Microsoft services that support auditing
You can search the unified audit log for activities performed in different Microsoft services. The following table lists the Microsoft services, apps, and features that are supported in the unified audit log.
| Microsoft service or feature | Record types |
|---|---|
| Microsoft Entra ID | AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon |
| Azure Information Protection (For the Microsoft Purview Information Protection client and scanner) |
AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat |
| Communication compliance | ComplianceSupervisionExchange |
| Content explorer | LabelContentExplorer |
| Data connectors | ComplianceConnector |
| Data loss prevention (DLP) | ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint |
| Dynamics 365 | CRM |
| eDiscovery (Standard + Premium) | Discovery, AeD |
| Encrypted message portal | OMEPortal |
| Exact Data Match | MipExactDataMatch |
| Exchange Online | ExchangeAdmin, ExchangeItem, ExchangeItemAggregated |
| Forms | MicrosoftForms |
| Information barriers | InformationBarrierPolicyApplication |
| Microsoft Defender XDR | AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection |
| Microsoft 365 Copilot and Microsoft Copilot | CopilotInteraction |
| Microsoft Defender Experts | DefenderExpertsforXDRAdmin |
| Microsoft Defender for Identity (MDI) | MicrosoftDefenderForIdentityAudit |
| Microsoft Planner | PlannerCopyPlan, PlannerPlan, PlannerPlanList, PlannerRoster, PlannerRosterSensitivityLabel, PlannerTask, PlannerTaskList, PlannerTenantSettings |
| Microsoft Project for the web | ProjectAccessed, ProjectCreated, ProjectDeleted, ProjectTenantSettingsUpdated, ProjectUpdated, RoadmapAccessed,RoadmapCreated, RoadmapDeleted, RoadmapItemAccessed,RoadmapItemCreated,RoadmapItemDeleted, RoadmapItemUpdated, RoadmapTenantSettingsUpdated, RoadmapUpdated, TaskAccessed, TaskCreated,TaskDeleted, TaskUpdated |
| Microsoft Purview Information Protection (MIP) labels | MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation |
| Microsoft Teams | MicrosoftTeams |
| Microsoft To Do | MicrosoftToDo, MicrosoftToDoAudit |
| MyAnalytics | MyAnalyticsSettings |
| OneDrive for Business | OneDrive |
| Power Apps | PowerAppsApp, PowerAppsPlan |
| Power Automate | MicrosoftFlow |
| Power BI | PowerBIAudit |
| Quarantine | Quarantine |
| Sensitive information types | DlpSensitiveInformationType |
| Sensitivity labels | MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch |
| SharePoint Online | SharePoint, SharePointFileOperation,SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation |
| Stream | MicrosoftStream |
| SystemSync | DataShareCreated, DataShareDeleted, GenerateCopyOfLakeData, DownloadCopyOfLakeData |
| Threat Intelligence | ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent |
| Viva Goals | VivaGoals |
| Viva Insights | VivaInsights |
| Yammer | Yammer |
For more information about the operations that are audited in each of the services listed in the previous table, see the Audit log activities article.
The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see Office 365 Management Activity API schema.
For more information about using PowerShell to search the audit log, see: