A mortgage lender that runs Microsoft 365 already has the audit data examiners want. Microsoft Purview captures every file access, every email, every Teams message, every admin change. Microsoft Entra ID records every sign-in, every conditional access decision, every role assignment. The data is there. The question examiners ask is whether the lender knows how to use it. Access Business Technologies operates Microsoft 365 tenants for more than 750 financial institutions, and mortgage companies are a core part of that footprint. This article walks through the five-step self-audit checklist that mortgage compliance teams use to validate broker conduct, detect anomalies, and produce examiner-ready evidence from the audit data Microsoft 365 already collects.
Why ABT Runs M365 Self-Audits for Mortgage Lenders
- Mortgage-specific DLP and retention policies applied across Exchange Online, SharePoint, and OneDrive, tuned to borrower NPI, loan files, and origination correspondence rather than generic SMB templates.
- Conditional Access policies in Microsoft Entra ID calibrated to broker geography, branch hours, and device posture so the sign-in evidence the audit produces is meaningful from day one.
- MortgageExchange connects the LOS to core banking, so the audit framework covers loan origination data movement end to end, not just the Microsoft 365 surface.
State regulators now run most mortgage examinations after the federal CFPB pulled back in 2025. California's CCPA amendments require annual cybersecurity audits. New York's DFS cybersecurity regulation mandates access logging. The lender that walks into an examination with a documented self-audit cadence walks out clean. The lender that improvises walks out with findings. The difference is operational, not technical.
Why Mortgage Lenders Need M365 Self-Audits
Mortgage regulators expect evidence-driven answers. When a state examiner asks "Who accessed borrower Jones's loan file in the last ninety days?" the lender needs a definitive answer, not a guess. The audit data that produces that definitive answer already exists inside Microsoft 365. Microsoft Purview captures the file activity. Microsoft Entra ID captures the sign-in activity. The lender's job is to make sure those two layers are configured the same way every quarter, reviewed on a documented cadence, and exported into an evidence chain a compliance officer can hand to an examiner without spending three weeks pulling screenshots.
The federal CFPB stepped back from active mortgage enforcement in 2025. State regulators stepped in. Their examination questions look the same. The expectations for documentation look the same. The lenders that pass clean exams have one thing in common: a documented quarterly self-audit cadence that reviews the Microsoft Purview activity logs and the Microsoft Entra ID sign-in logs against the lender's own access policies. That cadence is the lead reason institutions move from manual log review to a managed Microsoft 365 audit framework. The audit-readiness improvement is the byproduct.
Microsoft Purview and Microsoft Entra ID: The Two Self-Audit Data Sources
The mortgage M365 self-audit lives on two data sources inside Microsoft 365. The first is Microsoft Purview Audit, which produces the time-stamped activity trail across Exchange Online, SharePoint Online, OneDrive, and Teams. Purview Audit captures every file open, every download, every external share, every email sent, every Teams message posted, every admin action taken inside the tenant. Purview Audit Premium extends retention to one year by default, with the option to extend to ten years on the add-on, which gives mortgage compliance teams the retention window state examiners typically request. Retention policies bind tamper-evident retention to the mailboxes, sites, and Teams channels where loan files and borrower correspondence live, so the records system itself satisfies the evidence-preservation expectation that runs through state mortgage rules.
The second data source is Microsoft Entra ID, which produces the identity and access activity trail. Entra ID sign-in logs capture every authentication attempt, the location and device the sign-in came from, whether multi-factor authentication challenged the user, and whether Conditional Access allowed or blocked the session. Entra ID audit logs capture every directory change, every role assignment, every Conditional Access policy modification, every privileged access escalation. For a mortgage lender, the Purview activity logs answer the file-side question (who touched this loan file?) and the Entra ID sign-in logs answer the identity-side question (who logged in from where with what device posture?). Together those two surfaces produce the complete audit picture a state examiner asks for. The five-step self-audit framework below walks the compliance officer through both surfaces in the order that produces the cleanest evidence chain.
The Five-Step Mortgage M365 Self-Audit
The five steps below run as a quarterly cadence. Step one establishes that the audit data is being collected at all. Steps two through four work through the three categories of activity that state mortgage examiners look at most often. Step five turns the raw logs into an evidence chain. Run the cadence on the same week every quarter so the documentation lands in the lender's compliance package on a predictable schedule.
Step 1: Confirm that audit data is being collected. Open the Microsoft Purview portal and confirm the Audit search interface loads. If a prompt appears asking to enable auditing, the lender has been operating without an evidence trail. Confirm the retention window matches the lender's license tier. Standard Business Premium and E3 tenants get one hundred eighty days of retention on the default audit log. E5 and Compliance add-on tenants get a full year, with the option to extend to ten years. Confirm Entra ID sign-in log retention covers the same window. Document the result in the quarterly compliance file.
Step 2: Review broker sign-in activity. Run the Entra ID sign-in report for the quarter under review. Flag sign-ins from unexpected geographies, sign-ins outside the broker's normal hours, sign-ins from devices that are not enrolled in the lender's Intune fleet, and accounts that show concurrent sessions across multiple devices. Conditional Access decisions are recorded next to each sign-in, so the report also surfaces every time a sign-in was challenged or blocked. Investigate the anomalies that matter. Document the rest as reviewed.
Step 3: Review loan file activity. Pull the Microsoft Purview activity log for the SharePoint sites and OneDrive accounts that hold loan files. Look for unauthorized access to borrower records, external sharing of loan documents to recipients outside the lender's organization, mass downloads (a user pulling fifty or more loan files in a single session is either doing a legitimate bulk operation or exfiltrating data, and context matters), and deletions of loan documents or compliance records. SharePoint sharing logs capture the recipient, timestamp, and sharing method for every external share, which is exactly what state examiners ask for.
Step 4: Review privileged role and policy changes. Pull the Entra ID audit log filtered for role assignments and Conditional Access policy changes. A single Global Administrator assignment grants unrestricted access to every mailbox, file, and configuration setting in the tenant, so every privileged role assignment in the quarter needs an authorized ticket behind it. Conditional Access policy modifications that loosen MFA requirements or device compliance enforcement can silently weaken the lender's security posture. Mail flow rule changes that add forwarding to external addresses are a recurring breach pattern. Document every change and the approval behind it.
Step 5: Export the logs and assemble the evidence chain. Export the relevant Microsoft Purview and Microsoft Entra ID log subsets before the retention window closes. Microsoft is not the lender's records custodian; the lender is. Analyze the exports against the lender's written access and supervision policies. Confirm broker actions matched policy. Confirm anti-fraud and privacy rules were followed. Attach the analysis, the remediation notes for any anomalies found, and the compliance officer's sign-off to the quarterly file. When an examiner arrives, the evidence chain is already in the lender's hands.
The audit data is already being collected. The self-audit is the operational discipline that turns it into evidence.
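As an added example (not ABT's tooling and not Microsoft's), the policy checks from steps 2 through 4 expressed as Python over exported log records. The field names mirror the Microsoft Entra ID sign-in export (flattened) and Purview audit-log records; the allowed countries, branch hours, tenant domain, approved-ticket lookup and every sample record are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Policy parameters are assumptions for the example; a lender sets its own.
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(12, 24)      # UTC hours counted as branch hours (assumed)
MASS_DOWNLOAD_THRESHOLD = 50        # the "fifty or more loan files" rule from step 3
INTERNAL_DOMAIN = "lender.example"  # placeholder tenant domain

def review_signins(rows):
    """Step 2: geography, off-hours, unenrolled device and blocked sign-ins."""
    findings = []
    for r in rows:
        hour = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")).hour
        checks = [(r["countryOrRegion"] not in ALLOWED_COUNTRIES, "unexpected geography"),
                  (hour not in BUSINESS_HOURS, "off-hours sign-in"),
                  (not r["isCompliant"], "device not compliant/enrolled"),
                  (r["conditionalAccessStatus"] == "failure", "blocked by Conditional Access")]
        findings += [(r["userPrincipalName"], why) for hit, why in checks if hit]
    return findings

def review_file_activity(records):
    """Step 3: mass downloads, external shares and deletions of loan documents."""
    downloads = Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")
    findings = [(u, f"mass download of {n} files") for u, n in downloads.items()
                if n >= MASS_DOWNLOAD_THRESHOLD]
    for r in records:
        target = r.get("TargetUserOrGroupName", "")
        if r["Operation"] == "SharingSet" and not target.endswith("@" + INTERNAL_DOMAIN):
            findings.append((r["UserId"], f"external share of {r['ObjectId']} to {target}"))
        elif r["Operation"] == "FileDeleted":
            findings.append((r["UserId"], f"deleted {r['ObjectId']}"))
    return findings

def review_privileged_changes(records, approved_ids):
    """Step 4: every role assignment must map to an approval ticket (assumed lookup set)."""
    return [(r["UserId"], f"unapproved role assignment: {r['ObjectId']}") for r in records
            if r["Operation"] == "Add member to role." and r["Id"] not in approved_ids]

# Constructed sample: one clean sign-in, one tripping every check, 50 downloads by one
# broker, an external share, a deletion, and two role assignments (one ticketed: "e1").
SIGNINS = [
    {"userPrincipalName": "broker1@lender.example", "createdDateTime": "2025-04-02T15:05:00Z",
     "countryOrRegion": "US", "isCompliant": True, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "broker2@lender.example", "createdDateTime": "2025-04-02T03:15:00Z",
     "countryOrRegion": "RO", "isCompliant": False, "conditionalAccessStatus": "failure"}]
LOANS = "https://lender.sharepoint.example/sites/loans/"
AUDIT = [{"Operation": "FileDownloaded", "UserId": "broker2@lender.example",
          "ObjectId": f"{LOANS}{i}.pdf"} for i in range(50)] + [
    {"Operation": "SharingSet", "UserId": "broker1@lender.example", "ObjectId": LOANS + "jones.pdf",
     "TargetUserOrGroupName": "x@mail.example"},
    {"Operation": "FileDeleted", "UserId": "broker1@lender.example", "ObjectId": LOANS + "log.xlsx"},
    {"Operation": "Add member to role.", "UserId": "it@lender.example", "Id": "e1", "ObjectId": "Global Administrator"},
    {"Operation": "Add member to role.", "UserId": "it@lender.example", "Id": "e2", "ObjectId": "Exchange Administrator"}]
```

Each function returns (user, reason) pairs, which is the shape the step 5 analysis attaches to the quarterly file next to the remediation note for each finding.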
The Microsoft 365 self-audit framework lives on two Microsoft products. Microsoft Purview Audit, Audit Premium, retention policies, and Communication Compliance produce the file and communication side of the evidence chain. Microsoft Entra ID sign-in logs, audit logs, Conditional Access decisions, and Privileged Identity Management produce the identity and access side. For mortgage lenders that connect the loan origination system to a core banking platform through MortgageExchange, the audit framework covers the integration layer alongside the Microsoft 365 surface, so the evidence chain reaches from broker sign-in through document handling to loan-system writeback. ABT operates this audit framework as a managed quarterly cadence under M365 Guardian, the firm's operating model for regulated financial institutions.
Building an Examiner-Ready Evidence Chain
Raw audit logs are a starting point, not the finish line. State mortgage examiners expect a documented chain of evidence: the configuration that produced the logs, the logs themselves, the analysis the compliance team ran against the lender's written policies, the remediation taken when anomalies appeared, and the compliance officer's sign-off attesting that the review happened on the documented cadence. That chain is what a clean examination looks like.
A state mortgage examination opens at the lender. The examiner asks for ninety days of broker sign-in records, loan file access activity, and Conditional Access policy state. The compliance officer emails the IT contact. The IT contact pulls one-off reports from three different Microsoft 365 admin portals. The retention window has closed on the oldest week of the request. The compliance officer assembles a spreadsheet by hand. The examination stretches into a second cycle. The lender receives a finding for inconsistent retention.
The same examination opens. The compliance officer reaches for the quarterly self-audit file already in the lender's compliance package. The Microsoft Purview activity logs, the Microsoft Entra ID sign-in logs, the Conditional Access decisions, the policy alignment analysis, the remediation notes, and the sign-off are all attached. The examiner receives the package on day one. The exam closes on time with no finding on this surface.
The mortgage compliance officer does not need to learn how to write Microsoft Purview audit queries by hand. The compliance officer needs the quarterly evidence chain in the file before the examiner asks. That is the operating-model difference between an unmanaged Microsoft 365 tenant and one operated under a productized audit framework.
Get a Mortgage M365 Self-Audit Readiness Review
ABT runs the Microsoft Purview and Microsoft Entra ID self-audit framework described in this article as a managed quarterly cadence under M365 Guardian, for mortgage lenders operating across multiple branches, loan officer networks, and core banking integrations. A thirty-minute conversation maps the current audit posture, surfaces the gaps a state examiner is most likely to find, and outlines what an ABT-managed framework would cover. No commitment, no quote, no obligation.
M365 Guardian: ABT's Productized Audit Framework for Mortgage Lenders
Access Business Technologies is a Tier-1 Microsoft Cloud Solution Provider that manages Microsoft 365 tenants for more than 750 financial institutions, with a deep mortgage practice. For mortgage lenders specifically, ABT applies the Microsoft Purview and Microsoft Entra ID self-audit framework described in this article and operates it as a managed quarterly cadence. That cadence has a name: M365 Guardian. Microsoft Purview and Microsoft Entra ID are the Microsoft surface. Guardian is the ABT operating model on top of them.
The Guardian framework for a mortgage lender includes Conditional Access policies in Microsoft Entra ID calibrated to broker geography, branch hours, device posture, and Conditional Access state; Microsoft Purview retention and DLP policies tuned to borrower NPI, loan files, origination correspondence, and Teams chat rather than vendor SMB defaults; just-in-time admin access through Privileged Identity Management so every privileged action carries an approval ticket; and the quarterly evidence-chain assembly that lands in the lender's compliance package without manual reconciliation work. For mortgage lenders that connect their loan origination system to a core banking platform, MortgageExchange extends the audit framework across the integration so the evidence chain reaches from broker sign-in through document handling all the way to loan-system writeback.
ABT manages the Microsoft 365 tenants that mortgage lenders operate. The lender continues to own the regulatory relationships, the broker network, and the borrower accounts. The partner relationship is set up under Granular Delegated Administrative Privileges (GDAP) with least-privilege role grants and an executed vendor oversight agreement that satisfies state third-party expectations. The lender keeps tenant ownership. ABT keeps the audit cadence running.
Key Takeaway
Microsoft 365 already collects the audit data state mortgage examiners ask for. Microsoft Purview Audit produces the file and communication activity trail. Microsoft Entra ID sign-in logs produce the identity and access activity trail. The lender's job is to review those two surfaces against written access policies on a documented quarterly cadence and assemble the result into an evidence chain a compliance officer can hand to an examiner. M365 Guardian is ABT's productized version of that cadence for mortgage lenders, with MortgageExchange extending the audit framework across the loan origination integration so the evidence chain covers the full pipeline.
Frequently Asked Questions
How long does Microsoft 365 retain audit logs?
Microsoft 365 retains audit logs for one hundred eighty days by default for standard Business Premium and E3 licenses. Microsoft Purview Audit Premium, included with E5 and the Compliance add-on, extends retention to one year. A ten-year retention add-on is available for long-term compliance requirements. Mortgage companies should verify the retention setting matches the lookback window state examiners typically request, and should export critical log subsets into the lender's own evidence archive before the retention window closes.
Which events should a mortgage company review each quarter?
Mortgage companies should review four categories of events on a quarterly cadence. Microsoft Entra ID sign-in patterns surface sign-ins from unexpected geographies, off-hours sign-ins, sign-ins from devices not enrolled in the lender's Intune fleet, and concurrent sessions across multiple devices. Microsoft Purview file activity surfaces unauthorized access to borrower records, external sharing of loan documents, mass downloads, and deletions of loan or compliance records. Microsoft Entra ID role and policy changes surface privileged role assignments and Conditional Access modifications that need an approval ticket behind them. Mail flow rule changes that add external forwarding addresses are a recurring breach indicator and should be reviewed every quarter.
How can a mortgage lender confirm that auditing is enabled?
Open the Microsoft Purview portal and navigate to the Audit section. If the search interface loads and returns results for a recent date range, auditing is active for the tenant. If the portal prompts to enable auditing, the lender has been operating without an evidence trail and should turn it on immediately, then document the date auditing became active. Microsoft Entra ID sign-in logs are active by default for all tenants, but the retention window varies by license tier, so a mortgage lender should confirm both Purview Audit and Entra ID retention settings match the examination lookback window the lender's state regulator typically requests.
Can Microsoft 365 audit logs satisfy a state mortgage examiner?
Yes, with the right operating discipline. Microsoft Purview and Microsoft Entra ID produce time-stamped records of user access, file activity, admin changes, and policy enforcement that state mortgage examiners review during compliance examinations. The lender that walks in clean has done three things consistently: exported relevant log subsets into the lender's own evidence archive, analyzed the exports against the lender's written access and supervision policies on a documented quarterly cadence, and assembled the analysis, the remediation notes, and the compliance officer's sign-off into the quarterly compliance file. Raw logs alone are a starting point. The evidence chain that surrounds them is what closes the examination.
What is M365 Guardian?
M365 Guardian is ABT's operating model on top of Microsoft Purview and Microsoft Entra ID for regulated financial institutions, including mortgage lenders. For a mortgage practice, Guardian runs the quarterly self-audit cadence as a managed service. Microsoft Purview retention and DLP policies are tuned to borrower NPI and loan files. Conditional Access policies in Microsoft Entra ID are calibrated to broker geography, branch hours, and device posture. Privileged Identity Management gates every admin action behind an approval ticket. The quarterly evidence chain is assembled and landed in the lender's compliance package on the documented cadence. For mortgage lenders that connect their loan origination system to a core banking platform, MortgageExchange extends the audit coverage across the integration so the evidence chain reaches end to end through the loan pipeline rather than stopping at the Microsoft 365 boundary.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has guided Microsoft deployments for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, mortgage companies, and securities firms standardize their Microsoft 365 tenants for examination readiness without slowing down how the business actually works.