Microsoft expanded the default audit log retention period from 90 days to 180 days for all M365 tenants. For mortgage companies running E5 licenses, that extends to one year, with optional 10-year retention for high-risk data. These are the logs that capture every file access, email send, Teams message, and admin action across your tenant.
Most mortgage companies never look at them. According to the 2026 Zero Trust Report, 48% of organizations cite SaaS and cloud application governance as a top source of unauthorized access. The audit data is there. The question is whether your team knows how to use it.
This guide provides a five-step self-audit checklist for using M365 activity logs to validate broker conduct, detect anomalies, and produce the documentation examiners expect.
Mortgage regulators expect evidence-driven answers. When a state examiner asks "Who accessed borrower Jones's loan file in the last 90 days?" you need a definitive answer, not a guess.
M365 audit logs capture a timestamped record of every user and admin action across Exchange, SharePoint, Teams, and OneDrive. For mortgage companies managing broker access to borrower data, loan files, and financial records, these logs are the difference between "we believe we're compliant" and "here is the evidence."
With CFPB enforcement reduced in 2025, state regulators now run the examinations. They expect the same level of documentation the CFPB did. California's finalized CCPA amendments require annual cybersecurity audits. New York's DFS cybersecurity regulation mandates access logging. Self-audits keep you ready for whichever examiner arrives first.
Audit logging is enabled by default for most M365 tenants, but older tenants or those migrated from on-premises Exchange may not have it turned on. Verify before you rely on the data.
Open the Microsoft Purview Compliance Portal. Navigate to Audit and verify the search interface loads. If you see a prompt to enable auditing, turn it on immediately.
For a command-line check, connect to Exchange Online PowerShell and run:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
A "True" result confirms logging is active. A "False" result means you have been operating blind.
Restrict audit log access to your compliance team. Review who holds the Audit Manager and Audit Reader roles. Remove access for anyone who does not need it.
Use audit logs to track how brokers and staff interact with your systems. Look for patterns that indicate policy violations or security concerns.
Set automated alerts for these patterns. M365 supports alert policies that notify compliance officers when thresholds are breached.
Loan files in SharePoint and OneDrive contain the most sensitive borrower data. Audit every access, download, edit, and share event.
Build SharePoint site-level permissions that restrict loan file access to authorized processors, underwriters, and closers. Audit permissions quarterly.
Admin role changes affect your entire compliance posture. A single Global Admin assignment can grant unrestricted access to every mailbox, file, and setting in your tenant.
Implement just-in-time admin access through Microsoft Entra PIM to reduce standing admin accounts. Every admin action should be traceable to an approved request.
Examiners expect a defensible chain of evidence. Raw logs are a starting point, not the finish line.
Integrate with SIEM tools. Feed M365 audit logs into Microsoft Sentinel or a third-party SIEM for real-time correlation and alerting. This moves you from reactive investigation to proactive monitoring.
Automate report delivery. Schedule weekly or monthly compliance reports that summarize key metrics: failed logins, external shares, admin changes, and policy violations. Deliver them directly to compliance officers.
Track DLP policy effectiveness. Monitor how often DLP policies trigger and what data they catch. A DLP policy that never fires may be misconfigured. One that fires constantly may need tuning.
Monitor AI and Copilot activity. As mortgage companies adopt Microsoft Copilot and other AI tools, audit logs track what data these tools access. Ensure AI interactions with borrower data are logged and reviewed.
Microsoft 365 retains audit logs for 180 days by default for standard licenses. E5 and compliance add-on licenses extend retention to one year. A 10-year retention add-on is available for long-term compliance requirements. Mortgage companies should verify their retention settings and export critical logs before the retention window closes.
Mortgage companies should monitor login anomalies including failed authentication attempts and off-hours access, file activity including downloads and external sharing of loan documents, admin role changes that affect security posture, and DLP policy triggers that may indicate data exfiltration. Setting automated alerts for these events enables proactive compliance monitoring.
Open the Microsoft Purview Compliance Portal and navigate to the Audit section. If the search interface loads, auditing is active. For command-line verification, connect to Exchange Online PowerShell and run Get-AdminAuditLogConfig with the UnifiedAuditLogIngestionEnabled parameter. A True result confirms logging is active for your tenant.
Yes. M365 audit logs provide timestamped records of user access, file activity, admin changes, and policy enforcement that state examiners review during compliance examinations. Export relevant log subsets, analyze them against internal policies, and maintain a documented evidence chain. Schedule quarterly self-audits to stay examination-ready year-round.
The audit data is already being collected. Microsoft 365 logs every file access, login event, and admin change across your tenant. The only question is whether your compliance team is reviewing it.
Start with Step 1: verify logging is active. Then work through the remaining steps at your own pace. A quarterly self-audit cadence keeps you ready for any examiner.
Talk to a mortgage IT specialist about automating your M365 compliance audit workflow.