Retirement announcement for AIP Audit Logs pipeline forwarding audit logs to Azure Log Analytics

Shim Kwan 281 Reputation points
2022-04-07T05:13:09.767+00:00

Hi,

As per recent announcement, "As of March 18, 2022, Microsoft is sunsetting the AIP audit log and analytics" https://learn.microsoft.com/en-us/azure/information-protection/audit-logs.

Please excuse my ignorance here, but should we therefore be able to see all locations in the Compliance Portal now, under Content Explorer/All Locations - as to this day we are still not seeing any of our on-premises file server locations (where most of our data resides, and the AIP Scanner has been active).

As can be seen from the screenshot below, only certain Cloud locations are showing in this console. (Exchange, OneDrive, SharePoint, Teams)

Where is all our on-premises AIP data statistics then? Or do we have to go back to the AIP Azure Portal again?

Thank you,

SK

190805-dataclass.png

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
521 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Givary-MSFT 28,576 Reputation points Microsoft Employee
    2022-04-08T04:46:09.443+00:00

    @Shim Kwan

    Thank you for reaching out to us. As i understand you are looking more information on "Retirement announcement for AIP Audit Logs" where audit logs are visible.

    Apart from Content explorer, you view the labelling activities in the activity explorer. Activity explorer gathers activity information from the audit logs on multiple sources of activities.

    Following activity types for AIP scanner & AIP clients are seen in Activity explorer
    Protection applied
    Protection changed
    Protection removed
    Files discovered

    For more information refer to this article about the labelling activities available in activity explorer
    https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide#:~:text=Labeling%20activities%20that%20are%20available%20in%20Activity%20explorer

    Also i see you query related to storing AIP audit logs in Log analytics workspace.

    Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported. For customers already using Azure Information Protection analytics, the existent data pipeline will be kept available until September 30, 2022. After this date, customers will not get any new AIP data through this pipeline into their Log Analytics workspaces.

    https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957171
    https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957297

    Azure Information Protection (AIP) analytics for central reporting - https://learn.microsoft.com/en-us/azure/information-protection/reports-aip

    Information about new releases and updates - Azure information protection
    https://learn.microsoft.com/en-us/azure/information-protection/information-support#:~:text=the%20terminology%20page.-,Information%20about%20new%20releases%20and%20updates,-For%20information%20about

    Let me know if you have any questions.

    Please remember to "Accept Answer" if answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

  2. Shim Kwan 281 Reputation points
    2022-04-29T02:32:13.217+00:00

    Hi @GirishVaryani

    Thanks for those links and explanations...however, I am still unable to see any on-premises details in these logs, Content Explorer still only shows Cloud locations:
    I am assuming with things moving as MS and you have mentioned, we should be able to see on-premises information in Content Explorer too?

    197497-contentexplorer.png

    Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported - so how will we now import AIP data into Sentinel?
    197528-aip-sentinel.png

    Thank you

    0 comments No comments

  3. Givary-MSFT 28,576 Reputation points Microsoft Employee
    2022-04-29T14:11:54.977+00:00

    @Shim Kwan

    Apologies missed on the complete screenshot, you can view the labelling activities in the activity explorer. Activity explorer gathers activity information from the audit logs on multiple sources of activities.

    Following activity types for AIP scanner & AIP clients are seen in Activity explorer
    Protection applied
    Protection changed
    Protection removed
    Files discovered

    For more information refer to this article about the labelling activities available in activity explorer
    https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide#:~:text=Labeling%20activities%20that%20are%20available%20in%20Activity%20explorer

    197784-image.png

    Let me know if you have any further questions.

    0 comments No comments

  4. Shim Kwan 281 Reputation points
    2022-05-01T22:14:47.493+00:00

    thank you your reply @GirishVaryani - happy to use Activity Explorer.

    what about the other part of the question:

    "Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported - so how will we now import AIP data into Sentinel?"

    Thank you