SoftSol IT Outsourcing Hub (Pty) Ltd
Microsoft 365 Immutable Audit & Administrative Transparency Agreement
Framework B — Advanced Auditing & External Log Streaming
Document ref: SS-M365-IATA-01
Version: 1.0
Issued: May 2026
Classification: Confidential — Client Copy
Service Provider
SoftSol IT Outsourcing Hub (Pty) Ltd
Registration No. [●]
softsol.co.za · support@softsol.co.za
+27 (0)10 005 0483
Hereinafter referred to as “SoftSol”
Client
[Client Organisation Name]
Registration No. [●]
[Client Domain] · [Client Contact Email]
[Client Contact Number]
Hereinafter referred to as “the Client”
1. Purpose & Background
This Agreement governs the specific technical and procedural implementation of SoftSol’s “Framework B — Immutable Transparency” administrative accountability model within the Client’s Microsoft 365 tenant. It sets out precisely how SoftSol’s administrative actions are logged, monitored, streamed to an external repository, and made available for independent review by the Client.
Under this framework, SoftSol maintains standing administrative access to the Client’s Microsoft 365 environment for the purpose of efficient managed service delivery. In exchange for this operational convenience, SoftSol commits to implementing the comprehensive audit, alerting, and external log streaming architecture described in this Agreement — ensuring that no administrative action can occur without generating a permanent, independently verifiable record that the Client can access, review, and retain independently of SoftSol.
This Agreement supplements the Master Services Agreement (“MSA”) between the parties. In the event of a conflict between this Agreement and the MSA with respect to Microsoft 365 administrative transparency obligations, this Agreement shall prevail.
2. Definitions
“Audit Event” means any action recorded by the Microsoft 365 Unified Audit Log, including but not limited to sign-ins, permission changes, mailbox access, file operations, configuration changes, and eDiscovery actions.
“External Repository” means the append-only, read-only log storage environment maintained outside the Client’s Microsoft 365 tenant and outside SoftSol’s own production environment, to which Audit Events are streamed under this Agreement.
“GDAP” means Microsoft’s Granular Delegated Admin Privileges framework, under which SoftSol’s administrative roles in the Client’s tenant are defined.
“Purview Alert” means an automated notification dispatched by Microsoft Purview Compliance in response to a defined Audit Event trigger.
“SIEM” means Security Information and Event Management — the class of platform used as the External Repository under this Agreement.
“Tenant” means the Client’s Microsoft 365 organisational directory and all associated services.
“UAL” means the Microsoft 365 Unified Audit Log, the native Microsoft platform-level log of all administrative and user activity within a tenant.
3. Scope of Administrative Access
Under Framework B, SoftSol holds the following GDAP roles with standing activation within the Client’s tenant. These roles are individually specified, approved by the Client’s global administrator during onboarding, and documented in Schedule A of this Agreement.
The specific roles active for the Client’s engagement are confirmed in Schedule A. SoftSol does not request or hold Global Administrator at any time. All roles are scoped to infrastructure management functions and do not confer default access to mailbox content, OneDrive files, Teams messages, or any end-user data. The Administrative Access Rights Statement (document ref SS-M365-AARS-01) governs the specific permissions carried by each role.
The Client acknowledges that the transparency obligations in this Agreement — continuous logging, external streaming, and real-time alerting — are the mechanism by which the Client maintains oversight and accountability over SoftSol’s standing access. The Client may, at any time, reduce the scope of standing access or migrate to Framework A (Just-In-Time access) subject to a service change request.
4. Microsoft 365 Unified Audit Log — Native Logging
The Microsoft 365 Unified Audit Log (UAL) is a platform-level capability built into every Microsoft 365 tenancy. It records all administrative and compliance-relevant activity at the infrastructure level. It is not an optional add-on and cannot be disabled by SoftSol or the Client. Every administrative action taken by any account — including SoftSol’s delegated administrators — generates a permanent, timestamped, identity-attributed log entry that cannot be altered, overwritten, or deleted by any party.
4.1 Audit Licence Configuration
SoftSol will configure the Client’s tenancy to use Microsoft Purview Audit (Standard) as a minimum, or Purview Audit (Premium) where the Client’s licence tier permits. The table below summarises the differences relevant to this Agreement:
| Feature | Audit Standard | Audit Premium |
|---|---|---|
| Default log retention | 180 days | 1 year (extendable to 10 years) |
| MailItemsAccessed events | Not included | Included — logs every mailbox read event |
| Intelligent audit insights | Not included | Included — high-value event prioritisation |
| API access bandwidth | Standard rate limits | Higher throttling limits |
SoftSol will confirm which tier is applicable for the Client’s engagement in Schedule A. Where Purview Audit Premium is not included in the Client’s licence, SoftSol will advise on licence upgrade options. The external log streaming described in Section 6 supplements the UAL retention period regardless of the native Microsoft retention setting.
4.2 Events Captured by the UAL
The UAL captures events across all Microsoft 365 services. The following event categories are of particular relevance to this Agreement (i.e., operations performable by a delegated administrator):
- Exchange Admin operations (transport rules, connectors, mailbox permission grants)
- Azure AD / Entra ID operations (user creation, deletion, role assignments, password resets)
- SharePoint admin operations (site creation, permission changes, sharing policy modifications)
- Teams admin operations (policy changes, app permission modifications)
- Purview Compliance operations (eDiscovery case creation, searches, exports)
- Microsoft Defender operations (policy modifications, alert suppression)
- Intune device management operations (where applicable)
- Licence assignment and removal operations
5. Real-Time Alert Configuration
SoftSol will configure the following alert policies within the Client’s Microsoft Purview Compliance portal. Each policy triggers an immediate email notification to the Client’s designated management contact(s) when the defined operation is detected, regardless of which account performed it.
| Alert Policy Name | Trigger Operation | Severity & Rationale |
|---|---|---|
| Mailbox Permission Grant | Add-MailboxPermission — granting any account FullAccess, SendAs, or SendOnBehalf rights to any mailbox | High — direct path to mailbox content access; requires immediate awareness |
| eDiscovery Search Created | New-ComplianceSearch — creation of any new compliance content search within the tenant | High — potential for broad mailbox and file content access |
| Privileged Role Assignment | Any addition to Global Administrator, Privileged Role Administrator, Exchange Administrator, or Security Administrator roles in Entra ID | High — privilege escalation detection |
| eDiscovery Content Export | New-ComplianceSearchAction with action type Export — initiating any content export from a search | High — data exfiltration risk |
| Audit Log Disabled | Any attempt to disable or modify unified audit logging configuration within the tenant | Critical — would undermine the integrity of this Agreement |
| Bulk Mail Download | Anomalous bulk MailItemsAccessed events from an administrative account (Premium licence only) | Medium — unusual bulk access pattern |
| Transport Rule Created | Creation of any new Exchange transport rule — particularly rules that forward, redirect, or copy mail to external addresses | Medium — potential mail exfiltration path |
| Conditional Access Modified | Any modification to an existing Conditional Access policy, or creation of a new policy that exempts users or devices from security controls | Medium — security posture change |
5.1 Alert Delivery
Alerts are delivered to the Client’s designated management contact(s) via email from Microsoft Purview. The alert email contains:
- The exact UTC timestamp of the event
- The UPN (email address) of the account that performed the action
- The specific operation code and a plain-language description
- The target object (e.g., affected mailbox, user account, or policy)
- A link to the full event detail in the Microsoft Purview compliance portal
The Client shall designate a minimum of one and a maximum of five email recipients for alert delivery. Recipient details are recorded in Schedule B. The Client may update recipients at any time by written notice to SoftSol. SoftSol commits to implementing recipient changes within two business days of notification.
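A Client who exports UAL records can reproduce the operation-based rows of the Section 5 table offline and derive the same fields the alert email carries. The following is an added example, not SoftSol's or Microsoft's configuration: the records are constructed, the helper names are hypothetical, and the two `Parameters` shapes (a Name/Value list for Exchange admin records, a single string for compliance cmdlet records) are assumptions about the export.

```python
# Added example: constructed records, hypothetical helper names.
# Field names follow the audit record schema (CreationTime, UserId, Operation, ObjectId).
FORWARDING = {"RedirectMessageTo", "BlindCopyTo", "CopyTo"}  # New-TransportRule parameters

def params(rec):
    """Exchange admin records carry Parameters as Name/Value pairs, compliance
    cmdlet records as one string (assumed shapes); normalise both to a dict."""
    raw = rec.get("Parameters") or []
    if isinstance(raw, str):
        return {"_raw": raw}
    return {p["Name"]: p.get("Value", "") for p in raw}

def classify(rec):
    """Map one record to (policy name, severity) from the Section 5 table."""
    op, p = rec.get("Operation", ""), params(rec)
    if op == "Add-MailboxPermission":
        return "Mailbox Permission Grant", "High"
    if op == "New-ComplianceSearch":
        return "eDiscovery Search Created", "High"
    if op == "New-ComplianceSearchAction" and (
            "Export" in p or "-Export" in p.get("_raw", "")):
        return "eDiscovery Content Export", "High"
    if op == "Set-AdminAuditLogConfig" and "UnifiedAuditLogIngestionEnabled" in p:
        return "Audit Log Disabled", "Critical"
    if op == "New-TransportRule":
        return "Transport Rule Created", "Medium"
    return None

def to_alert(rec):
    """Build the Section 5.1 notification fields, or None if no policy matches."""
    hit = classify(rec)
    if hit is None:
        return None
    alert = {"timestamp_utc": rec["CreationTime"], "actor_upn": rec["UserId"],
             "operation": rec["Operation"], "target": rec.get("ObjectId", ""),
             "policy": hit[0], "severity": hit[1]}
    if rec["Operation"] == "New-TransportRule":
        # Flag the rules the table singles out: those that forward or copy mail.
        alert["forwards_mail"] = bool(FORWARDING.intersection(params(rec)))
    return alert

SAMPLE = [  # constructed records
    {"CreationTime": "2026-05-12T08:14:03", "UserId": "admin1@partner.example",
     "Operation": "Add-MailboxPermission", "ObjectId": "ceo@client.example",
     "Parameters": [{"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2026-05-12T08:20:41", "UserId": "admin1@partner.example",
     "Operation": "New-ComplianceSearchAction", "ObjectId": "Q2-search",
     "Parameters": '-SearchName "Q2-search" -Preview'},
    {"CreationTime": "2026-05-12T08:21:10", "UserId": "admin1@partner.example",
     "Operation": "New-ComplianceSearchAction", "ObjectId": "Q2-search",
     "Parameters": '-SearchName "Q2-search" -Export'},
    {"CreationTime": "2026-05-12T09:02:55", "UserId": "admin2@partner.example",
     "Operation": "New-TransportRule", "ObjectId": "Copy finance mail",
     "Parameters": [{"Name": "BlindCopyTo", "Value": "box@outside.example"}]},
]
ALERTS = [a for a in map(to_alert, SAMPLE) if a]
```

The role-assignment, bulk-download and Conditional Access rows are left out because the page does not give an operation name for them.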
5.2 Alert Response Expectations
The Client is not required to respond to every alert. Alerts serve as real-time transparency notifications — not approval requests. However, if the Client receives an alert for an action they did not expect or did not authorise, they should contact SoftSol immediately via the support portal or at support@softsol.co.za. SoftSol commits to providing a written account of any disputed action within four business hours of notification.
6. External Log Streaming Architecture
To ensure that the audit record is preserved independently of both the Client’s Microsoft 365 tenant and SoftSol’s own infrastructure, SoftSol implements continuous, real-time streaming of the Client’s Microsoft 365 Unified Audit Log to an external, append-only, tamper-evident repository. This section describes the technical implementation.
6.1 Streaming Mechanism
Audit events are exported from the Client’s Microsoft 365 tenancy via the Office 365 Management Activity API — Microsoft’s documented, published API for programmatic access to tenant audit data. The streaming pipeline operates as follows:
M365 Unified Audit Log
↓ Office 365 Management Activity API (polling interval: ≤5 minutes)
Azure Event Hub (Client-dedicated namespace)
↓ Azure Monitor / Log Analytics ingestion pipeline
Azure Log Analytics Workspace (append-only, RBAC-locked)
↓ Immutable Blob Storage archival (configurable retention)
Azure Storage Account with immutability policy (WORM — Write Once, Read Many)
Each component is provisioned under a dedicated resource group within SoftSol’s Azure subscription, isolated from SoftSol’s own operational infrastructure. The Client is provided with read-only access credentials (Log Analytics Reader role) to query the Log Analytics Workspace directly.
6.2 Immutability & Tamper-Evidence
The Azure Storage Account used for long-term archival is configured with a time-based immutability policy (WORM — Write Once, Read Many). Once the immutability interval is set:
- Existing log blobs cannot be modified, overwritten, or deleted by any party, including SoftSol account owners and Azure subscription administrators, for the duration of the immutability interval.
- Microsoft enforces the policy at the Azure storage platform level — it is not a software control that SoftSol can override in code or configuration.
- The minimum retention period applied to the immutable archive under this Agreement is 12 months from the date of each log entry, unless a longer period is required by the Client’s industry or regulatory obligations (specified in Schedule A).
In addition to WORM storage, each log batch written to the archive is SHA-256 hashed at the time of ingestion. The hash values are stored in a separate, client-accessible index file, allowing the Client or their auditors to independently verify that the archived logs are identical to what was ingested and have not been altered in transit.
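The verification an auditor would run against the integrity index can be sketched as follows. This is an added example, not SoftSol's tooling: the Agreement does not specify the index layout, so one JSON object per line with `blob` and `sha256` keys is an assumption, and the blob names and contents are constructed.

```python
import hashlib, hmac, json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_index(index_text):
    """Parse the integrity index: one JSON object per line (assumed layout)."""
    index = {}
    for n, line in enumerate(index_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = json.loads(line)
        name = entry["blob"]
        if name in index:  # two hashes for one batch means the index is suspect
            raise ValueError(f"line {n}: duplicate index entry for {name}")
        index[name] = entry["sha256"].lower()
    return index

def verify_archive(index_text, blobs):
    """Compare downloaded blobs (name -> bytes) with the index.
    Returns sorted name lists under: ok, altered, missing, unindexed."""
    index = load_index(index_text)
    report = {"ok": [], "altered": [], "missing": [], "unindexed": []}
    for name, expected in sorted(index.items()):
        if name not in blobs:
            report["missing"].append(name)      # indexed, absent from the download
        elif hmac.compare_digest(sha256_hex(blobs[name]), expected):
            report["ok"].append(name)
        else:
            report["altered"].append(name)      # content differs from ingestion
    # Blobs present in the archive that the index never recorded.
    report["unindexed"] = sorted(set(blobs) - set(index))
    return report

# Constructed sample: three batches as ingested, and the index built from them.
BATCHES = {
    "2026/05/12/0800.jsonl": b'{"Operation":"Add-MailboxPermission"}\n',
    "2026/05/12/0805.jsonl": b'{"Operation":"New-TransportRule"}\n',
    "2026/05/12/0810.jsonl": b'{"Operation":"UserLoggedIn"}\n',
}
INDEX = "\n".join(json.dumps({"blob": k, "sha256": sha256_hex(v)})
                  for k, v in BATCHES.items())

# Constructed download that differs from ingestion in three ways.
DOWNLOADED = dict(BATCHES)
DOWNLOADED["2026/05/12/0805.jsonl"] = b'{"Operation":"UserLoggedIn"}\n'  # altered
del DOWNLOADED["2026/05/12/0810.jsonl"]                                  # missing
DOWNLOADED["2026/05/12/0815.jsonl"] = b"{}\n"                            # unindexed
REPORT = verify_archive(INDEX, DOWNLOADED)
```

The result is only as trustworthy as the index copy it is checked against, so an auditor should compare against a copy of the index (or its hash) that was retained at ingestion time rather than one fetched alongside the blobs.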
6.3 Segregation from SoftSol Production Infrastructure
The Azure resource group hosting the Client’s log streaming infrastructure is dedicated exclusively to the Client. SoftSol’s own operational accounts are restricted from write or delete access to the Client’s log resources via Azure RBAC policy. SoftSol retains reader access solely for the purpose of monitoring stream health and troubleshooting delivery failures. All access to the Client’s log resources by SoftSol accounts is itself logged in Azure Activity Log.
6.4 Stream Health Monitoring
SoftSol monitors the streaming pipeline for delivery failures, latency anomalies, and ingestion gaps. If a gap in log delivery is detected (i.e., events expected from the Office 365 Management Activity API are not received within the expected polling window), SoftSol will:
- i. Investigate and remediate the streaming pipeline within two business hours.
- ii. Notify the Client in writing if the gap exceeds four hours.
- iii. Backfill the external repository with any events that were captured in the native Microsoft UAL during the gap period, using the UAL API retention window (minimum 7 days for Standard, 180 days for Premium).
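The Client can run the same gap check independently over batch arrival times taken from the Log Analytics Workspace. The following is an added example, not SoftSol's monitoring code: the arrival times are constructed, the one-minute slack is an assumption, and the thresholds are the ones stated in Sections 6.1 and 6.4.

```python
from datetime import datetime, timedelta, timezone

POLL = timedelta(minutes=5)           # Section 6.1: polling interval of at most 5 minutes
NOTIFY_AFTER = timedelta(hours=4)     # Section 6.4 (ii): written notice beyond four hours
BACKFILL_WINDOW = {"Standard": timedelta(days=7),     # Section 6.4 (iii)
                   "Premium": timedelta(days=180)}

def find_gaps(arrivals, start, end, tier="Standard", slack=timedelta(minutes=1)):
    """Return delivery gaps between start and end (timezone-aware UTC datetimes).

    start and end are treated as boundary points, so a stream that stopped and
    never resumed shows up as a trailing gap instead of going unnoticed.
    """
    points = [start] + sorted(t for t in arrivals if start <= t <= end) + [end]
    gaps = []
    for prev, cur in zip(points, points[1:]):
        length = cur - prev
        if length > POLL + slack:     # slack (assumed) absorbs normal jitter
            gaps.append({
                "from": prev,
                "to": cur,
                "length": length,
                "notify_client": length > NOTIFY_AFTER,
                # Last moment the native UAL can still supply the missing events.
                "backfill_by": prev + BACKFILL_WINDOW[tier],
            })
    return gaps

def utc(hour, minute=0):
    """Constructed sample day, 12 May 2026, in UTC."""
    return datetime(2026, 5, 12, hour, minute, tzinfo=timezone.utc)

# Constructed arrivals: steady from 08:00 to 09:00, silent until 14:30,
# steady again until 15:00, then nothing up to the 16:00 check time.
ARRIVALS = ([utc(8) + i * POLL for i in range(13)]
            + [utc(14, 30) + i * POLL for i in range(7)])
GAPS = find_gaps(ARRIVALS, start=utc(8), end=utc(16))
```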
7. Client Access & Self-Audit Rights
The Client is entitled to independently access, query, and export logs from all components of the audit infrastructure described in this Agreement at any time, without prior notice to SoftSol. SoftSol will provision and maintain the following access for the Client:
| Access Point | Access Method | What the Client Can Do |
|---|---|---|
| Microsoft Purview Compliance Portal | Client’s own admin account (Compliance Administrator or Security Reader role) | Search the native UAL by date, user, operation, or workload. Export results to CSV. View and manage alert policies. View alert history. |
| Azure Log Analytics Workspace | Azure AD account with Log Analytics Reader role, provided by SoftSol during onboarding | Run KQL queries against the full streamed log dataset. Export query results. View all events regardless of native UAL retention window. |
| Azure Immutable Archive | Azure Storage Blob Reader SAS token, renewed annually or on request | Download archived log blobs for any time period. Verify SHA-256 hashes against the integrity index. Provide raw logs to auditors or insurers. |
SoftSol will provide onboarding documentation and, where requested, a walkthrough session to train the Client’s designated compliance or IT contact on querying each access point.
8. Roles & Responsibilities
| SoftSol Responsibilities | Client Responsibilities |
|---|---|
|
|
9. Implementation Checklist
The following steps will be completed by SoftSol during onboarding, with Client participation as indicated. Completion of each step will be confirmed in writing to the Client.
| # | Task | Responsible | Target | Completed |
|---|---|---|---|---|
| 1.1 | Verify Purview Audit is enabled and confirm licence tier (Standard/Premium) | SoftSol | Day 1 | ____/____/________ |
| 1.2 | Configure UAL retention policy per Schedule A requirements | SoftSol | Day 1 | ____/____/________ |
| 2.1 | Client provides designated alert recipient email addresses (Schedule B) | Client | Day 1 | ____/____/________ |
| 2.2 | Configure all eight Purview alert policies listed in Section 5 | SoftSol | Day 2 | ____/____/________ |
| 2.3 | Test alert delivery — trigger a test-safe operation and confirm receipt by Client contact | SoftSol + Client | Day 2 | ____/____/________ |
| 3.1 | Provision Azure Event Hub namespace (Client-dedicated) | SoftSol | Day 3 | ____/____/________ |
| 3.2 | Configure Office 365 Management Activity API subscription and event delivery to Event Hub | SoftSol | Day 3 | ____/____/________ |
| 3.3 | Provision Log Analytics Workspace and configure Event Hub ingestion pipeline | SoftSol | Day 4 | ____/____/________ |
| 3.4 | Configure Azure Storage Account with WORM immutability policy (12-month minimum interval) | SoftSol | Day 4 | ____/____/________ |
| 3.5 | Configure SHA-256 hash generation and integrity index for each log archive batch | SoftSol | Day 4 | ____/____/________ |
| 4.1 | Provision Log Analytics Reader credentials for Client contact — confirm receipt and access | SoftSol + Client | Day 5 | ____/____/________ |
| 4.2 | Walkthrough session with Client compliance contact on querying Log Analytics and accessing archive | SoftSol + Client | Day 7 | ____/____/________ |
| 5.1 | Verify stream continuity — confirm 48 hours of uninterrupted log delivery to external repository | SoftSol | Day 9 | ____/____/________ |
| 5.2 | Both parties sign this Agreement and file in respective compliance records | SoftSol + Client | Day 10 | ____/____/________ |
10. Compliance Alignment
POPIA (Act 4 of 2013)
The immutable audit trail provides demonstrable evidence that access to personal information is controlled, monitored, and logged — directly supporting accountability obligations under POPIA Section 8 and Condition 7.
ISO/IEC 27001:2022
Supports controls A.8.15 (Logging), A.8.17 (Clock synchronisation), A.5.36 (Compliance with policies), and A.5.34 (Privacy and PII protection). The external repository satisfies the requirement for logs to be protected against tampering.
Cyber Insurance
Provides the evidential chain of custody typically required by insurers to demonstrate that third-party access to cloud environments is governed by a documented, auditable, and independently verifiable control framework.
11. Duration, Annual Review & Termination
Duration: This Agreement takes effect on the date of signature by both parties and remains in force for the duration of the managed services engagement.
Annual Review: SoftSol will initiate a formal review of this Agreement annually, including confirmation that all alert policies remain active, that the streaming pipeline is functioning correctly, and that the alert recipient list in Schedule B is current. A written review summary will be provided to the Client.
Material Changes: Either party may propose amendments to this Agreement by providing 30 days written notice. Amendments require written agreement by both parties before taking effect.
Termination: Upon termination of the managed services engagement, SoftSol will transfer ownership of the log repository resources to the Client or provide a full export of all archived logs, at the Client’s election, within 30 days of termination. SoftSol’s access to the log resources will be revoked simultaneously with the revocation of the GDAP relationship.
12. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Republic of South Africa. Any disputes arising from this Agreement shall be subject to the jurisdiction of the South African courts, with Gauteng as the preferred seat of any proceedings.
Schedule A — Engagement-Specific Configuration
Active GDAP Roles
To be completed at onboarding — list roles per SS-M365-AARS-01 Schedule A
Purview Audit Tier
Log Retention Period (External Archive)
Special Compliance Requirements
Schedule B — Alert Recipients
| Full Name | Email Address | Role / Title |
|---|---|---|
| ____________________________ | ____________________________ | ____________________________ |
| ____________________________ | ____________________________ | ____________________________ |
| ____________________________ | ____________________________ | ____________________________ |
Signatures
By signing below, both parties confirm that they have read, understood, and agree to be bound by the terms of this Agreement, and that the named signatory is duly authorised to execute this Agreement on behalf of their respective organisation.
For SoftSol IT Outsourcing Hub (Pty) Ltd
Signature
Full Name
Title / Capacity
Date (DD / MM / YYYY)
Witness Signature
Witness Full Name
For [Client Organisation Name]
Signature
Full Name
Title / Capacity
Date (DD / MM / YYYY)
Witness Signature
Witness Full Name
