Audit log activities

The tables in this article describe the activities that are audited in Microsoft 365. You can search for these activities by searching the audit log in the Microsoft Purview portal or Microsoft Purview compliance portal.

These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the Activities drop-down list (or that are available in PowerShell) and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see Audit log detailed properties.

Tip

Select one of the links in the In this article list at the top of this article to go directly to a specific product table.

Application administration activities

The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Microsoft Entra ID. Any application that relies on Microsoft Entra ID for authentication must be registered in the directory.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name Operation Description
Added delegation entry Add delegation entry. An authentication permission was created/granted to an application in Microsoft Entra ID.
Added service principal Add service principal. An application was registered in Microsoft Entra ID. An application is represented by a service principal in the directory.
Added credentials to a service principal Add service principal credentials. Credentials were added to a service principal in Microsoft Entra ID. A service principle represents an application in the directory.
Removed delegation entry Remove delegation entry. An authentication permission was removed from an application in Microsoft Entra ID.
Removed a service principal from the directory Remove service principal. An application was deleted/unregistered from Microsoft Entra ID. An application is represented by a service principal in the directory.
Removed credentials from a service principal Remove service principal credentials. Credentials were removed from a service principal in Microsoft Entra ID. A service principle represents an application in the directory.
Set delegation entry Set delegation entry. An authentication permission was updated for an application in Microsoft Entra ID.

Briefing email activities

The following table lists the activities in Briefing email that are logged in the Microsoft 365 audit log. For more information about Briefing email, see:

Friendly name Operation Description
Updated organization privacy settings UpdatedOrganizationBriefingSettings Admin updates the organization privacy settings for Briefing email.
Updated user privacy settings UpdatedUserBriefingSettings Admin updates the user privacy settings for Briefing email.

Communication compliance activities

The following table lists communication compliance activities that are logged in the Microsoft 365 audit log. For more information, see Learn about Microsoft Purview Communication Compliance.

Note

These activities are available when using the Search-UnifiedAuditLog PowerShell cmdlet. These activities aren't available in the Activities drop-down list.

Friendly name Operation Description
Policy update SupervisionPolicyCreated, SupervisionPolicyUpdated, SupervisionPolicyDeleted A communication compliance administrator has performed a policy update.
Policy match SupervisionRuleMatch A user has sent a message that matches a policy's condition.
Tag applied to message(s) SupervisoryReviewTag Tags are applied to messages or messages are resolved.

Compliance Manager activities

The following table lists the operations and activities that are logged when an admin manages the settings in Compliance Manager. For more information, see Learn about Compliance Manager.

Friendly name Operation Description
Roles change ComplianceManagerRolesChange An admin changed the roles for users.
Tenant automation level change ComplianceManagerAutomationLevelChange An admin changed the automation level for tenant across all actions.
Testing source automation change ComplianceManagerAutomationChange An admin changed the testing source automation settings.

Content explorer activities

The following table lists the activities in content explorer that are logged in the audit log. Content explorer, which is accessed on the Data classifications tool in the Microsoft Purview portal and the compliance portal. For more information, see Using data classification content explorer.

Friendly name Operation Description
Accessed item LabelContentExplorerAccessedItem An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document.

Copilot activities

The following table lists the activities from Microsoft 365 Copilot and Microsoft Copilot that are logged in the audit log. Copilot can be accessed across Microsoft services. Activities include how and when users interact with Copilot. This includes the Microsoft service where the activity took place and references to the files accessed during the interaction. For more information about Copilot interaction events and a schema example, see Copilot interaction events overview.

To access the text from the user's prompt during the interaction, see Content Search or view the AI interaction event from the activity explorer in Data Security Posture Management for AI.

For more information about auditing and other compliance management options for Copilot, see Microsoft Purview supports compliance management for Copilot.

Friendly Name Operation Description
Created a new Copilot plugin CreateCopilotPlugin A user (or admin or system on behalf of a user) created a new Copilot plugin.
Created a new Copilot promptbook CreateCopilotPromptBook A user (or admin or system on behalf of a user) created a new promptbook in Copilot.
Deleted a Copilot plugin DeleteCopilotPlugin A user (or admin or system on behalf of a user) deleted a Copilot plugin.
Deleted a Copilot promptbook DeleteCopilotPromptBook A user (or admin or system on behalf of a user) deleted a Copilot promptbook.
Disabled a Copilot plugin DisableCopilotPlugin A user (or admin or system on behalf of a user) disabled a Copilot plugin.
Disabled a Copilot promptbook DisableCopilotPromptBook A user (or admin or system on behalf of a user) disabled a Copilot promptbook.
Enabled a Copilot plugin EnableCopilotPlugin A user (or admin or system on behalf of a user) enabled a Copilot plugin.
Enabled a Copilot promptbook EnableCopilotPromptBook A user (or admin or system on behalf of a user) enabled a Copilot promptbook.
Interacted with Copilot CopilotInteraction A user (or admin or system on behalf of a user) entered prompts in Copilot.
Updated a Copilot plugin setting UpdateCopilotPlugin A user (or admin or system on behalf of a user) updated a Copilot plugin setting.
Updated a Copilot promptbook setting UpdateCopilotPromptBook A user (or admin or system on behalf of a user) updated a Copilot promptbook setting.
Updated a Copilot setting UpdateCopilotSettings An admin (or system on behalf of an admin) updated a Copilot setting.

Directory administration activities

The following table lists Microsoft Entra directory and domain-related activities that are logged when an administrator manages their organization in the Microsoft 365 admin center or in the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name Operation Description
Added domain to company Add domain to company. Added a domain to your organization.
Added a partner to the directory Add partner to company. Added a partner (delegated administrator) to your organization.
Removed domain from company Remove domain from company. Removed a domain from your organization.
Removed a partner from the directory Remove partner from company. Removed a partner (delegated administrator) from your organization.
Set company information Set company information. Updated the company information for your organization. Includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services.
Set domain authentication Set domain authentication. Changed the domain authentication setting for your organization.
Updated the federation settings for a domain Set federation settings on domain. Changed the federation (external sharing) settings for your organization.
Set password policy Set password policy. Changed the length and character constraints for user passwords in your organization.
Turned on Azure AD Sync Set DirSyncEnabled flag. Set the property that enables a directory for Azure AD Sync.
Updated domain Update domain. Updated the settings of a domain in your organization.
Verified domain Verify domain. Verified that your organization is the owner of a domain.
Verified email verified domain Verify email verified domain. Used email verification to verify that your organization is the owner of a domain.

Disposition review activities

The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period, or an item was automatically moved to the next disposition stage or permanently deleted as a result of autoapproval.

Friendly name Operation Description
Approved disposal ApproveDisposal For manual approval: A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion.

For autoapproval: No manual action was taken within the configured autoapproval time period so the item automatically moved to the next disposition stage. If the item was in the only or final stage of disposition review, the item automatically became eligible for permanent deletion.
Extended retention period ExtendRetention A disposition reviewer extended the retention period of the item.
Relabeled item RelabelItem A disposition reviewer relabeled the retention label.
Added reviewers AddReviewer A disposition reviewer added one or more other users to the current disposition review stage.

eDiscovery activities

Content Search and eDiscovery-related activities (for Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium)) that are performed in the Microsoft Purview portal, the Microsoft Purview compliance portal, or by running the corresponding PowerShell cmdlets are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and eDiscovery (Standard) tasks in the portals:

  • Creating and managing eDiscovery (Standard) and eDiscovery (Premium) cases.
  • Creating, starting, and editing Content searches.
  • Performing search actions, such as previewing, exporting, and deleting search results.
  • Managing custodians and review sets in eDiscovery (Premium).
  • Configuring permissions filtering for Content search.
  • Managing the eDiscovery Administrator role.

For more information about searching the audit log, the permissions that are required, and exporting search results, see Search the audit log.

Note

It takes up to 30 minutes for activities that result from the activities listed under eDiscovery activities and eDiscovery (Premium) activities in the Activities drop-down list to be displayed in the search results. Conversely, it takes up to 24 hours for the corresponding events from eDiscovery cmdlet activities to appear in the search results.

Content Search and eDiscovery (Standard) activities

The following table describes the Content Search and eDiscovery (Standard) activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the compliance portal. Some activities performed in eDiscovery (Premium) may be returned when you search for activities in this list.

Note

The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It may take up to 24 hours for eDiscovery cmdlet activities to appear in audit log search results.

Friendly name Operation Corresponding cmdlet Description
Added member to eDiscovery case
CaseMemberAdded
Add-ComplianceCaseMember
A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they've been assigned the necessary permissions.
Changed content search
SearchUpdated
Set-ComplianceSearch
An existing content search was changed. Changes can include adding or removing content locations or editing the search query.
Changed eDiscovery administrator membership
CaseAdminUpdated
Update-eDiscoveryCaseAdmin
The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the CaseAdminAdded operation is logged.
Changed eDiscovery case
CaseUpdated
Set-ComplianceCase
An eDiscovery case was changed. Changes include closing an open case or reopening a closed case.
Changed eDiscovery case membership
CaseMemberUpdated
Update-ComplianceCaseMember
The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, CaseMemberAdded or CaseMemberRemoved operation is logged.
Changed search permissions filter
SearchPermissionUpdated
Set-ComplianceSecurityFilter
A search permissions filter was changed.
Changed search query for eDiscovery case hold
HoldUpdated
Set-CaseHoldRule
A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Content search preview item downloaded
PreviewItemDownloaded
N/A
A user downloaded an item to their local computer (by selecting the Download original item link) when previewing search results.
Content search preview item listed
PreviewItemListed
N/A
A user selected Preview search results to display the preview search results page, which lists up to 1,000 items from the results of a search.
Created content search
SearchCreated
New-ComplianceSearch
A new content search was created.
Created eDiscovery administrator
CaseAdminAdded
Add-eDiscoveryCaseAdmin
A user was added as an eDiscovery Administrator in the organization.
Created eDiscovery case
CaseAdded
New-ComplianceCase
An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Created search permissions filter
SearchPermissionCreated
New-ComplianceSecurityFilter
A search permissions filter was created.
Created search query for eDiscovery case hold
HoldCreated
New-CaseHoldRule
A query-based hold associated with an eDiscovery case was created.
Deleted content search
SearchRemoved
Remove-ComplianceSearch
An existing content search was deleted.
Deleted eDiscovery administrator
CaseAdminRemoved
Remove-eDiscoveryCaseAdmin
An eDiscovery Administrator was deleted from your organization.
Deleted eDiscovery case
CaseRemoved
Remove-ComplianceCase
An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted.
Deleted search permissions filter
SearchPermissionRemoved
Remove-ComplianceSecurityFilter
A search permissions filter was deleted.
Deleted search query for eDiscovery case hold
HoldRemoved
Remove-CaseHoldRule
A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Downloaded export of content search
SearchExportDownloaded
N/A
A user downloaded the results of a content search to their local computer. A Started export of content search activity has to be initiated before search results can be downloaded.
Previewed results of content search
SearchPreviewed
N/A
A user previewed the results of a content search.
Purged results of content search
SearchResultsPurged
New-ComplianceSearchAction
A user purged the results of a Content search by running the New-ComplianceSearchAction -Purge command.
Removed analysis of content search
RemovedSearchResultsSentToZoom
Remove-ComplianceSearchAction
A content search prepare action (to prepare search results for eDiscovery (Premium)) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for eDiscovery (Premium) were deleted from the Microsoft Azure storage area. If the preparation action was older than 2 weeks, then this event indicates that only the corresponding preparation action was deleted.
Removed export of content search
RemovedSearchExported
Remove-ComplianceSearchAction
A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than 2 weeks, then this event indicates that only the corresponding export action was deleted.
Removed member from eDiscovery case
CaseMemberRemoved
Remove-ComplianceCaseMember
A user was removed as a member of an eDiscovery case.
Removed preview results of content search
RemovedSearchPreviewed
Remove-ComplianceSearchAction
A content search preview action was deleted.
Removed purge action performed on content search
RemovedSearchResultsPurged
Remove-ComplianceSearchAction
A content search purge action was deleted.
Removed search report
SearchReportRemoved
Remove-ComplianceSearchAction
A content search export report action was deleted.
Started analysis of content search
SearchResultsSentToZoom
New-ComplianceSearchAction
The results of a content search were prepared for analysis in eDiscovery (Premium).
Started content search
SearchStarted
Start-ComplianceSearch
A content search was started. When you create or change a content search by using the compliance portal, the search is automatically started.
Started export of content search
SearchExported
New-ComplianceSearchAction
A user exported the results of a content search.
Started export report
SearchReport
New-ComplianceSearchAction
A user exported a content search report.
Stopped content search
SearchStopped
Stop-ComplianceSearch
A user stopped a content search.
(none) CaseViewed Get-ComplianceCase A user viewed an eDiscovery (Standard) case in the compliance portal. The audit record for this event includes the name of the case that was viewed.
(none) SearchViewed Get-ComplianceSearch A user viewed a Content search in the compliance portal by accessing the search on the Searches tab in an eDiscovery (Standard) case or accessing it on the Content search page. The audit record for this event includes the identity of the search that was viewed.
(none) ViewedSearchExported Get-ComplianceSearchAction -Export A user viewed a Content search export in the compliance portal by accessing the export on the Exports tab on the Content search page. This activity is also logged when a user views an export associated with an eDiscovery (Standard) case.
(none) ViewedSearchPreviewed Get-ComplianceSearchAction -Preview A user previewed the results of a Content search in the compliance portal. This activity is also logged when a user previews the results of a search associated with an eDiscovery (Standard) case.

eDiscovery (Premium) activities

The following table describes the eDiscovery (Premium) activities logged in the audit log. These activities can be used to help you track the progression of activity in an eDiscovery (Premium) case.

Friendly name Operation Description
Added data to another review set AddWorkingSetQueryToWorkingSet User added documents from one review set to a different review set.
Added data to review set AddQueryToWorkingSet User added the search results from a content search associated with an eDiscovery (Premium) case to a review set.
Added non-Microsoft 365 data to review set AddNonOffice365DataToWorkingSet User added non-Microsoft 365 data to a review set.
Added remediated documents to review set AddRemediatedData User uploads documents that had indexing errors that were fixed to a review set.
Analyzed data in review set RunAlgo User ran analytics on the documents in a review set.
Annotated document in review set AnnotateDocument User annotated a document in a review set. Annotation includes redacting content in a document.
Compared load sets LoadComparisonJob User compared two different load sets in a review set. A load set is when data from a content search that associated with the case is added to a review set.
Converted redacted documents to PDF BurnJob User converted all the redacted documents in a review set to PDF files.
Created review set CreateWorkingSet User created a review set.
Created review set search CreateWorkingSetSearch User created a search query that searches the documents in a review set.
Created tag CreateTag User created a tag group in a review set. A tag group can contain one or more child tags. These tags are then used to tag documents in the review set.
Deleted review set search DeleteWorkingSetSearch User deleted a search query in a review set.
Deleted tag DeleteTag User deleted a tag or a tag group in a review set.
Downloaded document DownloadDocument User downloaded a document from a review set.
Edited tag UpdateTag User changed a tag in a review set.
Exported documents from review set ExportJob User exported documents from a review set.
Modified case setting UpdateCaseSettings User modified the settings for a case. Case settings include case information, access permissions, and settings that control search and analytics behavior.
Modified review set search UpdateWorkingSetSearch User edited a search query in a review set.
Previewed review set search PreviewWorkingSetSearch User previewed the results of a search query in a review set.
Remediated error documents ErrorRemediationJob User fixes files that contained indexing errors.
Tagged document TagFiles User tags a document in a review set.
Tagged results of a query TagJob User tags all of the documents that match the criteria of search query in a review set.
Viewed document in review set ViewDocument User viewed a document in a review set.

eDiscovery cmdlet activities

The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance portal or by running the corresponding cmdlet in Security & Compliance PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

As previously stated, it may take up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.

Tip

The cmdlets in the Operation column in the following table are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameter and the parameter value that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.

Friendly name Operation (cmdlet) Description
Created hold in eDiscovery case
New-CaseHoldPolicy
A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they're identified in the audit log entry.
Deleted hold from eDiscovery case
Remove-CaseHoldPolicy
A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule).
Changed hold in eDiscovery case
Set-CaseHoldPolicy
A hold that is associated with an eDiscovery was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold.
Created search query for eDiscovery case hold
New-CaseHoldRule
A query-based hold associated with an eDiscovery case was created.
Deleted search query for eDiscovery case hold
Remove-CaseHoldRule
A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Changed search query for eDiscovery case hold
Set-CaseHoldRule
A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Created eDiscovery case
New-ComplianceCase
An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Deleted eDiscovery case
Remove-ComplianceCase
An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted.
Changed eDiscovery case
Set-ComplianceCase
An eDiscovery case was changed. Changes include closing an open case or reopening a closed case.
Added member to eDiscovery case
Add-ComplianceCaseMember
A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they've been assigned the necessary permissions.
Removed member from eDiscovery case
Remove-ComplianceCaseMember
A user was removed as a member of an eDiscovery case.
Changed eDiscovery case membership
Update-ComplianceCaseMember
The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged.
Created content search
New-ComplianceSearch
A new content search was created.
Deleted content search
Remove-ComplianceSearch
An existing content search was deleted.
Changed content search
Set-ComplianceSearch
An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query.
Started content search
Start-ComplianceSearch
A content search was started. When you create or change a content search by using the compliance portal GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.
Stopped content search
Stop-ComplianceSearch
A content search that was running was stopped.
Created content search action
New-ComplianceSearchAction
A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in eDiscovery (Premium), and permanently deleting items that match the search criteria of a content search.
Deleted content search action
Remove-ComplianceSearchAction
A content search action was deleted.
Created search permissions filter
New-ComplianceSecurityFilter
A search permissions filter was created.
Deleted search permissions filter
Remove-ComplianceSecurityFilter
A search permissions filter was deleted.
Changed search permissions filter
Set-ComplianceSecurityFilter
A search permissions filter was changed.
Created eDiscovery administrator
Add-eDiscoveryCaseAdmin
A user was added as an eDiscovery Administrator in your organization.
Deleted eDiscovery administrator
Remove-eDiscoveryCaseAdmin
An eDiscovery Administrator was deleted from your organization.
Changed eDiscovery administrator membership
Update-eDiscoveryCaseAdmin
The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged.
(none) Get-ComplianceCase
This activity is logged when a user viewed a list of eDiscovery (Standard) or eDiscovery (Premium) cases. This activity is also logged when a user views a specific case in eDiscovery (Standard). When a user views a specific case, the audit record includes the identity of the case that was viewed. If the user only viewed a list of cases, the audit record doesn't contain a case identity.
(none) Get-ComplianceSearch This activity is logged when a user viewed a list of Content searches or searches associated with an eDiscovery (Standard) case. This activity is also logged when a user views a specific Content search or views a specific search associated with an eDiscovery (Standard) case. When a user views a specific search, the audit record includes the identity of the search that was viewed. If the user only viewed a list of searches, the audit record doesn't contain a search identity.
(none) Get-ComplianceSearchAction This activity is logged when a user viewed a list of compliance search actions (such as exports, previews, or purges) or actions associated with an eDiscovery (Standard) case. This activity is also logged when a user views a specific compliance search action (such as an export) or views a specific action associated with an eDiscovery (Standard) case. When a user views a search action, the audit record includes the identity of the search action that was viewed. If the user only viewed a list of actions, the audit record doesn't contain an action identity.

Detailed properties for eDiscovery activities

The following table describes the properties that are included on the flyout page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed in the following table.

Tip

When you export the search results, the CSV file contains a column named AudtiData, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property has its own column. This will let you sort and filter on one or more of these properties. For more information, see Search the audit log.

Property Description
Case
The identity (GUID) of the eDiscovery case that was created, changed, or deleted.
ClientApplication
eDiscovery cmdlet activities have a value of EMC for this property. This indicates the activity was performed by using the compliance portal GUI or running the cmdlet in PowerShell.
ClientIP
The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
ClientRequestId
For eDiscovery activities, this property is typically blank.
CmdletVersion
The build number for the version of the compliance portal running in your organization.
CreationTime
The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed.
EffectiveOrganization
The name of the Microsoft 365 organization.
ExchangeLocations
The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case.
Exclusions
Mailbox or site locations that are excluded from a content search or a hold in an eDiscovery case.
ExtendedProperties
Additional properties from a content search, a content search action, or hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed.
Id
The ID of the report entry. The ID uniquely identifies the audit log entry.
NonPIIParameters
A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property.
ObjectId
The GUID or name of the object (for example, a Content search or an eDiscovery (Standard) case) that was created, accessed, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results.
ObjectType
The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search.
Operation
The name of the operation that corresponds to the eDiscovery activity that was performed.
OrganizationId
The GUID for your Microsoft 365 organization.
Parameters
The name and value for the parameters that were used with the corresponding cmdlet.
PublicFolderLocations
The public folder locations in Exchange Online that are included in a content search or placed on hold in an eDiscovery case.
Query
The search query associated with the activity, such as a content search or a query-based hold.
RecordType
The type of operation indicated by the record. The value of 18 indicates an event related to an activity listed in the eDiscovery cmdlet activities section. A value of 24 indicates an event related to an activity listed in the eDiscovery activities section.
ResultStatus
Indicates whether the action (specified in the Operation property) was successful or not.
SecurityComplianceCenterEventType
Indicates that the activity was a compliance portal event. All eDiscovery activities will have a value of 0 for this property.
SharepointLocations
The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case.
StartTime
The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.
UserId
The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.
UserKey
An alternative ID for the user identified in the UserId property. For eDiscovery activities, the value for this property is typically the same as the UserId property.
UserServicePlan
The subscription used by your organization. For eDiscovery activities, this property is typically blank.
UserType
The type of user that performed the operation. The following values indicate the user type.
0 A regular user. 2 An administrator in your organization. 3 A Microsoft datacenter administrator or datacenter system account. 4 A system account. 5 An application. 6 A service principal.
Version
Indicates the version number of the activity (identified by the Operation property) that's logged.
Workload
The service where the activity occurred. For eDiscovery activities, the value is SecurityComplianceCenter.

Encrypted message portal activities

Access logs are available for encrypted messages through the encrypted message portal that lets your organization determine when messages are read, and forwarded by your external recipients. For more information on enabling and using encrypted message portal activity logs, see Encrypted message portal activity log.

Each audit entry for a tracked message contains the following fields:

  • MessageID: Contains the ID of the message being tracked. The key identifier used to follow a message through the system.
  • Recipient: List of all recipient email addresses.
  • Sender: The originating email address.
  • AuthenticationMethod: Describes the authenticating method for accessing the message, for example OTP, Yahoo, Gmail, or Microsoft.
  • AuthenticationStatus: Contains a value indicating that the authentication succeeded or failed.
  • OperationStatus: Indicates whether the indicated operation succeeded or failed.
  • AttachmentName: Name of the attachment.
  • OperationProperties: A list of optional properties. For example, the number of OTP passcodes sent, or the email subject.

Exchange admin activities

Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs Get-, Search-, or Test- aren't logged in the audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.

Important

Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log (or in the audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a design change request (DCR) to Microsoft Support.

Here are some tips for searching for Exchange admin activities when searching the audit log:

  • Use the date range boxes and the Users list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.
  • To display events from the Exchange admin audit log, select the Activity column to sort the cmdlet names in alphabetical order.
  • To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option. For more information, see Export, configure, and view audit log records.
  • You can also use the Search-UnifiedAuditLog -RecordType ExchangeAdmin command in Exchange Online PowerShell to return only audit records from the Exchange admin audit log. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. For more information, see Search-UnifiedAuditLog. For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.

Exchange mailbox activities

The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 180 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see Manage mailbox auditing.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.

Friendly name Operation Description
Accessed mailbox items MailItemsAccessed Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. Analyzing audit records for this activity is useful when investigating compromised email account.
Added delegate mailbox permissions Add-MailboxPermission An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see System accounts in Exchange mailbox audit records.
Added or removed user with delegate access to calendar folder UpdateCalendarDelegation A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.
Added permissions to folder AddFolderPermissions A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
Copied messages to another folder Copy A message was copied to another folder.
Created mailbox item Create An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.
Created new inbox rule in Outlook web app New-InboxRule A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app.
Deleted messages from Deleted Items folder SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses Shift+Delete.
Labeled message as a record ApplyRecordLabel A message was classified as a record. Occurs when a retention label that classifies content as a record is manually or automatically applied to a message.
Moved messages to another folder Move A message was moved to another folder.
Moved messages to Deleted Items folder MoveToDeletedItems A message was deleted and moved to the Deleted Items folder.
Modified folder permission UpdateFolderPermissions A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder.
Modified inbox rule from Outlook web app Set-InboxRule A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app.
Purged messages from the mailbox HardDelete A message was purged from the Recoverable Items folder (permanently deleted from the mailbox).
Removed delegate mailbox permissions Remove-MailboxPermission An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it.
Removed permissions from folder RemoveFolderPermissions A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
Sent message Send A message was sent, replied to or forwarded.
Sent message using Send As permissions SendAs A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner.
Sent message using Send On Behalf permissions SendOnBehalf A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message.
Updated inbox rules from Outlook client UpdateInboxRules A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client.
Updated message Update A message or its properties was changed.
User signed in to mailbox MailboxLogin The user signed in to their mailbox.
Label message as a record A user applied a retention label to an email message and that label is configured to mark the item as a record.

System accounts in Exchange mailbox audit records

In audit records for some mailbox activities (especially Add-MailboxPermissions), you may notice the user who performed the activity (and is identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.Servicehost). This indicates that the "user" who performed the activity was a system account in Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. Ensures that eDiscovery administrators can perform necessary tasks in their organization.

Another system user account that may be identified in an audit record for Add-MailboxPermission is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run a role-based access control diagnostic tool on behalf of your organization.

File and page activities

The following table describes the file and page activities in SharePoint Online and OneDrive for Business.

Friendly name Operation Description
Accessed file FileAccessed User or system account accesses a file. Once a user accesses a file, the FileAccessed event isn't logged again for the same user for same file for the next five minutes.
(none) FileAccessedExtended This is related to the "Accessed file" (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period (up to 3 hours).

The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileAccessed event.
Changed retention label for a file ComplianceSettingChanged A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
Changed record status to locked LockRecord The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked UnlockRecord The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Checked in file FileCheckedIn User checks in a document that they checked out from a document library.
Checked out file FileCheckedOut User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file FileCopied User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file FileDeleted User deletes a document from a site.
Deleted file from recycle bin FileDeletedFirstStageRecycleBin User deletes a file from the recycle bin of a site.
Deleted file from second-stage recycle bin FileDeletedSecondStageRecycleBin User deletes a file from the second-stage recycle bin of a site.
Deleted file marked as a record RecordDelete A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
Detected document sensitivity mismatch DocumentSensitivityMismatchDetected User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled Confidential is uploaded to a site labeled General.

This event isn't triggered if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential. For more information about sensitivity label priority, see Label priority (order matters).
Detected malware in file FileMalwareDetected SharePoint anti-virus engine detects malware in a file.
Discarded file checkout FileCheckOutDiscarded User discards (or undoes) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file FileDownloaded User downloads a document from a site.
Modified file FileModified User or system account modifies the content or the properties of a document on a site. The system waits five minutes before it logs another FileModified event when the same user modifies the content or properties of the same document.
(none) FileModifiedExtended This is related to the "Modified file" (FileModified) activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period (up to 3 hours).

The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified. This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileModified event.
Moved file FileMoved User moves a document from its current location on a site to a new location.
(none) FilePreviewed User previews files on a SharePoint or OneDrive for Business site. These events typically occur in high volumes based on a single activity, such as viewing an image gallery.
Performed search query SearchQueryPerformed User or system account performs a search in SharePoint or OneDrive for Business. Some common scenarios where a service account performs a search query include applying an eDiscovery holds and retention policy to sites and OneDrive accounts, and autoapplying retention or sensitivity labels to site content. To enable logging for this activity, see Get started with auditing solutions.
Recycled a file FileRecycled User moves a file into the SharePoint Recycle Bin.
Recycled a folder FolderRecycled User moves a folder into the SharePoint Recycle Bin.
Recycled all minor versions of file FileVersionsAllMinorsRecycled User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled all versions of file FileVersionsAllRecycled User deletes all versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled version of file FileVersionRecycled User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin.
Renamed file FileRenamed User renames a document.
Restored file FileRestored User restores a document from the recycle bin of a site.
Uploaded file FileUploaded User uploads a document to a folder on a site.
Viewed page PageViewed User views a page on a site. This doesn't include using a Web browser to view files located in a document library. Once a user views a page, the PageViewed event isn't logged again for the same user for same page for the next five minutes.
(none) PageViewedExtended This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours).

The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.
View signaled by client ClientViewSignaled A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page.

NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. The system waits five minutes before it logs the same event when the same user's client signals that the page has been viewed again by the user.
(none) PagePrefetched A user's client (such as website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page.

When the page content is rendered by the client (as per the user's request) a ClientViewSignaled event should be generated. Not all clients support indicating a prefetch, and therefore some prefetched activities might instead be logged as PageViewed events.

Frequently asked questions about FileAccessed and FilePreviewed events

Could any non-user activities trigger FilePreviewed audit records that contain a user agent like "OneDriveMpc-Transform_Thumbnail"?

We aren't aware of scenarios where nonuser actions generate events like these. User actions like opening a user profile card (by selecting their name or email address in a message in Outlook on the web) would generate similar events.

Are calls to the OneDriveMpc-Transform_Thumbnail always intentionally being triggered by the user?

No. But similar events can be logged as a result of browser prefetch.

If we see a FilePreviewed event coming from a Microsoft-registered IP address, does that mean that the preview was displayed on the screen of the user's device?

No. The event might have been logged as a result of browser prefetch.

Are there scenarios where a user previewing a document generates FileAccessed events?

Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent.

The app@sharepoint user in audit records

In audit records for some file activities (and other SharePoint-related activities), you may notice the user who performed the activity (identified in the User and UserId fields) is app@sharepoint. This indicates that the "user" who performed the activity was an application. In this case, the application was granted permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. This process of giving permissions to an application is called SharePoint App-Only access. This indicates that the authentication presented to SharePoint to perform an action was made by an application, instead of a user. This is why the app@sharepoint user is identified in certain audit records. For more information, see Grant access using SharePoint App-Only.

For example, app@sharepoint is often identified as the user for "Performed search query" and "Accessed file" events. That's because an application with SharePoint App-Only access in your organization performs search queries and accesses files when applying retention policies to sites and OneDrive accounts.

Here are a few other scenarios where app@sharepoint may be identified in an audit record as the user who performed an activity:

  • Microsoft 365 Groups. When a user or admin creates a new group, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group. These tasks are performed an application on behalf of the user who created the group.
  • Microsoft Teams. Similar to Microsoft 365 Groups, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group when a team is created.
  • Compliance features. When an admin implements compliance features, such as retention policies, eDiscovery holds, and autoapplying sensitivity labels.

In these and other scenarios, you'll also notice that multiple audit records with app@sharepoint as the specified user were created within a short time frame, often within a few seconds of each other. This also indicates they were probably triggered by the same user-initiated task. Also, the ApplicationDisplayName and EventData fields in the audit record may help you identify the scenario or application that triggered the event.

Folder activities

The following table describes the folder activities in SharePoint Online and OneDrive for Business. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name Operation Description
Copied folder FolderCopied User copies a folder from a site to another location in SharePoint or OneDrive for Business.
Created folder FolderCreated User creates a folder on a site.
Deleted folder FolderDeleted User deletes a folder from a site.
Deleted folder from recycle bin FolderDeletedFirstStageRecycleBin User deletes a folder from the recycle bin on a site.
Deleted folder from second-stage recycle bin FolderDeletedSecondStageRecycleBin User deletes a folder from the second-stage recycle bin on a site.
Modified folder FolderModified User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.
Moved folder FolderMoved User moves a folder to a different location on a site.
Renamed folder FolderRenamed User renames a folder on a site.
Restored folder FolderRestored User restores a deleted folder from the recycle bin on a site.

Information barriers activities

The following table lists the activities in information barriers that are logged in the Microsoft 365 audit log. For more information about information barriers, see Learn about information barriers in Microsoft 365.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name Operation Description
Changed AppBypassInformationBarrier setting for the tenant AppBypassInformationBarrier A SharePoint or global administrator has changed apps access for SharePoint sites.
Applied information barrier mode to site SiteIBModeSet A SharePoint or global administrator has applied a mode to the site.
Applied segments to site SiteIBSegmentsSet A SharePoint, global administrator, or site owner added one or more information barriers segments to a site.
Changed information barrier mode of site SiteIBModeChanged A SharePoint or global administrator has updated the mode of the site.
Changed segments of site SiteIBSegmentsChanged A SharePoint or global administrator changed one or more information barriers segments for a site.
Disabled information barriers for SharePoint and OneDrive SPOIBIsDisabled A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.
Enabled information barriers for SharePoint and OneDrive SPOIBIsEnabled A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.
Information barriers insights report completed InformationBarriersInsightsReportCompleted System completes build of the information barriers insights report.
Information barriers insights report OneDrive section queried InformationBarriersInsightsReportOneDriveSectionQueried An administrator queries the information barriers insights report for OneDrive accounts.
Information barriers insights report scheduled InformationBarriersInsightsReportSchedule An administrator schedules the information barriers insights report.
Information barriers insights report SharePoint section queried InformationBarriersInsightsReportSharePointSectionQueried An administrator queries the information barriers insights report for Sharepoint sites.
Removed segment from site SiteIBSegmentsRemoved A SharePoint or global administrator removed one or more information barriers segments from a site.

Microsoft 365 Apps Admin Services cloud update activities

The following table lists the activities for configuration changes and triggered actions in the Cloud Update service which are captured in the Microsoft 365 Audit log.

Friendly Name Operation Description
Device configuration updated updateddeviceconfiguration An action for a device managed by Cloud Update has been triggered. This includes triggering a rollback, resuming a rolled back device, or changing the update channel.
Profile configuration updated updatedprofileconfiguration A Cloud Update profile's configuration has changed. This includes changes to the profile's state, set deadline, Update Validation enablement, and configured waves and wave delay.
Tenant configuration updated updatedtenantconfiguration The Cloud Update's tenant-wide configuration has changed. This includes changing exclusions, exclusion windows, and generating a new Tenant Association Key (TAK).

Microsoft 365 Apps Admin Services cloud policy activities

The following table lists the activities for policy configuration changes in the Cloud Policy service which are captured in the Microsoft 365 Audit log.

Friendly Name Operation Description
Created policy configuration CreatedPolicyConfig A new policy configuration was created.
Deleted policy configuration DeletedPolicyConfig A policy configuration was deleted.
Updated policy configuration UpdatedPolicyConfig An existing policy configuration was updated, for example by adding, changing, or removing policy settings, or by changing the policy configuration's name, description, or scope.
Updated policy configuration priority UpdatedPolicyConfigPriority The priority of a policy configuration was changed.

Microsoft 365 Backup activities

The following table lists the activities in Microsoft 365 Backup that are logged in the Microsoft 365 audit log. Microsoft 365 Backup is designed to ensure your organization’s data is always protected and easily recoverable. For more information about Microsoft 365 Backup, see Overview of Microsoft 365 Backup.

Friendly name Operation Description
Activated a Backup Policy BackupPolicyActivated A Microsoft 365 Backup policy is activated from an inactive state.
Activated Draft Restore Task RestoreTaskActivated A draft restore task for Microsoft 365 Backup is activated. It is a long running operation.
Backup Item Created BackupItemAdded One or more backup items are added to a Microsoft 365 Backup policy.
Backup Item Removed BackupItemRemoved One or more backup items is/are removed from a Microsoft 365 Backup policy.
Completed Restore Task RestoreTaskCompleted A restore task is completed in Microsoft 365 Backup.
Created Draft Restore Task DraftRestoreTaskCreated A restore task is created in Microsoft 365 Backup. By default, the restore task is created as draft.
Created new Backup policy NewBackupPolicyCreated A new Microsoft 365 Backup policy has been created by a Global Admin. By default, a backup policy is created in an inactive state.
Deleted a Backup Policy BackupPolicyDeleted A Microsoft 365 Backup policy is deleted.
Deleted Draft Restore Task DraftRestoreTaskDeleted A draft restore task is deleted in Microsoft 365 Backup.
Edited a Backup Policy BackupPolicyEdited A Microsoft 365 Backup policy is updated. Backup policies are updated by any of the following actions:

1. Renaming the policy.
2. Add one or more protection units.
3. Removing one or more protection units.
Edited Draft Restore Task DraftRestoreTaskEdited A draft restore task is edited in Microsoft 365 Backup.
Paused a Backup Policy BackupPolicyPaused A Microsoft 365 Backup policy is paused from active state.
Programatically got Backup Item GetBackupItem User requests the protection unit backed up using Microsoft 365 Backup programmatically.
Programmatically got Details of Backup Policy ViewBackupPolicyDetails Details of a Microsoft 365 Backup policy are accessed programmatically.
Programmatically got Details of Restore Task GetRestoreTaskDetails A user requests details of restore task by its identifier in Microsoft 365 Backup.
Programmatically got list of all Backup Policies ListAllBackupPolicies A user programmatically gets the list of all backup policies backed up using Microsoft 365 Backup.
Programmatically got list of Backup Items in Backup Policies ListAllBackupItemsInPolicies A list of all protection units present in a backup policy in Microsoft 365 Backup is requested programmatically.
Programmatically got list of Backup Items in Tenant ListAllBackupItemsInTenant A user programmatically gets list of all protection units in the organization backed up using Microsoft 365 Backup.
Programmatically got list of Backup Items in Workload ListAllBackupItemsInWorkload A user programmatically gets list of all protection units in workload (SharePoint, OneDrive, or Exchange) backed up using Microsoft 365 Backup.
Programmatically got list of Restore Items in Restore Task GetAllRestoreArtifactsInTask A user programmatically gets all artifacts in a restore task in Microsoft 365 Backup.
Programmatically got list of Restore Points ListAllRestorePoints A user programmatically gets all restore points in Microsoft 365 Backup. Restore Points represent the timestamp when an artifact is protected (per Protection Policy). Only Global Admins have access.
Programmatically got list of Restore Tasks ListAllRestoreTasks A user programmatically gets the list of existing restore sessions in Microsoft 365 Backup. This includes the restore session created for every service type enrolled in the organization.
Restore item restoration complete BackupItemRestoreCompleted The restoration of an item backed up by Microsoft 365 Backup is completed.
Restore item restoration triggered BackupItemRestoreTriggered Restore is triggered for an item backed up with Microsoft 365 Backup.

Microsoft Defender for Endpoint general settings activities

The following table lists the activities for Microsoft Defender for Endpoint general settings that are logged in the Microsoft 365 audit log. For more information about the settings Microsoft Defender for Endpoint, see Configure general Defender for Endpoint settings.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Downloaded offboarding package DownloadOffboardingPkg Downloaded the package used to remove devices from Defender for Endpoint.
Downloaded onboarding package DownloadOnboardingPkg Downloaded the package used to onboard devices to Defender for Endpoint.
Changed data retention ChangeDataRetention Edited the data retention settings for Defender for Endpoint.
Set advanced features SetAdvancedFeatures Changed advanced features in Defender for Endpoint, enabling more precise controls during an incident. Only settings for advanced features that are generally available are logged in the Microsoft 365 audit log.

Microsoft Defender for Endpoint indicator settings activities

The following table lists the activities for Microsoft Defender for Endpoint indicator settings that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender for Endpoint indicators, see Manage indicators.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Added indicator AddIndicator Created a new Indicator of compromise you can use to track attacks and events.
Edited indicator EditIndicator Edited an Indicator of compromise.
Deleted indicator DeleteIndicator Removed an Indicator of compromise.

Microsoft Defender for Endpoint response actions activities

The following table lists the activities for Microsoft Defender for Endpoint response actions, including Live response, that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender for Endpoint response actions, see Take response actions on a device.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Collected investigation package CollectInvestigationPackage Collected information about a device that's used to understand attack tools and techniques.
Ran Antivirus scan RunAntiVirusScan Ran Microsoft Defender Antivirus scan on a device.
Restricted app execution RestrictAppExecution Prevent a malicious app from running.
Removed app restrictions RemoveAppRestrictions Allow an app to run.
Isolated device IsolateDevice Isolated a device from the network, helping prevent attacks from spreading.
Released from isolation ReleaseFromIsolation Added an isolated device back onto the network.
Stopped and quarantined file StopAndQuarantineFile Quarantined a suspicious file for further analysis.
Downloaded file DownloadFile Downloaded a suspicious file for further investigation.
Offboarded device DeviceOffBoarding Removed a device from Defender for Endpoint.
Ran Live response API RunLiveResponseApi Opened a Live response session via an API call, opening a remote shell into a device.
Collected Logs LogsCollection Collected log information about Defender for Endpoint.
Ran get Live response file link LiveResponseGetFile Opened a Live response session, opening a remote shell into a device.
Ran Live response session RunLiveResponseSession Ran a Live response session, opening a remote shell into a device.

Microsoft Defender for Endpoint roles settings activities

The following table lists the activities for Microsoft Defender for Endpoint role settings that are logged in the Microsoft 365 audit log. For more information about roles in Microsoft Defender for Endpoint, see Create and manage roles for role-based access control.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
AddRole Added role Added new security role and permissions.
EditRole Edited role Edited security roles and permissions.
DeleteRole Deleted role Removed security roles and permissions.

Microsoft Defender for Experts activities

The following table lists the activities in Microsoft Defender Experts that are logged into the Microsoft 365 audit log. For more information about Microsoft Defender Experts, see Learn about Microsoft Defender Experts for XDR and Learn about Microsoft Defender Experts for Hunting

Friendly name Operation Description
Defender Experts analyst permission created DefenderExpertsAnalystPermissionCreated An administrator granted one or more role permissions to Defender Experts analysts to investigate incidents or remediate threats.
Defender Experts analyst permission modified DefenderExpertsAnalystPermissionModified An administrator modified role permissions for Defender Experts analysts to investigate incidents or remediate threats.

Microsoft Defender for Identity activities

The following table lists the activities for Microsoft Defender for Identity that are logged in the Microsoft 365 audit log.

To view Microsoft Defender for Identity activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Updated entity tags TaggingConfigurationUpdated A tag was added or removed from an entity.
Added exclusions configuration ExclusionConfigurationAdded A global exclusion was added for an alert or for an entity.
Updated exclusions configuration ExclusionConfigurationUpdated A global exclusion was updated for an alert or for an entity.
Deleted exclusions configuration ExclusionConfigurationDeleted A global exclusion was deleted for an alert or for an entity.
Updated alert threshold configuration WorkspaceAlertThresholdLevelUpdated The alerts thresholds configuration was updated.
Downloaded security alert Excel AlertExcelDownloaded The detailed Excel file of an alert was downloaded.
Added remediation action RemediationActionAdded A remediation action was added to the queue.
Updated remediation action RemediationActionUpdated A remediation action was completed.
Updated sensor configuration SensorConfigurationUpdated A sensor's configuration was updated.
Added sensor SensorCreated A new sensor was added.
Removed sensor SensorDeleted A sensor was deleted.
Retrieved sensor deployment key SensorDeploymentAccessKeyReceived The sensors access key was retrieved.
Regenerated sensor deployment key SensorDeploymentAccessKeyUpdated The sensors access key was regenerated.
Updated sensors activation mode SensorActivationMethodConfigurationUpdated The sensors activation mode was modified.
Downloaded Domain Controller coverage Excel DomainControllerCoverageExcelDownloaded The Domain Controller coverage Excel file was downloaded.
Updated directory services account configuration DirectoryServicesAccountConfigurationUpdated The Directory services accounts set was modified.
Updated remediation action configuration RemediationActionConfigurationUpdated The Manage action accounts set was modified.
Updated entity remediation configuration EntityRemediatorConfigurationUpdated The Manage action accounts mode was modified.
Updated health issue MonitoringAlertUpdated A health issue was modified.
Downloaded report ReportDownloaded A report was downloaded.
Updated reporter configuration ReporterConfigurationUpdated A report's scheduling was modified.
Updated syslog forwarding configuration SyslogServiceConfigurationUpdated The syslog forwarding configuration was modified.
Updated security notification configuration NotificationConfigurationUpdated The security alerts or health issues notifications configuration was modified.
Added alert notification recipient AlertNotificationsRecipientAdded A recipient was added to the security alerts notification configuration.
Deleted alert notification recipient AlertNotificationsRecipientDeleted A recipient was removed from the security alerts notification configuration.
Added health issues notification recipient MonitoringAlertNotificationRecipientAdded A recipient was added to the health issues notification configuration.
Deleted health issues notification recipient MonitoringAlertNotificationRecipientDeleted A recipient was removed from the heath issues notification configuration.
Updated VPN configuration VpnConfigurationUpdated The VPN (radius accounting) configuration was modified.
Updated Unified RBAC configuration URbacAuthorizationStatusChanged The Unified Role Based Access Control configuration was modified.
Created workspace WorkspaceCreated The workspace was created.
Deleted workspace WorkspaceDeleted The workspace was deleted.

Microsoft Defender XDR custom detection activities

The following table lists the custom detection activities for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender XDR custom detections, see Create and manage custom detections rules.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Created custom detection rule CreateCustomDetection A new custom detection rule was created.
Edited custom detection rule EditCustomDetection A custom detection rule was modified.
Changed custom detection rule status ChangeCustomDetectionRuleStatus A custom detection rule was turned off or on.
Ran custom detection rule RunCustomDetection A custom detection rule was manually run.
Deleted custom detection rule DeleteCustomDetection A custom detection rule was removed.

Microsoft Defender XDR incident activities

The following table lists the incident activities for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about incidents in Microsoft Defender XDR, see Incidents overview.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Added comment to incident AddCommentToIncident. Added comment to incident.
Assigned user to incident AssignUserToIncident Assigned user to incident.
Unassigned user to incident UnAssignUserFromIncident Unassigned user to incident.
Updated incidents status UpdateIncidentStatus Updated incidents status.
Edit incident classification EditIncidentClassification Edit incident classification.
Added tags to incident AddTagsToIncident Added tags to incident.
Removed tags from incident RemoveTagsFromIncident Removed tags from incident.

Microsoft Defender XDR suppression rule activities

The following table lists the activities for suppression rules for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about suppression rules in Microsoft Defender XDR, see Manage suppression rules.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name Operation Description
Created suppression rule CreateSuppressionRule Created alert suppression rule.
Edited suppression rule EditSuppressionRule Deleted alert suppression rule.
Enabled suppression rule EnableSuppressionRule Enabled alert suppression rule.
Disabled suppression rule DisableSuppressionRule Disabled alert suppression rule.
Deleted suppression rule DeleteSuppressionRule Deleted alert suppression rule.

Microsoft Entra group administration activities

The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 group or when an admin creates a security group by using the Microsoft 365 admin center or the Azure management portal. For more information about groups in Microsoft 365, see View, create, and delete Groups in the Microsoft 365 admin center.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name Operation Description
Added group Add group. A group was created.
Added member to group Add member to group. A member was added to a group.
Deleted group Delete group. A group was deleted.
Removed member from group Remove member from group. A member was removed from a group.
Updated group Update group. A property of a group was changed.

Microsoft Fabric activities

You can search the audit log for activities in Power BI. For information about audit settings, see Audit and usage tenant settings.

Audit logging is turned on by default for Microsoft 365 organizations. If auditing isn't turned on for your organization, a banner appears that prompts you to start recording user and admin activity. For instructions, see Turn on auditing.

Microsoft Forms activities

The tables in this section the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis. Where noted below in the descriptions, some operations contain additional activity parameters.

If a Forms activity is performed by a coauthor or an anonymous responder, it's logged slightly differently. For more information, see the Forms activities performed by coauthors and anonymous responders section.

Friendly name Operation Description
Created comment CreateComment Form owner adds comment or score to a quiz.
Created form CreateForm Form owner creates a new form.

Property DataMode:string indicates the current form is set to sync with a new or existing Excel workbook if the property value equals DataSync. Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form.
Edited form EditForm Form owner edits a form such as creating, removing, or editing a question. The property EditOperation:string indicates the edit operation name. The possible operations are:
- CreateQuestion
- CreateQuestionChoice
- DeleteQuestion
- DeleteQuestionChoice
- DeleteFormImage
- DeleteQuestionImage
- UpdateQuestion
- UpdateQuestionChoice
- UploadFormImage/Bing/Onedrive
- UploadQuestionImage
- ChangeTheme

FormImage includes any place within Forms that user can upload an image, such as in a query or as a background theme.
Moved form MoveForm Form owner moves a form.

Property DestinationUserId:string indicates the user ID of the person who moved the form. Property NewFormId:string is the new ID for the newly copied form. Property IsDelegateAccess:boolean indicates the current form move action is performed through the admin delegate page.
Deleted form DeleteForm Form owner deletes a form. This includes SoftDelete (delete option used and form moved to recycle bin) and HardDelete (Recycle bin is emptied).
Viewed form (design time) ViewForm Form owner opens an existing form for editing.

Property AccessDenied:boolean indicates access of current form is denied due to permission check. Property FromSummaryLink:boolean indicates current request comes from the summary link page.
Previewed form PreviewForm Form owner previews a form using the Preview function.
Exported form ExportForm Form owner exports results to Excel.

Property ExportFormat:string indicates if the Excel file is Download or Online.
Allowed share form for copy AllowShareFormForCopy Form owner creates a template link to share the form with other users. This event is logged when the form owner selects to generate template URL.
Disallowed share form for copy DisallowShareFormForCopy Form owner deletes template link.
Added form coauthor AddFormCoauthor A user uses a collaboration link to help design for/view responses. This event is logged when a user uses a collab URL (not when collab URL is first generated).
Removed form coauthor RemoveFormCoauthor Form owner deletes a collaboration link.
Viewed response page ViewRuntimeForm User has opened a response page to view. This event is logged regardless of whether the user submits a response or not.
Created response CreateResponse Similar to receiving a new response. A user has submitted a response to a form.

Property ResponseId:string and Property ResponderId:string indicates which result is being viewed.

For an anonymous responder, the ResponderId property is null.
Updated response UpdateResponse Form owner has updated a comment or score on a quiz.

Property ResponseId:string and Property ResponderId:string indicates which result is being viewed.

For an anonymous responder, the ResponderId property is null.
Deleted all responses DeleteAllResponses Form owner deletes all response data.
Deleted Response DeleteResponse Form owner deletes one response.

Property ResponseId:string indicates the response being deleted.
Viewed responses ViewResponses Form owner views the aggregated list of responses.

Property ViewType:string indicates whether form owner is viewing Detail or Aggregate
Viewed response ViewResponse Form owner views a particular response.

Property ResponseId:string and Property ResponderId:string indicates which result is being viewed.

For an anonymous responder, the ResponderId property is null.
Created summary link GetSummaryLink Form owner creates summary results link to share results.
Deleted summary link DeleteSummaryLink Form owner deletes summary results link.
Updated form phishing status UpdatePhishingStatus This event is logged whenever the detailed value for the internal security status was changed, regardless of whether this changed the final security state (for example, form is now Closed or Opened). This means you may see duplicate events without a final security state change. The possible status values for this event are:
- Take Down
- Take Down by Admin
- Admin Unblocked
- Auto Blocked
- Auto Unblocked
- Customer Reported
- Reset Customer Reported
Updated user phishing status UpdateUserPhishingStatus This event is logged whenever the value for the user security status was changed. The value of the user status in the audit record is Confirmed as Phisher when the user created a phishing form that was taken down by the Microsoft Online safety team. If an admin unblocks the user, the value of the user's status is set to Reset as Normal User.
Sent Forms Pro invitation ProInvitation User selects to activate a Pro trial.
Updated form setting UpdateFormSetting Form owner updates one or multiple form settings.

Property FormSettingName:string indicates updated sensitive settings' name. Property NewFormSettings:string indicates updated settings' name and new value. Property thankYouMessageContainsLink:boolean indicates updated thank-you message contains a URL link.
Updated user setting UpdateUserSetting Form owner updates a user setting.

Property UserSettingName:string indicates the setting's name and new value
Listed forms ListForms Form owner is viewing a list of forms.

Property ViewType:string indicates which view the form owner is looking at: All Forms, Shared with Me, or Group Forms
Submitted response SubmitResponse A user submits a response to a form.

Property IsInternalForm:boolean indicates if the responder is within the same organization as the form owner.
Enabled anyone can respond setting AllowAnonymousResponse Form owner turns on the setting allowing any one to respond to the form.
Disabled anyone can respond setting DisallowAnonymousResponse Form owner turns off the setting allowing any one to respond to the form.
Enabled specific people can respond setting EnableSpecificResponse Form owner turns on the setting allowing only specific people or specific groups in the current organization to respond to the form.
Disabled specific people can respond setting DisableSpecificResponse Form owner turns off the setting allowing only specific people or specific groups in the current organization to respond to the form.
Added specific responder AddSpecificResponder Form owner adds a new user or group to the specific responders list.
Removed specific responder RemoveSpecificResponder Form owner removes a user or group from the specific responders list.
Disabled collaboration DisableCollaboration Form owner turns off the setting of collaboration on the form.
Enabled Office 365 work or school account collaboration EnableWorkOrSchoolCollaboration Form owner turns on the setting allowing users with a Microsoft 365 work or school account to view and edit the form.
Enabled people in my organization collaboration EnableSameOrgCollaboration Form owner turns on the setting allowing users in the current organization to view and edit the form.
Enabled specific people collaboration EnableSpecificCollaboaration Form owner turns on the setting allowing only specific people or specific groups in the current organization to view and edit the form.
Connected to Excel workbook ConnectToExcelWorkbook Connected the form to an Excel workbook.

Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form.
Created a collection CollectionCreated Form owner created a collection.
Updated a collection CollectionUpdated Form owner updated a collection property.
Deleted collection from the Recycle Bin CollectionHardDeleted Form owner hard-deleted a collection from the Recycle Bin.
Moved collection to the Recycle Bin CollectionSoftDeleted Form owner moved a collection to the Recycle Bin.
Renamed a collection CollectionRenamed Form owner changed the name of a collection.
Moved a form into collection MovedFormIntoCollection Form owner moved a form into a collection.
Moved a form out of collection MovedFormOutofCollection Form owner moved a form out of a collection.

Forms activities performed by coauthors and anonymous responders

Forms supports collaboration when forms are designed and when analyzing responses. A form collaborator is known as a coauthor. Coauthors can do everything a form owner can do, except delete or move a form. Forms also allows you to create a form that can be responded to anonymously. This means the responder doesn't have to be signed into your organization to respond to a form.

The following table describes the auditing activities and information in the audit record for activities performed by coauthors and anonymous responders.

Activity type Internal or external user User ID that's logged Organization logged in to Forms user type
Coauthoring activities Internal UPN Form owner's org Coauthor
Coauthoring activities External UPN
Coauthor's org
Coauthor
Coauthoring activities External urn:forms:coauthor#a0b1c2d3@forms.office.com
(The second part of the ID is a hash, which will differ for different users)
Form owner's org
Coauthor
Response activities External UPN
Responder's org
Responder
Response activities External urn:forms:external#a0b1c2d3@forms.office.com
(The second part of the User ID is a hash, which will differ for different users)
Form owner's org Responder
Response activities Anonymous urn:forms:anonymous#a0b1c2d3@forms.office.com
(The second part of the User ID is a hash, which will differ for different users)
Form owner's org Responder

Microsoft Graph Data Connect

The following table lists the user and admin activities in Microsoft Graph Data Connect that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Friendly name Operation Description
Approved or denied an app ConsentModificationRequest A user performed a consent modification request.
Extraction ran DataAccessRequestOperation A user performed an extraction. Partner datasets and ISV runs are excluded.

Microsoft Planner activities

The following table lists the user and admin activities in Microsoft Planner that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Note

Portfolio activity in Planner is logged with Microsoft Project for web roadmap activity. For details, see the Microsoft Project for the web activities section.

Friendly name Operation Description
Read a plan PlanRead A plan is read by a user or an app. If the read operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ContainerType indicates ContainerType.Invalid and ContainerId indicates null.
Created a plan PlanCreated A plan is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null, ContainerType indicates ContainerType.Invalid and ContainerId indicates null.
Modified a plan PlanModified A plan is modified by a user or an app.
Deleted a plan PlanDeleted A plan is deleted by a user or an app.
Copied a plan PlanCopied A plan is copied by a user or an app. If the copy operation is a ResultStatus.Failure or ResultStatus.Failure, newPlanId indicates null, newContainerType indicates ContainerType.Invalid, and newContainerId indicates null.
Read a task TaskRead A task is read by a user or an app. If the read operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, PlanId indicates null.
Created a task TaskCreated A task is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null and PlanId indicates null.
Modified a task TaskModified A task is modified by a user or an app.
Deleted a task TaskDeleted A task is deleted by a user or an app.
Assigned a task TaskAssigned A task's assignee is modified by a user or an app. This can be an unassigned task getting assigned or an assigned task has a new assignee.
Completed a task TaskCompleted A task is marked completed by a user or an app.
Created a roster RosterCreated A roster is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null, MemberIds indicates an empty string.
Deleted a roster RosterDeleted A roster is deleted by a user or an app.
Added a member(s) to a roster RosterMemberAdded A member(s) is added to a roster. If the add operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, MemberIds indicates the list of member IDs attempted.
Removed a member(s) to a roster RosterMemberDeleted A member(s) is removed from a roster. If the remove operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, MemberIds indicates the list of member IDs attempted.
Read a list of plans PlanListRead A list of plans is queried by a user or an app. If the query operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, PlanList indicates an empty string.
Read a list of tasks TaskListRead A list of tasks is queried by a user or an app. If the query operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, TaskList indicates an empty string.
Updated tenant settings TenantSettingsUpdated Tenant settings are updated by a tenant admin. If the update operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates the original settings, and TenantSettings indicates the tenant settings attempted.
Updated a roster's sensitivity label RosterSensitivityLabelUpdated A user or an app updates a roster's sensitivity label.

Microsoft Power Apps activities

You can search the audit log for app-related activities in Power Apps. These activities include creating, launching, and publishing an app. Assigning permissions to apps is also audited. For a description of all Power Apps activities, see Activity logging for Power Apps.

Note

Alert Policies (Protection Alert) audit events (RecordType:45) aren't currently supported for PowerApps.

Microsoft Power Automate activities

You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog Power Automate audit events now available in compliance portal.

Microsoft Project for the web activities

You can search the audit log for activities in Microsoft Project for the web. Microsoft Project for the web is built on the Microsoft Dataverse and has an associated Project Power App. To enable auditing for scenarios where the user is using the Microsoft Dataverse or the Project Power App, see the System Settings Auditing tab guidance. For a list of entities related to Project for the web, see the Export user data from Project for the web guidance.

For information about Microsoft Project for the web, see Microsoft Project for the web.

Note

Auditing events for Microsoft Project for the web activities requires a paid Project Plan 1 license (or higher).

Friendly name Operation Description
Created project ProjectCreated A project is created by a user or app.
Created roadmap RoadmapCreated A roadmap or portfolio is created by a user or app.
Created roadmap item RoadmapItemCreated A roadmap or portfolio item is created by a user or app.
Created task TaskCreated A task is created by a user or app.
Deleted project ProjectDeleted A project is deleted by a user or app.
Deleted roadmap RoadmapDeleted A roadmap or portfolio is deleted by a user or app.
Deleted roadmap item RoadmapItemDeleted A roadmap or portfolio item is deleted by a user or app.
Deleted task TaskDeleted A task is deleted by a user or app.
Project accessed ProjectAccessed A project is read or app.
Project home accessed ProjectListAccessed A list of projects and/or roadmaps is queried by a user.
Roadmap accessed RoadmapAccessed A roadmap or portfolio is read by a user or app.
Roadmap item accessed RoadmapItemAccessed A roadmap or portfolio item is read by a user or app.
Task accessed TaskAccessed A task is read by a user or app.
Updated project settings ProjectForTheWebProjectSettings Project settings are updated by an admin.
Updated roadmap RoadmapUpdated A roadmap or portfolio is modified by a user or app.
Updated roadmap item RoadmapItemUpdated A roadmap or portfolio item is modified by a user or app.
Updated roadmap settings ProjectForTheWebRoadmaptSettings Roadmap or portfolio settings are updated by an admin.
Updated task TaskUpdated A task is modified by a user or app.
Updated project ProjectUpdated A project is modified by a user or app.

Microsoft Purview Audit solution activities

The following table lists activities associated with audit solutions in the Microsoft Purview portal, the Microsoft Purview compliance portal, and the Audit Search Graph API. These activities are audited under the SecurityComplianceCenter workload. For more information, see Search the audit log.

Audit search and export activities performed using Search-UnifiedAuditLog aren't audited.

Friendly name Operation Description
Audit search created AuditSearchCreated A new audit search request is submitted.
Audit search completed AuditSearchCompleted An audit search job is completed.
Audit search canceled AuditSearchCancelled An audit search job is canceled.
Audit search deleted AuditSearchDeleted An audit search job is deleted.
Audit search export job created AuditSearchExportJobCreated An export job is created to export the search results of an audit search query.
Audit search export job completed AuditSearchExportJobCompleted The export job to export the search results of an audit search query is completed.
Audit search export results downloaded AuditSearchExportResultsDownloaded The search results from an audit search query were downloaded.

Microsoft Purview governance activities

The following table lists Microsoft Purview governance activities that are logged in the Microsoft 365 audit log. For more information, see Microsoft Purview governance solutions.

Friendly name Operation Description
Asset or entity created EntityCreated A new asset or entity is created or added to an existing asset.
Classification added ClassificationAdded Add classifications to asset entity.
Classification definition created ClassificationDefinitionCreated Create a classification type.
Classification definition deleted ClassificationDefinitionDeleted Delete a classification type.
Classification definition updated ClassificationDefinitionUpdated Update a classification type.
Classification deleted ClassificationDeleted Delete classifications from asset entity.
Classification updated ClassificationUpdated Update classifications on asset entity.
Entity deleted EntityDeleted An asset or entity is deleted from an existing asset.
Entity updated EntityUpdated Includes: attribute update, business attribute update, collection info (only include collection ID), contacts update, customAttributes, hierarchy, homeId, labels, sourceDetails
Glossary term assigned GlossaryTermAssigned Assign terms to asset entity.
Glossary term created GlossaryTermCreated Create a term.
Glossary term deleted GlossaryTermDeleted Delete a term.
Glossary term disassociated GlossaryTermDisassociated Disassociate terms from asset entity.
Glossary term updated GlossaryTermUpdated Update a term.
Sensitivity label changed SensitivityLabelChanged Sensitivity label is added/updated/deleted.

Microsoft Stream activities

You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in Audit Logs in Microsoft Stream.

Microsoft Teams activities

The following table lists Microsoft Teams activities that are logged in the Microsoft 365 audit log. You can search the audit log for user and admin activities in Microsoft Teams. Teams is a chat-centered workspace in Microsoft 365. It brings a team's conversations, meetings, files, and notes together into a single place. For more detailed search guidance, see Search the audit log for events in Microsoft Teams.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name Operation Description
Added bot to team BotAddedToTeam A user adds a bot to a team.
Added channel ChannelAdded A user adds a channel to a team.
Added connector ConnectorAdded A user adds a connector to a channel.
Added details about Teams meeting 9 MeetingDetail Teams added information about a meeting, including the start time, the end time, and the URL to join the meeting.
Added information about meeting participants 9 MeetingParticipantDetail Teams added information about the participants of a meeting, including the user ID of each participant, the time a participant joined the meeting, and the time a participant left the meeting.
Added members 6, 8 MemberAdded A team owner adds members to a team, channel, or group chat.
Added tab TabAdded A user adds a tab to a channel.
Applied sensitivity label SensitivityLabelApplied A user or meeting organizer applied a sensitivity label to a Teams meeting.
Changed channel setting ChannelSettingChanged The ChannelSettingChanged operation is logged when the following activities are performed by a team member. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results.
  • Changes name of a team channel (Channel name)
  • Changes description of a team channel (Channel description)
Changed organization setting TeamsTenantSettingChanged The TeamsTenantSettingChanged operation is logged when the following activities are performed by a global admin in the Microsoft 365 admin center. These activities affect org-wide Teams settings. To learn more, see Manage Teams settings for your organization.
For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results.
  • Enables or disables Teams for the organization (Microsoft Teams).
  • Enables or disables interoperability between Microsoft Teams and Skype for Business for the organization (Skype for Business interoperability).
  • Enables or disables the organizational chart view in Microsoft Teams clients (Org chart view).
  • Enables or disables the ability for team members to schedule private meetings (Private meeting scheduling).
  • Enables or disables the ability for team members to schedule channel meetings (Channel meeting scheduling).
  • Enables or disables video calling in Teams meetings (Video for Skype meetings).
  • Enables or disables screen sharing in Microsoft Teams meetups for the organization (Screen sharing for Skype meetings).
  • Enables or disables that ability to add animated images (called Giphys) to Teams conversations (Animated images).
  • Changes the content rating setting for the organization (Content rating). The content rating restricts the type of animated image that can be displayed in conversations.
  • Enables or disables the ability for team members to add customizable images (called custom memes) from the internet to team conversations (Customizable images from the Internet).
  • Enables or disables the ability for team members to add editable images (called stickers) to team conversations (Editable images).
  • Enables or disables that ability for team members to use bots in Microsoft Teams chats and channels (Org-wide bots).
  • Enables specific bots for Microsoft Teams. This doesn't include the T-Bot, which is Teams help bot that's available when bots are enabled for the organization (Individual bots).
  • Enables or disables the ability for team members to add extensions or tabs (Extensions or tabs).
  • Enables or disables the side-loading of proprietary bots for Microsoft Teams (Side loading of Bots).
  • Enables or disables the ability for users to send email messages to a Microsoft Teams channel (Channel email).
Changed role of members in team MemberRoleChanged A team owner changes the role of members in a team. The following values indicate the role type assigned to the user.

1 - Indicates the Member role.
2 - Indicates the Owner role.
3 - Indicates the Guest role.

The Members property also includes the name of your organization and the member's email address.
Changed team setting TeamSettingChanged The TeamSettingChanged operation is logged when the following activities are performed by a team owner. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results.
  • Changes the access type for a team. Teams can be set as private or public (Team access type). When a team is private (the default setting), users can access the team only by invitation. When a team is public, it's discoverable by anyone.
  • Changes the information classification of a team (Team classification). For example, team data can be classified as high business impact, medium business impact, or low business impact.
  • Changes the name of a team (Team name).
  • Changes the team description (Team description).
  • Changes made to team settings. To access these settings, a team owner can right-click a team, select Manage team, and then select the Settings tab. For these activities, the name of the setting that was changed is displayed in the Item column in the audit log search results.
Changed sensitivity label SensitivityLabelChanged A user changed a sensitivity label on a Teams meeting.
Created a chat 1, 6 ChatCreated A Teams chat was created.
Created team TeamCreated A user creates a team.
Deleted a message 2 MessageDeleted A message in a chat or channel was deleted.
Deleted all organization apps DeletedAllOrganizationApps Deleted all organization apps from the catalog.
Deleted app AppDeletedFromCatalog An app has been deleted from the catalog.
Deleted channel ChannelDeleted A user deletes a channel from a team.
Deleted team TeamDeleted A team owner deletes a team.
Edited a message with a URL link in Teams MessageEditedHasLink A user edits a message and adds a URL link to it in Teams.
Exported messages 1, 2 MessagesExported Chat or channel messages were exported.
Exported recordings 1 RecordingExported Chat recordings were exported.
Exported transcripts 1 TranscriptsExported Chat transcripts were exported.
Failed to validate invitation to shared channel 3 FailedValidation A user responds to an invitation to a shared channel but the invitation failed validation.
Fetched chat 1 ChatRetrieved A Microsoft Teams chat was retrieved.
Fetched all hosted content of a message1 MessageHostedContentsListed All hosted content in a message, such as images or code snippets, was retrieved.
Installed app AppInstalled An app was installed.
Performed action on card PerformedCardAction A user took action on an adaptive card within a chat. Adaptive cards are typically used by bots to allow the rich display of information and interaction in chats.

Note: Only inline input actions on an adaptive card inside a chat will be available in the audit log. For example, when a user submits a poll response in a channel conversation on an adaptive card generated by a Poll bot. User actions such as "View result", which will open a dialog, or user actions inside dialogs won't be available in the audit log.
Posted a new message 1, 6, 8 MessageSent A new message was posted to a chat or channel.
Populate AI-generated notes in chat AINotesUpdate AI-generated notes have been populated for a group chat.
Populate AI-generated notes in live meetings LiveNotesUpdate AI-generated notes have been populated for a live meeting.
Published app AppPublishedToCatalog An app was added to the catalog.
Read a message 1 MessageRead A message of a chat or channel was retrieved.
Read hosted content of a message 1 MessageHostedContentRead Hosted content in a message, such as an image or a code snippet, was retrieved.
Removed bot from team BotRemovedFromTeam A user removes a bot from a team.
Removed connector ConnectorRemoved A user removes a connector from a channel.
Removed members 6, 8 MemberRemoved A team owner removes members from a team, channel, or group chat.
Removed sensitivity label SensitivityLabelRemoved A user removed a sensitivity label from a Teams meeting.
Removed sharing of team channel 3 TerminatedSharing A team or channel owner disabled sharing for a shared channel.
Restored sharing of team channel 3 SharingRestored A team or channel owner re-enabled sharing for a shared channel.
Removed tab TabRemoved A user removes a tab from a channel.
Responded to invitation for shared channel 3 InviteeResponded A user responded to a shared channel invitation.
Responded to invitee response to shared channel 3 ChannelOwnerResponded A channel owner responded to a response from a user who responded to a shared channel invitation.
Retrieved messages 1 MessagesListed Messages from a chat or channel were retrieved.
Sent a message with a URL link in Teams MessageCreatedHasLink A user sends a message containing a URL link in Teams.
Sent change notification for message creation 1 MessageCreatedNotification A change notification was sent to notify a subscribed listener application of a new message.
Sent change notification for message deletion 1 MessageDeletedNotification A change notification was sent to notify a subscribed listener application of a deleted message.
Sent change notification for message update 1 MessageUpdatedNotification A change notification was sent to notify a subscribed listener application of an updated message.
Sent invitation for shared channel 3 InviteSent A channel owner or member sends an invitation to a shared channel. Invitations to shared channels can be sent to people outside of your organization if the channel policy is configured to share the channel with external users.
Subscribed to message change notifications 1 SubscribedToMessages A subscription was created by a listener application to receive change notifications for messages.
Uninstalled app AppUninstalled An app was uninstalled.
Updated app AppUpdatedInCatalog An app was updated in the catalog.
Updated a chat 1 ChatUpdated A Teams chat was updated.
Updated a message 1 MessageUpdated A message of a chat or channel was updated.
Updated connector ConnectorUpdated A user modified a connector in a channel.
Updated tab TabUpdated A user modified a tab in a channel.
Upgraded app AppUpgraded An app was upgraded to its latest version in the catalog.
User signed in to Teams TeamsSessionStarted A user signs in to a Microsoft Teams client. This event doesn't capture token refresh activities.
Posted New Message 3, 4, 6, 8 MessageSent A new message was posted to a chat or a channel.

Note

1 An audit record for this event is only logged when the operation is performed by calling a Microsoft Graph API. If the operation is performed in the Teams client, an audit record will not be logged
2 This event is only available in Audit (Premium). That means users must be assigned the appropriate license before these events are logged in the audit log. For more information about activities only available in Audit (Premium), see Audit (Premium) in Microsoft Purview. For Audit (Premium) licensing requirements, see Auditing solutions in Microsoft 365.
3 This event is in public preview.
4This event is generated for chat only if there are guests, federated and/or anonymous users.
5 This event is currently unavailable in Government Community Cloud (GCC), Government Community Cloud High (GCC-High), and Department of Defense (DoD) organizations.
6 This event is included in all participating tenants for federated chats.
7 This event has participating domain info for 1:1 federated chats.
8 This event is included in all chat conversations between external Teams users managed by an organization and external Teams users not managed by an organization.
9 This event is currently unavailable in Government Community Cloud (GCC), but is available in Government Community Cloud High (GCC-High) and Department of Defense (DoD) organizations.

Microsoft Teams Healthcare activities

If your organization is using the Patients application in Microsoft Teams, you can search the audit log for activities related to the using the Patients app. If your environment is configured to support Patients app, an additional activity group for these activities is available in the Activities picker list.

Microsoft Teams Healthcare activities in Activities picker list.

For a description of the Patients app activities, see Audit logs for Patients app.

Microsoft Teams Shifts activities

The following table lists Shift app in Microsoft Teams activities that are logged in the Microsoft 365 audit log. If your organization is using the Shifts app in Microsoft Teams, you can search the audit log for activities related to the using the Shifts app. If your environment is configured to support Shifts apps, an additional activity group for these activities is available in the Activities picker list.

Friendly name Operation Description
Added scheduling group ScheduleGroupAdded A user successfully adds a new scheduling group to the schedule.
Edited scheduling group ScheduleGroupEdited A user successfully edits a scheduling group.
Deleted scheduling group ScheduleGroupDeleted A user successfully deletes a scheduling group from the schedule.
Withdrew schedule ScheduleWithdrawn A user successfully withdraws a published schedule.
Added shift ShiftAdded A user successfully adds a shift.
Edited shift ShiftEdited A user successfully edits a shift.
Deleted shift ShiftDeleted A user successfully deletes a shift.
Added time off TimeOffAdded A user successfully adds time off on the schedule.
Edited time off TimeOffEdited A user successfully edits time off.
Deleted time off TimeOffDeleted A user successfully deletes time off.
Added open shift OpenShiftAdded A user successfully adds an open shift to a scheduling group.
Edited open shift OpenShiftEdited A user successfully edits an open shift in a scheduling group.
Deleted open shift OpenShiftDeleted A user successfully deletes an open shift from a scheduling group.
Shared schedule ScheduleShared A user successfully shared a team schedule for a date range.
Clocked in using Time clock ClockedIn A user successfully clocks in using Time clock.
Clocked out using Time clock ClockedOut A user successfully clocks out using Time clock.
Started break using Time clock BreakStarted A user successfully starts a break during an active Time clock session.
Ended break using Time clock BreakEnded A user successfully ends a break during an active Time clock session.
Added Time clock entry TimeClockEntryAdded A user successfully adds a new manual Time clock entry on Time Sheet.
Edited Time clock entry TimeClockEntryEdited A user successfully edits a Time clock entry on Time Sheet.
Deleted Time clock entry TimeClockEntryDeleted A user successfully deletes a Time clock entry on Time Sheet.
Added shift request RequestAdded A user added a shift request.
Responded to shift request RequestRespondedTo A user responded to a shift request.
Canceled shift request RequestCancelled A user canceled a shift request.
Changed schedule setting ScheduleSettingChanged A user changes a setting in Shifts settings.
Added workforce integration WorkforceIntegrationAdded The Shifts app is integrated with a third-party system.
Accepted off shift message OffShiftDialogAccepted A user acknowledges the off-shift message to access Teams after shift hours.

Microsoft Teams Updates activities

The following table lists Updates app in Microsoft Teams activities that are logged in the Microsoft 365 audit log. If your organization is using the Updates app in Microsoft Teams, you can search the audit log for activities related to the using the Updates app. If your environment is configured to support Updates apps, an additional activity group for these activities is available in the Activities picker list.

Friendly name Operation Description
Create an update request CreateUpdateRequest A user successfully creates an update request.
Edit an update request EditUpdateRequest A user opens the request editing wizard and selects Save to confirm and save any changes, or enables or disables the update request directly.
Submit an update SubmitUpdate A user successfully submits an update.
View the details of one update ViewUpdate A user views the details of the update.

Microsoft To Do activities

The following table lists the activities in Microsoft To Do that are logged in the Microsoft 365 audit log. For more information about Microsoft To Do, see Support for Microsoft To Do.

Note

Auditing events for Microsoft To Do activities requires a paid Project Plan 1 license (or higher) in addition to the relevant Microsoft 365 license that includes entitlements to Audit (Premium).

Friendly name Operation Description
Accepted sharing link on folder AcceptedSharingLinkOnFolder Accepted sharing link for a folder.
Attachment created AttachmentCreated An attachment was created for a task.
Attachment updated AttachmentUpdated An attachment was updated.
Attachment deleted AttachmentDeleted An attachment was deleted.
Folder sharing link shared FolderSharingLinkShared Created a sharing link for a folder.
Linked entity deleted LinkedEntityDeleted A linked entity was deleted.
Linked entity updated LinkedEntityUpdated A linked entity was updated.
Linked entity created LinkedEntityCreated A linked entity of task was created.
SubTask created SubTaskCreated A subtask was created.
SubTask deleted SubTaskDeleted A subtask was deleted.
SubTask updated SubTaskUpdated A subtask was updated.
Task created TaskCreated A task was created.
Task deleted TaskDeleted A task was deleted.
Task read TaskRead A task was read.
Task updated TaskUpdated A task was updated.
TaskList created TaskListCreated A task list was created.
TaskList read TaskListRead A task list was read.
TaskList updated TaskListUpdated A task list was updated.
User invited UserInvited Invited user to a folder.

Microsoft Viva Insights activities

Viva Insights provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Viva Insights. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Viva Insights. For more information, see Introducing Microsoft Viva Insights.

Friendly name Operation Description
Accessed OData link AccessedOdataLink Analyst accessed the OData link for a query.
Added delegate access AddDelegates A user added delegate access for organization insights or Copilot dashboard.
Canceled query CanceledQuery Analyst canceled a running query.
Created meeting exclusion MeetingExclusionCreated Analyst created a meeting exclusion rule.
Deleted result DeletedResult Analyst deleted a query result.
Downloaded report DownloadedReport Analyst downloaded a query result file.
Executed query ExecutedQuery Analyst ran a query.
Removed delegate access RemoveDelegates A user removed delegate access for organization insights or Copilot dashboard.
Updated data access setting UpdatedDataAccessSetting Admin updated data access settings.
Updated privacy setting UpdatedPrivacySetting Admin updated privacy settings; for example, minimum group size.
Uploaded organization data UploadedOrgData Admin uploaded organizational data file.
User logged in* UserLoggedIn A user signed in to their Microsoft 365 user account.
User logged off* UserLoggedOff A user signed out of their Microsoft 365 user account.
Viewed Explore ViewedExplore Analyst viewed visualizations in one or more Explore page tabs.

Note

*a Microsoft Entra sign-in and sign off activity event is created when a user signs in. This activity is logged even if you don't have Viva Insights turned on in your organization. For more information about user sign in activities, see Sign-in logs in Microsoft Entra ID.

Personal insights activities

The following table lists the activities in personal insights that are logged in the Microsoft 365 audit log. For more information about personal insights, see Admin guide for personal insights.

Friendly name Operation Description
Updated organization MyAnalytics settings UpdatedOrganizationMyAnalyticsSettings Admin updates organization-level settings for personal insights.
Updated user MyAnalytics settings UpdatedUserMyAnalyticsSettings Admin updates user settings for personal insights.

Quarantine activities

The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see Quarantine email messages.

Friendly name Operation Description
Deleted quarantine message QuarantineDeleteMessage An admin or user deleted an email message that was deemed to be harmful.
Denied quarantine message release request QuarantineReleaseRequestDeny An admin denial for a release request from a user for an email message that was deemed to be harmful.
Exported quarantine message QuarantineExport An admin or user exported an email message that was deemed to be harmful.
Previewed quarantine message QuarantinePreview An admin or user previewed an email message that was deemed to be harmful.
Released quarantine message QuarantineRelease An admin or user released an email message from quarantine that was deemed to be harmful.
Release request quarantine message QuarantineReleaseRequest A user requested the release of an email message that was deemed to be harmful.
Viewed quarantine message's header QuarantineViewHeader An admin or user viewed the header an email message that was deemed to be harmful.

Report activities

The following table lists the activities for usage reports that are logged in the Microsoft 365 audit log.

Friendly name Operation Description
Updated usage report privacy settings UpdateUsageReportsPrivacySetting Admin updated privacy settings for usage reports.

Retention policy and retention label activities

The following table describes the configuration activities for retention policies and retention labels when they were created, reconfigured, or deleted.

Friendly name Operation Description
Changed adaptive scope membership ApplicableAdaptiveScopeChange Users, sites, or groups were added to or removed from the adaptive scope. These changes are the results of running the scope's query. Because the changes are system-initiated, the reported user displays as a GUID rather than a user account.
Configured settings for a retention policy NewRetentionComplianceRule Administrator configured the retention settings for a new retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the New-RetentionComplianceRule cmdlet.
Created adaptive scope NewAdaptiveScope Administrator created an adaptive scope.
Created retention label NewComplianceTag Administrator created a new retention label.
Created retention policy NewRetentionCompliancePolicy Administrator created a new retention policy.
Deleted adaptive scope RemoveAdaptiveScope Administrator deleted an adaptive scope.
Deleted settings from a retention policy RemoveRetentionComplianceRule
Administrator deleted the configuration settings of a retention policy. Most likely, this activity is logged when an administrator deletes a retention policy or runs the Remove-RetentionComplianceRule cmdlet.
Deleted retention label RemoveComplianceTag Administrator deleted a retention label.
Deleted retention policy RemoveRetentionCompliancePolicy
Administrator deleted a retention policy.
Enabled regulatory record option for retention labels
SetRestrictiveRetentionUI Administrator ran the Set-RegulatoryComplianceUI cmdlet so that an administrator can then select the UI configuration option for a retention label to mark content as a regulatory record.
Retained email item proactively ExchangeDataProactivelyPreserved Adaptive protection automatically applied a retention label to retain an item in Exchange.
Retained file proactively SharePointDataProactivelyPreserved Adaptive protection automatically applied a retention label to retain an item in SharePoint or OneDrive.
Updated adaptive scope SetAdaptiveScope Administrator changed the description or query for an existing adaptive scope.
Updated settings for a retention policy SetRetentionComplianceRule Administrator changed the retention settings for an existing retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the Set-RetentionComplianceRule cmdlet.
Updated retention label SetComplianceTag Administrator updated an existing retention label.
Updated retention policy SetRetentionCompliancePolicy Administrator updated an existing a retention policy. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to.

Role administration activities

The following table lists Microsoft Entra role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name Operation Description
Add member to Role Add member to role. Added a user to an admin role in Microsoft 365.
Removed a user from a directory role Remove member from role. Removed a user to from an admin role in Microsoft 365.
Set company contact information Set company contact information. Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.

Sensitive information types activities

The following table describes the audit events for activities involving creation and updating of sensitive information types.

Friendly name Operation Description
Created new sensitive information type CreateRulePackage / EditRulePackage* A new sensitive information type was created. This includes any SITs created by copying an out of the box SIT.

Note: This activity surfaces under the audit activities 'Created rule package' or 'Edited rule package'.

Edited a sensitive information type EditRulePackage An existing sensitive information type was edited. This can include operations like adding/removing a pattern and editing the regex/keyword associated with the sensitive information type.

Note: This activity surfaces under the audit activity "Edited rule package."

Deleted a sensitive information type EditRulePackage / RemoveRulePackage An existing sensitive information type was deleted.

Note: This activity surfaces under the audit activity "Edited rule package" or "Removed rule package."

Sensitivity label activities

The following table lists events that result from using sensitivity labels with sites and items managed by Microsoft Purview. Items include documents, emails, and calendar events. For auto-labeling policies, items also include files and schematized data assets in Microsoft Purview Data Map.

Friendly name Operation Description
Applied sensitivity label to site SiteSensitivityLabelApplied A sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.
Removed sensitivity label from site SiteSensitivityLabelRemoved A sensitivity label was removed from a SharePoint site or Teams site that isn't group-connected.
Applied sensitivity label to file FileSensitivityLabelApplied

SensitivityLabelApplied
A sensitivity label was applied to an item by using Microsoft 365 apps, Office for the web, or an auto-labeling policy.

The operations for this activity are different depending on how the label was applied:
- Office for the web or an auto-labeling policy (FileSensitivityLabelApplied)
- Microsoft 365 apps (SensitivityLabelApplied)
Changed sensitivity label applied to file FileSensitivityLabelChanged

SensitivityLabelUpdated
A different sensitivity label was applied to an item.

The operations for this activity are different depending on how the label was changed:
- Office for the web or an auto-labeling policy (FileSensitivityLabelChanged)
- Microsoft 365 apps (SensitivityLabelUpdated)
Changed sensitivity label on a site SiteSensitivityLabelChanged A different sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.
Removed sensitivity label from file FileSensitivityLabelRemoved

SensitivityLabelRemoved
A sensitivity label was removed from an item by using Microsoft 365 apps, Office for the web, an auto-labeling policy, or the Unlock-SPOSensitivityLabelEncryptedFile cmdlet.

The operations for this activity are different depending on how the label was removed:
- Office for the web or an auto-labeling policy (FileSensitivityLabelRemoved)
- Microsoft 365 apps (SensitivityLabelRemoved)

Additional auditing information for sensitivity labels:

SharePoint list activities

The following table describes activities related to when users interact with lists and list items in SharePoint Online. Audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name Operation Description
Created list ListCreated A user created a SharePoint list.
Created list column ListColumnCreated A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists.
Created list content type ListContentTypeCreated A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists.
Created list item ListItemCreated A user created an item in an existing SharePoint list.
Created site column SiteColumnCreated A user created a SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web.
Created site content type Site ContentType Created A user created a site content type. A site content type is a content type that's attached to the parent site.
Deleted list ListDeleted A user deleted a SharePoint list.
Deleted list column List Column Deleted A user deleted a SharePoint list column.
Deleted list content type ListContentTypeDeleted A user deleted a list content type.
Deleted list item List Item Deleted A user deleted a SharePoint list item.
Deleted site column SiteColumnDeleted A user deleted a SharePoint site column.
Deleted site content type SiteContentTypeDeleted A user deleted a site content type.
Recycled list item ListItemRecycled A user moved a SharePoint list item to the Recycle Bin.
Restored list ListRestored A user restored a SharePoint list from the Recycle Bin.
Restored list item ListItemRestored A user restored a SharePoint list item from the Recycle Bin.
Updated list ListUpdated A user updated a SharePoint list by modifying one or more properties.
Updated list column ListColumnUpdated A user updated a SharePoint list column by modifying one or more properties.
Updated list content type ListContentTypeUpdated A user updated a list content type by modifying one or more properties.
Updated list item ListItemUpdated A user updated a SharePoint list item by modifying one or more properties.
Updated list view ListViewUpdated A user updated a SharePoint list view by modifying one or more properties.
Updated site column SiteColumnUpdated A user updated a SharePoint site column by modifying one or more properties.
Updated site content type SiteContentTypeUpdated A user updated a site content type by modifying one or more properties.

Sharing and access request activities

The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business. For sharing events, the Detail column under Results identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. For more information, see Use sharing auditing in the audit log.

Note

Users can be either members or guests based on the UserType property of the user object. A member is usually an employee, and a guest is usually a collaborator outside of your organization. When a user accepts a sharing invitation (and isn't already part of your organization), a guest account is created for them in your organization's directory. Once the guest user has an account in your directory, resources may be shared directly with them (without requiring an invitation).

Friendly name Operation Description
Added permission level to site collection PermissionLevelAdded A permission level was added to a site collection.
Accepted access request AccessRequestAccepted An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation SharingInvitationAccepted User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Blocked sharing invitation SharingInvitationBlocked A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because:
The target user's domain isn't included in the list of allowed domains.
Or
The target user's domain is included in the list of blocked domains.
For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
Created access request AccessRequestCreated User requests access to a site, folder, or document they don't have permissions to access.
Created a company shareable link CompanyLinkCreated User created a company-wide link to a resource. company-wide links can only be used by members in your organization. They can't be used by guests.
Created an anonymous link AnonymousLinkCreated User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
Created secure link SecureLinkCreated A secure sharing link was created to this item.
Created sharing invitation SharingInvitationCreated User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.
Deleted secure link SecureLinkDeleted A secure sharing link was deleted.
Denied access request AccessRequestDenied An access request to a site, folder, or document was denied.
Removed a company shareable link CompanyLinkRemoved User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link AnonymousLinkRemoved User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site SharingSet User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest.

This activity is often accompanied by a second event that describes how the user was granted access to the resource. For example, adding the user to a group that has access to the resource.
Updated access request AccessRequestUpdated An access request to an item was updated.
Updated an anonymous link AnonymousLinkUpdated User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
Updated sharing invitation SharingInvitationUpdated An external sharing invitation was updated.
Used an anonymous link AnonymousLinkUsed An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address.
Unshared file, folder, or site SharingRevoked User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Used a company shareable link CompanyLinkUsed User accessed a resource by using a company-wide link.
Used secure link SecureLinkUsed A user used a secure link.
User added to secure link AddedToSecureLink A user was added to the list of entities who can use a secure sharing link.
User removed from secure link RemovedFromSecureLink A user was removed from the list of entities who can use a secure sharing link.
Withdrew sharing invitation SharingInvitationRevoked User withdrew a sharing invitation to a resource.

Site administration activities

The following table lists events that result from site administration tasks in SharePoint Online. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name Operation Description
Added allowed data location AllowedDataLocationAdded A SharePoint or global administrator added an allowed data location in a multi-geo environment.
Added exempt user agent ExemptUserAgentSet A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.
Added geo location admin GeoAdminAdded A SharePoint or global administrator added a user as a geo admin of a location.
Allowed user to create groups AllowGroupCreationSet Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
Canceled site geo move SiteGeoMoveCancelled A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Changed a sharing policy SharingPolicyChanged A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperties field in the detailed properties of the event record.
Changed device access policy DeviceAccessPolicyChanged A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see Control access from unmanaged devices.
Changed exempt user agents CustomizeExemptUsers A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form is returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.
Changed network access policy NetworkAccessPolicyChanged A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see Control access to SharePoint Online and OneDrive data based on network location.
Completed migration job MigrationJobCompleted A migration job was successfully completed.
Completed site geo move SiteGeoMoveCompleted A site geo move that was scheduled by a global administrator in your organization was successfully completed. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Created Sent To connection SendToConnectionAdded A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
Created site collection SiteCollectionCreated A SharePoint or global administrator creates a site collection in your SharePoint Online organization or a user provisions their OneDrive for Business site.
Deleted orphaned hub site HubSiteOrphanHubDeleted A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it. An orphaned hub is likely caused by the deletion of the original hub site.
Deleted Sent To connection SendToConnectionRemoved A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
Deleted site SiteDeleted Site administrator deletes a site.
Enabled document preview PreviewModeEnabledSet Site administrator enables document preview for a site.
Enabled legacy workflow LegacyWorkflowEnabledSet Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
Enabled Office on Demand OfficeOnDemandSet Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires a Microsoft 365 subscription that includes full, installed Office applications.
Enabled result source for People Searches PeopleResultsScopeSet Site administrator creates the result source for People Searches for a site.
Enabled RSS feeds NewsFeedEnabledSet Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
Joined site to hub site HubSiteJoined A site owner associates their site with a hub site.
Modified site collection quota SiteCollectionQuotaModified Site administrator modifies the quota for a site collection.
Registered hub site HubSiteRegistered A SharePoint or global administrator creates a hub site. The results are that the site is registered to be a hub site.
Removed allowed data location AllowedDataLocationDeleted A SharePoint or global administrator removed an allowed data location in a multi-geo environment.
Removed geo location admin GeoAdminDeleted A SharePoint or global administrator removed a user as a geo admin of a location.
Renamed site SiteRenamed Site administrator or owner renames a site
Scheduled site geo move SiteGeoMoveScheduled A SharePoint or global administrator successfully schedules a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Set host site HostSiteSet A SharePoint or global administrator changes the designated site to host personal or OneDrive for Business sites.
Set storage quota for geo location GeoQuotaAllocated A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.
Unjoined site from hub site HubSiteUnjoined A site owner disassociates their site from a hub site.
Unregistered hub site HubSiteUnregistered A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site.

Site permissions activities

The following table lists events related to assigning permissions in SharePoint and using groups to give (and revoke) access to sites. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name Operation Description
Added site collection admin SiteCollectionAdminAdded Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account (by editing the user profile in the SharePoint admin center or by using the Microsoft 365 admin center).
Added user or group to SharePoint group AddedToGroup User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event.
Broke permission level inheritance PermissionLevelsInheritanceBroken An item was changed so that it no longer inherits permission levels from its parent.
Broke sharing inheritance SharingInheritanceBroken An item was changed so that it no longer inherits sharing permissions from its parent.
Created group GroupAdded Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
Deleted group GroupRemoved User deletes a group from a site.
Modified access request setting WebRequestAccessModified The access request settings were modified on a site.
Modified 'Members Can Share' setting WebMembersCanShareModified The Members Can Share setting was modified on a site.
Modified permission level on a site collection PermissionLevelModified A permission level was changed on a site collection.
Modified site permissions SitePermissionsModified Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group.

NOTE: This operation has been deprecated in SharePoint Online. To find related events, you can search for other permission-related activities such as Added site collection admin, Added user or group to SharePoint group, Allowed user to create groups, Created group, and Deleted group.
Removed permission level from site collection PermissionLevelRemoved A permission level was removed from a site collection.
Removed site collection admin SiteCollectionAdminRemoved Site collection administrator or owner removes a person as a site collection administrator for a site. This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account (by editing the user profile in the SharePoint admin center). To return this activity in the audit log search results, you have to search for all activities.
Removed user or group from SharePoint group RemovedFromGroup User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event.
Requested site admin permissions SiteAdminChangeRequest User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.
Restored sharing inheritance SharingInheritanceReset A change was made so that an item inherits sharing permissions from its parent.
Updated group GroupUpdated Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.

Synchronization activities

The following table lists file synchronization activities in SharePoint Online and OneDrive for Business.

Friendly name Operation Description
Allowed computer to sync files ManagedSyncClientAllowed User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization.

For more information about this feature, see Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Blocked computer from syncing files UnmanagedSyncClientBlocked User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship isn't allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library.

For information about this feature, see Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Downloaded files to computer FileSyncDownloadedFull User downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
Downloaded file changes to computer FileSyncDownloadedPartial This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
Uploaded files to document library FileSyncUploadedFull User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
Uploaded file changes to document library FileSyncUploadedPartial This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).

SystemSync activities

The following table lists the activities for SystemSync that are logged in the Microsoft 365 audit log.

Friendly name Operation Description
Data Share Created DataShareCreated When the data export is created by the user.
Data Share Deleted DataShareDeleted When the data export is deleted by the user.
Generate Copy Of Lake Data GenerateCopyOfLakeData When the copy of Lake Data is generated.
Download Copy Of Lake Data DownloadCopyOfLakeData When the copy of Lake Data is downloaded.

User administration activities

The following table lists user administration activities that are logged when an admin adds or changes a user account by using the Microsoft 365 admin center or the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Activity Operation Description
Added user Add user. A user account was created.
Changed user license Change user license. The license assigned to a user what changed. To see what licenses were changes, see the corresponding Updated user activity.
Changed user password Change user password. A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organization to allow users to reset their password. You can also track self-service password reset activity in Microsoft Entra ID. For more information, see Reporting options for Microsoft Entra password management.
Deleted user Delete user. A user account was deleted.
Reset user password Reset user password. Administrator resets the password for a user.
Set property that forces user to change password Set force change user password. Administrator set the property that forces a user to change their password the next time the user signs in to Microsoft 365.
Set license properties Set license properties. Administrator modifies the properties of a licensed assigned to a user.
Updated user Update user. Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in Microsoft Entra audit Report Events.

Viva Goals activities

The following table lists the user and admin activities in Viva Goals that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Search the audit log details how you can search for the audit logs from the Microsoft Purview portal and the compliance portal. The user needs to be a global admin or have audit read permissions to access audit logs. You can use the Activities filter to search for specific activities and to list all Viva Goals activities you can choose 'VivaGoals' in the Record type filter. You can also use the date range boxes and the Users list to narrow the search results further.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name Operation Description
Organization created Organization created Admin or the user has created a new organization on Viva Goals.
User added User added A new user has been added to an organization on Viva Goals.
User deactivated User deactivated A user has been deactivated in an organization.
User deleted User deleted A user has been deleted from an organization on Viva Goals.
User logged in User logged in User has logged into Viva Goals.
Team added Team added A new team has been created within an organization on Viva Goals.
Team updated Team updated A team within an organization on Viva Goals has been modified or updated.
Team deleted Team deleted A team within an organization on Viva Goals has been deleted by the user.
Data exported Data exported A user has exported list of OKRs or list of users in an organization on Viva Goals.
Goals policy updated Goals policy updated The global admin has modified the policy or settings at the tenant level on Viva Goals. For example, the global admin has configured who can create organizations on Viva Goals.
Organization settings updated Organization settings updated The user (typically Organization owners or admins) has updated organization specific settings on Viva Goals.
Organization integrations updated Organization integrations updated The user (typically Organization owners or admins) has configured a third party integration or updated an existing third party integration for an organization on Viva Goals.
OKR or Project created OKR or Project created User has created an OKR or Project on Viva Goals.
OKR or Project updated OKR or Project updated An OKR/Project has been modified or a check-in has been made by the user or an integration on Viva Goals.
OKR or Project deleted OKR or Project deleted User has deleted an OKR or Project.
Dashboard created Dashboard created User has created a new dashboard on Viva Goals
Dashboard updated Dashboard updated User has updated a dashboard on Viva Goals
Dashboard deleted Dashboard deleted User has deleted a dashboard on Viva Goals.

Viva Engage activities

The following table lists the user and admin activities in Viva Engage that are logged in the audit log. To return Viva Engage-related activities from the audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results.

Note

Some Viva Engage audit activities are only available in Audit (Premium). That means users must be assigned the appropriate license before these activities are logged in the audit log. For more information, see Audit (Premium). For Audit (Premium) licensing requirements, see Auditing solutions in Microsoft 365.

In the following table, Audit (Premium) activities are highlighted with an asterisk (*).

Friendly name Operation Description
Added corporate communicator AddUserRole A user is assigned as a corporate communicator.
Changed custom usage policy UsagePolicyUpdated A tenant admin updates a custom usage policy.
Changed data retention policy SoftDeleteSettingsUpdated Verified admin updates the setting for the network data retention policy to either Hard Delete or Soft Delete. Only verified admins can perform this operation.
Changed network configuration NetworkConfigurationUpdated Network or verified admin changes the Viva Engage network's configuration. This includes setting the interval for exporting data and enabling chat.
Changed network profile settings ProcessProfileFields Network or verified admin changes the information that appears on member profiles for network users network.
Changed private content mode SupervisorAdminToggled Verified admin turns Private Content Mode on or off. This mode lets an admin view the posts in private groups and view private messages between individual users (or groups of users). Only verified admins only can perform this operation.
Changed security configuration NetworkSecurityConfigurationUpdated Verified admin updates the Viva Engage network's security configuration. This includes setting password expiration policies and restrictions on IP addresses. Only verified admins can perform this operation.
Conversation closed CloseConversation The Viva Engage thread has been closed, preventing users from replying to it. This action can be carried out by an admin, corporate communicator, or a user delegate.
Conversation opened OpenConversation The Viva Engage thread conversation has been opened which allows users to reply to the thread. This action can be performed by an admin, corporate communications, or a user delegate.
Created file FileCreated User uploads a file.
Created group GroupCreation User creates a group.
Created message MessageCreation User creates a message.
Deleted group GroupDeletion A group is deleted from Viva Engage.
Deleted message MessageDeleted User deletes a message.
Downloaded file FileDownloaded User downloads a file.
Exported data DataExport Verified admin exports Viva Engage network data. Only verified admins can perform this operation.
Failed to access file FileAccessFailure User failed to access a file.
Failed to access group GroupAccessFailure User failed to access a group.
Failed to access thread ThreadAccessFailure User failed to access a message thread.
Reacted to message MarkedMessageChanged User reacted to a message.
Removed Corporate Communicator RemoveUserRole A user is removed from the Corporate Communicator role.
Remove curated topic* RemoveCuratedTopic User removes a curated topic.
Shared file FileShared User shares a file with another user.
Suspended network user NetworkUserSuspended Network or verified admin suspends (deactivates) a user from Viva Engage.
Suspended user UserSuspension User account is suspended (deactivated).
Tenant Usage Policy Acceptance UsagePolicyAcceptance A user accepts a tenant-specific usage policy.
Thread Muted AdminThreadMuted A thread has been muted by admin or watch alert (system user). A watch alert occurs when a thread is flagged for a certain theme (set by the admin) and is auto-muted by the system.
Thread Unmuted AdminThreadUnmuted Admin unmuted a thread.
Updated file description FileUpdateDescription User changes the description of a file.
Updated file name FileUpdateName User changes the name of a file.
Updated message MessageUpdated User updates a message.
Updated role assignment for Network Admin NetworkAdminUpdated A user is either promoted or demoted to the Network Admin role.
Updated role assignment for Verified Admin NetworkVerifiedAdminUpdated A user is either promoted or demoted to the Verified Admin role.
Viewed file FileVisited User views a file.
Viewed thread ThreadViewed User views a message thread.

Viva Pulse activities

The following table lists the user and admin activities in Viva Pulse that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Search the audit log details how you can search for the audit logs from the Microsoft Purview portal and the compliance portal. The user needs to be a global admin or have audit read permissions to access audit logs. You can use the Activities filter to search for specific activities and to list all Viva Pulse activities you can choose VivaPulse in the Record type filter. You can also use the date range boxes and the Users list to narrow the search results further.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name Operation Description
User submitted response to a pulse survey PulseSubmit Admin or user provided feedback for a Viva Pulse feedback request.
User created a Pulse survey PulseCreate New Viva Pulse feedback request is created.
User extended their pulse survey deadline PulseExtendDeadline The deadline for the existing Viva Pulse feedback request was extended.
User invited additional users to Pulse survey PulseInvite Additional users were invited to an existing Viva Pulse feedback request.
User canceled a Pulse survey PulseCancel User canceled a Pulse survey.
User shared a pulse report PulseShareResults Viva Pulse feedback result was shared with users.
User created a Pulse draft PulseCreateDraft User created a Pulse draft.
User deleted a Pulse draft PulseDeleteDraft User deleted a Pulse draft.
Admin deleted an user's data PulseDeleteUserData Admin deleted an user's data.
Admin updated tenant's settings PulseTenantSettingsUpdate Admin updated an organization setting for Viva Pulse.

Windows 365 Customer Lockbox activities

The following table lists the user and admin activities in Windows 365 Customer Lockbox that are logged in the audit log. To return Windows 365 Customer Lockbox-related activities from the audit log, select Windows365CustomerLockbox under Record types. Use the date range boxes and the Users list to narrow the search results.

Friendly name Operation Description
Trigger device remediation Trigger device remediation Trigger device remediation.
Upload folder to blob Upload folder to blob Compress and upload customer device's folder to blob.
Check PowerShell Execution Policy Check PowerShell Execution Policy Check PowerShell execution policy.
Install RD agent Install RD agent Install RD agent on the device of the user.
Run hybrid AADJ extension Run hybrid AADJ extension Run hybrid AADJ extension on the device of the user.
Create VmExtension Request Create VmExtention Request Creates VM extension requests to execute VM extension to run custom scripts on the customer device.
Trigger orchestrator Trigger orchestrator Trigger orchestrator for the user.
Trigger generic action by SaaF Trigger generic action by SaaF Trigger device action (Retargeting, EnableRdpAccessForCitrix, DisableRdpAccessFprCitrix) for user.
Trigger generic action Trigger generic action Trigger device action for user.
Trigger generic action with options Trigger generic action with options Trigger device action with option parameters, more powerful than that of trigger generic action.
Create new work items (Scheduler) Create new work items (Scheduler) Create new work items, For example, Provision, Deprovision, Reprovision etc.
Post Remote Action Operation Post Remote Action Operation Post Remote Action, plus polling the result by GetActions operation.
OCE Run Commands on VM OCE Run Commands on VM Run commands by tenantID, deviceID list, and script.
Create LogCollection Request Create LogCollection Request Create log collection request to Cloud PC.
Trigger CMD Agent Canary check. Trigger CMD Agent Canary check. Trigger CMD Agent Canary check on specific device.
Execute AppHealthPlugin Execute AppHealthPlugin Execute AppHealthPlugin.
Backfill CMD Agent AddDevicesToBackfill Operation Backfill CMD Agent on Cloud PC.
Reinstall CMD Agent AddDevicesToReinstall Operation Reinstall CMD Agent on demand.
Bulk reinstall CMD Agent TriggerClientAgentCheckBulkAction Operation Bulk reinstall CMD agent on demand.
Create Remote Action Operation in ActionModeratorService Create Remote Action Operation in ActionModeratorService Create remote action by tenantID, workspaceID, actionType, actionParameters.