Audit Copilot Studio activities in Microsoft Purview
This article lists and describes the Copilot Studio activities that are logged and available using the Microsoft Purview compliance portal. These logs are also accessible to developers via the Office 365 Management API.
Changes to the content and settings of an agent can affect security and agent behavior. It's important to audit such actions to help mitigate failures, help contain systems of security constraints, adhere to compliance requirements, and act on security threats.
Copilot Studio logs activities related to both administrative and maker and user interactions with agents.
The data used to generate the audit logs is stored in accordance with Copilot Studio security and compliance standards. For more information, see Microsoft Copilot Studio security and compliance.
Important
Administrative activities for Copilot Studio are enabled by default on all tenants. You can't disable activity collection, but you can disable the audit logs in Purview and use retention policies to prevent the retention of user message text and response text.
Prerequisites
- Users must have an assigned Microsoft 365 license so that Copilot Studio can record audit events and save transcripts of their conversations with Microsoft 365 Copilot.
- Your tenant isn't a Federal Risk and Authorization Management Program (FedRAMP) tenant.
Access the logs
Sign in to the Microsoft Purview compliance portal as a tenant admin.
In the left menu, select Show all.
Under Solutions, select Audit.
Admins can filter for Copilot Studio activities in the Activities list. Activities are mapped to event types and categories, as listed in the following tables in this article.
Compliance managers can also use the Data Security Posture Management (DSPM) for AI solution to view chat transcripts for CopilotInteraction events. For more information, see Data Security Posture Management (DSPM).
See audited events (agent authoring)
All logging is done at the SDK layer, so a single action can trigger multiple logged events.
This table lists events typically related to administrative actions in Copilot Studio, such as deleting an agent or updating an agent's name, details, or configuration.
Category | Event label | Description of the event |
---|---|---|
Agents | BotDeleteCleanup |
The cleanup of dependencies after an agent is deleted in Copilot Studio |
Agents | BotNameUpdate |
Updating the agent's name in Copilot Studio |
Agents | BotCreate |
The creation of a new agent in Copilot Studio |
Agents | BotDelete |
The deletion of an agent in Copilot Studio |
Agents | BotAuthUpdate |
Updating the authentication settings of an agent in Copilot Studio |
Agents | BotIconUpdate |
Updating the agent icon in Copilot Studio |
Agents | BotPublish |
Publishing of an agent in Copilot Studio |
Agents | BotShare |
Sharing of an agent to other users in Copilot Studio |
Agents | BotAppInsightsUpdate |
Updating the App Insights logging configuration of an agent in Copilot Studio |
Agent Component | BotComponentCreate |
The creation of a component (such as a topic or skill) for an agent in Copilot Studio |
Agent Component | BotComponentUpdate |
The update of a component (such as a topic or skill) for an agent in Copilot Studio |
Agent Component | BotComponentDelete |
The deletion of a component (such as a topic or skill) for an agent in Copilot Studio |
Agent Component Collection | BotComponentCollectionCreate |
The creation of a component collection for an agent in Copilot Studio |
Agent Component Collection | BotComponentCollectionDelete |
The deletion of a component collection for an agent in Copilot Studio |
Agent Component Collection | BotComponentCollectionUpdate |
The update of a component collection for an agent in Copilot Studio |
AI Plugin | AIPluginOperationCreate |
Creating an AI Plugin for an agent in Copilot Studio |
AI Plugin | AIPluginOperationUpdate |
Updating an AI Plugin for an agent in Copilot Studio |
AI Plugin | AIPluginOperationDelete |
Removing an AI Plugin for an agent in Copilot Studio |
Environment Variable | EnvironmentVariableCreate |
Creating an environment variable for an agent in Copilot Studio |
Environment Variable | EnvironmentVariableUpdate |
Updating an environment variable for an agent in Copilot Studio |
Environment Variable | EnvironmentVariableDelete |
Deleting an environment variable for an agent in Copilot Studio |
See audited events (agent usage)
Note
All logging is done at the SDK layer, so a single action can trigger multiple logged events.
Some channels are excluded from logging.
For events listed in the Audit solution in Purview, the channel is identified in the audited event's CopilotEventData JSON field as the AppHost
value.
In the DSPM for AI solution, the channel is identified under the App accessed in field.
This table lists events that are logged for user interactions with Copilot agents in Copilot Studio, such as asking questions and viewing responses. The audited event contains metadata for that activity (including the date/time, organization, user and resource IDs, and the transcript thread ID).
Copilot Studio saves the text of the chat (the transcript) separately from the audited event in Purview. The transcript can be seen or accessed directly from the logged event as it appears in the Data Security Posture Management (DSPM) for AI solution.
Important
The full text or transcript of the interactions between a user and the agent aren't included in the audit logs in the Audit solution, only the transcript thread ID. The Data Security Posture Management (DSPM) for AI solution attempts to retrieve the chat text related to the event, along with links to resources that were accessed as part of the logged event.
Category | Event label | Description of the event |
---|---|---|
Users | CopilotInteraction |
User Interactions with a Copilot agent created in Copilot Studio (such as asking questions and viewing responses) |
For more information about Copilot interaction events in Microsoft 365, see Copilot interaction events overview.
Schema audit fields
Schemas define which agent fields are sent to the Microsoft Purview compliance portal. Some fields are common to all applications that send audit data to Microsoft Purview, while others are specific to Copilot Studio. The following are fields common to the Power Platform.
Field display name | Logical name | Type | Mandatory | Description |
---|---|---|---|---|
Date | CreationTime |
Edm.Date |
No | Date and time when the log was generated in UTC. |
Id | ID |
Edm.Guid |
No | Unique GUID for every logged row. |
Result Status | ResultStatus |
Edm.String |
No | Status of the logged row. |
Organization Id | OrganizationId |
Edm.Guid |
Yes | Unique identifier of the organization from which the log was generated. |
Operation | Operation |
Edm.String |
No | Name of the operation, including the event label. |
User | UserKey |
Edm.String |
No | Unique identifier of the user in Microsoft Entra ID. |
User type | UserType |
Self.UserType |
No | The audit type (admin, regular, or system). |
Copilot Studio audit fields
In addition to the fields common to Power Platform administrator activities, Copilot Studio includes the following fields.
Name | Type | Mandatory | Description |
---|---|---|---|
BotId |
Edm.String |
No | A unique identifier of the agent |
BotSchemaName |
Edm.String |
No | A unique string identifying the agent |
BotUpdateDetails |
Edm.ComplexType (Collection) |
No | Details of the properties updated on the agent |
BotComponentId |
Edm.String |
No | A unique identifier of the agent components, such as topics or entities |
BotComponentSchemaName |
Edm.String |
No | A unique string identifying the components of an agent, such as topics or entities |
BotComponentType |
Edm.String |
No | The type of the agent component, such as topics or entities |
BotComponentUpdateDetails |
Edm.ComplexType (Collection) |
No | Details of the updated properties of the agent's component |
AIPluginOperationId |
Edm.String |
No | A unique identifier for the operation with the AI plugin |
AIPluginOperationName |
Edm.String |
No | The name of the operation with the AI plugin |
EnvironmentVariableDefinitionSchemaName |
Edm.String |
No | Schema name for the environment variable definition associated with the agent |
EnvironmentVariableDefinitionId |
Edm.String |
No | A unique identifier for the environment variable definition associated with the agent |
Disable audit logging
You can disable event logging of all audit events across your tenant in Purview.
To prevent retention of user and agent text, you can create a Data Lifecycle Management policy in Purview that sets a retention policy of 0 days for Copilot Experiences.
For more information, see Create and configure retention policies.