Dela via


Audit logs for Copilot and AI activities

This article provides an overview of the audit logs generated for user interactions and admin activities related to Microsoft Copilot and AI applications. These activities are automatically logged as part of Audit (Standard). If auditing is enabled in your organization, additional configuration steps aren’t needed for Copilot and AI application auditing support.

Admin activities with Copilot and AI applications

Audit logs are generated when an administrator performs activities related to Copilot settings, plugins, promptbooks, or workspaces. For more information, see Copilot activities.

User activities with Copilot and AI applications

Audit logs are automatically generated when a user interacts with Copilot or an AI Application. These audit records contain details about which user interacted with Copilot, when and where the interaction took place. Audit records also include references to files, sites, or other resources Copilot and AI applications accessed to generate responses to user prompts.

Commonly used properties in Copilot audit logs

The following are some of the commonly used properties included in audit logs. For more information about the detailed schema of the Copilot Interaction audit log, see Copilot interaction events overview.

  • Operation: Specifies the name of the activity which was audited.
  • RecordType: Identifies the category of Copilot or AI Application which the user interacted with. For example, CopilotInteraction refers to scenarios where a user interacted with a Microsoft-developed Copilot application. ConnectedAIAppInteraction refers to scenarios where a user interacted with a custom-built Copilot or third-party AI application deployed and registered within your organization AIAppInteraction refers to interactions with third-party AI applications which aren't deployed within your organization.
  • Workload: Identifies the app category, similar to RecordType. For example, Copilot, ConnectedAIApp, and AIApp.
  • AppIdentity: A detailed string which allows you to uniquely identify the specific Copilot or AI Application which the user interacted with. It typically follows the structure workloadName.appGroup.appName.
  • AppHost: The same Copilot application could be deployed within multiple host applications. This property helps identify the application which hosted the interaction between a user and Copilot. Some of the common AppHost scenarios are:
    • BizChat: Indicates that the Copilot interaction was performed in the BizChat client (either via Teams, or the app, or via the website microsoft365.com/copilot or microsoft365.com/chat).
    • Bing: Indicates that the Copilot interaction was performed through the Microsoft Edge browser, Office mobile apps, or copilot.cloud.microsoft.com.
    • Office: Indicates that the Copilot interaction was performed through office.com or microsoft365.com.
    • Other application-specific values: Values like Word, Excel, PowerPoint, OneNote, Stream, etc. indicate that the interaction was performed within these applications.

Example Copilot scenarios for user activities

The following tables list some example scenarios and how they appear in the audit log. These example audit logs are created from Copilot activities.

Microsoft Copilot

A user interacts with Microsoft Copilot through the BizChat client.

Operation RecordType AppIdentity AppHost
CopilotInteraction CopilotInteraction Copilot.MicrosoftCopilot.BizChat BizChat

Security Copilot

A user interacts with Security Copilot within Microsoft Defender.

Operation RecordType AppIdentity AppHost
CopilotInteraction CopilotInteraction Copilot.Security.SecurityCopilot Defender

Copilot Studio applications

A user interacts with a custom-built Copilot Studio application (whose appId is the GUID contained in appIdentity). The interaction takes place within Microsoft Teams, where this custom-built application is deployed.

Operation RecordType AppIdentity AppHost
CopilotInteraction CopilotInteraction Copilot.Studio.f4d97b45-1deb-40ce-9004-b473b79eab85 Teams

Microsoft Team Copilot

Microsoft Team Copilot performed an update to AI Notes or Live Notes in Microsoft Teams.

Operation RecordType AppIdentity AppHost
AINotesUpdate TeamCopilotInteraction Copilot.TeamCopilot.AINotes Teams
LiveNotesUpdate TeamCopilotInteraction Copilot.TeamCopilot.LiveNotes Teams

Identifying if Copilot accessed the web

When web search is enabled, Microsoft 365 Copilot and Microsoft Copilot parse user prompts and determine whether web search would improve the quality of the response. To identify if Copilot referenced the public web in a user interaction, review the AISystemPlugin.Id property in the CopilotInteraction audit record. AISystemPlugin.Id contains the value BingWebSearch when user Copilot requests use the public web via Microsoft Bing for additional data.

Accessing Copilot audit logs

Copilot audit logs are accessed using the Microsoft Purview portal and by selecting Audit.

To search for specific Copilot or AI application scenarios, filter the logs using the properties like Operation (using the Activities – operation names field in the Microsoft Purview portal), RecordType, and Workload.

If you need to search for audit logs containing a specific AppIdentity value or set of values, first search and export all relevant Copilot audit logs by filtering by operation name. From the exported search results, apply a filter on the AppIdentity property offline.