Azure Information Protection classic client audit log reference (public preview)
The Azure Information Protection audit log feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
As of March 1, 2022, we are sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022. For more information, see Removed and retired services.
This article lists audit logs that are generated by the classic client.
Note
Azure Information Protection collects data from desktop apps only, and not from mobile devices. For more information, see the details in the Platform columns in this article.
Access audit logs
Access audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic client | Windows | Office | Generated for the first time in each session that a labeled or protected file is saved. The log includes any information type matches. |
| Azure Information Protection classic client | Windows | Office | Generated each time a labeled or protected file is created. |
| Azure Information Protection classic client | Windows, SharePoint, OneDrive | Office | Generated each time a labeled or protected file is opened. Note: For protected files, Access audit logs are generated only when the file is opened and the content is successfully decrypted and exposed to the user. For protected emails in Outlook, Access audit logs are also generated each time the user attempts to open an encrypted email, even if the decryption is blocked due to a lack of permissions. |
Access denied audit logs
Access denied audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| RMS service | Windows | Office | Generated each time a user attempts to access a protected document for which they have no permissions. |
Change protection audit logs
Change protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic client | Windows, SharePoint, OneDrive | Office | Generated each time the protection on an unlabeled document is changed manually. |
Discover audit logs
Discover audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic scanner | Windows | Office | Generated each time a file is scanned by the AIP scanner. The log includes the following details: - Matched information types - Labels |
Downgrade label audit logs
Downgrade label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a document label is updated with a less sensitive label. |
New label audit logs
New label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic scanner and client< | Windows, SharePoint, One Drive | Office | Generated each time new label is applied. |
New protection audit logs
New protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic client | Windows, SharePoint, One Drive | Office | Generated each time protection is newly added manually, without a label. |
Remove label audit logs
Remove label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a label is removed. |
Remove protection audit logs
Remove protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic client | Windows, SharePoint, One Drive | Office | Generated each time protection is manually removed, without a label. |
Upgrade label audit logs
Upgrade label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection classic scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a document label is updated with a more sensitive label. |
Next steps
AIP audit logs are also sent to the Microsoft 365 Activity Explorer, where they may be displayed with different names.
For more information, see:
- Get started with activity explorer
- Labeling activity reference in activity explorer, including mapping between names displayed in AIP and in the Microsoft 365 activity explorer
- Central reporting for Azure Information Protection (public preview)