivityDateTime,   
  ActivityDisplayName,    
  @{Name="User";Expression={$_.InitiatedBy.User.UserPrincipalName}},    
  LoggedByService | Format-Table

✅ What You’ll See in E3

  • User logins
  • Group changes
  • Basic file operations

Script 2: Try Fetching Advanced Events (E5 Only)


# Attempt to fetch search activity
$SearchLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq
'SearchQueryPerformed'" -All

$SearchLogs | Select-Object ActivityDateTime, ActivityDisplayName

❌ Output in E3

👉 Empty result (or event not found)

✅ Output in E5

👉 Returns:

  • Search queries
  • User activity
  • Workload (SharePoint, OneDrive)

Script 3: Mailbox Access Tracking (E5 Only)


$MailAccess = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'MailItemsAccessed'"
-All

$MailAccess | Select-Object `    
  ActivityDateTime,    
  @{Name="User";Expression={$_.InitiatedBy.User.UserPrincipalName}},   
  ActivityDisplayName

Why This Matters

This event helps detect:

  • Unauthorized email access
  • Insider threats
  • Data leaks

👉 Not available in E3


Real-World Scenarios

Scenario 1: Insider Threat Investigation

Requirement E3 E5
Track file access Partial Full
Track email reads
Track searches

👉 E5 is required

Scenario 2: Compliance Audit

  • E3 → May fail audit requirements
  • E5 → Meets advanced compliance needs

Scenario 3: Copilot Readiness

Copilot depends on:

  • search behavior
  • content usage

👉 Only E5 provides this visibility


Cmdlet Tips

  • Always test without filters first
  • Use -All cautiously
  • Expect empty results in E3 for advanced events
  • Audit logs are workload-dependent

Common Errors & Solutions

Error Cause Solution
No results returned
  • Using E3 license
  • Querying E5-only event
Verify license before troubleshooting
Error: Insufficient privileges Insufficient privileges to complete the operation Connect-MgGraph -Scopes "AuditLog.Read.All"
Error: Event not found Event not supported in tenant Upgrade to E5 / Audit Premium

When Should You Upgrade to E5?

Upgrade if you need:

  • 🔍 Full audit trail
  • 🔐 Insider risk detection
  • 📊 Search visibility
  • 📁 Detailed file access logs
  • 🧾 Long-term retention

Conclusion

Microsoft 365 audit logs are powerful—but only if you have the right license.

👉 E3 = Basic visibility
👉 E5 = Deep insights + security intelligence

Using Graph PowerShell, you can clearly see the difference:

  • Missing data in E3
  • Rich telemetry in E5

👉 If auditing is critical to your organization, E5 is not optional—it’s essential.

Did You Know? Managing Microsoft 365 applications is even easier with automation. Try our Graph PowerShell scripts to automate tasks like generating reports, cleaning up inactive Teams, or assigning licenses efficiently.

Ready to get the most out of Microsoft 365 tools? Explore our free Microsoft 365 administration tools to simplify your administrative tasks and boost productivity.

© Your Site Name. All Rights Reserved. Design by HTML Codex