Microsoft Fixes Copilot Audit Records
After a report to the MSRC about some missing file data from Copilot audit records, Microsoft fixed the problem and audit records now contain details about the SharePoint Online files reviewed by Copilot to construct answers to user prompts. Having solid audit and compliance data is a good thing, unless you’re a lawyer charged with defending an eDiscovery action who might be asked to produce the files. https://office365itpros.com/2025/08/22/copilot-audit-records-fixed/
Purview and auditing file modifications
I have full M365 E5 license and use Purview auditing a lot for investigations. I noticed is reports file modified which is create but some of my files would get modified constantly. I'm curious if it can log and provide a report on what exactly was modified. For example: If text was added or deleted, can it tell me what was added or deleted i.e. the actual text and the action (Add\Delete) If an image was pasted into a word document, can it tell me that? If possible, down to a copy of the image that was inserted? If it can't do this level of detail anyone have suggestions of a product that can?
Auditing Resource Bookings
I am once again dealing with overlapped bookings on rooms set to not allow overlapped bookings. I've verified this in PowerShell. I've limited who can make these to 2 users. I've trained these users. They are using Outlook on the web - just in case the app doesn't update. STILL, I am getting bookings on top of each other. One person books something - then another person books something on top of it. I need to audit this. I have enabled resource auditing. I have tried 1) Purview auditing the booking users - everything they do related to Exchange. This returns hundreds of entries for the time periods specified, and I genuinely do not have time to parse all of this. 2) using purview to search only for entries on the room resource. These apparently have no data, ever. 3) Using purview to search for activities related to booking.. Too bad the activity dropdown does not work, and 80% of the entries are repeats. Maybe I can find operation names from the documentation? (no) 4) Maybe Copilot can help me find operation names? (no, he just hallucinates) 6) Abandoning Purview, I open Exchange and head to the Collect Logs entries. I run both Resource Bookings and Calendar logs. Because that is, essentially, exactly what I want. Unfortunately neither of these are even remotely useful to a human - except to confirm this shouldn't be possible. I spend an hour parsing through the endless nigh-identically named fields, to find data relevant to me - What I can find isn't accurate, and isn't useful. 7) I open Outlook, and try to look at the actual mail interactions on that shared mailbox. Unfortunately, there is nothing for these days. No sent, inbox, deleted items referencing the bookings at all. 8) I open powershell, i try commands microsoft gives. These are deprecated. This should really not be this hard. In fact, it should be REALLY EASY to see when bookings came in and out. I am really close to looking for a 3rd party solution just so i don't have to waste any more time on thisUse Audit Data to Improve Finding Inactive Copilot Users
A previous article explained how Microsoft 365 usage report data can highlight inactive Copilot users. If we add audit data to the mix, the analysis becomes much richer because we can see exactly what use people make of different Copilot apps, like Word, Chat, Outlook, and so on. Better data means better decisions! https://practical365.com/inactive-copilot-users/
Report all active users in tenant and their installed integrated apps
Our security team has requested that we block the install of any Copilot apps until our AI policy is in place. Before we do this, I'd like to know what apps from Microsoft 365 admin center > Settings > Integrated apps > Available apps are currently installed by our users. I don't see any way that the UI offers this capability, so I believe it will be PowerShell. I did already run the following script, but it returns only 2 apps, which are apps we have deployed to our users. It's possible our 2600 users haven't installed anything else, but not probable. Install-Module O365CentralizedAddInDeployment Import-Module -Name O365CentralizedAddInDeployment Connect-OrganizationAddInService Get-OrganizationAddIn If the above isn't possible, it would also be useful to find a script that would give me a list of users who have a given app (from 365 Integrated apps > Available apps) installed, such as CopilotForce or Microsoft Copilot Studio.Purview Retires Events Alert Capability from Unified Audit Log
Audit-based alerts are a way for tenants to mark audit events that they want to be notified about through email when these events appear in the unified audit log. It’s a way for administrators to monitor what happens in a tenant. Time has run out for activity alerts because better ways exist to monitor audit events. The only problem is deciding which approach to take. https://office365itpros.com/2025/02/17/audit-based-alerts-retirement/Search-UnifiedAuditLog Gets High Completeness Capability
A new preview feature supports high completeness audit log searches. These searches are optimized to make sure that they find every matching audit instead of finishing as quickly as possible. High completeness audit log searches do take more time but their results are accurate and they find more records than Search-UnifiedAuditLog was able to in the past. Looks like a good new feature. https://office365itpros.com/2024/03/26/high-completeness-audit-log/Using the Audit Log to Generate a Daily Action Summary for a User
This article describes how to report the audit events for a user over a single day. The task seems simple, but inconsistency in audit payloads make it harder. Workloads don’t help by the variations in audit events. In any case, persistence and knowledge about what the audit event captured for an action helps to decode the data, as illustrated by the script detailed here. https://office365itpros.com/2024/12/03/audit-events-for-a-user/Use the Audit Log to Find the Last Accessed Date for SharePoint Documents
The unified audit log is full of interesting information about who did what and when they did it. In this article, I describe how to use file operations audit events to find the last accessed date for documents in a SharePoint Online site. It’s data that isn’t available in the Microsoft Graph, but it is in the unified audit log. https://office365itpros.com/2024/11/15/file-operations-audit-events/The Problem with Scoped Audit Log Searches
Microsoft Purview and the Exchange Online Search-UnifiedAuditLog cmdlet both perform searches of the Microsoft 365 unified audit log. Both mechanisms support the concept of scoped searches to limit audit records returned by searches to the administrative units an account can manage. But the permissions assigned by the two mechanisms aren’t synchronized, which can lead to complications. https://office365itpros.com/2024/08/27/scoped-audit-log-searches/
