Microsoft Audit Tools


Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the audit log search tool in Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Users in your organization can use the audit log search tool to search for, view, and export (to a CSV file) the audit records for these operations.

Microsoft 365 services that support auditing

Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services and features (in alphabetical order) that are supported by the unified audit log.

Microsoft 365 service or feature | Record types
Azure Active Directory | AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon
Azure Information Protection | AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat
Communication compliance | ComplianceSuperVisionExchange
Content explorer | LabelContentExplorer
Data loss prevention (DLP) | ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint
Dynamics 365 | CRM
eDiscovery | Discovery, AeD
Exact Data Match | MipExactDataMatch
Exchange Online | ExchangeAdmin, ExchangeItem, ExchangeItemAggregated
Forms | MicrosoftForms
Information barriers | InformationBarrierPolicyApplication
Microsoft 365 Defender | AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection
Microsoft Teams | MicrosoftTeams
MyAnalytics | MyAnalyticsSettings
OneDrive for Business | OneDrive
Power Apps | PowerAppsApp, PowerAppsPlan
Power Automate | MicrosoftFlow
Power BI | PowerBIAudit
Quarantine | Quarantine
Retention policies and retention labels | MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation
Sensitive information types | DlpSensitiveInformationType
Sensitivity labels | MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch
SharePoint Online | SharePoint, SharePointFileOperation, SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation
Stream | MicrosoftStream
Threat Intelligence | ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent
Workplace Analytics | WorkplaceAnalytics
Yammer | Yammer

For more information about the operations that are audited in each of the services listed in the previous table, see the Audited activities section in this article.

The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see Office 365 Management Activity API schema.

For more information about using PowerShell to search the audit log, see:
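As an added example (not part of the Microsoft documentation quoted here), the following PowerShell wraps Search-UnifiedAuditLog so that one record type from the table above can be pulled in full, paged through with a session id, and exported with each property of the AuditData JSON flattened into its own CSV column (what the Excel Power Query step does by hand). The sign-in name, date window and output path are placeholders; the function names Get-AuditRecords and Expand-AuditData are this example's own.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and an account that holds
# the View-Only Audit Logs or Audit Logs role. Sign-in name and paths are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

function Get-AuditRecords {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [Parameter(Mandatory)] [string]   $RecordType,   # one value from the record-type table
        [string[]] $Operations,                           # optional, e.g. FileDownloaded
        [string[]] $UserIds                               # optional list of UPNs
    )
    # A single call returns at most 5,000 records; reusing one SessionId with
    # SessionCommand ReturnLargeSet pages through the rest (up to 50,000 per search).
    $sessionId = [guid]::NewGuid().ToString()
    $all = [System.Collections.Generic.List[object]]::new()
    while ($true) {
        $params = @{
            StartDate      = $Start
            EndDate        = $End
            RecordType     = $RecordType
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($Operations) { $params['Operations'] = $Operations }
        if ($UserIds)    { $params['UserIds']    = $UserIds }
        $batch = @(Search-UnifiedAuditLog @params)
        if ($batch.Count -eq 0) { break }     # no more pages for this session
        $all.AddRange($batch)
    }
    return $all
}

function Expand-AuditData {
    # Turns each record into a flat object: the cmdlet's own columns plus every
    # top-level property of the AuditData JSON payload.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $row = [ordered]@{
            CreationDate = $Record.CreationDate
            RecordType   = $Record.RecordType
            Operation    = $Record.Operations
            UserId       = $Record.UserIds
        }
        foreach ($p in $data.PSObject.Properties) {
            # Nested objects and arrays are re-serialized so they fit in one CSV cell.
            $row[$p.Name] = if ($null -eq $p.Value -or $p.Value -is [string] -or $p.Value -is [ValueType]) {
                $p.Value
            } else {
                $p.Value | ConvertTo-Json -Compress
            }
        }
        [pscustomobject]$row
    }
}

# Usage: every file download in SharePoint/OneDrive over the last seven days.
$records = Get-AuditRecords -Start (Get-Date).AddDays(-7) -End (Get-Date) `
                            -RecordType 'SharePointFileOperation' -Operations 'FileDownloaded'
$records | Expand-AuditData | Export-Csv -Path '.\audit-export.csv' -NoTypeInformation
```

Filtering on -RecordType and -Operations server-side keeps the 50,000-record ceiling from truncating a busy tenant's results; if a query still hits it, narrow the date window rather than the user list.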

Before you search the audit log

Be sure to read the following items before you start searching the audit log.

  • Enabled by default. Basic Audit is turned on by default for all organizations with the appropriate subscription. That means records for audited activities will be captured and searchable.

    The only setup that is required is to assign the necessary permissions to access the audit log search tool (and the corresponding cmdlet) and to make sure that users are assigned the right license for Advanced Audit features.

  • Thousands of searchable audit events. You can search for a wide range of audited activities that occur in most of the Microsoft 365 services in your organization. For a partial list of the activities you can search for, see Audited activities. For a list of the services and features that support audited activities, see Audit log record type.

  • Audit search tool in the Microsoft 365 compliance center. Use the Audit log search tool in the Microsoft 365 compliance center to search for audit records. You can search for specific activities, for activities performed by specific users, and for activities that occurred within a date range.

    Here's a screenshot of the Audit search tool in the compliance center.

  • Search-UnifiedAuditLog cmdlet. You can also use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell (the underlying cmdlet for the search tool) to search for audit events or to use it in a script.

  • Export audit records to a CSV file. After running the Audit log search tool in the compliance center, you can export the audit records returned by the search to a CSV file. This lets you use Microsoft Excel to sort and filter on different audit record properties. You can also use the Excel Power Query transform functionality to split each property in the AuditData JSON object into its own column. This lets you effectively view and compare similar data for different events. For more information, see Export, configure, and view audit log records.

  • Access to audit logs via the Office 365 Management Activity API. A third method for accessing and retrieving audit records is to use the Office 365 Management Activity API. This lets organizations retain auditing data for longer periods than the default 90 days and lets them import their auditing data into a SIEM solution. For more information, see the Office 365 Management Activity API reference.

  • 90-day audit log retention. When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. In Basic Audit, records are retained for 90 days, which means you can search for activities that occurred within the past three months.

  • Audit log retention policies. You can create customized audit log retention policies to retain audit records for longer periods of time, up to one year (and up to 10 years for users with the required add-on license). You can create a policy to retain audit records based on the service where the audited activities occur, specific audited activities, or the user who performs an audited activity.

  • Longer retention of audit records. Exchange, SharePoint, and Azure Active Directory audit records are retained for one year by default. Audit records for all other activities are retained for 90 days by default, or you can use audit log retention policies to configure longer retention periods.

  • High-value, crucial Advanced Audit events. Audit records for crucial events can help your organization conduct forensic and compliance investigations by providing visibility into events such as when mail items were accessed, when mail items were replied to or forwarded, or when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help you investigate possible breaches and determine the scope of compromise.

  • Higher bandwidth to the Office 365 Management Activity API. Advanced Audit provides organizations with more bandwidth to access auditing logs through the Office 365 Management Activity API. Although all organizations (that have Basic Audit or Advanced Audit) are initially allocated a baseline of 2,000 requests per minute, this limit will dynamically increase depending on an organization's seat count and their licensing subscription. This results in organizations with Advanced Audit getting about twice the bandwidth of organizations with Basic Audit.

1 Advanced Audit includes higher bandwidth access to the Office 365 Management Activity API, which provides faster access to audit data.

2 In addition to the required licensing for Advanced Audit (described in the next section), a user must be assigned a 10-Year Audit Log Retention add-on license to retain their audit records for 10 years.

Subscriptions that support Basic Audit or Advanced Audit

  • Microsoft 365 Business Basic subscription
  • Microsoft 365 Apps for Business subscription
  • Microsoft 365 Enterprise E3 subscription
  • Microsoft 365 Business Premium
  • Microsoft 365 Education A3 subscription
  • Microsoft 365 Government G3 subscription
  • Microsoft 365 Government G1 subscription
  • Microsoft 365 Frontline F1 or F3 subscription, or F5 Security add-on
  • Office 365 Enterprise E3 subscription
  • Office 365 Enterprise E1 subscription
  • Office 365 Education A1 subscription
  • Office 365 Education A3 subscription
  • Microsoft 365 Enterprise E5 subscription
  • Microsoft 365 Enterprise E3 subscription + the Microsoft 365 E5 Compliance add-on
  • Microsoft 365 Enterprise E3 subscription + the Microsoft 365 E5 eDiscovery and Audit add-on
  • Microsoft 365 Education A5 subscription
  • Microsoft 365 Education A3 subscription + the Microsoft 365 A5 Compliance add-on
  • Microsoft 365 Education A3 subscription + the Microsoft 365 A5 eDiscovery and Audit add-on
  • Microsoft 365 Government G5 subscription
  • Microsoft 365 Government G3 subscription + the Microsoft 365 G5 Compliance add-on
  • Microsoft 365 Government G3 subscription + the Microsoft 365 G5 eDiscovery and Audit add-on
  • Microsoft 365 Frontline F5 Compliance or F5 Security & Compliance add-on
  • Office 365 Enterprise E5 subscription
  • Office 365 Education A5 subscription

Advanced Audit is available for organizations with an Office 365 E5/A5/G5 or Microsoft 365 Enterprise E5/A5/G5 subscription. A Microsoft 365 E5/A5/G5 Compliance or E5/A5/G5 eDiscovery and Audit add-on license should be assigned to users for Advanced Audit features such as long-term retention of audit logs and the generation of Advanced Audit events for investigations. For more information about licensing, see Advanced Audit licensing requirements and Microsoft 365 licensing guidance for security & compliance.

Retaining audit logs for 10 years requires an additional per-user add-on license. After this license is assigned to a user and an appropriate 10-year audit log retention policy is set for that user, audit logs covered by that policy will start to be retained for the 10-year period. This policy is not retroactive and can't retain audit logs that were generated before the 10-year audit log retention policy was created. For more information, see the FAQs for Advanced Audit section in this article.

Microsoft 365 service or feature | 30 minutes | 24 hours
Defender for Microsoft 365 and Threat Intelligence | |
Azure Active Directory (user login events) | |
Azure Active Directory (admin events) | |
Data Loss Prevention | |
Dynamics 365 CRM | |
eDiscovery | |
Exchange Online | |
Microsoft Power Automate | |
Microsoft Stream | |
Microsoft Teams | |
Power Apps | |
Power BI | |
Microsoft 365 compliance center | |
Sensitivity labels | |
SharePoint Online and OneDrive for Business | |
Workplace Analytics | |
Yammer | |
Microsoft Forms | |

(The per-row values for the 30-minute and 24-hour columns are not present in this copy of the table.)

Search the audit log

Here's the process for searching the audit log in Microsoft 365.

Step 1: Run an audit log search

Complete the following setup before running a search:

  1. Verify that your organization has a subscription that supports Basic Audit and, if applicable, a subscription that supports Advanced Audit.

  2. Assign permissions in Exchange Online to people in your organization who will use the audit log search tool in the Microsoft 365 compliance center or use the Search-UnifiedAuditLog cmdlet. Specifically, users must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online.

  3. Search the audit log. After completing step 1 and step 2, users in your organization can use the audit log search tool (or the corresponding cmdlet) to search for audited activities.

  4. Set up Advanced Audit for users. This step consists of the following tasks:

    • Verifying that users are assigned the appropriate license or add-on license for Advanced Audit.
    • Turning on the Advanced Audit app/service plan for those users.
    • Enabling the auditing of crucial events. Enable Advanced Audit events to be logged when users perform searches in Exchange Online and SharePoint Online.

  5. Set up audit log retention policies. In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams. A policy can retain audit records based on:

    • The Microsoft 365 service where the audited activities occur.
    • Specific audited activities.
    • The user who performs an audited activity.

  6. Search for crucial Advanced Audit events and other activities when conducting forensic investigations. After completing step 1 and step 2, you can search the audit log for Advanced Audit events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations.

MailItemsAccessed compared with the older MessageBind event:

  • MessageBind was only configurable for the AuditAdmin user logon type; it did not apply to delegate or owner actions. MailItemsAccessed applies to all logon types.
  • MessageBind only covered access by a mail client. It didn't apply to sync activities. MailItemsAccessed events are triggered by both bind and sync access types.
  • MessageBind actions would trigger the creation of multiple audit records when the same email message was accessed, which resulted in auditing "noise". In contrast, MailItemsAccessed events are aggregated into fewer audit records.

Send, reply, and forward actions (the user sends an email message, replies to an email message, or forwards an email message) from the following clients: Outlook (desktop client), Outlook on the web (OWA), Outlook for iOS, Outlook for Android, and the Mail app for Windows 10.

SearchQueryInitiatedExchange: you must enable SearchQueryInitiatedExchange to be logged so you can search for this event in the audit log. For instructions, see Set up Advanced Audit.

SearchQueryInitiatedSharePoint (site types listed: communication sites; sites associated with Microsoft Teams): you must enable SearchQueryInitiatedSharePoint to be logged so you can search for this event in the audit log. For instructions, see Set up Advanced Audit.
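The setup steps above (confirming audit ingestion, the View-Only Audit Logs / Audit Logs roles, and audit log retention policies) can be checked and applied from PowerShell. The script below is an added example, not Microsoft's; it assumes the ExchangeOnlineManagement module and an account permitted to change these settings, and the sign-in name and policy name are placeholders. The retention policy targets record types whose default retention is 90 days, per the retention note earlier on this page.

```powershell
# Added example; not from the Microsoft article above. Sign-in name and policy name are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Basic Audit is on by default, but confirm the unified audit log is actually being populated.
function Test-AuditIngestion {
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is off; enabling it (applies to new records only).'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
    return $cfg.UnifiedAuditLogIngestionEnabled
}

# List who holds the two Exchange Online roles that grant access to the search tool and cmdlet,
# expanding role groups to their effective members.
function Get-AuditRoleHolders {
    foreach ($role in 'View-Only Audit Logs', 'Audit Logs') {
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
            Select-Object Role, RoleAssigneeName, EffectiveUserName
    }
}

Test-AuditIngestion
Get-AuditRoleHolders | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# Retention: Teams and Power BI records default to 90 days (Exchange, SharePoint and
# Azure AD already default to one year), so extend them to twelve months.
# Audit log retention policies are created from Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'
New-UnifiedAuditLogRetentionPolicy -Name 'Teams and Power BI - 12 months' `
    -Description 'Keep collaboration and BI audit records available for investigations' `
    -RecordTypes MicrosoftTeams, PowerBIAudit `
    -RetentionDuration TwelveMonths `
    -Priority 100
```

Run the role listing periodically: the audit log is itself sensitive data, and the View-Only Audit Logs role is enough to read every user's activity in the tenant.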

    When dealing with a cloud environment, auditing user activities is a necessary security practice because users can sign in from practically anywhere. However, by using Microsoft 365 by itself, you may be missing some of the crucial details you need to fully monitor user activities.

Tips for searching the audit log

  • Use M365 Manager Plus to ease your security concerns and keep your Microsoft 365 setup intact. Track even the most granular user activities in Exchange Online, Azure Active Directory, OneDrive for Business, Sway, and other services.

  • Exchange Online. You need to constantly audit Exchange Online to keep mailbox issues, like spam and malware, at bay. Use M365 Manager Plus to audit and monitor not only mailbox accesses but also public folder accesses, contact changes, and permission changes. With M365 Manager Plus, keep track of:

    • Non-owner mailbox accesses, admin activities, and mailbox delegations, to check for malicious activities.
    • Owner, non-owner, and admin activities on Exchange Online groups, group delegations, emails sent as groups, and more.
    • Contacts created, modified, or deleted by users.
    • Public folders created, modified, or deleted by users.
    • Any changes made to critical mailbox permissions.

  • Azure Active Directory. Auditing user activities helps organizations make preemptive decisions. If your auditing tool reveals suspicious user activities in Azure AD, you can avoid security breaches well before any dire consequences occur. M365 Manager Plus provides in-depth audit details, which keep you aware of every event in the Azure AD environment. With M365 Manager Plus, keep track of:

    • Failed logon attempts due to an invalid username or password, which are indicators of brute-force attacks.

Step 2: View the search results

The results of an audit log search are displayed under Results on the Audit log search page. As previously stated, a maximum of 50,000 (newest) events are displayed in increments of 150 events. Use the scroll bar or press Shift + End to display the next 150 events.

The results contain the following information about each event returned by the search:

  • Password and license changes made by users.
  • Recently created, modified, or deleted user accounts and user groups.
  • Group membership changes.

  • OneDrive for Business. M365 Manager Plus audits OneDrive for Business to bring even the smallest file changes to light. Monitor file activities, file sharing activities, and sync activities, such as files uploaded to or downloaded from the cloud, to keep OneDrive for Business undamaged. Create your own audit profiles to audit only those events you want to track. Audit profiles help you avoid the overhead that comes along with scrutinizing the entire audit log for details. With M365 Manager Plus, keep track of:

    • Files created, modified, deleted, renamed, or moved, with details on who performed the action and when.
    • Sharing invitations, accepted and rejected access requests, and created, accepted, and deleted file sharing activities.
    • Partially and fully downloaded files, as well as uploaded files.
    • Synced devices and more.

  • Yammer. Yammer is the enterprise social network that brings all the stakeholders of a company, both internal and external, together. It's all about collaboration and networking. From Yammer, users can schedule a meeting in Outlook, start a video call in Skype for Business, access documents from OneDrive, and so on. With everything users can access from Yammer, it's essential that actions are tracked. With M365 Manager Plus, you can:

    • Audit the user groups created, modified, and deleted in Yammer, including the messages exchanged in those groups.
    • Keep track of files accessed, downloaded, modified, and viewed by Yammer users to ensure the integrity of files.
    • Track network configuration, profile settings, and security configuration changes made by admins.
    • Receive notifications about suspended users, exported data, and other modified Yammer settings the moment any of these activities happen.

  • Power BI. Power BI is a business analytics suite fit for handling any amount of data. When bestowed with the responsibility of handling company data, extra precautions must be taken to comply with industry mandates, so you can avoid mishaps.

View the details for a specific event

You can view more details about an event by clicking the event record in the list of search results. A flyout page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the service in which the event occurs.

Step 3: Export the search results to a file

You can export the results of an audit log search to a comma-separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multiple properties) into multiple columns.

  • Power BI's audit logs are difficult to get to and require multiple access features to be enabled in Microsoft 365. With M365 Manager Plus, you can:

    • Keep track of the groups created, modified, and deleted by users on Power BI.
    • See what dashboards were created, modified, deleted, and printed by users.
    • Audit the reports generated, viewed, printed, and shared by users to ensure that no data is shared with the external network, where it can fall into the wrong hands.
    • Know which users viewed metrics, admin portal activities, and datasets.

  • Microsoft Teams. Microsoft Teams helps get your teams on the same page with group chat, online meetings, web conferencing, etc. Users can customize their workspace by adding their favorite Microsoft apps and third-party services. Teams can also collaborate on files with built-in Microsoft 365 apps like Word, Excel, PowerPoint, and SharePoint. With M365 Manager Plus, you can:

    • Track every team, organization, and channel setting changed by users.
    • Audit the teams and channels created in your organization to understand team dynamics better.
    • See the bots added and removed from your team's environment.

More information about exporting and viewing audit log search results

    • Configure alerts to notify you about changes you deem critical.

  • Microsoft Stream. Microsoft Stream is the video sharing service of Microsoft 365, which lets you create and share videos across your organization. Users can create videos for knowledge sharing or promotion, and share them with their target audience. With M365 Manager Plus, you can:

    • Audit videos created, shared, modified, downloaded, and deleted by users.
    • See the likes and comments on videos, including deleted comments, along with permission changes made to videos.
    • Track the channels created, modified, and deleted by users in your Stream environment.
    • View information on user settings changes, deleted users, admin setting changes, and more.

  • Compliance management. Compliance management is an arduous, but inevitable, task. Required audit details often need to be maintained manually. M365 Manager Plus helps you generate and maintain the audit details you need to meet compliance requirements such as SOX, PCI-DSS, HIPAA, FISMA, and GLBA. With M365 Manager Plus, keep track of:

    • Security searches and created, modified, or deleted compliance security filters.
    • Created, modified, or deleted Data Loss Prevention (DLP) and retention compliance policies.
    • New case hold policies, DLP matches, activity alerts, users, and groups.
    • Management role groups that are created or deleted, including their members, and more.

  Never let anything escape your eye! Audit every Microsoft 365 user activity.

For most people the word “audit” conjures up a painful experience courtesy of the IRS. While tax audits are relatively rare, they’re nerve-wracking and potentially expensive all the same. Going through a software audit can be equally stressful and costly.

Audited activities

The tables in this section describe the activities that are audited in Microsoft 365. You can search for these events by searching the audit log in the security and compliance center.

These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the Activities drop-down list and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see Detailed properties in the audit log.

Click one of the following links to go to a specific table.

File and page activities

The following table describes the file and page activities in SharePoint Online and OneDrive for Business.

Friendly name | Operation | Description
Accessed file | FileAccessed | User or system account accesses a file. Once a user accesses a file, the FileAccessed event is not logged again for the same user and the same file for the next five minutes.
(none) | FileAccessedExtended | This is related to the "Accessed file" (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period (up to 3 hours). The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileAccessed event.
Changed retention label for a file | ComplianceSettingChanged | A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
Changed record status to locked | LockRecord | The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked | UnlockRecord | The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Checked in file | FileCheckedIn | User checks in a document that they checked out from a document library.
Checked out file | FileCheckedOut | User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file | FileCopied | User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file | FileDeleted | User deletes a document from a site.
Deleted file from recycle bin | FileDeletedFirstStageRecycleBin | User deletes a file from the recycle bin of a site.
Deleted file from second-stage recycle bin | FileDeletedSecondStageRecycleBin | User deletes a file from the second-stage recycle bin of a site.
Deleted file marked as a record | RecordDelete | A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
Detected document sensitivity mismatch | DocumentSensitivityMismatchDetected | User uploads a document to a site that's protected with a sensitivity label and the document has a higher-priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled Confidential is uploaded to a site labeled General. This event isn't triggered if the document has a lower-priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential. For more information about sensitivity label priority, see Label priority (order matters).
Detected malware in file | FileMalwareDetected | SharePoint anti-virus engine detects malware in a file.
Discarded file checkout | FileCheckOutDiscarded | User discards (or undoes) a checked-out file. That means any changes they made to the file while it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file | FileDownloaded | User downloads a document from a site.
Modified file | FileModified | User or system account modifies the content or the properties of a document on a site. The system waits five minutes before it logs another FileModified event when the same user modifies the content or properties of the same document.
(none) | FileModifiedExtended | This is related to the "Modified file" (FileModified) activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period (up to 3 hours). The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified. This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileModified event.
Moved file | FileMoved | User moves a document from its current location on a site to a new location.
(none) | FilePreviewed | User previews files on a SharePoint or OneDrive for Business site. These events typically occur in high volumes based on a single activity, such as viewing an image gallery.
Performed search query | SearchQueryPerformed | User or system account performs a search in SharePoint or OneDrive for Business. Some common scenarios where a service account performs a search query include applying eDiscovery holds and retention policies to sites and OneDrive accounts, and auto-applying retention or sensitivity labels to site content.
Recycled a file | FileRecycled | User moves a file into the SharePoint Recycle Bin.
Recycled a folder | FolderRecycled | User moves a folder into the SharePoint Recycle Bin.
Recycled all minor versions of file | FileVersionsAllMinorsRecycled | User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled all versions of file | FileVersionsAllRecycled | User deletes all versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled version of file | FileVersionRecycled | User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin.
Renamed file | FileRenamed | User renames a document on a site.
Restored file | FileRestored | User restores a document from the recycle bin of a site.
Uploaded file | FileUploaded | User uploads a document to a folder on a site.
Viewed page | PageViewed | User views a page on a site. This doesn't include using a web browser to view files located in a document library. Once a user views a page, the PageViewed event is not logged again for the same user and the same page for the next five minutes.
(none) | PageViewedExtended | This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours). The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.
View signaled by client | ClientViewSignaled | A user's client (such as a website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. The system waits five minutes before it logs the same event when the same user's client signals that the page has been viewed again by the user.
(none) | PagePrefetched | A user's client (such as a website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. When the page content is rendered by the client (as per the user's request) a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.

Frequently asked questions about FileAccessed and FilePreviewed events

Could any non-user activities trigger FilePreviewed audit records that contain a user agent like "OneDriveMpc-Transform_Thumbnail"?

We aren't aware of scenarios where non-user actions generate events like these. User actions like opening a user profile card (by clicking their name or email address in a message in Outlook on the web) would generate similar events.

Are calls to the OneDriveMpc-Transform_Thumbnail always intentionally being triggered by the user?

No. But similar events can be logged as a result of browser pre-fetch.

If we see a FilePreviewed event coming from a Microsoft-registered IP address, does that mean that the preview was displayed on the screen of the user's device?

No. The event might have been logged as a result of browser pre-fetch.

Are there scenarios where a user previewing a document generates FileAccessed events?

Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent.

The app@sharepoint user in audit records

In audit records for some file activities (and other SharePoint-related activities), you may notice the user who performed the activity (identified in the User and UserId fields) is app@sharepoint. This indicates that the "user" who performed the activity was an application. In this case, the application was granted permissions in SharePoint to perform organization-wide actions (such as searching a SharePoint site or OneDrive account) on behalf of a user, admin, or service. This process of giving permissions to an application is called SharePoint App-Only access. It indicates that the authentication presented to SharePoint to perform an action was made by an application, instead of a user. This is why the app@sharepoint user is identified in certain audit records. For more information, see Grant access using SharePoint App-Only.

For example, app@sharepoint is often identified as the user for "Performed search query" and "Accessed file" events. That's because an application with SharePoint App-Only access in your organization performs search queries and accesses files when applying retention policies to sites and OneDrive accounts.

Here are a few other scenarios where app@sharepoint may be identified in an audit record as the user who performed an activity:


In these and other scenarios, you'll also notice that multiple audit records with app@sharepoint as the specified user were created within a short time frame, often within a few seconds of each other. This indicates they were probably triggered by the same user-initiated task. The ApplicationDisplayName and EventData fields in the audit record may also help you identify the scenario or application that triggered the event.
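One way to apply that grouping heuristic to an exported log, as an added example that is not Microsoft's code: it decodes the AuditData JSON of each exported row, clusters the app@sharepoint records that fall within a few seconds of each other, and summarizes each burst by operation, ApplicationDisplayName and object. The rows are constructed for the example, and the CreationTime, Operation and ObjectId field names are assumed from the export schema (the page itself names UserId, ApplicationDisplayName and EventData).

```python
"""Group app@sharepoint audit records into bursts (added example, not Microsoft's code).

Input rows mimic the AuditData column of a unified audit log export. They are
constructed; CreationTime, Operation and ObjectId are assumed field names.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

APP_ONLY_USER = "app@sharepoint"
DEFAULT_WINDOW = timedelta(seconds=5)

# Constructed sample: three app-only records one second apart, one ordinary
# user record, then two app-only records about an hour later.
SAMPLE_AUDITDATA = [
    '{"CreationTime":"2021-03-02T09:15:01","Operation":"FileAccessed","UserId":"app@sharepoint",'
    '"ApplicationDisplayName":"Example Retention App (constructed)",'
    '"ObjectId":"https://contoso.example/sites/hr/Shared Documents/a.docx"}',
    '{"CreationTime":"2021-03-02T09:15:02","Operation":"FileAccessed","UserId":"app@sharepoint",'
    '"ApplicationDisplayName":"Example Retention App (constructed)",'
    '"ObjectId":"https://contoso.example/sites/hr/Shared Documents/b.docx"}',
    '{"CreationTime":"2021-03-02T09:15:03","Operation":"FilePreviewed","UserId":"app@sharepoint",'
    '"ApplicationDisplayName":"Example Retention App (constructed)",'
    '"ObjectId":"https://contoso.example/sites/hr/Shared Documents/c.docx"}',
    '{"CreationTime":"2021-03-02T09:15:20","Operation":"FileAccessed","UserId":"alice@contoso.example",'
    '"ObjectId":"https://contoso.example/sites/hr/Shared Documents/a.docx"}',
    '{"CreationTime":"2021-03-02T10:40:00","Operation":"FileAccessed","UserId":"app@sharepoint",'
    '"ApplicationDisplayName":"Example eDiscovery App (constructed)",'
    '"ObjectId":"https://contoso.example/sites/legal/Shared Documents/d.docx"}',
    '{"CreationTime":"2021-03-02T10:40:04","Operation":"FileAccessed","UserId":"app@sharepoint",'
    '"ApplicationDisplayName":"Example eDiscovery App (constructed)",'
    '"ObjectId":"https://contoso.example/sites/legal/Shared Documents/e.docx"}',
]


def parse_auditdata(rows):
    """Decode each AuditData JSON string and sort the records by creation time."""
    records = [json.loads(row) for row in rows]
    for rec in records:
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
    return sorted(records, key=lambda rec: rec["_ts"])


def is_app_only(rec):
    return rec.get("UserId", "").lower() == APP_ONLY_USER


def cluster_app_only_bursts(records, window=DEFAULT_WINDOW):
    """Group app@sharepoint records that follow the previous app@sharepoint record
    within `window`; the page notes such bursts usually stem from one task."""
    bursts = []
    current = None
    for rec in records:
        if not is_app_only(rec):
            continue  # records for real users are left out of the clustering
        if current is None or rec["_ts"] - current["end"] > window:
            current = {"start": rec["_ts"], "end": rec["_ts"], "records": []}
            bursts.append(current)
        current["end"] = rec["_ts"]
        current["records"].append(rec)
    return bursts


def summarize_burst(burst):
    """Roll a burst up to the fields an analyst checks first."""
    recs = burst["records"]
    return {
        "start": burst["start"].isoformat(),
        "seconds": (burst["end"] - burst["start"]).total_seconds(),
        "count": len(recs),
        "operations": dict(Counter(r["Operation"] for r in recs)),
        "applications": sorted({r.get("ApplicationDisplayName", "<none>") for r in recs}),
        "objects": sorted({r.get("ObjectId", "") for r in recs}),
    }


def burst_report(rows, window=DEFAULT_WINDOW):
    """Parse exported AuditData rows and return one summary per app-only burst."""
    return [summarize_burst(b) for b in cluster_app_only_bursts(parse_auditdata(rows), window)]


if __name__ == "__main__":
    for summary in burst_report(SAMPLE_AUDITDATA):
        print(summary)
```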

Folder activities

The following table describes the folder activities in SharePoint Online and OneDrive for Business. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
|---|---|---|
| Copied folder | FolderCopied | User copies a folder from a site to another location in SharePoint or OneDrive for Business. |
| Created folder | FolderCreated | User creates a folder on a site. |
| Deleted folder | FolderDeleted | User deletes a folder from a site. |
| Deleted folder from recycle bin | FolderDeletedFirstStageRecycleBin | User deletes a folder from the recycle bin on a site. |
| Deleted folder from second-stage recycle bin | FolderDeletedSecondStageRecycleBin | User deletes a folder from the second-stage recycle bin on a site. |
| Modified folder | FolderModified | User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties. |
| Moved folder | FolderMoved | User moves a folder to a different location on a site. |
| Renamed folder | FolderRenamed | User renames a folder on a site. |
| Restored folder | FolderRestored | User restores a deleted folder from the recycle bin on a site. |

SharePoint list activities

The following table describes activities related to when users interact with lists and list items in SharePoint Online. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
|---|---|---|
| Created list | ListCreated | A user created a SharePoint list. |
| Created list column | ListColumnCreated | A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists. |
| Created list content type | ListContentTypeCreated | A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists. |
| Created list item | ListItemCreated | A user created an item in an existing SharePoint list. |
| Created site column | SiteColumnCreated | A user created a SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web. |
| Created site content type | SiteContentTypeCreated | A user created a site content type. A site content type is a content type that's attached to the parent site. |
| Deleted list | ListDeleted | A user deleted a SharePoint list. |
| Deleted list column | ListColumnDeleted | A user deleted a SharePoint list column. |
| Deleted list content type | ListContentTypeDeleted | A user deleted a list content type. |
| Deleted list item | ListItemDeleted | A user deleted a SharePoint list item. |
| Deleted site column | SiteColumnDeleted | A user deleted a SharePoint site column. |
| Deleted site content type | SiteContentTypeDeleted | A user deleted a site content type. |
| Recycled list item | ListItemRecycled | A user moved a SharePoint list item to the Recycle Bin. |
| Restored list | ListRestored | A user restored a SharePoint list from the Recycle Bin. |
| Restored list item | ListItemRestored | A user restored a SharePoint list item from the Recycle Bin. |
| Updated list | ListUpdated | A user updated a SharePoint list by modifying one or more properties. |
| Updated list column | ListColumnUpdated | A user updated a SharePoint list column by modifying one or more properties. |
| Updated list content type | ListContentTypeUpdated | A user updated a list content type by modifying one or more properties. |
| Updated list item | ListItemUpdated | A user updated a SharePoint list item by modifying one or more properties. |
| Updated site column | SiteColumnUpdated | A user updated a SharePoint site column by modifying one or more properties. |
| Updated site content type | SiteContentTypeUpdated | A user updated a site content type by modifying one or more properties. |
| Viewed list item | ListItemViewed | A user viewed a SharePoint list item. Once a user views a list item, the ListItemViewed event is not logged again for the same user and the same list item for the next five minutes. |

Sharing and access request activities

The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business. For sharing events, the Detail column under Results identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. For more information, see Use sharing auditing in the audit log.


| Friendly name | Operation | Description |
|---|---|---|
| Added permission level to site collection | PermissionLevelAdded | A permission level was added to a site collection. |
| Accepted access request | AccessRequestAccepted | An access request to a site, folder, or document was accepted and the requesting user has been granted access. |
| Accepted sharing invitation | SharingInvitationAccepted | User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource. |
| Blocked sharing invitation | SharingInvitationBlocked | A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because the target user's domain isn't included in the list of allowed domains, or the target user's domain is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business. |
| Created access request | AccessRequestCreated | User requests access to a site, folder, or document they don't have permissions to access. |
| Created a company shareable link | CompanyLinkCreated | User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can't be used by guests. |
| Created an anonymous link | AnonymousLinkCreated | User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated. |
| Created secure link | SecureLinkCreated | A secure sharing link was created to this item. |
| Created sharing invitation | SharingInvitationCreated | User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory. |
| Deleted secure link | SecureLinkDeleted | A secure sharing link was deleted. |
| Denied access request | AccessRequestDenied | An access request to a site, folder, or document was denied. |
| Removed a company shareable link | CompanyLinkRemoved | User removed a company-wide link to a resource. The link can no longer be used to access the resource. |
| Removed an anonymous link | AnonymousLinkRemoved | User removed an anonymous link to a resource. The link can no longer be used to access the resource. |
| Shared file, folder, or site | SharingSet | User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource. |
| Updated access request | AccessRequestUpdated | An access request to an item was updated. |
| Updated an anonymous link | AnonymousLinkUpdated | User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results. |
| Updated sharing invitation | SharingInvitationUpdated | An external sharing invitation was updated. |
| Used an anonymous link | AnonymousLinkUsed | An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address. |
| Unshared file, folder, or site | SharingRevoked | User (member or guest) unshared a file, folder, or site that was previously shared with another user. |
| Used a company shareable link | CompanyLinkUsed | User accessed a resource by using a company-wide link. |
| Used secure link | SecureLinkUsed | A user used a secure link. |
| User added to secure link | AddedToSecureLink | A user was added to the list of entities who can use a secure sharing link. |
| User removed from secure link | RemovedFromSecureLink | A user was removed from the list of entities who can use a secure sharing link. |
| Withdrew sharing invitation | SharingInvitationRevoked | User withdrew a sharing invitation to a resource. |

Synchronization activities

The following table lists file synchronization activities in SharePoint Online and OneDrive for Business.

| Friendly name | Operation | Description |
|---|---|---|
| Allowed computer to sync files | ManagedSyncClientAllowed | User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. For more information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list. |
| Blocked computer from syncing files | UnmanagedSyncClientBlocked | User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list. |
| Downloaded files to computer | FileSyncDownloadedFull | User downloads a file to their computer from a SharePoint document library or OneDrive for Business using the OneDrive sync app (OneDrive.exe). |
| Downloaded file changes to computer | FileSyncDownloadedPartial | This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe). |
| Uploaded files to document library | FileSyncUploadedFull | User uploads a new file or changes to a file in a SharePoint document library or OneDrive for Business using the OneDrive sync app (OneDrive.exe). |
| Uploaded file changes to document library | FileSyncUploadedPartial | This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe). |

Site permissions activities

The following table lists events related to assigning permissions in SharePoint and using groups to give (and revoke) access to sites. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
|---|---|---|
| Added site collection admin | SiteCollectionAdminAdded | Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account (by editing the user profile in the SharePoint admin center or by using the Microsoft 365 admin center). |
| Added user or group to SharePoint group | AddedToGroup | User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event. |
| Broke permission level inheritance | PermissionLevelsInheritanceBroken | An item was changed so that it no longer inherits permission levels from its parent. |
| Broke sharing inheritance | SharingInheritanceBroken | An item was changed so that it no longer inherits sharing permissions from its parent. |
| Created group | GroupAdded | Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file. |
| Deleted group | GroupRemoved | User deletes a group from a site. |
| Modified access request setting | WebRequestAccessModified | The access request settings were modified on a site. |
| Modified 'Members Can Share' setting | WebMembersCanShareModified | The Members Can Share setting was modified on a site. |
| Modified permission level on a site collection | PermissionLevelModified | A permission level was changed on a site collection. |
| Modified site permissions | SitePermissionsModified | Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group. NOTE: This operation has been deprecated in SharePoint Online. To find related events, you can search for other permission-related activities such as Added site collection admin, Added user or group to SharePoint group, Allowed user to create groups, Created group, and Deleted group. |
| Removed permission level from site collection | PermissionLevelRemoved | A permission level was removed from a site collection. |
| Removed site collection admin | SiteCollectionAdminRemoved | Site collection administrator or owner removes a person as a site collection administrator for a site. This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account (by editing the user profile in the SharePoint admin center). To return this activity in the audit log search results, you have to search for all activities. |
| Removed user or group from SharePoint group | RemovedFromGroup | User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event. |
| Requested site admin permissions | SiteAdminChangeRequest | User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites. |
| Restored sharing inheritance | SharingInheritanceReset | A change was made so that an item inherits sharing permissions from its parent. |
| Updated group | GroupUpdated | Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled. |

Site administration activities

The following table lists events that result from site administration tasks in SharePoint Online. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
|---|---|---|
| Added allowed data location | AllowedDataLocationAdded | A SharePoint or global administrator added an allowed data location in a multi-geo environment. |
| Added exempt user agent | ExemptUserAgentSet | A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center. |
| Added geo location admin | GeoAdminAdded | A SharePoint or global administrator added a user as a geo admin of a location. |
| Allowed user to create groups | AllowGroupCreationSet | Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site. |
| Canceled site geo move | SiteGeoMoveCancelled | A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online. |
| Changed a sharing policy | SharingPolicyChanged | A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperties field in the detailed properties of the event record. |
| Changed device access policy | DeviceAccessPolicyChanged | A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see Control access from unmanaged devices. |
| Changed exempt user agents | CustomizeExemptUsers | A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means that when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file instead of an entire web page. This makes indexing InfoPath forms faster. |
| Changed network access policy | NetworkAccessPolicyChanged | A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see Control access to SharePoint Online and OneDrive data based on network location. |
| Completed site geo move | SiteGeoMoveCompleted | A site geo move that was scheduled by a global administrator in your organization was successfully completed. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online. |
| Created Sent To connection | SendToConnectionAdded | A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location. |
| Created site collection | SiteCollectionCreated | A SharePoint or global administrator creates a site collection in your SharePoint Online organization, or a user provisions their OneDrive for Business site. |
| Deleted orphaned hub site | HubSiteOrphanHubDeleted | A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it. An orphaned hub is likely caused by the deletion of the original hub site. |
| Deleted Sent To connection | SendToConnectionRemoved | A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center. |
| Deleted site | SiteDeleted | Site administrator deletes a site. |
| Enabled document preview | PreviewModeEnabledSet | Site administrator enables document preview for a site. |
| Enabled legacy workflow | LegacyWorkflowEnabledSet | Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable workflows for the entire organization in the SharePoint admin center. |
| Enabled Office on Demand | OfficeOnDemandSet | Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires a Microsoft 365 subscription that includes full, installed Office applications. |
| Enabled result source for People Searches | PeopleResultsScopeSet | Site administrator creates the result source for People Searches for a site. |
| Enabled RSS feeds | NewsFeedEnabledSet | Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center. |
| Joined site to hub site | HubSiteJoined | A site owner associates their site with a hub site. |
| Modified site collection quota | SiteCollectionQuotaModified | Site administrator modifies the quota for a site collection. |
| Registered hub site | HubSiteRegistered | A SharePoint or global administrator creates a hub site. The result is that the site is registered to be a hub site. |
| Removed allowed data location | AllowedDataLocationDeleted | A SharePoint or global administrator removed an allowed data location in a multi-geo environment. |
| Removed geo location admin | GeoAdminDeleted | A SharePoint or global administrator removed a user as a geo admin of a location. |
| Renamed site | SiteRenamed | Site administrator or owner renames a site. |
| Scheduled site geo move | SiteGeoMoveScheduled | A SharePoint or global administrator successfully schedules a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online. |
| Set host site | HostSiteSet | A SharePoint or global administrator changes the designated site to host personal or OneDrive for Business sites. |
| Set storage quota for geo location | GeoQuotaAllocated | A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment. |
| Unjoined site from hub site | HubSiteUnjoined | A site owner disassociates their site from a hub site. |
| Unregistered hub site | HubSiteUnregistered | A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site. |

Exchange mailbox activities

The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 90 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see Manage mailbox auditing.

You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.

| Friendly name | Operation | Description |
|---|---|---|
| Accessed mailbox items | MailItemsAccessed | Messages were read or accessed in a mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages, or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating a compromised email account. For more information, see the "Advanced Audit events" section in Advanced Audit. |
| Added delegate mailbox permissions | Add-MailboxPermission | An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) on another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks on behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see System accounts in Exchange mailbox audit records. |
| Added or removed user with delegate access to calendar folder | UpdateCalendarDelegation | A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. |
| Added permissions to folder | AddFolderPermissions | A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Copied messages to another folder | Copy | A message was copied to another folder. |
| Created mailbox item | Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. |
| Created new inbox rule in Outlook web app | New-InboxRule | A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app. |
| Deleted messages from Deleted Items folder | SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects a message and presses Shift+Delete. |
| Labeled message as a record | ApplyRecordLabel | A message was classified as a record. This occurs when a retention label that classifies content as a record is manually or automatically applied to a message. |
| Moved messages to another folder | Move | A message was moved to another folder. |
| Moved messages to Deleted Items folder | MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. |
| Modified folder permission | UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder. |
| Modified inbox rule from Outlook web app | Set-InboxRule | A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app. |
| Purged messages from the mailbox | HardDelete | A message was purged from the Recoverable Items folder (permanently deleted from the mailbox). |
| Removed delegate mailbox permissions | Remove-MailboxPermission | An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it. |
| Removed permissions from folder | RemoveFolderPermissions | A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Sent message | Send | A message was sent, replied to, or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. For more information, see the "Advanced Audit events" section in Advanced Audit. |
| Sent message using Send As permissions | SendAs | A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner. |
| Sent message using Send On Behalf permissions | SendOnBehalf | A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message. |
| Updated inbox rules from Outlook client | UpdateInboxRules | A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client. |
| Updated message | Update | A message or its properties was changed. |
| User signed in to mailbox | MailboxLogin | The user signed in to their mailbox. |
| Label message as a record | | A user applied a retention label to an email message and that label is configured to mark the item as a record. |

System accounts in Exchange mailbox audit records

In audit records for some mailbox activities (especially Add-MailboxPermission), you may notice the user who performed the activity (identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost). This indicates that the "user" who performed the activity was a system account in the Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. This ensures that eDiscovery administrators can perform necessary tasks in their organization.

Another system user account that may be identified in an audit record for Add-MailboxPermission is [email protected] This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the [email protected] account are typically triggered when Microsoft support personnel run an RBAC role diagnostic tool on behalf of your organization.
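The distinction above matters when reviewing exported Add-MailboxPermission records: the system account re-asserting FullAccess on the DiscoverySearchMailbox for the Discovery Management role group is routine, while any other FullAccess grant deserves a look. The following Python is an added example (not Microsoft's code or documentation) that labels exported rows accordingly; it assumes the AuditData column is JSON carrying UserId, ObjectId and a Parameters list of Name/Value pairs, and every sample record, GUID and address below is constructed.

```python
import json

# Actor prefix of the Exchange system account in the cloud; the page shows both
# "NT AUTHORITY\SYSTEM" and "NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost)".
SYSTEM_ACTOR_PREFIX = "NT AUTHORITY\\SYSTEM"

EXPECTED_MAINTENANCE = "expected-maintenance"
REVIEW_SYSTEM = "review-system-account-on-user-mailbox"
REVIEW_HUMAN = "review-delegated-access-grant"


def parameters(audit: dict) -> dict:
    """Flatten the cmdlet parameter list ([{Name, Value}, ...]) into a dict.

    The list shape is an assumption about exported Exchange admin records.
    """
    return {p.get("Name"): p.get("Value") for p in audit.get("Parameters", [])}


def classify(audit: dict) -> str:
    """Label one Add-MailboxPermission record for triage."""
    actor = audit.get("UserId", "")
    params = parameters(audit)
    target = params.get("Identity") or audit.get("ObjectId", "")
    grantee = params.get("User", "")
    rights = params.get("AccessRights", "")

    is_system = actor.startswith(SYSTEM_ACTOR_PREFIX)
    # The routine maintenance the page describes: the system account re-asserts
    # FullAccess on the DiscoverySearchMailbox for the Discovery Management role group.
    is_discovery_maintenance = (
        "DiscoverySearchMailbox" in target
        and grantee == "Discovery Management"
        and rights == "FullAccess"
    )
    if is_system and is_discovery_maintenance:
        return EXPECTED_MAINTENANCE
    if is_system:
        return REVIEW_SYSTEM
    return REVIEW_HUMAN


def triage(rows: list) -> list:
    """Parse the AuditData column of exported rows and label each permission grant."""
    out = []
    for row in rows:
        audit = json.loads(row["AuditData"])
        if audit.get("Operation") != "Add-MailboxPermission":
            continue  # other cmdlets (e.g. Remove-MailboxPermission) are out of scope here
        params = parameters(audit)
        out.append({
            "actor": audit.get("UserId", ""),
            "target": params.get("Identity") or audit.get("ObjectId", ""),
            "grantee": params.get("User", ""),
            "rights": params.get("AccessRights", ""),
            "label": classify(audit),
        })
    return out


def _row(user_id, identity, user, rights, operation="Add-MailboxPermission"):
    """Build one constructed export row in the assumed shape."""
    audit = {
        "Operation": operation,
        "UserId": user_id,
        "ObjectId": identity,
        "Parameters": [
            {"Name": "Identity", "Value": identity},
            {"Name": "User", "Value": user},
            {"Name": "AccessRights", "Value": rights},
        ],
    }
    return {"Operation": operation, "UserId": user_id, "AuditData": json.dumps(audit)}


# Constructed sample export: the GUID, mailboxes and accounts are placeholders.
SAMPLE_ROWS = [
    _row("NT AUTHORITY\\SYSTEM(Microsoft.Exchange.ServiceHost)",
         "DiscoverySearchMailbox{00000000-0000-0000-0000-000000000000}",
         "Discovery Management", "FullAccess"),
    _row("NT AUTHORITY\\SYSTEM", "finance-shared@example.com",
         "contractor@example.com", "FullAccess"),
    _row("admin@example.com", "ceo@example.com",
         "assistant@example.com", "FullAccess"),
    _row("admin@example.com", "ceo@example.com", "assistant@example.com",
         "FullAccess", operation="Remove-MailboxPermission"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print(f'{r["label"]:<40} {r["actor"]} -> {r["target"]} ({r["grantee"]}: {r["rights"]})')
```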

User administration activities

The following table lists user administration activities that are logged when an admin adds or changes a user account by using the Microsoft 365 admin center or the Azure management portal.

Adding to the confusion, you’ll also need to record and track whether license keys are from original equipment manufacturers (OEMs), retail purchases and/or Microsoft’s Volume Licensing Service Center.

Being audited by Microsoft? Here’s how to get ready. Much like when working on a homework assignment or a term paper, it’s a good idea not to wait until the last minute to start on a full audit. Procrastination is the enemy, and you don’t want to get stuck frantically populating an Excel sheet before a tight deadline. Instead, you should take advantage of tools, such as a network inventory solution, that can help you track early and often… before you get audited.

| Activity | Operation | Description |
|---|---|---|
| Added user | Add user. | A user account was created. |
| Changed user license | Change user license. | The license assigned to a user was changed. To see what licenses were changed, see the corresponding Updated user activity. |
| Changed user password | Change user password. | A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organization to allow users to reset their password. You can also track self-service password reset activity in Azure Active Directory. For more information, see Reporting options for Azure AD password management. |
| Deleted user | Delete user. | A user account was deleted. |
| Reset user password | Reset user password. | Administrator resets the password for a user. |
| Set property that forces user to change password | Set force change user password. | Administrator set the property that forces a user to change their password the next time the user signs in to Microsoft 365. |
| Set license properties | Set license properties. | Administrator modifies the properties of a license assigned to a user. |
| Updated user | Update user. | Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in Azure Active Directory Audit Report Events. |

Azure AD group administration activities

The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 Group or when an admin creates a security group by using the Microsoft 365 admin center or the Azure management portal. For more information about groups in Microsoft 365, see View, create, and delete Groups in the Microsoft 365 admin center.

That way, you don’t run the risk of unexpectedly having to spend big bucks or waste time tracking down missing licenses.

“There’s a lesson to be learned here,” Spiceworks Community member Glenn_P summed up perfectly: “Track your licenses and installs regularly and the audit will be very easy. If you wait until they send you the letter to figure it out, then you’ll be running around gathering data in a rush.” What should your audit tools do for you? Just as tax preparers have software options that can simplify their jobs, IT pros have solutions for taking inventory of the devices and software on their network.

| Friendly name | Operation | Description |
|---|---|---|
| Added group | Add group. | A group was created. |
| Added member to group | Add member to group. | A member was added to a group. |
| Deleted group | Delete group. | A group was deleted. |
| Removed member from group | Remove member from group. | A member was removed from a group. |
| Updated group | Update group. | A property of a group was changed. |

Application administration activities

The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Azure AD. Any application that relies on Azure AD for authentication must be registered in the directory.

A good software audit app should be able to:

  • Scan each of the computers on your network and tell you what software is installed.

  • Track Microsoft Office and operating system licenses (server and client) across all of your computers.

  • Discover unlicensed software running on the network.

  • Automatically gather license information.

  • Keep tabs on how often each volume license has been utilized.

  • Generate detailed reports that eliminate the need for manual guesswork.

| Friendly name | Operation | Description |
|---|---|---|
| Added delegation entry | Add delegation entry. | An authentication permission was created/granted to an application in Azure AD. |
| Added service principal | Add service principal. | An application was registered in Azure AD. An application is represented by a service principal in the directory. |
| Added credentials to a service principal | Add service principal credentials. | Credentials were added to a service principal in Azure AD. A service principal represents an application in the directory. |
| Removed delegation entry | Remove delegation entry. | An authentication permission was removed from an application in Azure AD. |
| Removed a service principal from the directory | Remove service principal. | An application was deleted/unregistered from Azure AD. An application is represented by a service principal in the directory. |
| Removed credentials from a service principal | Remove service principal credentials. | Credentials were removed from a service principal in Azure AD. A service principal represents an application in the directory. |
| Set delegation entry | Set delegation entry. | An authentication permission was updated for an application in Azure AD. |

Role administration activities

The following table lists Azure AD role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal.

In a tool like Spiceworks, you can easily search all the software you have installed in your environment and automatically or manually track license keys for any piece of software.

Additionally, you can tell which software versions are installed on each individual device. The best-case scenario is having the product key information stored in a database that you can query for advanced reporting. You’ll also want to be able to easily export your data to a spreadsheet so you can easily copy and paste into any templates provided by Microsoft.

| Friendly name | Operation | Description |
|---|---|---|
| Add member to Role | Add member to role. | Added a user to an admin role in Microsoft 365. |
| Removed a user from a directory role | Remove member from role. | Removed a user from an admin role in Microsoft 365. |
| Set company contact information | Set company contact information. | Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services. |

Directory administration activities

The following table lists Azure AD directory and domain-related activities that are logged when an administrator manages their organization in the Microsoft 365 admin center or in the Azure management portal.

There are a few other things to keep in mind during the license tracking process.

For example, sometimes tracking workstations is straightforward, but there might be a bit more complexity with server CALs (client access licenses) because many of these products are licensed per processor or per user. In the case of server OS or SQL server licenses, you might want to write additional notes in your spreadsheet or database to keep all of the details straight.

| Friendly name | Operation | Description |
|---|---|---|
| Added domain to company | Add domain to company. | Added a domain to your organization. |
| Added a partner to the directory | Add partner to company. | Added a partner (delegated administrator) to your organization. |
| Removed domain from company | Remove domain from company. | Removed a domain from your organization. |
| Removed a partner from the directory | Remove partner from company. | Removed a partner (delegated administrator) from your organization. |
| Set company information | Set company information. | Updated the company information for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services. |
| Set domain authentication | Set domain authentication. | Changed the domain authentication setting for your organization. |
| Updated the federation settings for a domain | Set federation settings on domain. | Changed the federation (external sharing) settings for your organization. |
| Set password policy | Set password policy. | Changed the length and character constraints for user passwords in your organization. |
| Turned on Azure AD sync | Set DirSyncEnabled flag. | Set the property that enables a directory for Azure AD Sync. |
| Updated domain | Update domain. | Updated the settings of a domain in your organization. |
| Verified domain | Verify domain. | Verified that your organization is the owner of a domain. |
| Verified email verified domain | Verify email verified domain. | Used email verification to verify that your organization is the owner of a domain. |

eDiscovery activities

Content Search and eDiscovery-related activities that are performed in the security and compliance center or by running the corresponding PowerShell cmdlets are logged in the audit log. This includes the following activities:

  • Also, if you buy software through a partner, you might ask for their help during an audit.

  • They should have records of your purchases and can help fill in gaps in your documentation.

  • Whether a Microsoft audit is imminent or just a possibility in the future, you can save yourself some headaches by getting all of your ducks in a row when it comes to license tracking.

  • Responding to an audit can be easy enough as long as you have an effective network inventory tool.

  • There are options out there, and many IT pros rely on tools like the Spiceworks Inventory app to give them deep insight into their devices, installed software, and license keys.

For a list and detailed description of the eDiscovery activities that are logged, see Search for eDiscovery activities in the audit log.

Whether you’re tracking your licenses manually or with a tool that can help you do it automatically, if you are prepared your next Microsoft audit can be relatively easy and painless.

Alerts: Enables you to manage alerts, view security-related alerts, and manage advanced alerts using Defender for Cloud Apps. Permissions: Enables you to assign permissions such as Compliance Administrator, eDiscovery Manager, and others to people in your organization so they can perform tasks in these centers.

Advanced eDiscovery activities

You can also search the audit log for activities in Advanced eDiscovery. For a description of these activities, see the "Advanced eDiscovery activities" section in Search for eDiscovery activities in the audit log.

Power BI activities

You can search the audit log for activities in Power BI. For information about Power BI activities, see the "Activities audited by Power BI" section in Using auditing within your organization.

Audit logging for Power BI isn't enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in Power BI admin portal.

Workplace Analytics activities

Workplace Analytics provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Workplace Analytics. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Workplace Analytics. For more information, see Workplace Analytics.

| Friendly name | Operation | Description |
|---|---|---|
| Accessed OData link | AccessedOdataLink | Analyst accessed the OData link for a query. |
| Canceled query | CanceledQuery | Analyst canceled a running query. |
| Created meeting exclusion | MeetingExclusionCreated | Analyst created a meeting exclusion rule. |
| Deleted result | DeletedResult | Analyst deleted a query result. |
| Downloaded report | DownloadedReport | Analyst downloaded a query result file. |
| Executed query | ExecutedQuery | Analyst ran a query. |
| Updated data access setting | UpdatedDataAccessSetting | Admin updated data access settings. |
| Updated privacy setting | UpdatedPrivacySetting | Admin updated privacy settings; for example, minimum group size. |
| Uploaded organization data | UploadedOrgData | Admin uploaded an organizational data file. |
| User logged in* | UserLoggedIn | A user signed in to their Microsoft 365 user account. |
| User logged off* | UserLoggedOff | A user signed out of their Microsoft 365 user account. |
| Viewed Explore | ViewedExplore | Analyst viewed visualizations in one or more Explore page tabs. |

You assign permissions for most features in each center, but other permissions must be configured using the Exchange admin center and SharePoint admin center.

Threat management: Enables you to create and apply device management policies using Basic Mobility and Security for Microsoft 365, to set up data loss prevention (DLP) policies for your organization, to configure email filtering, anti-malware, DomainKeys Identified Mail (DKIM), safe attachments, safe links, and OAuth apps.

Microsoft Teams activities

You can search the audit log for user and admin activities in Microsoft Teams. Teams is a chat-centered workspace in Microsoft 365. It brings a team's conversations, meetings, files, and notes together into a single place. For descriptions of the Teams activities that are audited, see Search the audit log for events in Microsoft Teams.

Microsoft Teams Healthcare activities

If your organization is using the Patients application in Microsoft Teams, you can search the audit log for activities related to using the Patients app. If your environment is configured to support the Patients app, an additional activity group for these activities is available in the Activities picker list.

For a description of the Patients app activities, see Audit logs for Patients app.

Microsoft Teams Shifts activities

If your organization is using the Shifts app in Microsoft Teams, you can search the audit log for activities related to using the Shifts app. If your environment is configured to support the Shifts app, an additional activity group for these activities is available in the Activities picker list.

For a description of Shifts app activities, see Search the audit log for events in Microsoft Teams.

Yammer activities

The following table lists the user and admin activities in Yammer that are logged in the audit log. To return Yammer-related activities from the audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results.

Data governance: Enables you to import email or SharePoint data from other systems into Microsoft 365, configure archive mailboxes, and set retention policies for email and other content within your organization.

Search & investigation: Provides content search, audit log, quarantine, and eDiscovery case management tools to quickly drill into activity across Exchange Online mailboxes, groups and public folders, SharePoint Online, and OneDrive for Business. Reports: Enables you to quickly access reports for SharePoint Online, OneDrive for Business, Exchange Online, and Azure AD.

| Friendly name | Operation | Description |
|---|---|---|
| Changed data retention policy | SoftDeleteSettingsUpdated | Verified admin updates the setting for the network data retention policy to either Hard Delete or Soft Delete. Only verified admins can perform this operation. |
| Changed network configuration | NetworkConfigurationUpdated | Network or verified admin changes the Yammer network's configuration. This includes setting the interval for exporting data and enabling chat. |
| Changed network profile settings | ProcessProfileFields | Network or verified admin changes the information that appears on member profiles for network users. |
| Changed private content mode | SupervisorAdminToggled | Verified admin turns Private Content Mode on or off. This mode lets an admin view the posts in private groups and view private messages between individual users (or groups of users). Only verified admins can perform this operation. |
| Changed security configuration | NetworkSecurityConfigurationUpdated | Verified admin updates the Yammer network's security configuration. This includes setting password expiration policies and restrictions on IP addresses. Only verified admins can perform this operation. |
| Created file | FileCreated | User uploads a file. |
| Created group | GroupCreation | User creates a group. |
| Created message* | MessageCreated | User creates a message. |
| Deleted group | GroupDeletion | A group is deleted from Yammer. |
| Deleted message | MessageDeleted | User deletes a message. |
| Downloaded file | FileDownloaded | User downloads a file. |
| Exported data | DataExport | Verified admin exports Yammer network data. Only verified admins can perform this operation. |
| Failed to access community* | CommunityAccessFailure | User failed to access a community. |
| Failed to access file* | FileAccessFailure | User failed to access a file. |
| Failed to access message* | MessageAccessFailure | User failed to access a message. |
| Shared file | FileShared | User shares a file with another user. |
| Suspended network user | NetworkUserSuspended | Network or verified admin suspends (deactivates) a user from Yammer. |
| Suspended user | UserSuspension | User account is suspended (deactivated). |
| Updated file description | FileUpdateDescription | User changes the description of a file. |
| Updated file name | FileUpdateName | User changes the name of a file. |
| Updated message* | MessageUpdated | User updates a message. |
| Viewed file | FileVisited | User views a file. |
| Viewed message* | MessageViewed | User views a message. |

Microsoft Power Automate activities

You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog Power Automate audit events now available in Microsoft 365 compliance center.

Microsoft Power Apps activities

You can search the audit log for app-related activities in Power Apps. These activities include creating, launching, and publishing an app. Assigning permissions to apps is also audited. For a description of all Power Apps activities, see Activity logging for Power Apps.

Microsoft Stream activities

You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in Audit Logs in Microsoft Stream.

Content explorer activities

The following table lists the activities in content explorer that are logged in the audit log. Content explorer is accessed from the Data classification tool in the Microsoft 365 compliance center. For more information, see Using data classification content explorer.

| Friendly name | Operation | Description |
|---|---|---|
| Accessed item | LabelContentExplorerAccessedItem | An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document. |

Quarantine activities

The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see Quarantine email messages.

| Friendly name | Operation | Description |
|---|---|---|
| Deleted quarantine message | QuarantineDelete | A user deleted an email message that was deemed to be harmful. |
| Exported quarantine message | QuarantineExport | A user exported an email message that was deemed to be harmful. |
| Previewed quarantine message | QuarantinePreview | A user previewed an email message that was deemed to be harmful. |
| Released quarantine message | QuarantineRelease | A user released an email message from quarantine that was deemed to be harmful. |
| Viewed quarantine message's header | QuarantineViewHeader | A user viewed the header of an email message that was deemed to be harmful. |

Microsoft Forms activities

The tables in this section list the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis. Where noted below in the descriptions, some operations contain additional activity parameters.

If a Forms activity is performed by a coauthor or an anonymous responder, it will be logged slightly differently. For more information, see the Forms activities performed by coauthors and anonymous responders section.

Service assurance: Provides information about how Microsoft maintains security, privacy, and compliance with global standards for Microsoft 365, Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and other cloud services.

Also includes access to third-party ISO, SOC, and other audit reports, as well as Audited Controls, which provides details about the various controls that have been tested and verified by third-party auditors of Microsoft 365.

| Friendly name | Operation | Description |
|---|---|---|
| Created comment | CreateComment | Form owner adds a comment or score to a quiz. |
| Created form | CreateForm | Form owner creates a new form. Property DataMode:string indicates the current form is set to sync with a new or existing Excel workbook if the property value equals DataSync. Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form. |
| Edited form | EditForm | Form owner edits a form, such as creating, removing, or editing a question. The property EditOperation:string indicates the edit operation name. The possible operations are: CreateQuestion, CreateQuestionChoice, DeleteQuestion, DeleteQuestionChoice, DeleteFormImage, DeleteQuestionImage, UpdateQuestion, UpdateQuestionChoice, UploadFormImage/Bing/Onedrive, UploadQuestionImage, and ChangeTheme. FormImage includes any place within Forms that a user can upload an image, such as in a query or as a background theme. |
| Moved form | MoveForm | Form owner moves a form. Property DestinationUserId:string indicates the user ID of the person who moved the form. Property NewFormId:string is the new ID for the newly copied form. Property IsDelegateAccess:boolean indicates the current form move action is performed through the admin delegate page. |
| Deleted form | DeleteForm | Form owner deletes a form. This includes SoftDelete (delete option used and form moved to recycle bin) and HardDelete (Recycle bin is emptied). |
| Viewed form (design time) | ViewForm | Form owner opens an existing form for editing. Property AccessDenied:boolean indicates access to the current form is denied due to a permission check. Property FromSummaryLink:boolean indicates the current request comes from the summary link page. |
| Previewed form | PreviewForm | Form owner previews a form using the Preview function. |
| Exported form | ExportForm | Form owner exports results to Excel. Property ExportFormat:string indicates whether the Excel file is Download or Online. |
| Allowed share form for copy | AllowShareFormForCopy | Form owner creates a template link to share the form with other users. This event is logged when the form owner clicks to generate the template URL. |
| Disallowed share form for copy | DisallowShareFormForCopy | Form owner deletes the template link. |
| Added form coauthor | AddFormCoauthor | A user uses a collaboration link to help design the form or view responses. This event is logged when a user uses a collaboration URL (not when the collaboration URL is first generated). |
| Removed form coauthor | RemoveFormCoauthor | Form owner deletes a collaboration link. |
| Viewed response page | ViewRuntimeForm | User has opened a response page to view. This event is logged regardless of whether the user submits a response or not. |
| Created response | CreateResponse | Similar to receiving a new response. A user has submitted a response to a form. Property ResponseId:string and Property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Updated response | UpdateResponse | Form owner has updated a comment or score on a quiz. Property ResponseId:string and Property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Deleted all responses | DeleteAllResponses | Form owner deletes all response data. |
| Deleted response | DeleteResponse | Form owner deletes one response. Property ResponseId:string indicates the response being deleted. |
| Viewed responses | ViewResponses | Form owner views the aggregated list of responses. Property ViewType:string indicates whether the form owner is viewing Detail or Aggregate. |
| Viewed response | ViewResponse | Form owner views a particular response. Property ResponseId:string and Property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Created summary link | GetSummaryLink | Form owner creates a summary results link to share results. |
| Deleted summary link | DeleteSummaryLink | Form owner deletes the summary results link. |
| Updated form phishing status | UpdatePhishingStatus | This event is logged whenever the detailed value for the internal security status was changed, regardless of whether this changed the final security state (for example, form is now Closed or Opened). This means you may see duplicate events without a final security state change. The possible status values for this event are: Take Down, Take Down by Admin, Admin Unblocked, Auto Blocked, Auto Unblocked, Customer Reported, and Reset Customer Reported. |
| Updated user phishing status | UpdateUserPhishingStatus | This event is logged whenever the value for the user security status was changed. The value of the user status in the audit record is Confirmed as Phisher when the user created a phishing form that was taken down by the Microsoft Online safety team. If an admin unblocks the user, the value of the user's status is set to Reset as Normal User. |
| Sent Forms Pro invitation | ProInvitation | User clicks to activate a Pro trial. |
| Updated form setting* | UpdateFormSetting | Form owner updates one or multiple form settings. Property FormSettingName:string indicates the updated sensitive setting's name. Property NewFormSettings:string indicates the updated settings' names and new values. Property thankYouMessageContainsLink:boolean indicates the updated thank-you message contains a URL link. |
| Updated user setting | UpdateUserSetting | Form owner updates a user setting. Property UserSettingName:string indicates the setting's name and new value. |
| Listed forms* | ListForms | Form owner is viewing a list of forms. Property ViewType:string indicates which view the form owner is looking at: All Forms, Shared with Me, or Group Forms. |
| Submitted response | SubmitResponse | A user submits a response to a form. Property IsInternalForm:boolean indicates if the responder is within the same organization as the form owner. |
| Enabled anyone can respond setting* | AllowAnonymousResponse | Form owner turns on the setting allowing anyone to respond to the form. |
| Disabled anyone can respond setting* | DisallowAnonymousResponse | Form owner turns off the setting allowing anyone to respond to the form. |
| Enabled specific people can respond setting* | EnableSpecificResponse | Form owner turns on the setting allowing only specific people or specific groups in the current organization to respond to the form. |
| Disabled specific people can respond setting* | DisableSpecificResponse | Form owner turns off the setting allowing only specific people or specific groups in the current organization to respond to the form. |
| Added specific responder* | AddSpecificResponder | Form owner adds a new user or group to the specific responders list. |
| Removed specific responder* | RemoveSpecificResponder | Form owner removes a user or group from the specific responders list. |
| Disabled collaboration* | DisableCollaboration | Form owner turns off the collaboration setting on the form. |
| Enabled Office 365 work or school account collaboration* | EnableWorkOrSchoolCollaboration | Form owner turns on the setting allowing users with a Microsoft 365 work or school account to view and edit the form. |
| Enabled people in my organization collaboration* | EnableSameOrgCollaboration | Form owner turns on the setting allowing users in the current organization to view and edit the form. |
| Enabled specific people collaboration* | EnableSpecificCollaboaration | Form owner turns on the setting allowing only specific people or specific groups in the current organization to view and edit the form. |
| Connected to Excel workbook* | ConnectToExcelWorkbook | Connected the form to an Excel workbook. Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form. |
| Created a collection | CollectionCreated | Form owner created a collection. |
| Updated a collection | CollectionUpdated | Form owner updated a collection property. |
| Deleted collection from the Recycle Bin | CollectionHardDeleted | Form owner hard-deleted a collection from the Recycle Bin. |
| Moved collection to the Recycle Bin | CollectionSoftDeleted | Form owner moved a collection to the Recycle Bin. |
| Renamed a collection | CollectionRenamed | Form owner changed the name of a collection. |
| Moved a form into collection | MovedFormIntoCollection | Form owner moved a form into a collection. |
| Moved a form out of collection | MovedFormOutofCollection | Form owner moved a form out of a collection. |

Forms activities performed by coauthors and anonymous responders

Forms supports collaboration when forms are designed and when analyzing responses. A form collaborator is known as a coauthor. Coauthors can do everything a form owner can do, except delete or move a form. Forms also allows you to create a form that can be responded to anonymously. This means the responder doesn't have to be signed into your organization to respond to a form.

The following table describes the auditing activities and information in the audit record for activities performed by coauthors and anonymous responders.

| Activity type | Internal or external user | User ID that's logged | Organization logged in to | Forms user type |
|---|---|---|---|---|
| Coauthoring activities | Internal | UPN | Form owner's org | Coauthor |
| Coauthoring activities | External | UPN | Coauthor's org | Coauthor |
| Coauthoring activities | External | urn:forms:coauthor#[email protected] (The second part of the ID is a hash, which will differ for different users) | Form owner's org | Coauthor |
| Response activities | External | UPN | Responder's org | Responder |
| Response activities | External | urn:forms:external#[email protected] (The second part of the User ID is a hash, which will differ for different users) | Form owner's org | Responder |
| Response activities | Anonymous | urn:forms:anonymous#[email protected] (The second part of the User ID is a hash, which will differ for different users) | Form owner's org | Responder |
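For an investigator, the practical consequence of the table above is that a Forms audit record's UserId is only resolvable to a directory account when it is a UPN; the urn:forms:coauthor#, urn:forms:external# and urn:forms:anonymous# forms carry a per-user hash instead. The following Python is an added example (not Microsoft's code) that maps a UserId back to the table's columns. It assumes the text after "#" is the hash, decides internal versus external for a UPN by comparing its domain with the form owner's organization domains, and treats the coauthoring/response grouping as supplied by the caller; it also handles an internal responder logged as a UPN, a case the table does not list. All sample IDs and hashes are constructed.

```python
from collections import Counter

# Prefixes the page lists for actors who are not logged as a plain UPN,
# mapped to (Forms user type, internal/external/anonymous).
URN_PREFIXES = {
    "urn:forms:coauthor#": ("Coauthor", "External"),
    "urn:forms:external#": ("Responder", "External"),
    "urn:forms:anonymous#": ("Responder", "Anonymous"),
}


def describe_forms_actor(user_id: str, owner_domains: set, activity: str) -> dict:
    """Map a Forms audit UserId to the table's columns.

    activity is "coauthoring" or "response" (assumed caller-supplied grouping);
    owner_domains is the set of the form owner's organization domains (assumed known).
    """
    uid = user_id.strip()
    for prefix, (user_type, origin) in URN_PREFIXES.items():
        if uid.lower().startswith(prefix):
            # Hashed identity: the actor was logged in to the form owner's org but
            # cannot be resolved to a directory user from the audit record alone.
            return {
                "forms_user_type": user_type,
                "origin": origin,
                "org": "form owner's org",
                "identity": "hash",
                "hash": uid[len(prefix):],
            }

    if "@" not in uid:
        raise ValueError(f"unrecognised Forms user id: {user_id!r}")

    # Plain UPN: internal if its domain belongs to the form owner's organization.
    domain = uid.rsplit("@", 1)[1].lower()
    user_type = "Coauthor" if activity == "coauthoring" else "Responder"
    internal = domain in {d.lower() for d in owner_domains}
    if internal:
        org = "form owner's org"
    else:
        org = "coauthor's org" if user_type == "Coauthor" else "responder's org"
    return {
        "forms_user_type": user_type,
        "origin": "Internal" if internal else "External",
        "org": org,
        "identity": "UPN",
        "hash": None,
    }


def summarize(records: list, owner_domains: set) -> Counter:
    """Count records by (Forms user type, origin, identity kind) so a reviewer can
    see how many actors in a batch are unresolvable hashes."""
    counts = Counter()
    for user_id, activity in records:
        d = describe_forms_actor(user_id, owner_domains, activity)
        counts[(d["forms_user_type"], d["origin"], d["identity"])] += 1
    return counts


# Constructed sample: (UserId, activity grouping). Hash values are placeholders.
OWNER_DOMAINS = {"example.com"}
SAMPLE_RECORDS = [
    ("alice@example.com", "coauthoring"),
    ("bob@partner-example.net", "coauthoring"),
    ("urn:forms:coauthor#0123abcd", "coauthoring"),
    ("carol@example.com", "response"),
    ("dave@partner-example.net", "response"),
    ("urn:forms:external#4567ef01", "response"),
    ("urn:forms:anonymous#89ab2345", "response"),
    ("urn:forms:anonymous#cdef6789", "response"),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_RECORDS, OWNER_DOMAINS).items()):
        print(f"{n:>3}  {key}")
```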

Sensitivity label activities

The following table lists events that result from using sensitivity labels.

| Friendly name | Operation | Description |
|---|---|---|
| Applied sensitivity label to site | SensitivityLabelApplied | A sensitivity label was applied to a SharePoint or Teams site. |
| Removed sensitivity label from site | SensitivityLabelRemoved | A sensitivity label was removed from a SharePoint or Teams site. |
| Applied sensitivity label to file | FileSensitivityLabelApplied | A sensitivity label was applied to a document by using Microsoft 365 apps, Office on the web, or an auto-labeling policy. |
| Changed sensitivity label applied to file | FileSensitivityLabelChanged, SensitivityLabelUpdated | A different sensitivity label was applied to a document. The operation logged depends on how the label was changed: FileSensitivityLabelChanged for Office on the web or an auto-labeling policy; SensitivityLabelUpdated for Microsoft 365 apps. |
| Changed sensitivity label on a site | SensitivityLabelChanged | A different sensitivity label was applied to a SharePoint or Teams site. |
| Removed sensitivity label from file | FileSensitivityLabelRemoved | A sensitivity label was removed from a document by using Microsoft 365 apps, Office on the web, an auto-labeling policy, or the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. |

Retention policy and retention label activities

The following table describes the configuration activities for retention policies and retention labels when they were created, reconfigured, or deleted.

| Friendly name | Operation | Description |
|---|---|---|
| Changed adaptive scope membership | ApplicableAdaptiveScopeChange | Users, sites, or groups were added to or removed from the adaptive scope. These changes are the results of running the scope's query. Because the changes are system-initiated, the reported user displays as a GUID rather than a user account. |
| Configured settings for a retention policy | NewRetentionComplianceRule | Administrator configured the retention settings for a new retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the New-RetentionComplianceRule cmdlet. |
| Created adaptive scope | NewAdaptiveScope | Administrator created an adaptive scope. |
| Created retention label | NewComplianceTag | Administrator created a new retention label. |
| Created retention policy | NewRetentionCompliancePolicy | Administrator created a new retention policy. |
| Deleted adaptive scope | RemoveAdaptiveScope | Administrator deleted an adaptive scope. |
| Deleted settings from a retention policy | RemoveRetentionComplianceRule | Administrator deleted the configuration settings of a retention policy. Most likely, this activity is logged when an administrator deletes a retention policy or runs the Remove-RetentionComplianceRule cmdlet. |
| Deleted retention label | RemoveComplianceTag | Administrator deleted a retention label. |
| Deleted retention policy | RemoveRetentionCompliancePolicy | Administrator deleted a retention policy. |
| Enabled regulatory record option for retention labels | SetRestrictiveRetentionUI | Administrator ran the Set-RegulatoryComplianceUI cmdlet so that an administrator can then select the UI configuration option for a retention label to mark content as a regulatory record. |
| Updated adaptive scope | SetAdaptiveScope | Administrator changed the description or query for an existing adaptive scope. |
| Updated settings for a retention policy | SetRetentionComplianceRule | Administrator changed the retention settings for an existing retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the Set-RetentionComplianceRule cmdlet. |
| Updated retention label | SetComplianceTag | Administrator updated an existing retention label. |
| Updated retention policy | SetRetentionCompliancePolicy | Administrator updated an existing retention policy. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to. |

Briefing email activities

The following table lists the activities in Briefing email that are logged in the Microsoft 365 audit log. For more information about Briefing email, see:

| Friendly name | Operation | Description |
|---|---|---|
| Updated organization privacy settings | UpdatedOrganizationBriefingSettings | Admin updates the organization privacy settings for Briefing email. |
| Updated user privacy settings | UpdatedUserBriefingSettings | Admin updates the user privacy settings for Briefing email. |

MyAnalytics activities

The following table lists the activities in MyAnalytics that are logged in the Microsoft 365 audit log. For more information about MyAnalytics, see MyAnalytics for admins.

| Friendly name | Operation | Description |
|---|---|---|
| Updated organization MyAnalytics settings | UpdatedOrganizationMyAnalyticsSettings | Admin updates organization-level settings for MyAnalytics. |
| Updated user MyAnalytics settings | UpdatedUserMyAnalyticsSettings | Admin updates user settings for MyAnalytics. |

Information barriers activities

The following table lists the activities in information barriers that are logged in the Microsoft 365 audit log. For more information about information barriers, see Learn about information barriers in Microsoft 365.

| Friendly name | Operation | Description |
|---|---|---|
| Added segments to a site | SegmentsAdded | A SharePoint administrator, global administrator, or site owner added one or more information barriers segments to a site. |
| Changed segments of a site | SegmentsChanged | A SharePoint or global administrator changed one or more information barriers segments for a site. |
| Removed segments from a site | SegmentsRemoved | A SharePoint or global administrator removed one or more information barriers segments from a site. |

Disposition review activities

The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period. For more information, see Viewing and disposing of content.

| Friendly name | Operation | Description |
|---|---|---|
| Approved disposal | ApproveDisposal | A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion. |
| Extended retention period | ExtendRetention | A disposition reviewer extended the retention period of the item. |
| Relabeled item | RelabelItem | A disposition reviewer relabeled the retention label. |
| Added reviewers | AddReviewer | A disposition reviewer added one or more other users to the current disposition review stage. |

Communication compliance activities

The following table lists communication compliance activities that are logged in the Microsoft 365 audit log. For more information, see Learn about communication compliance in Microsoft 365.

| Friendly name | Operation | Description |
|---|---|---|
| Policy update | SupervisionPolicyCreated, SupervisionPolicyUpdated, SupervisionPolicyDeleted | A communication compliance administrator has performed a policy update. |
| Policy match | SupervisionRuleMatch | A user has sent a message that matches a policy's condition. |
| Tag applied to message(s) | SupervisoryReviewTag | Tags are applied to messages or messages are resolved. |

Report activities

The following table lists the activities for usage reports that are logged in the Microsoft 365 audit log.

| Friendly name | Operation | Description |
|---|---|---|
| Updated usage report privacy settings | UpdateUsageReportsPrivacySetting | Admin updated privacy settings for usage reports. |

Exchange admin audit log

Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs Get-, Search-, or Test- are not logged in the audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.

Important

Some Exchange Online cmdlets aren't logged in the Exchange admin audit log (or in the unified audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a design change request (DCR) to Microsoft Support.

Here are some tips for searching for Exchange admin activities when searching the audit log:

  • To return entries from the Exchange admin audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.

  • To display events from the Exchange admin audit log, click the Activity column to sort the cmdlet names in alphabetical order.

  • To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option. For more information, see Export, configure, and view audit log records.

  • You can also use the Search-UnifiedAuditLog -RecordType ExchangeAdmin command in Exchange Online PowerShell to return only audit records from the Exchange admin audit log. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. For more information, see Search-UnifiedAuditLog. For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.

  • You can also view events in the Exchange admin audit log by using the Exchange admin center or by running the Search-AdminAuditLog cmdlet in Exchange Online PowerShell. This is a good way to specifically search for activity performed by Exchange Online administrators. For instructions, see:

    Keep in mind that the same Exchange admin activities are logged in both the Exchange admin audit log and audit log.
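The following is an added example, not code from the article: it runs the Search-UnifiedAuditLog query from the tips above and expands the AuditData JSON so the cmdlet that was run, its parameters and the affected object appear in one table, as a practitioner would when reviewing an administrator's changes. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline already run) with permission to search the audit log; the administrator UPN, the date window and the output path are placeholders, and the AuditData property names (Operation, Parameters, ObjectId, ResultStatus) are taken from the Office 365 Management Activity API schema, not from this page.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has already been run.
# Placeholders to adjust: $Admin, the date window and the output path.
$Admin = 'admin@contoso.example'           # placeholder UPN of the Exchange administrator to review
$Start = (Get-Date).AddDays(-7)            # Search-UnifiedAuditLog takes a StartDate/EndDate window
$End   = Get-Date

# Page through the results: a fixed SessionId with ReturnLargeSet lets the cmdlet
# hand back up to 50,000 records in pages of at most 5,000.
$SessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType ExchangeAdmin -UserIds $Admin `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string. Operation holds the cmdlet name, Parameters the
# name/value pairs it was run with, ObjectId the object that was changed
# (property names per the Office 365 Management Activity API schema, assumed here).
$summary = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $r.CreationDate
        Admin      = $r.UserIds
        Cmdlet     = $data.Operation
        Object     = $data.ObjectId
        Parameters = ($data.Parameters | ForEach-Object { "-$($_.Name) '$($_.Value)'" }) -join ' '
        Result     = $data.ResultStatus
    }
}

# Full detail to CSV (the same information the portal's "Download all results" option
# gives), plus a count per cmdlet so unusual configuration changes stand out quickly.
$summary | Sort-Object Time | Export-Csv -Path .\ExchangeAdminAudit.csv -NoTypeInformation
$summary | Group-Object Cmdlet | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Records for a cmdlet run in the last half hour may not appear yet, since the article notes that an Exchange admin audit entry can take up to 30 minutes to become searchable.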

Frequently asked questions

What are different Microsoft 365 services that are currently audited?

The most used services like Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Dynamics 365, Defender for Office 365, and Power BI are audited. See the beginning of this article for a list of services that are audited.

What activities are audited by auditing service in Microsoft 365?

See the Audited activities section in this article for a list and description of the activities that are audited.

How long does it take for an auditing record to be available after an event has occurred?

Most auditing data is available within 30 minutes but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. See the table in the Before you search the audit log section of this article that shows the time it takes for events in the different services to be available.

How long are the audit records retained for?

As previously explained, audit records for activities performed by users assigned an Office 365 E5 or Microsoft E5 license (or users with a Microsoft 365 E5 add-on license) are retained for one year. For all other subscriptions that support unified audit logging, audit records are retained for 90 days.

Can I access the auditing data programmatically?

Yes. The Office 365 Management Activity API is used to fetch the audit logs programmatically. To get started, see Get started with Office 365 Management APIs.

Are there other ways to get auditing logs other than using the security and compliance center or the Office 365 Management Activity API?

No. These are the only two ways to get data from the auditing service.

Do I need to individually enable auditing in each service that I want to capture audit logs for?

In most services, auditing is enabled by default after you initially turn on auditing for your organization (as described in the Before you search the audit log section in this article).

Does the auditing service support de-duplication of records?

No. The auditing service pipeline is near real time, and therefore can't support de-duplication.

Where is auditing data stored?

We currently have auditing pipeline deployments in the NA (North America), EMEA (Europe, Middle East, and Africa), and APAC (Asia Pacific) regions. Tenants homed in these regions have their auditing data stored in region. For multi-geo tenants, the audit data collected from all regions of the tenant is stored only in the tenant's home region. However, we may flow the data across these regions for load-balancing, and only during live-site issues. When we do perform these activities, the data in transit is encrypted.

Is auditing data encrypted?

Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the unified auditing pipeline is deployed. Mailbox data at rest is not encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted via BitLocker. For more information, see Microsoft 365 Encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online.

Mail data in transit is always encrypted.
