Delayed or Missing AIP Audit Logs for Protected Files

Question

Subject: Delayed or Missing AIP Audit Logs for Protected Files

Affected System/Service: Azure Information Protection (AIP)
Impact: Delays of 20–40 minutes, or complete absence, of audit logs for file access events (e.g., file open, access denied)
Priority Level: Medium

Description of the Issue

We are experiencing significant delays and missing entries in the Azure Information Protection (AIP) audit logs for protected files.
Recent testing shows that file access events, such as file opens or access denials, are either delayed by 20–40 minutes or do not appear at all in the logs.

This issue affects our ability to monitor access attempts in real time, which is critical for security compliance and incident response.

Steps to Reproduce

Protect a file using Azure Information Protection.

Attempt to open the file or trigger an access denial event.

Check the AIP audit logs in [Insert Azure Portal Path].

Observe the delay or absence of the expected log entry.

How we are fetching the logs

We are using the next script to fetch logs:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
$ErrorActionPreference = "Stop"
Import-Module AIPService
$Path = $args[0]
$TodayDate =  [DateTime](Get-Date)
$YesterdayDate = $TodayDate.AddDays(-1)
$TomorrowDate = $TodayDate.AddDays(+1)
Get-AipServiceUserLog -Verbose -Path $Path -fromdate $YesterdayDate -todate $TomorrowDate -Force

Expected Behavior

AIP audit logs should record file access events within a reasonable time frame (preferably within minutes).

Logs should consistently capture all access attempts, including successful opens and denied access attempts.

Actual Behavior

• Some access events appear in the logs with significant delays (20–40 minutes).
• Other access events do not appear in the logs at all.

Troubleshooting Steps Already Taken

Verified that audit logging is enabled in AIP settings.

Checked Azure service health for reported incidents.

Confirmed that affected users have appropriate logging permissions.

Tested across different file types.

Attempted to replicate the issue in multiple tenant environments.

Request for Microsoft Support

We require Microsoft’s assistance in:

Investigating the root cause of delayed/missing AIP audit logs.

Providing recommendations or fixes to ensure audit logs are timely and complete.

Contact Information

Primary Contact: [support-at-specterx-dot-com]

Answer 1

Hi @eylon
Welcome to Microsoft Q&A platform and thanks for posting your query here.
I'm sorry to hear you're experiencing delays and missing entries in your Azure Information Protection (AIP) audit logs. Let's address your concerns step by step.

Historically, AIP provided audit logs to monitor activities like file access events. However, as of September 30, 2022, Microsoft retired the AIP audit logs and analytics feature. This means that the traditional AIP audit logs are no longer available or updated.

Here are a few things to check and try:

1. AIP Audit Logs Retirement – Microsoft has phased out AIP-specific audit logs, so some logging may not work as expected. Instead, logs are now part of Microsoft Purview (formerly Compliance Center).
2. Check the Unified Audit Log – If you haven't already, try searching for the logs in the Microsoft 365 Unified Audit Log using Search-UnifiedAuditLog in PowerShell or through the Microsoft 365 Compliance Center.
3. Log Delay Considerations – Audit logs in Microsoft 365 can sometimes have a delay (typically 15 minutes but can be longer). This delay might be causing the issue.
4. Update the Logging Script – The PowerShell cmdlet Get-AipServiceUserLog is outdated. You may need to update your method to fetch logs via the Microsoft Purview API or the Unified Audit Log.

For more information, please refer the below articles:

• Logging and analyzing the protection usage from AIP
• Removed and retired services

Hope this helps. Do let us know if you any further queries.

---

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.