Audit changes to labels and policies in Azure Information Protection

%3CLINGO-SUB%20id%3D%22lingo-sub-327498%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20changes%20to%20labels%20and%20policies%20in%20Azure%20Information%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327498%22%20slang%3D%22en-US%22%3E%3CP%3EWhoops%2C%20I%20guess%20I've%20misunderstood%20you%20then.%20I'm%20not%20aware%20of%20any%20logs%20that%20list%20label%20operations%2C%20but%20if%20the%20label%20is%20associated%20with%20a%20corresponding%20Azure%20RMS%20template%2C%20you%20can%20use%20the%20RMS%20audit%20logs%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Flog-analyze-usage%23how-to-access-and-use-your-azure-rights-management-usage-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Flog-analyze-usage%23how-to-access-and-use-your-azure-rights-management-usage-logs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327136%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20changes%20to%20labels%20and%20policies%20in%20Azure%20Information%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327136%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Vasil%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20link%20you%20sent%20me%20tells%20me%20how%20labels%20are%20used.%26nbsp%3B%26nbsp%3B%20What%20I%20was%20looking%20for%20is%20the%20actions%20of%20labels%20in%20the%20Azure%20Portal.%26nbsp%3B%26nbsp%3B%20Who%20creates%20a%20label%2C%20who%20modifies%20a%20label%20properties%2C%20etc%20...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20seem%20to%20find%20that%20information.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-326135%22%20slang%3D%22en-US%22%3ERe%3A%20Audit%20changes%20to%20labels%20and%20policies%20in%20Azure%20Information%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-326135%22%20slang%3D%22en-US%22%3E%3CP%3EThose%20operations%20are%20only%20audited%20client-side%2C%20unfortunately.%20So%20you%20will%20need%20to%20collect%20them%20centrally%20from%20each%20workstation%2C%20if%20you%20even%20have%20access%20to%20it.%20This%20article%20can%20get%20you%20started%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Frms-client%2Fclient-admin-guide-files-and-logging%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Frms-client%2Fclient-admin-guide-files-and-logging%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-325935%22%20slang%3D%22en-US%22%3EAudit%20changes%20to%20labels%20and%20policies%20in%20Azure%20Information%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-325935%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20been%20looking%20for%20a%20way%20to%20audit%20or%20monitor%20changes%2Fdeletions%2Fcreations%20of%20labels%20in%20Azure%20Information%20Protection.%26nbsp%3B%26nbsp%3B%26nbsp%3B%20I've%20enabled%20log%20workspace%20and%20all%20the%20logging%20through%20PowerShell%20module.%26nbsp%3B%26nbsp%3BI%20made%20sure%20the%20admin%20is%20allowed%20access%20(thick%20at%20the%20button)%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYet%20...%20when%20I%20delete%20a%20label%2C%20I%20cannot%20seem%20to%20find%20out%20which%20user%20it%20was%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20or%20tips%3F%26nbsp%3B%26nbsp%3B%20Thanks%26nbsp%3B%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello

 

I've been looking for a way to audit or monitor changes/deletions/creations of labels in Azure Information Protection.    I've enabled log workspace and all the logging through PowerShell module.  I made sure the admin is allowed access (thick at the button)   

 

Yet ... when I delete a label, I cannot seem to find out which user it was? 

 

Any ideas or tips?   Thanks  :)

3 Replies

Those operations are only audited client-side, unfortunately. So you will need to collect them centrally from each workstation, if you even have access to it. This article can get you started: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-files-an...

Hi Vasil

 

The link you sent me tells me how labels are used.   What I was looking for is the actions of labels in the Azure Portal.   Who creates a label, who modifies a label properties, etc ...

 

I can't seem to find that information.  

Whoops, I guess I've misunderstood you then. I'm not aware of any logs that list label operations, but if the label is associated with a corresponding Azure RMS template, you can use the RMS audit logs: https://docs.microsoft.com/en-us/azure/information-protection/log-analyze-usage#how-to-access-and-us...