Audit Copilot Studio activities in Microsoft Purview

This article lists and describes the Copilot Studio activities that are logged and available using the Microsoft Purview compliance portal. These logs are also accessible to developers via the Office 365 Management API.

Changes to the content and settings of an agent can affect security and agent behavior. It's important to audit such actions to help mitigate failures, help contain systems of security constraints, adhere to compliance requirements, and act on security threats.

Copilot Studio logs activities related to both administrative and maker and user interactions with agents.

The data used to generate the audit logs is stored in accordance with Copilot Studio security and compliance standards. For more information, see Microsoft Copilot Studio security and compliance.

Important

Administrative activities for Copilot Studio are enabled by default on all tenants. You can't disable activity collection, but you can disable the audit logs in Purview and use retention policies to prevent the retention of user message text and response text.

Prerequisites

Access the logs

  1. Sign in to the Microsoft Purview compliance portal as a tenant admin.

  2. In the left menu, select Show all.

  3. Under Solutions, select Audit.

Admins can filter for Copilot Studio activities in the Activities list. Activities are mapped to event types and categories, as listed in the following tables in this article.

Screenshot of the search results showing friendly names for activities in Purview.

Compliance managers can also use the Data Security Posture Management (DSPM) for AI solution to view chat transcripts for CopilotInteraction events. For more information, see Data Security Posture Management (DSPM).

See audited events (agent authoring)

All logging is done at the SDK layer, so a single action can trigger multiple logged events.

This table lists events typically related to administrative actions in Copilot Studio, such as deleting an agent or updating an agent's name, details, or configuration.

Category Event label Description of the event
Agents BotDeleteCleanup The cleanup of dependencies after an agent is deleted in Copilot Studio
Agents BotNameUpdate Updating the agent's name in Copilot Studio
Agents BotCreate The creation of a new agent in Copilot Studio
Agents BotDelete The deletion of an agent in Copilot Studio
Agents BotAuthUpdate Updating the authentication settings of an agent in Copilot Studio
Agents BotIconUpdate Updating the agent icon in Copilot Studio
Agents BotPublish Publishing of an agent in Copilot Studio
Agents BotShare Sharing of an agent to other users in Copilot Studio
Agents BotAppInsightsUpdate Updating the App Insights logging configuration of an agent in Copilot Studio
Agent Component BotComponentCreate The creation of a component (such as a topic or skill) for an agent in Copilot Studio
Agent Component BotComponentUpdate The update of a component (such as a topic or skill) for an agent in Copilot Studio
Agent Component BotComponentDelete The deletion of a component (such as a topic or skill) for an agent in Copilot Studio
Agent Component Collection BotComponentCollectionCreate The creation of a component collection for an agent in Copilot Studio
Agent Component Collection BotComponentCollectionDelete The deletion of a component collection for an agent in Copilot Studio
Agent Component Collection BotComponentCollectionUpdate The update of a component collection for an agent in Copilot Studio
AI Plugin AIPluginOperationCreate Creating an AI Plugin for an agent in Copilot Studio
AI Plugin AIPluginOperationUpdate Updating an AI Plugin for an agent in Copilot Studio
AI Plugin AIPluginOperationDelete Removing an AI Plugin for an agent in Copilot Studio
Environment Variable EnvironmentVariableCreate Creating an environment variable for an agent in Copilot Studio
Environment Variable EnvironmentVariableUpdate Updating an environment variable for an agent in Copilot Studio
Environment Variable EnvironmentVariableDelete Deleting an environment variable for an agent in Copilot Studio

See audited events (agent usage)

Note

All logging is done at the SDK layer, so a single action can trigger multiple logged events.

Some channels are excluded from logging. For events listed in the Audit solution in Purview, the channel is identified in the audited event's CopilotEventData JSON field as the AppHost value. In the DSPM for AI solution, the channel is identified under the App accessed in field.

This table lists events that are logged for user interactions with Copilot agents in Copilot Studio, such as asking questions and viewing responses. The audited event contains metadata for that activity (including the date/time, organization, user and resource IDs, and the transcript thread ID).

Copilot Studio saves the text of the chat (the transcript) separately from the audited event in Purview. The transcript can be seen or accessed directly from the logged event as it appears in the Data Security Posture Management (DSPM) for AI solution.

Important

The full text or transcript of the interactions between a user and the agent aren't included in the audit logs in the Audit solution, only the transcript thread ID. The Data Security Posture Management (DSPM) for AI solution attempts to retrieve the chat text related to the event, along with links to resources that were accessed as part of the logged event.

Category Event label Description of the event
Users CopilotInteraction User Interactions with a Copilot agent created in Copilot Studio (such as asking questions and viewing responses)

For more information about Copilot interaction events in Microsoft 365, see Copilot interaction events overview.

Schema audit fields

Schemas define which agent fields are sent to the Microsoft Purview compliance portal. Some fields are common to all applications that send audit data to Microsoft Purview, while others are specific to Copilot Studio. The following are fields common to the Power Platform.

Field display name Logical name Type Mandatory Description
Date CreationTime Edm.Date No Date and time when the log was generated in UTC.
Id ID Edm.Guid No Unique GUID for every logged row.
Result Status ResultStatus Edm.String No Status of the logged row.
Organization Id OrganizationId Edm.Guid Yes Unique identifier of the organization from which the log was generated.
Operation Operation Edm.String No Name of the operation, including the event label.
User UserKey Edm.String No Unique identifier of the user in Microsoft Entra ID.
User type UserType Self.UserType No The audit type (admin, regular, or system).

Copilot Studio audit fields

In addition to the fields common to Power Platform administrator activities, Copilot Studio includes the following fields.

Name Type Mandatory Description
BotId Edm.String No A unique identifier of the agent
BotSchemaName Edm.String No A unique string identifying the agent
BotUpdateDetails Edm.ComplexType (Collection) No Details of the properties updated on the agent
BotComponentId Edm.String No A unique identifier of the agent components, such as topics or entities
BotComponentSchemaName Edm.String No A unique string identifying the components of an agent, such as topics or entities
BotComponentType Edm.String No The type of the agent component, such as topics or entities
BotComponentUpdateDetails Edm.ComplexType (Collection) No Details of the updated properties of the agent's component
AIPluginOperationId Edm.String No A unique identifier for the operation with the AI plugin
AIPluginOperationName Edm.String No The name of the operation with the AI plugin
EnvironmentVariableDefinitionSchemaName Edm.String No Schema name for the environment variable definition associated with the agent
EnvironmentVariableDefinitionId Edm.String No A unique identifier for the environment variable definition associated with the agent

Disable audit logging

You can disable event logging of all audit events across your tenant in Purview.

To prevent retention of user and agent text, you can create a Data Lifecycle Management policy in Purview that sets a retention policy of 0 days for Copilot Experiences.

For more information, see Create and configure retention policies.