Obtain Deleted Stats (SharePoint) by Retention Policy
I've scoured: Identify the available PowerShell cmdlets for retention | Microsoft Learn and the Unified Audit Log (Using Search-UnifiedAuditLog in Powershell: All You Need To Know, How to Query Microsoft 365 Audit Logs using PowerShell – TheITBros) to see if I can come up with a method to obtain some statistics regarding how many files and space (storage) has been freed up with the use of retention policies being enabled. I'm drawing a blank. In an ideal world, I'd like know how many files have been deleted by the system (the system enforcing a 5 Year from last modified Date and Delete Policy) for the last year or 6 month intervals. If possible the corresponding volume of storage space recovered from these deletions. Any ideas?Use Audit Data to Improve Finding Inactive Copilot Users
A previous article explained how Microsoft 365 usage report data can highlight inactive Copilot users. If we add audit data to the mix, the analysis becomes much richer because we can see exactly what use people make of different Copilot apps, like Word, Chat, Outlook, and so on. Better data means better decisions! https://practical365.com/inactive-copilot-users/
Report all active users in tenant and their installed integrated apps
Our security team has requested that we block the install of any Copilot apps until our AI policy is in place. Before we do this, I'd like to know what apps from Microsoft 365 admin center > Settings > Integrated apps > Available apps are currently installed by our users. I don't see any way that the UI offers this capability, so I believe it will be PowerShell. I did already run the following script, but it returns only 2 apps, which are apps we have deployed to our users. It's possible our 2600 users haven't installed anything else, but not probable. Install-Module O365CentralizedAddInDeployment Import-Module -Name O365CentralizedAddInDeployment Connect-OrganizationAddInService Get-OrganizationAddIn If the above isn't possible, it would also be useful to find a script that would give me a list of users who have a given app (from 365 Integrated apps > Available apps) installed, such as CopilotForce or Microsoft Copilot Studio.Purview Retires Events Alert Capability from Unified Audit Log
Audit-based alerts are a way for tenants to mark audit events that they want to be notified about through email when these events appear in the unified audit log. It’s a way for administrators to monitor what happens in a tenant. Time has run out for activity alerts because better ways exist to monitor audit events. The only problem is deciding which approach to take. https://office365itpros.com/2025/02/17/audit-based-alerts-retirement/Where do I manage old audit activity alerts?
I have an audit activity alert that, I assume, was created in Office 365 before it became Microsoft 365. My problem is trying to find where to manage this alert. Does anyone recognize this alert and know where I go to manage it? I have spent time looking through the Compliance port at Alerts and alert policies, but there is nothing there to manage.Search-UnifiedAuditLog Gets High Completeness Capability
A new preview feature supports high completeness audit log searches. These searches are optimized to make sure that they find every matching audit instead of finishing as quickly as possible. High completeness audit log searches do take more time but their results are accurate and they find more records than Search-UnifiedAuditLog was able to in the past. Looks like a good new feature. https://office365itpros.com/2024/03/26/high-completeness-audit-log/Using the Audit Log to Generate a Daily Action Summary for a User
This article describes how to report the audit events for a user over a single day. The task seems simple, but inconsistency in audit payloads make it harder. Workloads don’t help by the variations in audit events. In any case, persistence and knowledge about what the audit event captured for an action helps to decode the data, as illustrated by the script detailed here. https://office365itpros.com/2024/12/03/audit-events-for-a-user/Use the Audit Log to Find the Last Accessed Date for SharePoint Documents
The unified audit log is full of interesting information about who did what and when they did it. In this article, I describe how to use file operations audit events to find the last accessed date for documents in a SharePoint Online site. It’s data that isn’t available in the Microsoft Graph, but it is in the unified audit log. https://office365itpros.com/2024/11/15/file-operations-audit-events/The Problem with Scoped Audit Log Searches
Microsoft Purview and the Exchange Online Search-UnifiedAuditLog cmdlet both perform searches of the Microsoft 365 unified audit log. Both mechanisms support the concept of scoped searches to limit audit records returned by searches to the administrative units an account can manage. But the permissions assigned by the two mechanisms aren’t synchronized, which can lead to complications. https://office365itpros.com/2024/08/27/scoped-audit-log-searches/Better Copilot Audit Records and Copilot Chat Appears in Classic Outlook
Copilot audit records generated for the Microsoft 365 audit log capture details of the resources (files, emails, and documents) used by Copilot in its answers. This doesn’t sound very exciting, but it is important for forensic investigators who need to understand what information is consumed to generate AI answers. In another development, the Copilot for Microsoft 365 chat app is now available in Outlook classic. https://office365itpros.com/2024/05/31/copilot-audit-records-resources/
