Audit Copilot interactions with Microsoft Purview

  • 5 minutes

Microsoft Purview Audit helps your organization track how Microsoft 365 Copilot is used. These logs include user interactions, such as prompts submitted to Copilot and the resources Copilot accessed to generate responses. They also include admin activity, such as changes to plugin settings, promptbooks, and AI configurations.

Audit logs for Microsoft 365 Copilot are included in Audit (Standard). If auditing is already enabled in your organization, you don't need to configure anything else. Audit logs are retained for 180 days by default, based on your organization's license and audit configuration.

This gives your organization visibility into Copilot activity without requiring extra setup.

What Copilot audit logs include

When a user interacts with Microsoft 365 Copilot, Microsoft Purview generates audit logs that include:

  • Which user initiated the interaction
  • When and where the interaction occurred
  • Files, emails, or other content Copilot accessed
  • Details about the AI system, such as plugin IDs and agents involved

Each interaction is logged as a separate entry with detailed metadata.

Common record types

Copilot audit entries might use any of these record types:

  • CopilotInteraction: Interactions with Microsoft-developed Copilot apps like Word, Excel, Teams, or Outlook
  • TeamCopilotInteraction: Interactions with Microsoft Facilitator features such as AI Notes or Meeting Moderation in Teams
  • ConnectedAIAppInteraction: Interactions with non-Microsoft or custom-built Copilot apps deployed in your organization
  • AIAppInteraction: Interactions with browser-based or external AI tools not deployed within your environment
  • CopilotResponseExported: When users export or copy Copilot-generated content from the app

Other useful fields

Audit records for Copilot contain fields that provide more context about each interaction:

  • AppIdentity: Identifies the specific Copilot or AI app involved in the interaction (such as Copilot.MicrosoftCopilot.Microsoft365Copilot)
  • AppHost: Indicates where the interaction occurred (such as Word, Teams, or microsoft365.com/chat)
  • AccessedResources: Lists the files, messages, or sites Copilot referenced, including details like file name, sensitivity label ID, and access status
  • Messages: Shows prompts and responses, including a flag for whether the entry is a user prompt or AI response
  • AISystemPlugin: Identifies any plugins used by Copilot during the interaction
  • ModelTransparencyDetails: Includes the name, version, and provider of the model used

These fields can help confirm whether sensitive information was involved or whether any unusual behavior occurred.

Search for Copilot interactions in the audit log

Audit searches can confirm how Copilot is being used in your organization. For example, if you need to confirm whether a sensitive file was used in a Copilot prompt during an investigation, you can run a search scoped to Copilot interactions. Filtering by record type or exporting results to CSV lets you focus on the activity that matters most.

To view Copilot interactions in Microsoft Purview Audit:

  1. Go to the Microsoft Purview portal.

  2. Select Solutions > Audit.

  3. On the Search page, set a Start date and End date.

  4. Under Activities - friendly names, filter to search for entries like Interacted with Copilot or Updated Copilot plugin to view related user and admin activities. These might include interactions with Copilot, updates to plugins or promptbooks, and actions related to AI-powered meeting notes.

    Screenshot showing Interacted with Copilot selected under Activities - friendly names.

  5. For more targeted searches, use Activities - operation names and enter operation values such as CopilotInteraction, AINotesUpdate, or other known operation names.

  6. In the Record types dropdown, select types such as CopilotInteraction, ConnectedAIAppInteraction, or AIAppInteraction to scope the results to AI activity.

  7. (Optional) Use fields like Users, AppIdentity, or File, folder, or site to narrow your results based on specific criteria.

  8. Enter a name for your search and select Search to run it.

To filter by other attributes such as AppIdentity or AccessedResources, export the results to a CSV file and filter offline.

Note

Audit logs for Microsoft Copilot are included with your Microsoft 365 subscription. Logs for non-Microsoft AI apps, including connected or browser-based tools outside your environment, are available only if you enable pay-as-you-go billing.

Examples of audit records for Copilot activity

Scenario RecordType AppIdentity AppHost
Copilot used in Word CopilotInteraction Copilot.MicrosoftCopilot.Microsoft365Copilot Word
Prompt submitted through BizChat CopilotInteraction Copilot.MicrosoftCopilot.BizChat BizChat
AI Notes used in Teams TeamCopilotInteraction Copilot.TeamCopilot.AINotes Teams
Custom Copilot built in Copilot Studio CopilotInteraction Copilot.Studio.<AppId> Teams

By auditing Copilot interactions, your organization can track how Copilot is used, investigate potential issues, and confirm whether sensitive data was accessed. This helps you maintain oversight and support responsible use of AI features in Microsoft 365.