Audit log activities

The tables in this article describe the activities that are audited in Microsoft 365. You can search for these activities by searching the audit log in the Microsoft Purview portal or Microsoft Purview compliance portal.

These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the Activities drop-down list (or that are available in PowerShell) and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see Audit log detailed properties.

Tip

Select one of the links in the In this article list at the top of this article to go directly to a specific product table.

Application administration activities

The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Microsoft Entra ID. Any application that relies on Microsoft Entra ID for authentication must be registered in the directory.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name	Operation	Description
Added delegation entry	Add delegation entry.	An authentication permission was created/granted to an application in Microsoft Entra ID.
Added service principal	Add service principal.	An application was registered in Microsoft Entra ID. An application is represented by a service principal in the directory.
Added credentials to a service principal	Add service principal credentials.	Credentials were added to a service principal in Microsoft Entra ID. A service principle represents an application in the directory.
Removed delegation entry	Remove delegation entry.	An authentication permission was removed from an application in Microsoft Entra ID.
Removed a service principal from the directory	Remove service principal.	An application was deleted/unregistered from Microsoft Entra ID. An application is represented by a service principal in the directory.
Removed credentials from a service principal	Remove service principal credentials.	Credentials were removed from a service principal in Microsoft Entra ID. A service principle represents an application in the directory.
Set delegation entry	Set delegation entry.	An authentication permission was updated for an application in Microsoft Entra ID.

Briefing email activities

The following table lists the activities in Briefing email that are logged in the Microsoft 365 audit log. For more information about Briefing email, see:

• Overview of Briefing email
• Configure Briefing email

Friendly name	Operation	Description
Updated organization privacy settings	UpdatedOrganizationBriefingSettings	Admin updates the organization privacy settings for Briefing email.
Updated user privacy settings	UpdatedUserBriefingSettings	Admin updates the user privacy settings for Briefing email.

Communication compliance activities

The following table lists communication compliance activities that are logged in the Microsoft 365 audit log. For more information, see Learn about Microsoft Purview Communication Compliance.

Note

These activities are available when using the Search-UnifiedAuditLog PowerShell cmdlet. These activities aren't available in the Activities drop-down list.

Friendly name	Operation	Description
Policy update	SupervisionPolicyCreated, SupervisionPolicyUpdated, SupervisionPolicyDeleted	A communication compliance administrator has performed a policy update.
Policy match	SupervisionRuleMatch	A user has sent a message that matches a policy's condition.
Tag applied to message(s)	SupervisoryReviewTag	Tags are applied to messages or messages are resolved.

Compliance Manager activities

The following table lists the operations and activities that are logged when an admin manages the settings in Compliance Manager. For more information, see Learn about Compliance Manager.

Friendly name	Operation	Description
Roles change	ComplianceManagerRolesChange	An admin changed the roles for users.
Tenant automation level change	ComplianceManagerAutomationLevelChange	An admin changed the automation level for tenant across all actions.
Testing source automation change	ComplianceManagerAutomationChange	An admin changed the testing source automation settings.

Content explorer activities

The following table lists the activities in content explorer that are logged in the audit log. Content explorer, which is accessed on the Data classifications tool in the Microsoft Purview portal and the compliance portal. For more information, see Using data classification content explorer.

Friendly name	Operation	Description
Accessed item	LabelContentExplorerAccessedItem	An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document.

Copilot activities

The following table lists the activities from Microsoft 365 Copilot and Microsoft Copilot that are logged in the audit log. Copilot can be accessed across Microsoft services. Activities include how and when users interact with Copilot. This includes the Microsoft service where the activity took place and references to the files accessed during the interaction. For more information about Copilot interaction events and a schema example, see Copilot interaction events overview.

To access the text from the user's prompt during the interaction, see Content Search or view the AI interaction event from activity explorer in Microsoft Purview AI Hub.

For more information about auditing and other compliance management options for Copilot, see Microsoft Purview supports compliance management for Copilot.

Friendly name	Operation	Description
Interacted with Copilot	CopilotInteraction	A user, or admin or system on behalf of a user, entered prompts in Copilot.

Directory administration activities

The following table lists Microsoft Entra directory and domain-related activities that are logged when an administrator manages their organization in the Microsoft 365 admin center or in the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name	Operation	Description
Added domain to company	Add domain to company.	Added a domain to your organization.
Added a partner to the directory	Add partner to company.	Added a partner (delegated administrator) to your organization.
Removed domain from company	Remove domain from company.	Removed a domain from your organization.
Removed a partner from the directory	Remove partner from company.	Removed a partner (delegated administrator) from your organization.
Set company information	Set company information.	Updated the company information for your organization. Includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services.
Set domain authentication	Set domain authentication.	Changed the domain authentication setting for your organization.
Updated the federation settings for a domain	Set federation settings on domain.	Changed the federation (external sharing) settings for your organization.
Set password policy	Set password policy.	Changed the length and character constraints for user passwords in your organization.
Turned on Azure AD Sync	Set DirSyncEnabled flag.	Set the property that enables a directory for Azure AD Sync.
Updated domain	Update domain.	Updated the settings of a domain in your organization.
Verified domain	Verify domain.	Verified that your organization is the owner of a domain.
Verified email verified domain	Verify email verified domain.	Used email verification to verify that your organization is the owner of a domain.

Disposition review activities

The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period, or an item was automatically moved to the next disposition stage or permanently deleted as a result of autoapproval.

Friendly name	Operation	Description
Approved disposal	ApproveDisposal	For manual approval: A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion. For autoapproval: No manual action was taken within the configured autoapproval time period so the item automatically moved to the next disposition stage. If the item was in the only or final stage of disposition review, the item automatically became eligible for permanent deletion.
Extended retention period	ExtendRetention	A disposition reviewer extended the retention period of the item.
Relabeled item	RelabelItem	A disposition reviewer relabeled the retention label.
Added reviewers	AddReviewer	A disposition reviewer added one or more other users to the current disposition review stage.

eDiscovery activities

Content Search and eDiscovery-related activities (for Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium)) that are performed in the Microsoft Purview portal, the Microsoft Purview compliance portal, or by running the corresponding PowerShell cmdlets are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and eDiscovery (Standard) tasks in the portals:

• Creating and managing eDiscovery (Standard) and eDiscovery (Premium) cases.
• Creating, starting, and editing Content searches.
• Performing search actions, such as previewing, exporting, and deleting search results.
• Managing custodians and review sets in eDiscovery (Premium).
• Configuring permissions filtering for Content search.
• Managing the eDiscovery Administrator role.

For more information about searching the audit log, the permissions that are required, and exporting search results, see Search the audit log.

Note

It takes up to 30 minutes for activities that result from the activities listed under eDiscovery activities and eDiscovery (Premium) activities in the Activities drop-down list to be displayed in the search results. Conversely, it takes up to 24 hours for the corresponding events from eDiscovery cmdlet activities to appear in the search results.

Content Search and eDiscovery (Standard) activities

The following table describes the Content Search and eDiscovery (Standard) activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the compliance portal. Some activities performed in eDiscovery (Premium) may be returned when you search for activities in this list.

Note

The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It may take up to 24 hours for eDiscovery cmdlet activities to appear in audit log search results.

Friendly name	Operation	Corresponding cmdlet	Description
Added member to eDiscovery case	CaseMemberAdded	Add-ComplianceCaseMember	A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they've been assigned the necessary permissions.
Changed content search	SearchUpdated	Set-ComplianceSearch	An existing content search was changed. Changes can include adding or removing content locations or editing the search query.
Changed eDiscovery administrator membership	CaseAdminUpdated	Update-eDiscoveryCaseAdmin	The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the CaseAdminAdded operation is logged.
Changed eDiscovery case	CaseUpdated	Set-ComplianceCase	An eDiscovery case was changed. Changes include closing an open case or reopening a closed case.
Changed eDiscovery case membership	CaseMemberUpdated	Update-ComplianceCaseMember	The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, CaseMemberAdded or CaseMemberRemoved operation is logged.
Changed search permissions filter	SearchPermissionUpdated	Set-ComplianceSecurityFilter	A search permissions filter was changed.
Changed search query for eDiscovery case hold	HoldUpdated	Set-CaseHoldRule	A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Content search preview item downloaded	PreviewItemDownloaded	N/A	A user downloaded an item to their local computer (by selecting the Download original item link) when previewing search results.
Content search preview item listed	PreviewItemListed	N/A	A user selected Preview search results to display the preview search results page, which lists up to 1,000 items from the results of a search.
Created content search	SearchCreated	New-ComplianceSearch	A new content search was created.
Created eDiscovery administrator	CaseAdminAdded	Add-eDiscoveryCaseAdmin	A user was added as an eDiscovery Administrator in the organization.
Created eDiscovery case	CaseAdded	New-ComplianceCase	An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Created search permissions filter	SearchPermissionCreated	New-ComplianceSecurityFilter	A search permissions filter was created.
Created search query for eDiscovery case hold	HoldCreated	New-CaseHoldRule	A query-based hold associated with an eDiscovery case was created.
Deleted content search	SearchRemoved	Remove-ComplianceSearch	An existing content search was deleted.
Deleted eDiscovery administrator	CaseAdminRemoved	Remove-eDiscoveryCaseAdmin	An eDiscovery Administrator was deleted from your organization.
Deleted eDiscovery case	CaseRemoved	Remove-ComplianceCase	An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted.
Deleted search permissions filter	SearchPermissionRemoved	Remove-ComplianceSecurityFilter	A search permissions filter was deleted.
Deleted search query for eDiscovery case hold	HoldRemoved	Remove-CaseHoldRule	A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Downloaded export of content search	SearchExportDownloaded	N/A	A user downloaded the results of a content search to their local computer. A Started export of content search activity has to be initiated before search results can be downloaded.
Previewed results of content search	SearchPreviewed	N/A	A user previewed the results of a content search.
Purged results of content search	SearchResultsPurged	New-ComplianceSearchAction	A user purged the results of a Content search by running the New-ComplianceSearchAction -Purge command.
Removed analysis of content search	RemovedSearchResultsSentToZoom	Remove-ComplianceSearchAction	A content search prepare action (to prepare search results for eDiscovery (Premium)) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for eDiscovery (Premium) were deleted from the Microsoft Azure storage area. If the preparation action was older than 2 weeks, then this event indicates that only the corresponding preparation action was deleted.
Removed export of content search	RemovedSearchExported	Remove-ComplianceSearchAction	A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than 2 weeks, then this event indicates that only the corresponding export action was deleted.
Removed member from eDiscovery case	CaseMemberRemoved	Remove-ComplianceCaseMember	A user was removed as a member of an eDiscovery case.
Removed preview results of content search	RemovedSearchPreviewed	Remove-ComplianceSearchAction	A content search preview action was deleted.
Removed purge action performed on content search	RemovedSearchResultsPurged	Remove-ComplianceSearchAction	A content search purge action was deleted.
Removed search report	SearchReportRemoved	Remove-ComplianceSearchAction	A content search export report action was deleted.
Started analysis of content search	SearchResultsSentToZoom	New-ComplianceSearchAction	The results of a content search were prepared for analysis in eDiscovery (Premium).
Started content search	SearchStarted	Start-ComplianceSearch	A content search was started. When you create or change a content search by using the compliance portal, the search is automatically started.
Started export of content search	SearchExported	New-ComplianceSearchAction	A user exported the results of a content search.
Started export report	SearchReport	New-ComplianceSearchAction	A user exported a content search report.
Stopped content search	SearchStopped	Stop-ComplianceSearch	A user stopped a content search.
(none)	CaseViewed	Get-ComplianceCase	A user viewed an eDiscovery (Standard) case in the compliance portal. The audit record for this event includes the name of the case that was viewed.
(none)	SearchViewed	Get-ComplianceSearch	A user viewed a Content search in the compliance portal by accessing the search on the Searches tab in an eDiscovery (Standard) case or accessing it on the Content search page. The audit record for this event includes the identity of the search that was viewed.
(none)	ViewedSearchExported	Get-ComplianceSearchAction -Export	A user viewed a Content search export in the compliance portal by accessing the export on the Exports tab on the Content search page. This activity is also logged when a user views an export associated with an eDiscovery (Standard) case.
(none)	ViewedSearchPreviewed	Get-ComplianceSearchAction -Preview	A user previewed the results of a Content search in the compliance portal. This activity is also logged when a user previews the results of a search associated with an eDiscovery (Standard) case.

eDiscovery (Premium) activities

The following table describes the eDiscovery (Premium) activities logged in the audit log. These activities can be used to help you track the progression of activity in an eDiscovery (Premium) case.

Friendly name	Operation	Description
Added data to another review set	AddWorkingSetQueryToWorkingSet	User added documents from one review set to a different review set.
Added data to review set	AddQueryToWorkingSet	User added the search results from a content search associated with an eDiscovery (Premium) case to a review set.
Added non-Microsoft 365 data to review set	AddNonOffice365DataToWorkingSet	User added non-Microsoft 365 data to a review set.
Added remediated documents to review set	AddRemediatedData	User uploads documents that had indexing errors that were fixed to a review set.
Analyzed data in review set	RunAlgo	User ran analytics on the documents in a review set.
Annotated document in review set	AnnotateDocument	User annotated a document in a review set. Annotation includes redacting content in a document.
Compared load sets	LoadComparisonJob	User compared two different load sets in a review set. A load set is when data from a content search that associated with the case is added to a review set.
Converted redacted documents to PDF	BurnJob	User converted all the redacted documents in a review set to PDF files.
Created review set	CreateWorkingSet	User created a review set.
Created review set search	CreateWorkingSetSearch	User created a search query that searches the documents in a review set.
Created tag	CreateTag	User created a tag group in a review set. A tag group can contain one or more child tags. These tags are then used to tag documents in the review set.
Deleted review set search	DeleteWorkingSetSearch	User deleted a search query in a review set.
Deleted tag	DeleteTag	User deleted a tag or a tag group in a review set.
Downloaded document	DownloadDocument	User downloaded a document from a review set.
Edited tag	UpdateTag	User changed a tag in a review set.
Exported documents from review set	ExportJob	User exported documents from a review set.
Modified case setting	UpdateCaseSettings	User modified the settings for a case. Case settings include case information, access permissions, and settings that control search and analytics behavior.
Modified review set search	UpdateWorkingSetSearch	User edited a search query in a review set.
Previewed review set search	PreviewWorkingSetSearch	User previewed the results of a search query in a review set.
Remediated error documents	ErrorRemediationJob	User fixes files that contained indexing errors.
Tagged document	TagFiles	User tags a document in a review set.
Tagged results of a query	TagJob	User tags all of the documents that match the criteria of search query in a review set.
Viewed document in review set	ViewDocument	User viewed a document in a review set.

eDiscovery cmdlet activities

The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance portal or by running the corresponding cmdlet in Security & Compliance PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

As previously stated, it may take up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.

Tip

The cmdlets in the Operation column in the following table are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameter and the parameter value that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.

Friendly name	Operation (cmdlet)	Description
Created hold in eDiscovery case	New-CaseHoldPolicy	A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they're identified in the audit log entry.
Deleted hold from eDiscovery case	Remove-CaseHoldPolicy	A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule).
Changed hold in eDiscovery case	Set-CaseHoldPolicy	A hold that is associated with an eDiscovery was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold.
Created search query for eDiscovery case hold	New-CaseHoldRule	A query-based hold associated with an eDiscovery case was created.
Deleted search query for eDiscovery case hold	Remove-CaseHoldRule	A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Changed search query for eDiscovery case hold	Set-CaseHoldRule	A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Created eDiscovery case	New-ComplianceCase	An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Deleted eDiscovery case	Remove-ComplianceCase	An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted.
Changed eDiscovery case	Set-ComplianceCase	An eDiscovery case was changed. Changes include closing an open case or reopening a closed case.
Added member to eDiscovery case	Add-ComplianceCaseMember	A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they've been assigned the necessary permissions.
Removed member from eDiscovery case	Remove-ComplianceCaseMember	A user was removed as a member of an eDiscovery case.
Changed eDiscovery case membership	Update-ComplianceCaseMember	The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged.
Created content search	New-ComplianceSearch	A new content search was created.
Deleted content search	Remove-ComplianceSearch	An existing content search was deleted.
Changed content search	Set-ComplianceSearch	An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query.
Started content search	Start-ComplianceSearch	A content search was started. When you create or change a content search by using the compliance portal GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.
Stopped content search	Stop-ComplianceSearch	A content search that was running was stopped.
Created content search action	New-ComplianceSearchAction	A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in eDiscovery (Premium), and permanently deleting items that match the search criteria of a content search.
Deleted content search action	Remove-ComplianceSearchAction	A content search action was deleted.
Created search permissions filter	New-ComplianceSecurityFilter	A search permissions filter was created.
Deleted search permissions filter	Remove-ComplianceSecurityFilter	A search permissions filter was deleted.
Changed search permissions filter	Set-ComplianceSecurityFilter	A search permissions filter was changed.
Created eDiscovery administrator	Add-eDiscoveryCaseAdmin	A user was added as an eDiscovery Administrator in your organization.
Deleted eDiscovery administrator	Remove-eDiscoveryCaseAdmin	An eDiscovery Administrator was deleted from your organization.
Changed eDiscovery administrator membership	Update-eDiscoveryCaseAdmin	The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged.
(none)	Get-ComplianceCase	This activity is logged when a user viewed a list of eDiscovery (Standard) or eDiscovery (Premium) cases. This activity is also logged when a user views a specific case in eDiscovery (Standard). When a user views a specific case, the audit record includes the identity of the case that was viewed. If the user only viewed a list of cases, the audit record doesn't contain a case identity.
(none)	Get-ComplianceSearch	This activity is logged when a user viewed a list of Content searches or searches associated with an eDiscovery (Standard) case. This activity is also logged when a user views a specific Content search or views a specific search associated with an eDiscovery (Standard) case. When a user views a specific search, the audit record includes the identity of the search that was viewed. If the user only viewed a list of searches, the audit record doesn't contain a search identity.
(none)	Get-ComplianceSearchAction	This activity is logged when a user viewed a list of compliance search actions (such as exports, previews, or purges) or actions associated with an eDiscovery (Standard) case. This activity is also logged when a user views a specific compliance search action (such as an export) or views a specific action associated with an eDiscovery (Standard) case. When a user views a search action, the audit record includes the identity of the search action that was viewed. If the user only viewed a list of actions, the audit record doesn't contain an action identity.

Detailed properties for eDiscovery activities

The following table describes the properties that are included on the flyout page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed in the following table.

Tip

When you export the search results, the CSV file contains a column named AudtiData, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property has its own column. This will let you sort and filter on one or more of these properties. For more information, see Search the audit log.

Property	Description
Case	The identity (GUID) of the eDiscovery case that was created, changed, or deleted.
ClientApplication	eDiscovery cmdlet activities have a value of EMC for this property. This indicates the activity was performed by using the compliance portal GUI or running the cmdlet in PowerShell.
ClientIP	The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
ClientRequestId	For eDiscovery activities, this property is typically blank.
CmdletVersion	The build number for the version of the compliance portal running in your organization.
CreationTime	The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed.
EffectiveOrganization	The name of the Microsoft 365 organization.
ExchangeLocations	The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case.
Exclusions	Mailbox or site locations that are excluded from a content search or a hold in an eDiscovery case.
ExtendedProperties	Additional properties from a content search, a content search action, or hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed.
Id	The ID of the report entry. The ID uniquely identifies the audit log entry.
NonPIIParameters	A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property.
ObjectId	The GUID or name of the object (for example, a Content search or an eDiscovery (Standard) case) that was created, accessed, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results.
ObjectType	The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search.
Operation	The name of the operation that corresponds to the eDiscovery activity that was performed.
OrganizationId	The GUID for your Microsoft 365 organization.
Parameters	The name and value for the parameters that were used with the corresponding cmdlet.
PublicFolderLocations	The public folder locations in Exchange Online that are included in a content search or placed on hold in an eDiscovery case.
Query	The search query associated with the activity, such as a content search or a query-based hold.
RecordType	The type of operation indicated by the record. The value of 18 indicates an event related to an activity listed in the eDiscovery cmdlet activities section. A value of 24 indicates an event related to an activity listed in the eDiscovery activities section.
ResultStatus	Indicates whether the action (specified in the Operation property) was successful or not.
SecurityComplianceCenterEventType	Indicates that the activity was a compliance portal event. All eDiscovery activities will have a value of 0 for this property.
SharepointLocations	The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case.
StartTime	The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.
UserId	The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.
UserKey	An alternative ID for the user identified in the UserId property. For eDiscovery activities, the value for this property is typically the same as the UserId property.
UserServicePlan	The subscription used by your organization. For eDiscovery activities, this property is typically blank.
UserType	The type of user that performed the operation. The following values indicate the user type. 0 A regular user. 2 An administrator in your organization. 3 A Microsoft datacenter administrator or datacenter system account. 4 A system account. 5 An application. 6 A service principal.
Version	Indicates the version number of the activity (identified by the Operation property) that's logged.
Workload	The service where the activity occurred. For eDiscovery activities, the value is SecurityComplianceCenter.

Encrypted message portal activities

Access logs are available for encrypted messages through the encrypted message portal that lets your organization determine when messages are read, and forwarded by your external recipients. For more information on enabling and using encrypted message portal activity logs, see Encrypted message portal activity log.

Each audit entry for a tracked message contains the following fields:

• MessageID: Contains the ID of the message being tracked. The key identifier used to follow a message through the system.
• Recipient: List of all recipient email addresses.
• Sender: The originating email address.
• AuthenticationMethod: Describes the authenticating method for accessing the message, for example OTP, Yahoo, Gmail, or Microsoft.
• AuthenticationStatus: Contains a value indicating that the authentication succeeded or failed.
• OperationStatus: Indicates whether the indicated operation succeeded or failed.
• AttachmentName: Name of the attachment.
• OperationProperties: A list of optional properties. For example, the number of OTP passcodes sent, or the email subject.

Exchange admin activities

Exchange administrator audit logging (which is enabled by default in Microsoft 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs Get-, Search-, or Test- aren't logged in the audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.

Important

Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log (or in the audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a design change request (DCR) to Microsoft Support.

Here are some tips for searching for Exchange admin activities when searching the audit log:

• Use the date range boxes and the Users list to narrow the search results for cmdlets run by a specific Exchange administrator within a specific date range.
• To display events from the Exchange admin audit log, select the Activity column to sort the cmdlet names in alphabetical order.
• To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option. For more information, see Export, configure, and view audit log records.
• You can also use the Search-UnifiedAuditLog -RecordType ExchangeAdmin command in Exchange Online PowerShell to return only audit records from the Exchange admin audit log. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. For more information, see Search-UnifiedAuditLog. For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.

Exchange mailbox activities

The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 180 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see Manage mailbox auditing.

Important

The default retention period for Audit (Standard) has changed from 90 days to 180 days. Audit (Standard) logs generated before October 17, 2023 are retained for 90 days. Audit (Standard) logs generated on or after October 17, 2023 follow the new default retention of 180 days.

You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.

Friendly name	Operation	Description
Accessed mailbox items	MailItemsAccessed	Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. Analyzing audit records for this activity is useful when investigating compromised email account.
Added delegate mailbox permissions	Add-MailboxPermission	An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see System accounts in Exchange mailbox audit records.
Added or removed user with delegate access to calendar folder	UpdateCalendarDelegation	A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.
Added permissions to folder	AddFolderPermissions	A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
Copied messages to another folder	Copy	A message was copied to another folder.
Created mailbox item	Create	An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.
Created new inbox rule in Outlook web app	New-InboxRule	A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app.
Deleted messages from Deleted Items folder	SoftDelete	A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses Shift+Delete.
Labeled message as a record	ApplyRecordLabel	A message was classified as a record. Occurs when a retention label that classifies content as a record is manually or automatically applied to a message.
Moved messages to another folder	Move	A message was moved to another folder.
Moved messages to Deleted Items folder	MoveToDeletedItems	A message was deleted and moved to the Deleted Items folder.
Modified folder permission	UpdateFolderPermissions	A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder.
Modified inbox rule from Outlook web app	Set-InboxRule	A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app.
Purged messages from the mailbox	HardDelete	A message was purged from the Recoverable Items folder (permanently deleted from the mailbox).
Removed delegate mailbox permissions	Remove-MailboxPermission	An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it.
Removed permissions from folder	RemoveFolderPermissions	A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
Sent message	Send	A message was sent, replied to or forwarded.
Sent message using Send As permissions	SendAs	A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner.
Sent message using Send On Behalf permissions	SendOnBehalf	A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message.
Updated inbox rules from Outlook client	UpdateInboxRules	A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client.
Updated message	Update	A message or its properties was changed.
User signed in to mailbox	MailboxLogin	The user signed in to their mailbox.
Label message as a record		A user applied a retention label to an email message and that label is configured to mark the item as a record.

System accounts in Exchange mailbox audit records

In audit records for some mailbox activities (especially Add-MailboxPermissions), you may notice the user who performed the activity (and is identified in the User and UserId fields) is NT AUTHORITY\SYSTEM or NT AUTHORITY\SYSTEM(Microsoft.Exchange.Servicehost). This indicates that the "user" who performed the activity was a system account in Exchange service in the Microsoft cloud. This system account often performs scheduled maintenance tasks on behalf of your organization. For example, a common audited activity performed by the NT AUTHORITY\SYSTEM(Microsoft.Exchange.ServiceHost) account is to update the permissions on the DiscoverySearchMailbox, which is a system mailbox. The purpose of this update is to verify that the FullAccess permission (which is the default) is assigned to the Discovery Management role group for the DiscoverySearchMailbox. Ensures that eDiscovery administrators can perform necessary tasks in their organization.

Another system user account that may be identified in an audit record for Add-MailboxPermission is Administrator@apcprd03.prod.outlook.com. This service account is also included in mailbox audit records related to verifying and updating the FullAccess permission is assigned to the Discovery Management role group for the DiscoverySearchMailbox system mailbox. Specifically, audit records that identify the Administrator@apcprd03.prod.outlook.com account are typically triggered when Microsoft support personnel run a role-based access control diagnostic tool on behalf of your organization.

File and page activities

The following table describes the file and page activities in SharePoint Online and OneDrive for Business.

Friendly name	Operation	Description
Accessed file	FileAccessed	User or system account accesses a file. Once a user accesses a file, the FileAccessed event isn't logged again for the same user for same file for the next five minutes.
(none)	FileAccessedExtended	This is related to the "Accessed file" (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period (up to 3 hours). The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileAccessed event.
Changed retention label for a file	ComplianceSettingChanged	A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
Changed record status to locked	LockRecord	The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked	UnlockRecord	The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Checked in file	FileCheckedIn	User checks in a document that they checked out from a document library.
Checked out file	FileCheckedOut	User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file	FileCopied	User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file	FileDeleted	User deletes a document from a site.
Deleted file from recycle bin	FileDeletedFirstStageRecycleBin	User deletes a file from the recycle bin of a site.
Deleted file from second-stage recycle bin	FileDeletedSecondStageRecycleBin	User deletes a file from the second-stage recycle bin of a site.
Deleted file marked as a record	RecordDelete	A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
Detected document sensitivity mismatch	DocumentSensitivityMismatchDetected	User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled Confidential is uploaded to a site labeled General. This event isn't triggered if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential. For more information about sensitivity label priority, see Label priority (order matters).
Detected malware in file	FileMalwareDetected	SharePoint anti-virus engine detects malware in a file.
Discarded file checkout	FileCheckOutDiscarded	User discards (or undoes) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file	FileDownloaded	User downloads a document from a site.
Modified file	FileModified	User or system account modifies the content or the properties of a document on a site. The system waits five minutes before it logs another FileModified event when the same user modifies the content or properties of the same document.
(none)	FileModifiedExtended	This is related to the "Modified file" (FileModified) activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period (up to 3 hours). The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified. This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial (and more important) FileModified event.
Moved file	FileMoved	User moves a document from its current location on a site to a new location.
(none)	FilePreviewed	User previews files on a SharePoint or OneDrive for Business site. These events typically occur in high volumes based on a single activity, such as viewing an image gallery.
Performed search query	SearchQueryPerformed	User or system account performs a search in SharePoint or OneDrive for Business. Some common scenarios where a service account performs a search query include applying an eDiscovery holds and retention policy to sites and OneDrive accounts, and autoapplying retention or sensitivity labels to site content.
Recycled a file	FileRecycled	User moves a file into the SharePoint Recycle Bin.
Recycled a folder	FolderRecycled	User moves a folder into the SharePoint Recycle Bin.
Recycled all minor versions of file	FileVersionsAllMinorsRecycled	User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled all versions of file	FileVersionsAllRecycled	User deletes all versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled version of file	FileVersionRecycled	User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin.
Renamed file	FileRenamed	User renames a document.
Restored file	FileRestored	User restores a document from the recycle bin of a site.
Uploaded file	FileUploaded	User uploads a document to a folder on a site.
Viewed page	PageViewed	User views a page on a site. This doesn't include using a Web browser to view files located in a document library. Once a user views a page, the PageViewed event isn't logged again for the same user for same page for the next five minutes.
(none)	PageViewedExtended	This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours). The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.
View signaled by client	ClientViewSignaled	A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. The system waits five minutes before it logs the same event when the same user's client signals that the page has been viewed again by the user.
(none)	PagePrefetched	A user's client (such as website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. When the page content is rendered by the client (as per the user's request) a ClientViewSignaled event should be generated. Not all clients support indicating a prefetch, and therefore some prefetched activities might instead be logged as PageViewed events.

Frequently asked questions about FileAccessed and FilePreviewed events

Could any non-user activities trigger FilePreviewed audit records that contain a user agent like "OneDriveMpc-Transform_Thumbnail"?

We aren't aware of scenarios where nonuser actions generate events like these. User actions like opening a user profile card (by selecting their name or email address in a message in Outlook on the web) would generate similar events.

Are calls to the OneDriveMpc-Transform_Thumbnail always intentionally being triggered by the user?

No. But similar events can be logged as a result of browser prefetch.

If we see a FilePreviewed event coming from a Microsoft-registered IP address, does that mean that the preview was displayed on the screen of the user's device?

No. The event might have been logged as a result of browser prefetch.

Are there scenarios where a user previewing a document generates FileAccessed events?

Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent.

The app@sharepoint user in audit records

In audit records for some file activities (and other SharePoint-related activities), you may notice the user who performed the activity (identified in the User and UserId fields) is app@sharepoint. This indicates that the "user" who performed the activity was an application. In this case, the application was granted permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. This process of giving permissions to an application is called SharePoint App-Only access. This indicates that the authentication presented to SharePoint to perform an action was made by an application, instead of a user. This is why the app@sharepoint user is identified in certain audit records. For more information, see Grant access using SharePoint App-Only.

For example, app@sharepoint is often identified as the user for "Performed search query" and "Accessed file" events. That's because an application with SharePoint App-Only access in your organization performs search queries and accesses files when applying retention policies to sites and OneDrive accounts.

Here are a few other scenarios where app@sharepoint may be identified in an audit record as the user who performed an activity:

• Microsoft 365 Groups. When a user or admin creates a new group, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group. These tasks are performed an application on behalf of the user who created the group.
• Microsoft Teams. Similar to Microsoft 365 Groups, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group when a team is created.
• Compliance features. When an admin implements compliance features, such as retention policies, eDiscovery holds, and autoapplying sensitivity labels.

In these and other scenarios, you'll also notice that multiple audit records with app@sharepoint as the specified user were created within a short time frame, often within a few seconds of each other. This also indicates they were probably triggered by the same user-initiated task. Also, the ApplicationDisplayName and EventData fields in the audit record may help you identify the scenario or application that triggered the event.

Folder activities

The following table describes the folder activities in SharePoint Online and OneDrive for Business. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name	Operation	Description
Copied folder	FolderCopied	User copies a folder from a site to another location in SharePoint or OneDrive for Business.
Created folder	FolderCreated	User creates a folder on a site.
Deleted folder	FolderDeleted	User deletes a folder from a site.
Deleted folder from recycle bin	FolderDeletedFirstStageRecycleBin	User deletes a folder from the recycle bin on a site.
Deleted folder from second-stage recycle bin	FolderDeletedSecondStageRecycleBin	User deletes a folder from the second-stage recycle bin on a site.
Modified folder	FolderModified	User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.
Moved folder	FolderMoved	User moves a folder to a different location on a site.
Renamed folder	FolderRenamed	User renames a folder on a site.
Restored folder	FolderRestored	User restores a deleted folder from the recycle bin on a site.

Information barriers activities

The following table lists the activities in information barriers that are logged in the Microsoft 365 audit log. For more information about information barriers, see Learn about information barriers in Microsoft 365.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name	Operation	Description
Changed AppBypassInformationBarrier setting for the tenant	AppBypassInformationBarrier	A SharePoint or global administrator has changed apps access for SharePoint sites.
Applied information barrier mode to site	SiteIBModeSet	A SharePoint or global administrator has applied a mode to the site.
Applied segments to site	SiteIBSegmentsSet	A SharePoint, global administrator, or site owner added one or more information barriers segments to a site.
Changed information barrier mode of site	SiteIBModeChanged	A SharePoint or global administrator has updated the mode of the site.
Changed segments of site	SiteIBSegmentsChanged	A SharePoint or global administrator changed one or more information barriers segments for a site.
Disabled information barriers for SharePoint and OneDrive	SPOIBIsDisabled	A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.
Enabled information barriers for SharePoint and OneDrive	SPOIBIsEnabled	A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.
Information barriers insights report completed	InformationBarriersInsightsReportCompleted	System completes build of the information barriers insights report.
Information barriers insights report OneDrive section queried	InformationBarriersInsightsReportOneDriveSectionQueried	An administrator queries the information barriers insights report for OneDrive accounts.
Information barriers insights report scheduled	InformationBarriersInsightsReportSchedule	An administrator schedules the information barriers insights report.
Information barriers insights report SharePoint section queried	InformationBarriersInsightsReportSharePointSectionQueried	An administrator queries the information barriers insights report for Sharepoint sites.
Removed segment from site	SiteIBSegmentsRemoved	A SharePoint or global administrator removed one or more information barriers segments from a site.

Microsoft Defender for Endpoint general settings activities

The following table lists the activities for Microsoft Defender for Endpoint general settings that are logged in the Microsoft 365 audit log. For more information about the settings Microsoft Defender for Endpoint, see Configure general Defender for Endpoint settings.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Downloaded offboarding package	DownloadOffboardingPkg	Downloaded the package used to remove devices from Defender for Endpoint.
Downloaded onboarding package	DownloadOnboardingPkg	Downloaded the package used to onboard devices to Defender for Endpoint.
Changed data retention	ChangeDataRetention	Edited the data retention settings for Defender for Endpoint.
Set advanced features	SetAdvancedFeatures	Changed advanced features in Defender for Endpoint, enabling more precise controls during an incident. Only settings for advanced features that are generally available are logged in the Microsoft 365 audit log.

Microsoft Defender for Endpoint indicator settings activities

The following table lists the activities for Microsoft Defender for Endpoint indicator settings that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender for Endpoint indicators, see Manage indicators.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Added indicator	AddIndicator	Created a new Indicator of compromise you can use to track attacks and events.
Edited indicator	EditIndicator	Edited an Indicator of compromise.
Deleted indicator	DeleteIndicator	Removed an Indicator of compromise.

Microsoft Defender for Endpoint response actions activities

The following table lists the activities for Microsoft Defender for Endpoint response actions, including Live response, that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender for Endpoint response actions, see Take response actions on a device.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Collected investigation package	CollectInvestigationPackage	Collected information about a device that's used to understand attack tools and techniques.
Ran Antivirus scan	RunAntiVirusScan	Ran Microsoft Defender Antivirus scan on a device.
Restricted app execution	RestrictAppExecution	Prevent a malicious app from running.
Removed app restrictions	RemoveAppRestrictions	Allow an app to run.
Isolated device	IsolateDevice	Isolated a device from the network, helping prevent attacks from spreading.
Released from isolation	ReleaseFromIsolation	Added an isolated device back onto the network.
Stopped and quarantined file	StopAndQuarantineFile	Quarantined a suspicious file for further analysis.
Downloaded file	DownloadFile	Downloaded a suspicious file for further investigation.
Offboarded device	DeviceOffBoarding	Removed a device from Defender for Endpoint.
Ran Live response API	RunLiveResponseApi	Opened a Live response session via an API call, opening a remote shell into a device.
Collected Logs	LogsCollection	Collected log information about Defender for Endpoint.
Ran get Live response file link	LiveResponseGetFile	Opened a Live response session, opening a remote shell into a device.
Ran Live response session	RunLiveResponseSession	Ran a Live response session, opening a remote shell into a device.

Microsoft Defender for Endpoint roles settings activities

The following table lists the activities for Microsoft Defender for Endpoint role settings that are logged in the Microsoft 365 audit log. For more information about roles in Microsoft Defender for Endpoint, see Create and manage roles for role-based access control.

To view Microsoft Defender for Endpoint activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
AddRole	Added role	Added new security role and permissions.
EditRole	Edited role	Edited security roles and permissions.
DeleteRole	Deleted role	Removed security roles and permissions.

Microsoft Defender for Experts activities

The following table lists the activities in Microsoft Defender Experts that are logged into the Microsoft 365 audit log. For more information about Microsoft Defender Experts, see Learn about Microsoft Defender Experts for XDR and Learn about Microsoft Defender Experts for Hunting

Friendly name	Operation	Description
Defender Experts analyst permission created	DefenderExpertsAnalystPermissionCreated	An administrator granted one or more role permissions to Defender Experts analysts to investigate incidents or remediate threats.
Defender Experts analyst permission modified	DefenderExpertsAnalystPermissionModified	An administrator modified role permissions for Defender Experts analysts to investigate incidents or remediate threats.

Microsoft Defender for Identity activities

The following table lists the activities for Microsoft Defender for Identity that are logged in the Microsoft 365 audit log.

To view Microsoft Defender for Identity activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Updated entity tags	TaggingConfigurationUpdated	A tag was added or removed from an entity.
Added exclusions configuration	ExclusionConfigurationAdded	A global exclusion was added for an alert or for an entity.
Updated exclusions configuration	ExclusionConfigurationUpdated	A global exclusion was updated for an alert or for an entity.
Deleted exclusions configuration	ExclusionConfigurationDeleted	A global exclusion was deleted for an alert or for an entity.
Updated alert threshold configuration	WorkspaceAlertThresholdLevelUpdated	The alerts thresholds configuration was updated.
Downloaded security alert Excel	AlertExcelDownloaded	The detailed Excel file of an alert was downloaded.
Added remediation action	RemediationActionAdded	A remediation action was added to the queue.
Updated remediation action	RemediationActionUpdated	A remediation action was completed.
Updated sensor configuration	SensorConfigurationUpdated	A sensor's configuration was updated.
Added sensor	SensorCreated	A new sensor was added.
Removed sensor	SensorDeleted	A sensor was deleted.
Retrieved sensor deployment key	SensorDeploymentAccessKeyReceived	The sensors access key was retrieved.
Regenerated sensor deployment key	SensorDeploymentAccessKeyUpdated	The sensors access key was regenerated.
Downloaded Domain Controller coverage Excel	DomainControllerCoverageExcelDownloaded	The Domain Controller coverage Excel file was downloaded.
Updated directory services account configuration	DirectoryServicesAccountConfigurationUpdated	The Directory services accounts set was modified.
Updated remediation action configuration	RemediationActionConfigurationUpdated	The Manage action accounts set was modified.
Updated entity remediation configuration	EntityRemediatorConfigurationUpdated	The Manage action accounts mode was modified.
Updated health issue	MonitoringAlertUpdated	A health issue was modified.
Downloaded report	ReportDownloaded	A report was downloaded.
Updated reporter configuration	ReporterConfigurationUpdated	A report's scheduling was modified.
Updated syslog forwarding configuration	SyslogServiceConfigurationUpdated	The syslog forwarding configuration was modified.
Updated security notification configuration	NotificationConfigurationUpdated	The security alerts or health issues notifications configuration was modified.
Added alert notification recipient	AlertNotificationsRecipientAdded	A recipient was added to the security alerts notification configuration.
Deleted alert notification recipient	AlertNotificationsRecipientDeleted	A recipient was removed from the security alerts notification configuration.
Added health issues notification recipient	MonitoringAlertNotificationRecipientAdded	A recipient was added to the health issues notification configuration.
Deleted health issues notification recipient	MonitoringAlertNotificationRecipientDeleted	A recipient was removed from the heath issues notification configuration.
Updated VPN configuration	VpnConfigurationUpdated	The VPN (radius accounting) configuration was modified.
Updated Unified RBAC configuration	URbacAuthorizationStatusChanged	The Unified Role Based Access Control configuration was modified.
Created workspace	WorkspaceCreated	The workspace was created.
Deleted workspace	WorkspaceDeleted	The workspace was deleted.

Microsoft Defender XDR custom detection activities

The following table lists the custom detection activities for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about Microsoft Defender XDR custom detections, see Create and manage custom detections rules.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Created custom detection rule	CreateCustomDetection	A new custom detection rule was created.
Edited custom detection rule	EditCustomDetection	A custom detection rule was modified.
Changed custom detection rule status	ChangeCustomDetectionRuleStatus	A custom detection rule was turned off or on.
Ran custom detection rule	RunCustomDetection	A custom detection rule was manually run.
Deleted custom detection rule	DeleteCustomDetection	A custom detection rule was removed.

Microsoft Defender XDR incident activities

The following table lists the incident activities for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about incidents in Microsoft Defender XDR, see Incidents overview.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Added comment to incident	AddCommentToIncident.	Added comment to incident.
Assigned user to incident	AssignUserToIncident	Assigned user to incident.
Unassigned user to incident	UnAssignUserFromIncident	Unassigned user to incident.
Updated incidents status	UpdateIncidentStatus	Updated incidents status.
Edit incident classification	EditIncidentClassification	Edit incident classification.
Added tags to incident	AddTagsToIncident	Added tags to incident.
Removed tags from incident	RemoveTagsFromIncident	Removed tags from incident.

Microsoft Defender XDR suppression rule activities

The following table lists the activities for suppression rules for Microsoft Defender XDR that are logged in the Microsoft 365 audit log. For more information about suppression rules in Microsoft Defender XDR, see Manage suppression rules.

To view Microsoft Defender XDR activities, the unified audit log must be enabled in the Microsoft Defender XDR portal. For more information, see Enable the unified audit log.

Friendly name	Operation	Description
Created suppression rule	CreateSuppressionRule	Created alert suppression rule.
Edited suppression rule	EditSuppressionRule	Deleted alert suppression rule.
Enabled suppression rule	EnableSuppressionRule	Enabled alert suppression rule.
Disabled suppression rule	DisableSuppressionRule	Disabled alert suppression rule.
Deleted suppression rule	DeleteSuppressionRule	Deleted alert suppression rule.

Microsoft Entra group administration activities

The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 group or when an admin creates a security group by using the Microsoft 365 admin center or the Azure management portal. For more information about groups in Microsoft 365, see View, create, and delete Groups in the Microsoft 365 admin center.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name	Operation	Description
Added group	Add group.	A group was created.
Added member to group	Add member to group.	A member was added to a group.
Deleted group	Delete group.	A group was deleted.
Removed member from group	Remove member from group.	A member was removed from a group.
Updated group	Update group.	A property of a group was changed.

Microsoft Fabric activities

You can search the audit log for activities in Power BI. For information about audit settings, see Audit and usage tenant settings.

Audit logging is turned on by default for Microsoft 365 organizations. If auditing isn't turned on for your organization, a banner appears that prompts you to start recording user and admin activity. For instructions, see Turn on auditing.

Microsoft Forms activities

The tables in this section the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis. Where noted below in the descriptions, some operations contain additional activity parameters.

If a Forms activity is performed by a coauthor or an anonymous responder, it's logged slightly differently. For more information, see the Forms activities performed by coauthors and anonymous responders section.

Friendly name	Operation	Description
Created comment	CreateComment	Form owner adds comment or score to a quiz.
Created form	CreateForm	Form owner creates a new form. Property DataMode:string indicates the current form is set to sync with a new or existing Excel workbook if the property value equals DataSync. Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form.
Edited form	EditForm	Form owner edits a form such as creating, removing, or editing a question. The property EditOperation:string indicates the edit operation name. The possible operations are: - CreateQuestion - CreateQuestionChoice - DeleteQuestion - DeleteQuestionChoice - DeleteFormImage - DeleteQuestionImage - UpdateQuestion - UpdateQuestionChoice - UploadFormImage/Bing/Onedrive - UploadQuestionImage - ChangeTheme FormImage includes any place within Forms that user can upload an image, such as in a query or as a background theme.
Moved form	MoveForm	Form owner moves a form. Property DestinationUserId:string indicates the user ID of the person who moved the form. Property NewFormId:string is the new ID for the newly copied form. Property IsDelegateAccess:boolean indicates the current form move action is performed through the admin delegate page.
Deleted form	DeleteForm	Form owner deletes a form. This includes SoftDelete (delete option used and form moved to recycle bin) and HardDelete (Recycle bin is emptied).
Viewed form (design time)	ViewForm	Form owner opens an existing form for editing. Property AccessDenied:boolean indicates access of current form is denied due to permission check. Property FromSummaryLink:boolean indicates current request comes from the summary link page.
Previewed form	PreviewForm	Form owner previews a form using the Preview function.
Exported form	ExportForm	Form owner exports results to Excel. Property ExportFormat:string indicates if the Excel file is Download or Online.
Allowed share form for copy	AllowShareFormForCopy	Form owner creates a template link to share the form with other users. This event is logged when the form owner selects to generate template URL.
Disallowed share form for copy	DisallowShareFormForCopy	Form owner deletes template link.
Added form coauthor	AddFormCoauthor	A user uses a collaboration link to help design for/view responses. This event is logged when a user uses a collab URL (not when collab URL is first generated).
Removed form coauthor	RemoveFormCoauthor	Form owner deletes a collaboration link.
Viewed response page	ViewRuntimeForm	User has opened a response page to view. This event is logged regardless of whether the user submits a response or not.
Created response	CreateResponse	Similar to receiving a new response. A user has submitted a response to a form. Property ResponseId:string and Property ResponderId:string indicates which result is being viewed. For an anonymous responder, the ResponderId property is null.
Updated response	UpdateResponse	Form owner has updated a comment or score on a quiz. Property ResponseId:string and Property ResponderId:string indicates which result is being viewed. For an anonymous responder, the ResponderId property is null.
Deleted all responses	DeleteAllResponses	Form owner deletes all response data.
Deleted Response	DeleteResponse	Form owner deletes one response. Property ResponseId:string indicates the response being deleted.
Viewed responses	ViewResponses	Form owner views the aggregated list of responses. Property ViewType:string indicates whether form owner is viewing Detail or Aggregate
Viewed response	ViewResponse	Form owner views a particular response. Property ResponseId:string and Property ResponderId:string indicates which result is being viewed. For an anonymous responder, the ResponderId property is null.
Created summary link	GetSummaryLink	Form owner creates summary results link to share results.
Deleted summary link	DeleteSummaryLink	Form owner deletes summary results link.
Updated form phishing status	UpdatePhishingStatus	This event is logged whenever the detailed value for the internal security status was changed, regardless of whether this changed the final security state (for example, form is now Closed or Opened). This means you may see duplicate events without a final security state change. The possible status values for this event are: - Take Down - Take Down by Admin - Admin Unblocked - Auto Blocked - Auto Unblocked - Customer Reported - Reset Customer Reported
Updated user phishing status	UpdateUserPhishingStatus	This event is logged whenever the value for the user security status was changed. The value of the user status in the audit record is Confirmed as Phisher when the user created a phishing form that was taken down by the Microsoft Online safety team. If an admin unblocks the user, the value of the user's status is set to Reset as Normal User.
Sent Forms Pro invitation	ProInvitation	User selects to activate a Pro trial.
Updated form setting	UpdateFormSetting	Form owner updates one or multiple form settings. Property FormSettingName:string indicates updated sensitive settings' name. Property NewFormSettings:string indicates updated settings' name and new value. Property thankYouMessageContainsLink:boolean indicates updated thank-you message contains a URL link.
Updated user setting	UpdateUserSetting	Form owner updates a user setting. Property UserSettingName:string indicates the setting's name and new value
Listed forms	ListForms	Form owner is viewing a list of forms. Property ViewType:string indicates which view the form owner is looking at: All Forms, Shared with Me, or Group Forms
Submitted response	SubmitResponse	A user submits a response to a form. Property IsInternalForm:boolean indicates if the responder is within the same organization as the form owner.
Enabled anyone can respond setting	AllowAnonymousResponse	Form owner turns on the setting allowing any one to respond to the form.
Disabled anyone can respond setting	DisallowAnonymousResponse	Form owner turns off the setting allowing any one to respond to the form.
Enabled specific people can respond setting	EnableSpecificResponse	Form owner turns on the setting allowing only specific people or specific groups in the current organization to respond to the form.
Disabled specific people can respond setting	DisableSpecificResponse	Form owner turns off the setting allowing only specific people or specific groups in the current organization to respond to the form.
Added specific responder	AddSpecificResponder	Form owner adds a new user or group to the specific responders list.
Removed specific responder	RemoveSpecificResponder	Form owner removes a user or group from the specific responders list.
Disabled collaboration	DisableCollaboration	Form owner turns off the setting of collaboration on the form.
Enabled Office 365 work or school account collaboration	EnableWorkOrSchoolCollaboration	Form owner turns on the setting allowing users with a Microsoft 365 work or school account to view and edit the form.
Enabled people in my organization collaboration	EnableSameOrgCollaboration	Form owner turns on the setting allowing users in the current organization to view and edit the form.
Enabled specific people collaboration	EnableSpecificCollaboaration	Form owner turns on the setting allowing only specific people or specific groups in the current organization to view and edit the form.
Connected to Excel workbook	ConnectToExcelWorkbook	Connected the form to an Excel workbook. Property ExcelWorkbookLink:string indicates the associated Excel workbook ID of the current form.
Created a collection	CollectionCreated	Form owner created a collection.
Updated a collection	CollectionUpdated	Form owner updated a collection property.
Deleted collection from the Recycle Bin	CollectionHardDeleted	Form owner hard-deleted a collection from the Recycle Bin.
Moved collection to the Recycle Bin	CollectionSoftDeleted	Form owner moved a collection to the Recycle Bin.
Renamed a collection	CollectionRenamed	Form owner changed the name of a collection.
Moved a form into collection	MovedFormIntoCollection	Form owner moved a form into a collection.
Moved a form out of collection	MovedFormOutofCollection	Form owner moved a form out of a collection.

Forms activities performed by coauthors and anonymous responders

Forms supports collaboration when forms are designed and when analyzing responses. A form collaborator is known as a coauthor. Coauthors can do everything a form owner can do, except delete or move a form. Forms also allows you to create a form that can be responded to anonymously. This means the responder doesn't have to be signed into your organization to respond to a form.

The following table describes the auditing activities and information in the audit record for activities performed by coauthors and anonymous responders.

Activity type	Internal or external user	User ID that's logged	Organization logged in to	Forms user type
Coauthoring activities	Internal	UPN	Form owner's org	Coauthor
Coauthoring activities	External	UPN	Coauthor's org	Coauthor
Coauthoring activities	External	urn:forms:coauthor#a0b1c2d3@forms.office.com (The second part of the ID is a hash, which will differ for different users)	Form owner's org	Coauthor
Response activities	External	UPN	Responder's org	Responder
Response activities	External	urn:forms:external#a0b1c2d3@forms.office.com (The second part of the User ID is a hash, which will differ for different users)	Form owner's org	Responder
Response activities	Anonymous	urn:forms:anonymous#a0b1c2d3@forms.office.com (The second part of the User ID is a hash, which will differ for different users)	Form owner's org	Responder

Microsoft Graph Data Connect

The following table lists the user and admin activities in Microsoft Graph Data Connect that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Friendly name	Operation	Description
Approved or denied an app	ConsentModificationRequest	A user performed a consent modification request.
Extraction ran	DataAccessRequestOperation	A user performed an extraction. Partner datasets and ISV runs are excluded.

Microsoft Planner activities

The following table lists the user and admin activities in Microsoft Planner that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Note

Portfolio activity in Planner is logged with Microsoft Project for web roadmap activity. For details, see the Microsoft Project for the web activities section.

Friendly name	Operation	Description
Read a plan	PlanRead	A plan is read by a user or an app. If the read operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ContainerType indicates ContainerType.Invalid and ContainerId indicates null.
Created a plan	PlanCreated	A plan is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null, ContainerType indicates ContainerType.Invalid and ContainerId indicates null.
Modified a plan	PlanModified	A plan is modified by a user or an app.
Deleted a plan	PlanDeleted	A plan is deleted by a user or an app.
Copied a plan	PlanCopied	A plan is copied by a user or an app. If the copy operation is a ResultStatus.Failure or ResultStatus.Failure, newPlanId indicates null, newContainerType indicates ContainerType.Invalid, and newContainerId indicates null.
Read a task	TaskRead	A task is read by a user or an app. If the read operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, PlanId indicates null.
Created a task	TaskCreated	A task is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null and PlanId indicates null.
Modified a task	TaskModified	A task is modified by a user or an app.
Deleted a task	TaskDeleted	A task is deleted by a user or an app.
Assigned a task	TaskAssigned	A task's assignee is modified by a user or an app. This can be an unassigned task getting assigned or an assigned task has a new assignee.
Completed a task	TaskCompleted	A task is marked completed by a user or an app.
Created a roster	RosterCreated	A roster is created by a user or an app. If the create operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates null, MemberIds indicates an empty string.
Deleted a roster	RosterDeleted	A roster is deleted by a user or an app.
Added a member(s) to a roster	RosterMemberAdded	A member(s) is added to a roster. If the add operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, MemberIds indicates the list of member IDs attempted.
Removed a member(s) to a roster	RosterMemberDeleted	A member(s) is removed from a roster. If the remove operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, MemberIds indicates the list of member IDs attempted.
Read a list of plans	PlanListRead	A list of plans is queried by a user or an app. If the query operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, PlanList indicates an empty string.
Read a list of tasks	TaskListRead	A list of tasks is queried by a user or an app. If the query operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, TaskList indicates an empty string.
Updated tenant settings	TenantSettingsUpdated	Tenant settings are updated by a tenant admin. If the update operation is a ResultStatus.Failure or ResultStatus.AuthorizationFailure, ObjectId indicates the original settings, and TenantSettings indicates the tenant settings attempted.
Updated a roster's sensitivity label	RosterSensitivityLabelUpdated	A user or an app updates a roster's sensitivity label.

Microsoft Power Apps activities

You can search the audit log for app-related activities in Power Apps. These activities include creating, launching, and publishing an app. Assigning permissions to apps is also audited. For a description of all Power Apps activities, see Activity logging for Power Apps.

Note

Alert Policies (Protection Alert) audit events (RecordType:45) aren't currently supported for PowerApps.

Microsoft Power Automate activities

You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog Power Automate audit events now available in compliance portal.

Microsoft Project for the web activities

You can search the audit log for activities in Microsoft Project for the web. Microsoft Project for the web is built on the Microsoft Dataverse and has an associated Project Power App. To enable auditing for scenarios where the user is using the Microsoft Dataverse or the Project Power App, see the System Settings Auditing tab guidance. For a list of entities related to Project for the web, see the Export user data from Project for the web guidance.

For information about Microsoft Project for the web, see Microsoft Project for the web.

Note

Auditing events for Microsoft Project for the web activities requires a paid Project Plan 1 license (or higher).

Friendly name	Operation	Description
Created project	ProjectCreated	A project is created by a user or app.
Created roadmap	RoadmapCreated	A roadmap or portfolio is created by a user or app.
Created roadmap item	RoadmapItemCreated	A roadmap or portfolio item is created by a user or app.
Created task	TaskCreated	A task is created by a user or app.
Deleted project	ProjectDeleted	A project is deleted by a user or app.
Deleted roadmap	RoadmapDeleted	A roadmap or portfolio is deleted by a user or app.
Deleted roadmap item	RoadmapItemDeleted	A roadmap or portfolio item is deleted by a user or app.
Deleted task	TaskDeleted	A task is deleted by a user or app.
Project accessed	ProjectAccessed	A project is read or app.
Project home accessed	ProjectListAccessed	A list of projects and/or roadmaps is queried by a user.
Roadmap accessed	RoadmapAccessed	A roadmap or portfolio is read by a user or app.
Roadmap item accessed	RoadmapItemAccessed	A roadmap or portfolio item is read by a user or app.
Task accessed	TaskAccessed	A task is read by a user or app.
Updated project settings	ProjectForTheWebProjectSettings	Project settings are updated by an admin.
Updated roadmap	RoadmapUpdated	A roadmap or portfolio is modified by a user or app.
Updated roadmap item	RoadmapItemUpdated	A roadmap or portfolio item is modified by a user or app.
Updated roadmap settings	ProjectForTheWebRoadmaptSettings	Roadmap or portfolio settings are updated by an admin.
Updated task	TaskUpdated	A task is modified by a user or app.
Updated project	ProjectUpdated	A project is modified by a user or app.

Microsoft Purview Audit solution activities

The following table lists activities associated with audit solutions in the Microsoft Purview portal, the Microsoft Purview compliance portal, and the Audit Search Graph API. These activities are audited under the SecurityComplianceCenter workload. For more information, see Search the audit log.

Audit search and export activities performed using Search-UnifiedAuditLog aren't audited.

Friendly name	Operation	Description
Audit search created	AuditSearchCreated	A new audit search request is submitted.
Audit search completed	AuditSearchCompleted	An audit search job is completed.
Audit search canceled	AuditSearchCancelled	An audit search job is canceled.
Audit search deleted	AuditSearchDeleted	An audit search job is deleted.
Audit search export job created	AuditSearchExportJobCreated	An export job is created to export the search results of an audit search query.
Audit search export job completed	AuditSearchExportJobCompleted	The export job to export the search results of an audit search query is completed.
Audit search export results downloaded	AuditSearchExportResultsDownloaded	The search results from an audit search query were downloaded.

Microsoft Purview governance activities

The following table lists Microsoft Purview governance activities that are logged in the Microsoft 365 audit log. For more information, see Microsoft Purview governance solutions.

Friendly name	Operation	Description
Asset or entity created	EntityCreated	A new asset or entity is created or added to an existing asset.
Classification added	ClassificationAdded	Add classifications to asset entity.
Classification definition created	ClassificationDefinitionCreated	Create a classification type.
Classification definition deleted	ClassificationDefinitionDeleted	Delete a classification type.
Classification definition updated	ClassificationDefinitionUpdated	Update a classification type.
Classification deleted	ClassificationDeleted	Delete classifications from asset entity.
Classification updated	ClassificationUpdated	Update classifications on asset entity.
Entity deleted	EntityDeleted	An asset or entity is deleted from an existing asset.
Entity updated	EntityUpdated	Includes: attribute update, business attribute update, collection info (only include collection ID), contacts update, customAttributes, hierarchy, homeId, labels, sourceDetails
Glossary term assigned	GlossaryTermAssigned	Assign terms to asset entity.
Glossary term created	GlossaryTermCreated	Create a term.
Glossary term deleted	GlossaryTermDeleted	Delete a term.
Glossary term disassociated	GlossaryTermDisassociated	Disassociate terms from asset entity.
Glossary term updated	GlossaryTermUpdated	Update a term.
Sensitivity label changed	SensitivityLabelChanged	Sensitivity label is added/updated/deleted.

Microsoft Stream activities

You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in Audit Logs in Microsoft Stream.

Microsoft Teams activities

The following table lists Microsoft Teams activities that are logged in the Microsoft 365 audit log. You can search the audit log for user and admin activities in Microsoft Teams. Teams is a chat-centered workspace in Microsoft 365. It brings a team's conversations, meetings, files, and notes together into a single place. For more detailed search guidance, see Search the audit log for events in Microsoft Teams.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name	Operation	Description
Added bot to team	BotAddedToTeam	A user adds a bot to a team.
Added channel	ChannelAdded	A user adds a channel to a team.
Added connector	ConnectorAdded	A user adds a connector to a channel.
Added details about Teams meeting 9	MeetingDetail	Teams added information about a meeting, including the start time, the end time, and the URL to join the meeting.
Added information about meeting participants 9	MeetingParticipantDetail	Teams added information about the participants of a meeting, including the user ID of each participant, the time a participant joined the meeting, and the time a participant left the meeting.
Added members 6, 8	MemberAdded	A team owner adds members to a team, channel, or group chat.
Added tab	TabAdded	A user adds a tab to a channel.
Applied sensitivity label	SensitivityLabelApplied	A user or meeting organizer applied a sensitivity label to a Teams meeting.
Changed channel setting	ChannelSettingChanged	The ChannelSettingChanged operation is logged when the following activities are performed by a team member. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results. Changes name of a team channel (Channel name) Changes description of a team channel (Channel description)
Changed organization setting	TeamsTenantSettingChanged	The TeamsTenantSettingChanged operation is logged when the following activities are performed by a global admin in the Microsoft 365 admin center. These activities affect org-wide Teams settings. To learn more, see Manage Teams settings for your organization. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results. Enables or disables Teams for the organization (Microsoft Teams). Enables or disables interoperability between Microsoft Teams and Skype for Business for the organization (Skype for Business interoperability). Enables or disables the organizational chart view in Microsoft Teams clients (Org chart view). Enables or disables the ability for team members to schedule private meetings (Private meeting scheduling). Enables or disables the ability for team members to schedule channel meetings (Channel meeting scheduling). Enables or disables video calling in Teams meetings (Video for Skype meetings). Enables or disables screen sharing in Microsoft Teams meetups for the organization (Screen sharing for Skype meetings). Enables or disables that ability to add animated images (called Giphys) to Teams conversations (Animated images). Changes the content rating setting for the organization (Content rating). The content rating restricts the type of animated image that can be displayed in conversations. Enables or disables the ability for team members to add customizable images (called custom memes) from the internet to team conversations (Customizable images from the Internet). Enables or disables the ability for team members to add editable images (called stickers) to team conversations (Editable images). Enables or disables that ability for team members to use bots in Microsoft Teams chats and channels (Org-wide bots). Enables specific bots for Microsoft Teams. This doesn't include the T-Bot, which is Teams help bot that's available when bots are enabled for the organization (Individual bots). Enables or disables the ability for team members to add extensions or tabs (Extensions or tabs). Enables or disables the side-loading of proprietary bots for Microsoft Teams (Side loading of Bots). Enables or disables the ability for users to send email messages to a Microsoft Teams channel (Channel email).
Changed role of members in team	MemberRoleChanged	A team owner changes the role of members in a team. The following values indicate the role type assigned to the user. 1 - Indicates the Member role. 2 - Indicates the Owner role. 3 - Indicates the Guest role. The Members property also includes the name of your organization and the member's email address.
Changed team setting	TeamSettingChanged	The TeamSettingChanged operation is logged when the following activities are performed by a team owner. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the Item column in the audit log search results. Changes the access type for a team. Teams can be set as private or public (Team access type). When a team is private (the default setting), users can access the team only by invitation. When a team is public, it's discoverable by anyone. Changes the information classification of a team (Team classification). For example, team data can be classified as high business impact, medium business impact, or low business impact. Changes the name of a team (Team name). Changes the team description (Team description). Changes made to team settings. To access these settings, a team owner can right-click a team, select Manage team, and then select the Settings tab. For these activities, the name of the setting that was changed is displayed in the Item column in the audit log search results.
Changed sensitivity label	SensitivityLabelChanged	A user changed a sensitivity label on a Teams meeting.
Created a chat 1	ChatCreated	A Teams chat was created.
Created team	TeamCreated	A user creates a team.
Deleted a message 2	MessageDeleted	A message in a chat or channel was deleted.
Deleted all organization apps	DeletedAllOrganizationApps	Deleted all organization apps from the catalog.
Deleted app	AppDeletedFromCatalog	An app has been deleted from the catalog.
Deleted channel	ChannelDeleted	A user deletes a channel from a team.
Deleted team	TeamDeleted	A team owner deletes a team.
Edited a message with a URL link in Teams	MessageEditedHasLink	A user edits a message and adds a URL link to it in Teams.
Exported messages 1, 2	MessagesExported	Chat or channel messages were exported.
Exported recordings 1	RecordingExported	Chat recordings were exported.
Exported transcripts 1	TranscriptsExported	Chat transcripts were exported.
Failed to validate invitation to shared channel 3	FailedValidation	A user responds to an invitation to a shared channel but the invitation failed validation.
Fetched chat 1	ChatRetrieved	A Microsoft Teams chat was retrieved.
Fetched all hosted content of a message1	MessageHostedContentsListed	All hosted content in a message, such as images or code snippets, was retrieved.
Installed app	AppInstalled	An app was installed.
Performed action on card	PerformedCardAction	A user took action on an adaptive card within a chat. Adaptive cards are typically used by bots to allow the rich display of information and interaction in chats. Note: Only inline input actions on an adaptive card inside a chat will be available in the audit log. For example, when a user submits a poll response in a channel conversation on an adaptive card generated by a Poll bot. User actions such as "View result", which will open a dialog, or user actions inside dialogs won't be available in the audit log.
Posted a new message 1, 6, 8	MessageSent	A new message was posted to a chat or channel.
Published app	AppPublishedToCatalog	An app was added to the catalog.
Read a message 1	MessageRead	A message of a chat or channel was retrieved.
Read hosted content of a message 1	MessageHostedContentRead	Hosted content in a message, such as an image or a code snippet, was retrieved.
Removed bot from team	BotRemovedFromTeam	A user removes a bot from a team.
Removed connector	ConnectorRemoved	A user removes a connector from a channel.
Removed members 8	MemberRemoved	A team owner removes members from a team, channel, or group chat.
Removed sensitivity label	SensitivityLabelRemoved	A user removed a sensitivity label from a Teams meeting.
Removed sharing of team channel 3	TerminatedSharing	A team or channel owner disabled sharing for a shared channel.
Restored sharing of team channel 3	SharingRestored	A team or channel owner re-enabled sharing for a shared channel.
Removed tab	TabRemoved	A user removes a tab from a channel.
Responded to invitation for shared channel 3	InviteeResponded	A user responded to a shared channel invitation.
Responded to invitee response to shared channel 3	ChannelOwnerResponded	A channel owner responded to a response from a user who responded to a shared channel invitation.
Retrieved messages 1	MessagesListed	Messages from a chat or channel were retrieved.
Sent a message with a URL link in Teams	MessageCreatedHasLink	A user sends a message containing a URL link in Teams.
Sent change notification for message creation 1	MessageCreatedNotification	A change notification was sent to notify a subscribed listener application of a new message.
Sent change notification for message deletion 1	MessageDeletedNotification	A change notification was sent to notify a subscribed listener application of a deleted message.
Sent change notification for message update 1	MessageUpdatedNotification	A change notification was sent to notify a subscribed listener application of an updated message.
Sent invitation for shared channel 3	InviteSent	A channel owner or member sends an invitation to a shared channel. Invitations to shared channels can be sent to people outside of your organization if the channel policy is configured to share the channel with external users.
Subscribed to message change notifications 1	SubscribedToMessages	A subscription was created by a listener application to receive change notifications for messages.
Uninstalled app	AppUninstalled	An app was uninstalled.
Updated app	AppUpdatedInCatalog	An app was updated in the catalog.
Updated a chat 1	ChatUpdated	A Teams chat was updated.
Updated a message 1	MessageUpdated	A message of a chat or channel was updated.
Updated connector	ConnectorUpdated	A user modified a connector in a channel.
Updated tab	TabUpdated	A user modified a tab in a channel.
Upgraded app	AppUpgraded	An app was upgraded to its latest version in the catalog.
User signed in to Teams	TeamsSessionStarted	A user signs in to a Microsoft Teams client. This event doesn't capture token refresh activities.
Posted New Message 3, 4, 6, 8	MessageSent	A new message was posted to a chat or a channel.

Note

¹ An audit record for this event is only logged when the operation is performed by calling a Microsoft Graph API. If the operation is performed in the Teams client, an audit record will not be logged
² This event is only available in Audit (Premium). That means users must be assigned the appropriate license before these events are logged in the audit log. For more information about activities only available in Audit (Premium), see Audit (Premium) in Microsoft Purview. For Audit (Premium) licensing requirements, see Auditing solutions in Microsoft 365.
³ This event is in public preview.
⁴This event is generated for chat only if there are guests, federated and/or anonymous users.
⁵ This event is currently unavailable in Government Community Cloud (GCC), Government Community Cloud High (GCC-High), and Department of Defense (DoD) organizations.
⁶ This event is included in all participating tenants for federated chats.
⁷ This event has participating domain info for 1:1 federated chats.
⁸ This event is included in all chat conversations between external Teams users managed by an organization and external Teams users not managed by an organization.
⁹ This event is currently unavailable in Government Community Cloud (GCC) and Department of Defense (DoD) organizations.

Microsoft Teams Healthcare activities

If your organization is using the Patients application in Microsoft Teams, you can search the audit log for activities related to the using the Patients app. If your environment is configured to support Patients app, an additional activity group for these activities is available in the Activities picker list.

For a description of the Patients app activities, see Audit logs for Patients app.

Microsoft Teams Shifts activities

The following table lists Shift app in Microsoft Teams activities that are logged in the Microsoft 365 audit log. If your organization is using the Shifts app in Microsoft Teams, you can search the audit log for activities related to the using the Shifts app. If your environment is configured to support Shifts apps, an additional activity group for these activities is available in the Activities picker list.

Friendly name	Operation	Description
Added scheduling group	ScheduleGroupAdded	A user successfully adds a new scheduling group to the schedule.
Edited scheduling group	ScheduleGroupEdited	A user successfully edits a scheduling group.
Deleted scheduling group	ScheduleGroupDeleted	A user successfully deletes a scheduling group from the schedule.
Withdrew schedule	ScheduleWithdrawn	A user successfully withdraws a published schedule.
Added shift	ShiftAdded	A user successfully adds a shift.
Edited shift	ShiftEdited	A user successfully edits a shift.
Deleted shift	ShiftDeleted	A user successfully deletes a shift.
Added time off	TimeOffAdded	A user successfully adds time off on the schedule.
Edited time off	TimeOffEdited	A user successfully edits time off.
Deleted time off	TimeOffDeleted	A user successfully deletes time off.
Added open shift	OpenShiftAdded	A user successfully adds an open shift to a scheduling group.
Edited open shift	OpenShiftEdited	A user successfully edits an open shift in a scheduling group.
Deleted open shift	OpenShiftDeleted	A user successfully deletes an open shift from a scheduling group.
Shared schedule	ScheduleShared	A user successfully shared a team schedule for a date range.
Clocked in using Time clock	ClockedIn	A user successfully clocks in using Time clock.
Clocked out using Time clock	ClockedOut	A user successfully clocks out using Time clock.
Started break using Time clock	BreakStarted	A user successfully starts a break during an active Time clock session.
Ended break using Time clock	BreakEnded	A user successfully ends a break during an active Time clock session.
Added Time clock entry	TimeClockEntryAdded	A user successfully adds a new manual Time clock entry on Time Sheet.
Edited Time clock entry	TimeClockEntryEdited	A user successfully edits a Time clock entry on Time Sheet.
Deleted Time clock entry	TimeClockEntryDeleted	A user successfully deletes a Time clock entry on Time Sheet.
Added shift request	RequestAdded	A user added a shift request.
Responded to shift request	RequestRespondedTo	A user responded to a shift request.
Canceled shift request	RequestCancelled	A user canceled a shift request.
Changed schedule setting	ScheduleSettingChanged	A user changes a setting in Shifts settings.
Added workforce integration	WorkforceIntegrationAdded	The Shifts app is integrated with a third-party system.
Accepted off shift message	OffShiftDialogAccepted	A user acknowledges the off-shift message to access Teams after shift hours.

Microsoft Teams Updates activities

The following table lists Updates app in Microsoft Teams activities that are logged in the Microsoft 365 audit log. If your organization is using the Updates app in Microsoft Teams, you can search the audit log for activities related to the using the Updates app. If your environment is configured to support Updates apps, an additional activity group for these activities is available in the Activities picker list.

Friendly name	Operation	Description
Create an update request	CreateUpdateRequest	A user successfully creates an update request.
Edit an update request	EditUpdateRequest	A user opens the request editing wizard and selects Save to confirm and save any changes, or enables or disables the update request directly.
Submit an update	SubmitUpdate	A user successfully submits an update.
View the details of one update	ViewUpdate	A user views the details of the update.

Microsoft To Do activities

The following table lists the activities in Microsoft To Do that are logged in the Microsoft 365 audit log. For more information about Microsoft To Do, see Support for Microsoft To Do.

Note

Auditing events for Microsoft To Do activities requires a paid Project Plan 1 license (or higher) in addition to the relevant Microsoft 365 license that includes entitlements to Audit (Premium).

Friendly name	Operation	Description
Accepted sharing link on folder	AcceptedSharingLinkOnFolder	Accepted sharing link for a folder.
Attachment created	AttachmentCreated	An attachment was created for a task.
Attachment updated	AttachmentUpdated	An attachment was updated.
Attachment deleted	AttachmentDeleted	An attachment was deleted.
Folder sharing link shared	FolderSharingLinkShared	Created a sharing link for a folder.
Linked entity deleted	LinkedEntityDeleted	A linked entity was deleted.
Linked entity updated	LinkedEntityUpdated	A linked entity was updated.
Linked entity created	LinkedEntityCreated	A linked entity of task was created.
SubTask created	SubTaskCreated	A subtask was created.
SubTask deleted	SubTaskDeleted	A subtask was deleted.
SubTask updated	SubTaskUpdated	A subtask was updated.
Task created	TaskCreated	A task was created.
Task deleted	TaskDeleted	A task was deleted.
Task read	TaskRead	A task was read.
Task updated	TaskUpdated	A task was updated.
TaskList created	TaskListCreated	A task list was created.
TaskList read	TaskListRead	A task list was read.
TaskList updated	TaskListUpdated	A task list was updated.
User invited	UserInvited	Invited user to a folder.

Microsoft Viva Insights activities

Viva Insights provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Viva Insights. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Viva Insights. For more information, see Introducing Microsoft Viva Insights.

Friendly name	Operation	Description
Accessed OData link	AccessedOdataLink	Analyst accessed the OData link for a query.
Added delegate access	AddDelegates	A user added delegate access for organization insights or Copilot dashboard.
Canceled query	CanceledQuery	Analyst canceled a running query.
Created meeting exclusion	MeetingExclusionCreated	Analyst created a meeting exclusion rule.
Deleted result	DeletedResult	Analyst deleted a query result.
Downloaded report	DownloadedReport	Analyst downloaded a query result file.
Executed query	ExecutedQuery	Analyst ran a query.
Removed delegate access	RemoveDelegates	A user removed delegate access for organization insights or Copilot dashboard.
Updated data access setting	UpdatedDataAccessSetting	Admin updated data access settings.
Updated privacy setting	UpdatedPrivacySetting	Admin updated privacy settings; for example, minimum group size.
Uploaded organization data	UploadedOrgData	Admin uploaded organizational data file.
User logged in*	UserLoggedIn	A user signed in to their Microsoft 365 user account.
User logged off*	UserLoggedOff	A user signed out of their Microsoft 365 user account.
Viewed Explore	ViewedExplore	Analyst viewed visualizations in one or more Explore page tabs.

Note

^*a Microsoft Entra sign-in and sign off activity event is created when a user signs in. This activity is logged even if you don't have Viva Insights turned on in your organization. For more information about user sign in activities, see Sign-in logs in Microsoft Entra ID.

Personal insights activities

The following table lists the activities in personal insights that are logged in the Microsoft 365 audit log. For more information about personal insights, see Admin guide for personal insights.

Friendly name	Operation	Description
Updated organization MyAnalytics settings	UpdatedOrganizationMyAnalyticsSettings	Admin updates organization-level settings for personal insights.
Updated user MyAnalytics settings	UpdatedUserMyAnalyticsSettings	Admin updates user settings for personal insights.

Quarantine activities

The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see Quarantine email messages.

Friendly name	Operation	Description
Deleted quarantine message	QuarantineDeleteMessage	An admin or user deleted an email message that was deemed to be harmful.
Denied quarantine message release request	QuarantineReleaseRequestDeny	An admin denial for a release request from a user for an email message that was deemed to be harmful.
Exported quarantine message	QuarantineExport	An admin or user exported an email message that was deemed to be harmful.
Previewed quarantine message	QuarantinePreview	An admin or user previewed an email message that was deemed to be harmful.
Released quarantine message	QuarantineRelease	An admin or user released an email message from quarantine that was deemed to be harmful.
Release request quarantine message	QuarantineReleaseRequest	A user requested the release of an email message that was deemed to be harmful.
Viewed quarantine message's header	QuarantineViewHeader	An admin or user viewed the header an email message that was deemed to be harmful.

Report activities

The following table lists the activities for usage reports that are logged in the Microsoft 365 audit log.

Friendly name	Operation	Description
Updated usage report privacy settings	UpdateUsageReportsPrivacySetting	Admin updated privacy settings for usage reports.

Retention policy and retention label activities

The following table describes the configuration activities for retention policies and retention labels when they were created, reconfigured, or deleted.

Friendly name	Operation	Description
Changed adaptive scope membership	ApplicableAdaptiveScopeChange	Users, sites, or groups were added to or removed from the adaptive scope. These changes are the results of running the scope's query. Because the changes are system-initiated, the reported user displays as a GUID rather than a user account.
Configured settings for a retention policy	NewRetentionComplianceRule	Administrator configured the retention settings for a new retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the New-RetentionComplianceRule cmdlet.
Created adaptive scope	NewAdaptiveScope	Administrator created an adaptive scope.
Created retention label	NewComplianceTag	Administrator created a new retention label.
Created retention policy	NewRetentionCompliancePolicy	Administrator created a new retention policy.
Deleted adaptive scope	RemoveAdaptiveScope	Administrator deleted an adaptive scope.
Deleted settings from a retention policy	RemoveRetentionComplianceRule	Administrator deleted the configuration settings of a retention policy. Most likely, this activity is logged when an administrator deletes a retention policy or runs the Remove-RetentionComplianceRule cmdlet.
Deleted retention label	RemoveComplianceTag	Administrator deleted a retention label.
Deleted retention policy	RemoveRetentionCompliancePolicy	Administrator deleted a retention policy.
Enabled regulatory record option for retention labels	SetRestrictiveRetentionUI	Administrator ran the Set-RegulatoryComplianceUI cmdlet so that an administrator can then select the UI configuration option for a retention label to mark content as a regulatory record.
Retained email item proactively	ExchangeDataProactivelyPreserved	Adaptive protection automatically applied a retention label to retain an item in Exchange.
Retained file proactively	SharePointDataProactivelyPreserved	Adaptive protection automatically applied a retention label to retain an item in SharePoint or OneDrive.
Updated adaptive scope	SetAdaptiveScope	Administrator changed the description or query for an existing adaptive scope.
Updated settings for a retention policy	SetRetentionComplianceRule	Administrator changed the retention settings for an existing retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the Set-RetentionComplianceRule cmdlet.
Updated retention label	SetComplianceTag	Administrator updated an existing retention label.
Updated retention policy	SetRetentionCompliancePolicy	Administrator updated an existing a retention policy. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to.

Role administration activities

The following table lists Microsoft Entra role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Friendly name	Operation	Description
Add member to Role	Add member to role.	Added a user to an admin role in Microsoft 365.
Removed a user from a directory role	Remove member from role.	Removed a user to from an admin role in Microsoft 365.
Set company contact information	Set company contact information.	Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.

Sensitive information types activities

The following table describes the audit events for activities involving creation and updating of sensitive information types.

Friendly name	Operation	Description
Created new sensitive information type	CreateRulePackage / EditRulePackage*	A new sensitive information type was created. This includes any SITs created by copying an out of the box SIT. Note: This activity surfaces under the audit activities 'Created rule package' or 'Edited rule package'.
Edited a sensitive information type	EditRulePackage	An existing sensitive information type was edited. This can include operations like adding/removing a pattern and editing the regex/keyword associated with the sensitive information type. Note: This activity surfaces under the audit activity "Edited rule package."
Deleted a sensitive information type	EditRulePackage / RemoveRulePackage	An existing sensitive information type was deleted. Note: This activity surfaces under the audit activity "Edited rule package" or "Removed rule package."

Sensitivity label activities

The following table lists events that result from using sensitivity labels with sites and items managed by Microsoft Purview. Items include documents, emails, and calendar events. For auto-labeling policies, items also include files and schematized data assets in Microsoft Purview Data Map.

Friendly name	Operation	Description
Applied sensitivity label to site	SiteSensitivityLabelApplied	A sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.
Removed sensitivity label from site	SiteSensitivityLabelRemoved	A sensitivity label was removed from a SharePoint site or Teams site that isn't group-connected.
Applied sensitivity label to file	FileSensitivityLabelApplied SensitivityLabelApplied	A sensitivity label was applied to an item by using Microsoft 365 apps, Office for the web, or an auto-labeling policy. The operations for this activity are different depending on how the label was applied: - Office for the web or an auto-labeling policy (FileSensitivityLabelApplied) - Microsoft 365 apps (SensitivityLabelApplied)
Changed sensitivity label applied to file	FileSensitivityLabelChanged SensitivityLabelUpdated	A different sensitivity label was applied to an item. The operations for this activity are different depending on how the label was changed: - Office for the web or an auto-labeling policy (FileSensitivityLabelChanged) - Microsoft 365 apps (SensitivityLabelUpdated)
Changed sensitivity label on a site	SiteSensitivityLabelChanged	A different sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.
Removed sensitivity label from file	FileSensitivityLabelRemoved SensitivityLabelRemoved	A sensitivity label was removed from an item by using Microsoft 365 apps, Office for the web, an auto-labeling policy, or the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. The operations for this activity are different depending on how the label was removed: - Office for the web or an auto-labeling policy (FileSensitivityLabelRemoved) - Microsoft 365 apps (SensitivityLabelRemoved)

Additional auditing information for sensitivity labels:

• When you use sensitivity labels for Microsoft 365 Groups, and therefore Teams sites that are group-connected, the labels are audited with group management in Microsoft Entra ID. For more information, see Audit logs in Microsoft Entra ID.
• When you use sensitivity labels for Teams meeting invites, and Teams meeting options and chat, see Search the audit log for events in Microsoft Teams.
• When you use sensitivity labels with Power BI, see Audit schema for sensitivity labels in Power BI.
• When you use sensitivity labels with Microsoft Defender for cloud apps, see Governing connected apps and the labeling information for file governance actions.
• When you apply sensitivity labels by using the Microsoft Purview Information Protection client or scanner, or the Microsoft Information Protection (MIP) SDK, see Azure Information Protection audit log reference.

SharePoint list activities

The following table describes activities related to when users interact with lists and list items in SharePoint Online. Audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name	Operation	Description
Created list	ListCreated	A user created a SharePoint list.
Created list column	ListColumnCreated	A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists.
Created list content type	ListContentTypeCreated	A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists.
Created list item	ListItemCreated	A user created an item in an existing SharePoint list.
Created site column	SiteColumnCreated	A user created a SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web.
Created site content type	Site ContentType Created	A user created a site content type. A site content type is a content type that's attached to the parent site.
Deleted list	ListDeleted	A user deleted a SharePoint list.
Deleted list column	List Column Deleted	A user deleted a SharePoint list column.
Deleted list content type	ListContentTypeDeleted	A user deleted a list content type.
Deleted list item	List Item Deleted	A user deleted a SharePoint list item.
Deleted site column	SiteColumnDeleted	A user deleted a SharePoint site column.
Deleted site content type	SiteContentTypeDeleted	A user deleted a site content type.
Recycled list item	ListItemRecycled	A user moved a SharePoint list item to the Recycle Bin.
Restored list	ListRestored	A user restored a SharePoint list from the Recycle Bin.
Restored list item	ListItemRestored	A user restored a SharePoint list item from the Recycle Bin.
Updated list	ListUpdated	A user updated a SharePoint list by modifying one or more properties.
Updated list column	ListColumnUpdated	A user updated a SharePoint list column by modifying one or more properties.
Updated list content type	ListContentTypeUpdated	A user updated a list content type by modifying one or more properties.
Updated list item	ListItemUpdated	A user updated a SharePoint list item by modifying one or more properties.
Updated list view	ListViewUpdated	A user updated a SharePoint list view by modifying one or more properties.
Updated site column	SiteColumnUpdated	A user updated a SharePoint site column by modifying one or more properties.
Updated site content type	SiteContentTypeUpdated	A user updated a site content type by modifying one or more properties.

Sharing and access request activities

The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business. For sharing events, the Detail column under Results identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. For more information, see Use sharing auditing in the audit log.

Note

Users can be either members or guests based on the UserType property of the user object. A member is usually an employee, and a guest is usually a collaborator outside of your organization. When a user accepts a sharing invitation (and isn't already part of your organization), a guest account is created for them in your organization's directory. Once the guest user has an account in your directory, resources may be shared directly with them (without requiring an invitation).

Friendly name	Operation	Description
Added permission level to site collection	PermissionLevelAdded	A permission level was added to a site collection.
Accepted access request	AccessRequestAccepted	An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation	SharingInvitationAccepted	User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Blocked sharing invitation	SharingInvitationBlocked	A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because: The target user's domain isn't included in the list of allowed domains. Or The target user's domain is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
Created access request	AccessRequestCreated	User requests access to a site, folder, or document they don't have permissions to access.
Created a company shareable link	CompanyLinkCreated	User created a company-wide link to a resource. company-wide links can only be used by members in your organization. They can't be used by guests.
Created an anonymous link	AnonymousLinkCreated	User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
Created secure link	SecureLinkCreated	A secure sharing link was created to this item.
Created sharing invitation	SharingInvitationCreated	User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.
Deleted secure link	SecureLinkDeleted	A secure sharing link was deleted.
Denied access request	AccessRequestDenied	An access request to a site, folder, or document was denied.
Removed a company shareable link	CompanyLinkRemoved	User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link	AnonymousLinkRemoved	User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site	SharingSet	User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource. For example, adding the user to a group that has access to the resource.
Updated access request	AccessRequestUpdated	An access request to an item was updated.
Updated an anonymous link	AnonymousLinkUpdated	User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
Updated sharing invitation	SharingInvitationUpdated	An external sharing invitation was updated.
Used an anonymous link	AnonymousLinkUsed	An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address.
Unshared file, folder, or site	SharingRevoked	User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Used a company shareable link	CompanyLinkUsed	User accessed a resource by using a company-wide link.
Used secure link	SecureLinkUsed	A user used a secure link.
User added to secure link	AddedToSecureLink	A user was added to the list of entities who can use a secure sharing link.
User removed from secure link	RemovedFromSecureLink	A user was removed from the list of entities who can use a secure sharing link.
Withdrew sharing invitation	SharingInvitationRevoked	User withdrew a sharing invitation to a resource.

Site administration activities

The following table lists events that result from site administration tasks in SharePoint Online. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name	Operation	Description
Added allowed data location	AllowedDataLocationAdded	A SharePoint or global administrator added an allowed data location in a multi-geo environment.
Added exempt user agent	ExemptUserAgentSet	A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.
Added geo location admin	GeoAdminAdded	A SharePoint or global administrator added a user as a geo admin of a location.
Allowed user to create groups	AllowGroupCreationSet	Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
Canceled site geo move	SiteGeoMoveCancelled	A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Changed a sharing policy	SharingPolicyChanged	A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperties field in the detailed properties of the event record.
Changed device access policy	DeviceAccessPolicyChanged	A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see Control access from unmanaged devices.
Changed exempt user agents	CustomizeExemptUsers	A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form is returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.
Changed network access policy	NetworkAccessPolicyChanged	A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see Control access to SharePoint Online and OneDrive data based on network location.
Completed migration job	MigrationJobCompleted	A migration job was successfully completed.
Completed site geo move	SiteGeoMoveCompleted	A site geo move that was scheduled by a global administrator in your organization was successfully completed. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Created Sent To connection	SendToConnectionAdded	A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
Created site collection	SiteCollectionCreated	A SharePoint or global administrator creates a site collection in your SharePoint Online organization or a user provisions their OneDrive for Business site.
Deleted orphaned hub site	HubSiteOrphanHubDeleted	A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it. An orphaned hub is likely caused by the deletion of the original hub site.
Deleted Sent To connection	SendToConnectionRemoved	A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
Deleted site	SiteDeleted	Site administrator deletes a site.
Enabled document preview	PreviewModeEnabledSet	Site administrator enables document preview for a site.
Enabled legacy workflow	LegacyWorkflowEnabledSet	Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
Enabled Office on Demand	OfficeOnDemandSet	Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires a Microsoft 365 subscription that includes full, installed Office applications.
Enabled result source for People Searches	PeopleResultsScopeSet	Site administrator creates the result source for People Searches for a site.
Enabled RSS feeds	NewsFeedEnabledSet	Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
Joined site to hub site	HubSiteJoined	A site owner associates their site with a hub site.
Modified site collection quota	SiteCollectionQuotaModified	Site administrator modifies the quota for a site collection.
Registered hub site	HubSiteRegistered	A SharePoint or global administrator creates a hub site. The results are that the site is registered to be a hub site.
Removed allowed data location	AllowedDataLocationDeleted	A SharePoint or global administrator removed an allowed data location in a multi-geo environment.
Removed geo location admin	GeoAdminDeleted	A SharePoint or global administrator removed a user as a geo admin of a location.
Renamed site	SiteRenamed	Site administrator or owner renames a site
Scheduled site geo move	SiteGeoMoveScheduled	A SharePoint or global administrator successfully schedules a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online.
Set host site	HostSiteSet	A SharePoint or global administrator changes the designated site to host personal or OneDrive for Business sites.
Set storage quota for geo location	GeoQuotaAllocated	A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.
Unjoined site from hub site	HubSiteUnjoined	A site owner disassociates their site from a hub site.
Unregistered hub site	HubSiteUnregistered	A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site.

Site permissions activities

The following table lists events related to assigning permissions in SharePoint and using groups to give (and revoke) access to sites. As previously explained, audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name	Operation	Description
Added site collection admin	SiteCollectionAdminAdded	Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account (by editing the user profile in the SharePoint admin center or by using the Microsoft 365 admin center).
Added user or group to SharePoint group	AddedToGroup	User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event.
Broke permission level inheritance	PermissionLevelsInheritanceBroken	An item was changed so that it no longer inherits permission levels from its parent.
Broke sharing inheritance	SharingInheritanceBroken	An item was changed so that it no longer inherits sharing permissions from its parent.
Created group	GroupAdded	Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
Deleted group	GroupRemoved	User deletes a group from a site.
Modified access request setting	WebRequestAccessModified	The access request settings were modified on a site.
Modified 'Members Can Share' setting	WebMembersCanShareModified	The Members Can Share setting was modified on a site.
Modified permission level on a site collection	PermissionLevelModified	A permission level was changed on a site collection.
Modified site permissions	SitePermissionsModified	Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group. NOTE: This operation has been deprecated in SharePoint Online. To find related events, you can search for other permission-related activities such as Added site collection admin, Added user or group to SharePoint group, Allowed user to create groups, Created group, and Deleted group.
Removed permission level from site collection	PermissionLevelRemoved	A permission level was removed from a site collection.
Removed site collection admin	SiteCollectionAdminRemoved	Site collection administrator or owner removes a person as a site collection administrator for a site. This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account (by editing the user profile in the SharePoint admin center). To return this activity in the audit log search results, you have to search for all activities.
Removed user or group from SharePoint group	RemovedFromGroup	User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event.
Requested site admin permissions	SiteAdminChangeRequest	User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.
Restored sharing inheritance	SharingInheritanceReset	A change was made so that an item inherits sharing permissions from its parent.
Updated group	GroupUpdated	Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.

Synchronization activities

The following table lists file synchronization activities in SharePoint Online and OneDrive for Business.

Friendly name	Operation	Description
Allowed computer to sync files	ManagedSyncClientAllowed	User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. For more information about this feature, see Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Blocked computer from syncing files	UnmanagedSyncClientBlocked	User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship isn't allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Downloaded files to computer	FileSyncDownloadedFull	User downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
Downloaded file changes to computer	FileSyncDownloadedPartial	This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
Uploaded files to document library	FileSyncUploadedFull	User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
Uploaded file changes to document library	FileSyncUploadedPartial	This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).

SystemSync activities

The following table lists the activities for SystemSync that are logged in the Microsoft 365 audit log.

Friendly name	Operation	Description
Data Share Created	DataShareCreated	When the data export is created by the user.
Data Share Deleted	DataShareDeleted	When the data export is deleted by the user.
Generate Copy Of Lake Data	GenerateCopyOfLakeData	When the copy of Lake Data is generated.
Download Copy Of Lake Data	DownloadCopyOfLakeData	When the copy of Lake Data is downloaded.

User administration activities

The following table lists user administration activities that are logged when an admin adds or changes a user account by using the Microsoft 365 admin center or the Azure management portal.

Note

The operation names listed in the Operation column in the following table contain a period ( . ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (" ") to contain the operation name.

Activity	Operation	Description
Added user	Add user.	A user account was created.
Changed user license	Change user license.	The license assigned to a user what changed. To see what licenses were changes, see the corresponding Updated user activity.
Changed user password	Change user password.	A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organization to allow users to reset their password. You can also track self-service password reset activity in Microsoft Entra ID. For more information, see Reporting options for Microsoft Entra password management.
Deleted user	Delete user.	A user account was deleted.
Reset user password	Reset user password.	Administrator resets the password for a user.
Set property that forces user to change password	Set force change user password.	Administrator set the property that forces a user to change their password the next time the user signs in to Microsoft 365.
Set license properties	Set license properties.	Administrator modifies the properties of a licensed assigned to a user.
Updated user	Update user.	Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in Microsoft Entra audit Report Events.

Viva Goals activities

The following table lists the user and admin activities in Viva Goals that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Search the audit log details how you can search for the audit logs from the Microsoft Purview portal and the compliance portal. The user needs to be a global admin or have audit read permissions to access audit logs. You can use the Activities filter to search for specific activities and to list all Viva Goals activities you can choose 'VivaGoals' in the Record type filter. You can also use the date range boxes and the Users list to narrow the search results further.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name	Operation	Description
Organization created	Organization created	Admin or the user has created a new organization on Viva Goals.
User added	User added	A new user has been added to an organization on Viva Goals.
User deactivated	User deactivated	A user has been deactivated in an organization.
User deleted	User deleted	A user has been deleted from an organization on Viva Goals.
User logged in	User logged in	User has logged into Viva Goals.
Team added	Team added	A new team has been created within an organization on Viva Goals.
Team updated	Team updated	A team within an organization on Viva Goals has been modified or updated.
Team deleted	Team deleted	A team within an organization on Viva Goals has been deleted by the user.
Data exported	Data exported	A user has exported list of OKRs or list of users in an organization on Viva Goals.
Goals policy updated	Goals policy updated	The global admin has modified the policy or settings at the tenant level on Viva Goals. For example, the global admin has configured who can create organizations on Viva Goals.
Organization settings updated	Organization settings updated	The user (typically Organization owners or admins) has updated organization specific settings on Viva Goals.
Organization integrations updated	Organization integrations updated	The user (typically Organization owners or admins) has configured a third party integration or updated an existing third party integration for an organization on Viva Goals.
OKR or Project created	OKR or Project created	User has created an OKR or Project on Viva Goals.
OKR or Project updated	OKR or Project updated	An OKR/Project has been modified or a check-in has been made by the user or an integration on Viva Goals.
OKR or Project deleted	OKR or Project deleted	User has deleted an OKR or Project.
Dashboard created	Dashboard created	User has created a new dashboard on Viva Goals
Dashboard updated	Dashboard updated	User has updated a dashboard on Viva Goals
Dashboard deleted	Dashboard deleted	User has deleted a dashboard on Viva Goals.

Viva Engage activities

The following table lists the user and admin activities in Viva Engage that are logged in the audit log. To return Viva Engage-related activities from the audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results.

Note

Some Viva Engage audit activities are only available in Audit (Premium). That means users must be assigned the appropriate license before these activities are logged in the audit log. For more information, see Audit (Premium). For Audit (Premium) licensing requirements, see Auditing solutions in Microsoft 365.

In the following table, Audit (Premium) activities are highlighted with an asterisk (*).

Friendly name	Operation	Description
Changed data retention policy	SoftDeleteSettingsUpdated	Verified admin updates the setting for the network data retention policy to either Hard Delete or Soft Delete. Only verified admins can perform this operation.
Changed network configuration	NetworkConfigurationUpdated	Network or verified admin changes the Viva Engage network's configuration. This includes setting the interval for exporting data and enabling chat.
Changed network profile settings	ProcessProfileFields	Network or verified admin changes the information that appears on member profiles for network users network.
Changed private content mode	SupervisorAdminToggled	Verified admin turns Private Content Mode on or off. This mode lets an admin view the posts in private groups and view private messages between individual users (or groups of users). Only verified admins only can perform this operation.
Changed security configuration	NetworkSecurityConfigurationUpdated	Verified admin updates the Viva Engage network's security configuration. This includes setting password expiration policies and restrictions on IP addresses. Only verified admins can perform this operation.
Created file	FileCreated	User uploads a file.
Created group	GroupCreation	User creates a group.
Created message	MessageCreation	User creates a message.
Deleted group	GroupDeletion	A group is deleted from Viva Engage.
Deleted message	MessageDeleted	User deletes a message.
Downloaded file	FileDownloaded	User downloads a file.
Exported data	DataExport	Verified admin exports Viva Engage network data. Only verified admins can perform this operation.
Failed to access community	CommunityAccessFailure	User failed to access a community.
Failed to access file	FileAccessFailure	User failed to access a file.
Failed to access message	MessageAccessFailure	User failed to access a message.
Reacted to message	MarkedMessageChanged	User reacted to a message.
Remove curated topic*	RemoveCuratedTopic	User removes a curated topic.
Shared file	FileShared	User shares a file with another user.
Suspended network user	NetworkUserSuspended	Network or verified admin suspends (deactivates) a user from Viva Engage.
Suspended user	UserSuspension	User account is suspended (deactivated).
Updated file description	FileUpdateDescription	User changes the description of a file.
Updated file name	FileUpdateName	User changes the name of a file.
Updated message	MessageUpdated	User updates a message.
Viewed file	FileVisited	User views a file.
Viewed message	MessageViewed	User views a message.

Viva Pulse activities

The following table lists the user and admin activities in Viva Pulse that are logged for auditing. The table includes the friendly name that's displayed in the Activities column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

Search the audit log details how you can search for the audit logs from the Microsoft Purview portal and the compliance portal. The user needs to be a global admin or have audit read permissions to access audit logs. You can use the Activities filter to search for specific activities and to list all Viva Pulse activities you can choose VivaPulse in the Record type filter. You can also use the date range boxes and the Users list to narrow the search results further.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Friendly name	Operation	Description
User submitted response to a pulse survey	PulseSubmit	Admin or user provided feedback for a Viva Pulse feedback request.
User created a Pulse survey	PulseCreate	New Viva Pulse feedback request is created.
User extended their pulse survey deadline	PulseExtendDeadline	The deadline for the existing Viva Pulse feedback request was extended.
User invited additional users to Pulse survey	PulseInvite	Additional users were invited to an existing Viva Pulse feedback request.
User canceled a Pulse survey	PulseCancel	User canceled a Pulse survey.
User shared a pulse report	PulseShareResults	Viva Pulse feedback result was shared with users.
User created a Pulse draft	PulseCreateDraft	User created a Pulse draft.
User deleted a Pulse draft	PulseDeleteDraft	User deleted a Pulse draft.
Admin deleted an user's data	PulseDeleteUserData	Admin deleted an user's data.
Admin updated tenant's settings	PulseTenantSettingsUpdate	Admin updated an organization setting for Viva Pulse.

Windows 365 Customer Lockbox activities

The following table lists the user and admin activities in Windows 365 Customer Lockbox that are logged in the audit log. To return Windows 365 Customer Lockbox-related activities from the audit log, select Windows365CustomerLockbox under Record types. Use the date range boxes and the Users list to narrow the search results.

Friendly name	Operation	Description
Trigger device remediation	Trigger device remediation	Trigger device remediation.
Upload folder to blob	Upload folder to blob	Compress and upload customer device's folder to blob.
Check PowerShell Execution Policy	Check PowerShell Execution Policy	Check PowerShell execution policy.
Install RD agent	Install RD agent	Install RD agent on the device of the user.
Run hybrid AADJ extension	Run hybrid AADJ extension	Run hybrid AADJ extension on the device of the user.
Create VmExtension Request	Create VmExtention Request	Creates VM extension requests to execute VM extension to run custom scripts on the customer device.
Trigger orchestrator	Trigger orchestrator	Trigger orchestrator for the user.
Trigger generic action by SaaF	Trigger generic action by SaaF	Trigger device action (Retargeting, EnableRdpAccessForCitrix, DisableRdpAccessFprCitrix) for user.
Trigger generic action	Trigger generic action	Trigger device action for user.
Trigger generic action with options	Trigger generic action with options	Trigger device action with option parameters, more powerful than that of trigger generic action.
Create new work items (Scheduler)	Create new work items (Scheduler)	Create new work items, For example, Provision, Deprovision, Reprovision etc.
Post Remote Action Operation	Post Remote Action Operation	Post Remote Action, plus polling the result by GetActions operation.
OCE Run Commands on VM	OCE Run Commands on VM	Run commands by tenantID, deviceID list, and script.
Create LogCollection Request	Create LogCollection Request	Create log collection request to Cloud PC.
Trigger CMD Agent Canary check.	Trigger CMD Agent Canary check.	Trigger CMD Agent Canary check on specific device.
Execute AppHealthPlugin	Execute AppHealthPlugin	Execute AppHealthPlugin.
Backfill CMD Agent	AddDevicesToBackfill Operation	Backfill CMD Agent on Cloud PC.
Reinstall CMD Agent	AddDevicesToReinstall Operation	Reinstall CMD Agent on demand.
Bulk reinstall CMD Agent	TriggerClientAgentCheckBulkAction Operation	Bulk reinstall CMD agent on demand.
Create Remote Action Operation in ActionModeratorService	Create Remote Action Operation in ActionModeratorService	Create remote action by tenantID, workspaceID, actionType, actionParameters.