Audit Log, what is TokenIssuedAtTime?
I used audit log to search user delete MS Teams files, by using Recycled File and Recycled Folder, I got the log file. Why the TokenIssuedAtTime and the CreationTime are so much different? Below is one of the log record {"AppAccessContext":{"AADSessionId":"8f382a1d-b233-425c-92f4-3cf9ed395c9e","CorrelationId":"ae68fba0-40db-2000-ce07-a7bde7727c3f","TokenIssuedAtTime":"2023-12-23T00:47:57","UniqueTokenId":"U4m5SFCmckOiN_QLrysqAQ"},"CreationTime":"2023-12-26T04:24:52","Id":"7a3dc23c-2699-485b-0a87-08dc05ca9b40","Operation":"FolderRecycled","OrganizationId":"7cf9c29c-c6af-4790-b98b-4eff7637f9be","RecordType":6,"UserKey":"i:0h.f|membership|email address removed for privacy reasons","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"2001:d08:e2:58d:61cb:e4bc:c451:aef9","UserId":"email address removed for privacy reasons","AuthenticationType":"FormsCookieAuth","BrowserName":"","BrowserVersion":"","CorrelationId":"ae68fba0-40db-2000-ce07-a7bde7727c3f","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"Folder","ListId":"33880cd7-1db1-450f-9cd0-5c437c0ccaee","ListItemUniqueId":"184cd92b-40cf-4fa1-82aa-ad5fa61a2a05","Platform":"WinDesktop","Site":"f1bb631d-8ff4-4411-b49f-066e20be905c","UserAgent":"Microsoft SkyDriveSync 23.246.1127.0002 ship; Windows NT 10.0 (19045)","WebId":"aa607282-8b47-47d1-938b-c0cde8e2d87d","DeviceDisplayName":"2a01:111:2055:202:4701:ee31:fe3f:156","CrossScopeSyncDelete":false,"HighPriorityMediaProcessing":false,"SharingType":"","SourceFileExtension":"","SiteUrl":"https://mysharepoint.sharepoint.com/sites/mysite/","SourceRelativeUrl":"Shared Documents/test/MyFolder","SourceFileName":"Quotation","ObjectId":"https://mysharepoint.sharepoint.com/sites/mysite/Shared Documents/test/MyFolder/Test1"}
Language defaults audit for everything M365
We are struggling to find where and how the wrong language is being used for various parts of the M365 platform. We have Swedish set as default, but still English is used for a number of places which often are only realized as a consequence by a user. For example, in Viva Engage language is set to Swedish, and for the SharePoint as well. But: When a new user logs on VE is in English While the SharePoint web part is in Swedish, the link text have for some time ended with "- Home" (English) instead of as it was when we started 2+ years ago " - Startsida" (Swedish) Then when creating a VE group Event (Teams-meeting) default language is also English Tracking down what and where is making the wrong language being used is hard. I would be very grateful if pointed to a resource that give an as complete as possible overview of everything in M365 that we need to look over for making sure that the correct language is default everywhere it should be.Microsoft Fixes Copilot Audit Records
After a report to the MSRC about some missing file data from Copilot audit records, Microsoft fixed the problem and audit records now contain details about the SharePoint Online files reviewed by Copilot to construct answers to user prompts. Having solid audit and compliance data is a good thing, unless you’re a lawyer charged with defending an eDiscovery action who might be asked to produce the files. https://office365itpros.com/2025/08/22/copilot-audit-records-fixed/
Purview and auditing file modifications
I have full M365 E5 license and use Purview auditing a lot for investigations. I noticed is reports file modified which is create but some of my files would get modified constantly. I'm curious if it can log and provide a report on what exactly was modified. For example: If text was added or deleted, can it tell me what was added or deleted i.e. the actual text and the action (Add\Delete) If an image was pasted into a word document, can it tell me that? If possible, down to a copy of the image that was inserted? If it can't do this level of detail anyone have suggestions of a product that can?
Auditing Resource Bookings
I am once again dealing with overlapped bookings on rooms set to not allow overlapped bookings. I've verified this in PowerShell. I've limited who can make these to 2 users. I've trained these users. They are using Outlook on the web - just in case the app doesn't update. STILL, I am getting bookings on top of each other. One person books something - then another person books something on top of it. I need to audit this. I have enabled resource auditing. I have tried 1) Purview auditing the booking users - everything they do related to Exchange. This returns hundreds of entries for the time periods specified, and I genuinely do not have time to parse all of this. 2) using purview to search only for entries on the room resource. These apparently have no data, ever. 3) Using purview to search for activities related to booking.. Too bad the activity dropdown does not work, and 80% of the entries are repeats. Maybe I can find operation names from the documentation? (no) 4) Maybe Copilot can help me find operation names? (no, he just hallucinates) 6) Abandoning Purview, I open Exchange and head to the Collect Logs entries. I run both Resource Bookings and Calendar logs. Because that is, essentially, exactly what I want. Unfortunately neither of these are even remotely useful to a human - except to confirm this shouldn't be possible. I spend an hour parsing through the endless nigh-identically named fields, to find data relevant to me - What I can find isn't accurate, and isn't useful. 7) I open Outlook, and try to look at the actual mail interactions on that shared mailbox. Unfortunately, there is nothing for these days. No sent, inbox, deleted items referencing the bookings at all. 8) I open powershell, i try commands microsoft gives. These are deprecated. This should really not be this hard. In fact, it should be REALLY EASY to see when bookings came in and out. I am really close to looking for a 3rd party solution just so i don't have to waste any more time on this
Interface Views in Microsoft 365 Admin Center
1. Simplified View Purpose: Designed for small businesses or organizations with limited IT resources. Features: Streamlined dashboard with essential tasks like user management, license assignment, and password resets. Minimal configuration options to reduce complexity. Quick access to support and basic service health info. Use Case: Ideal for admins who need to perform routine tasks without diving into advanced settings. 2. Dashboard View (Advanced View) Purpose: Tailored for medium to large enterprises with complex IT environments. Features: Full access to all admin centers (Exchange, SharePoint, Teams, etc.). Advanced analytics, reporting, and configuration tools. Role-based access control and security management. Customizable widgets and navigation for personalized workflows. Use Case: Suitable for IT teams managing multiple services, users, and compliance requirements. Customization Needs Are there specific tasks we perform frequently that can be automated in the dashboard?
Obtain Deleted Stats (SharePoint) by Retention Policy
I've scoured: https://learn.microsoft.com/en-us/purview/retention-cmdlets and the Unified Audit Log (https://www.meetingroom365.com/blog/search-unifiedauditlog-powershell/, https://theitbros.com/query-microsoft-365-audit-logs-using-powershell/#penci-Search_the_SharePoint_Online_Audit_Log) to see if I can come up with a method to obtain some statistics regarding how many files and space (storage) has been freed up with the use of retention policies being enabled. I'm drawing a blank. In an ideal world, I'd like know how many files have been deleted by the system (the system enforcing a 5 Year from last modified Date and Delete Policy) for the last year or 6 month intervals. If possible the corresponding volume of storage space recovered from these deletions. Any ideas?Use Audit Data to Improve Finding Inactive Copilot Users
A previous article explained how Microsoft 365 usage report data can highlight inactive Copilot users. If we add audit data to the mix, the analysis becomes much richer because we can see exactly what use people make of different Copilot apps, like Word, Chat, Outlook, and so on. Better data means better decisions! https://practical365.com/inactive-copilot-users/
Report all active users in tenant and their installed integrated apps
Our security team has requested that we block the install of any Copilot apps until our AI policy is in place. Before we do this, I'd like to know what apps from Microsoft 365 admin center > Settings > Integrated apps > Available apps are currently installed by our users. I don't see any way that the UI offers this capability, so I believe it will be PowerShell. I did already run the following script, but it returns only 2 apps, which are apps we have deployed to our users. It's possible our 2600 users haven't installed anything else, but not probable. Install-Module O365CentralizedAddInDeployment Import-Module -Name O365CentralizedAddInDeployment Connect-OrganizationAddInService Get-OrganizationAddIn If the above isn't possible, it would also be useful to find a script that would give me a list of users who have a given app (from 365 Integrated apps > Available apps) installed, such as CopilotForce or Microsoft Copilot Studio.Purview Retires Events Alert Capability from Unified Audit Log
Audit-based alerts are a way for tenants to mark audit events that they want to be notified about through email when these events appear in the unified audit log. It’s a way for administrators to monitor what happens in a tenant. Time has run out for activity alerts because better ways exist to monitor audit events. The only problem is deciding which approach to take. https://office365itpros.com/2025/02/17/audit-based-alerts-retirement/
