Del via


Microsoft services that support auditing

You can search the unified audit log for activities performed in different Microsoft services. The following table lists the Microsoft services, apps, and features that are supported in the unified audit log.

Microsoft service or feature Record types
Microsoft Entra ID AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon
Azure Information Protection

(For the Microsoft Purview Information Protection client and scanner)
AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat
Communication compliance ComplianceSupervisionExchange
Content explorer LabelContentExplorer
Data connectors ComplianceConnector
Data loss prevention (DLP) ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint
Dynamics 365 CRM
eDiscovery (Standard + Premium) Discovery, AeD
Encrypted message portal OMEPortal
Exact Data Match MipExactDataMatch
Exchange Online ExchangeAdmin, ExchangeItem, ExchangeItemAggregated
Forms MicrosoftForms
Information barriers InformationBarrierPolicyApplication
Microsoft Defender XDR AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation, MS365DCustomDetection
Microsoft 365 Copilot and Microsoft Copilot CopilotInteraction
Microsoft Defender Experts DefenderExpertsforXDRAdmin
Microsoft Defender for Identity (MDI) MicrosoftDefenderForIdentityAudit
Microsoft Planner PlannerCopyPlan, PlannerPlan, PlannerPlanList, PlannerRoster, PlannerRosterSensitivityLabel, PlannerTask, PlannerTaskList, PlannerTenantSettings
Microsoft Project for the web ProjectAccessed, ProjectCreated, ProjectDeleted, ProjectTenantSettingsUpdated, ProjectUpdated, RoadmapAccessed,RoadmapCreated, RoadmapDeleted, RoadmapItemAccessed,RoadmapItemCreated,RoadmapItemDeleted, RoadmapItemUpdated, RoadmapTenantSettingsUpdated, RoadmapUpdated, TaskAccessed, TaskCreated,TaskDeleted, TaskUpdated
Microsoft Purview Information Protection (MIP) labels MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation
Microsoft Teams MicrosoftTeams
Microsoft To Do MicrosoftToDo, MicrosoftToDoAudit
MyAnalytics MyAnalyticsSettings
OneDrive for Business OneDrive
Power Apps PowerAppsApp, PowerAppsPlan
Power Automate MicrosoftFlow
Power BI PowerBIAudit
Quarantine Quarantine
Sensitive information types DlpSensitiveInformationType
Sensitivity labels MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch
SharePoint Online SharePoint, SharePointFileOperation,SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation
Stream MicrosoftStream
SystemSync DataShareCreated, DataShareDeleted, GenerateCopyOfLakeData, DownloadCopyOfLakeData
Threat Intelligence ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent
Viva Goals VivaGoals
Viva Insights VivaInsights
Yammer Yammer

For more information about the operations that are audited in each of the services listed in the previous table, see the Audit log activities article.

The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see Office 365 Management Activity API schema.

For more information about using PowerShell to search the audit log, see: