แก้ไข

แชร์ผ่าน


Audit logging for Mesh

Audit logging help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. This article summarizes how to query and request audit logs for Microsoft Mesh operations and events. Some operations are Mesh specific, while others are associated with other M365 operations, such as M365: Exchange, SharePoint, Microsoft Entra (Azure AD) operations, Microsoft Teams, etc.

With audit logging for Mesh, an admin can gather insights into individual or bulk operations that relate to User Activity or operations which result from interactions with M365 services for Microsoft Mesh.

Audit logging for Mesh can be done using Microsoft Purview or Exchange Online PowerShell.

Note

Microsoft Mesh has two main offerings for users: Immersive spaces in Teams and custom immersive spaces. Audit logging does not treat these offerings as independent and thus the events in the audit may refer to either offering or both offerings, depending on the event you query.

Examples of user activity and operations that an admin may be interested in for Mesh are:

  • End-users in Mesh in Teams / Mesh Browser - joining Mesh sessions.

  • Mesh Administrators and Users creating Events on Mesh Portal.

  • Content Creators using Mesh Toolkit (Mesh Uploader) to create and upload artifacts.

Auditable events for Microsoft Mesh

The audit events that are currently available are listed below. Events are generated based on user activity in Mesh Admin portal, or session/template customization activity in the Mesh application.

Event Name Description
EnvironmentDeleted Delete a Mesh Environment.
EnvironmentPublished Publish a new version of a Mesh Environment.
ComponentCreated Create a session component for a given Mesh session.
ComponentDeleted Delete a session component of a given Mesh session.
TemplateCreated Create a new Mesh World/Collection Template.
TemplateDeleted Delete Mesh World Template contents and metadata.
TemplateUpdated Update an existing Mesh World/Collection Template.
WorldCreated Create a Mesh World/Collection.
WorldDeleted Delete a Mesh World/Collection.
WorldUpdated Update a Mesh World/Collection.
WorldMembersAdded Add members to the Mesh World/Collection.
WorldOwnersAdded Add owners of a Mesh World/Collection.
WorldMembersRemoved Remove a member from a Mesh World/Collection.
WorldOwnersRemoved Remove an owner from a Mesh World/Collection.
EnvironmentStorageCreated Create a new storage location for a Mesh Environment.
SessionMetadataCreated Create Mesh World/Collection Session Metadata.
SessionMetadataDeleted Delete Mesh World/Collection Session Metadata.
SessionMetadataUpdated Update Mesh World/Collection Session Metadata.
SessionMetadataTemplateCreated Create a template customization for Mesh World/Collection.
SessionEnvironmentSet Set the environment for a collaboration session.
SessionJoin Mesh service provisioned the necessary system resources and provided the client application with the information required to join a Mesh session.

Some clarification on what the terminology in these events refers to:

  • Session: refers to sessions when certain things are configured for environments or meetings. There are three types of sessions that are captured by audit logs:

    • Template Customization Session: logs are captured when a user customizes an event template and saves changes in the Mesh application.
    • Event Customization Session: logs are captured when a user customizes a single event and saves changes in the Mesh application.
    • Event Session: logs are captured when a Mesh event occurs. Typically, the configuration is immutable since components cannot be placed by users in a live event, for example.
  • World : refers to Collections in Mesh on the web. Collections is a bucket that holds environments and templates of environments that are used in Mesh events. Audit logs capture when a user creates a Collection, deletes a Collection, adds members to a Collection, adds Owners to a Collection, or removes Owners from a collection.

  • Component: refers to the Objects that are rendered in an environment when a session is started for an event, template, or customization session. If a user attempts to enter an environment, the components in that environment are loaded and captured by component logs.

Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations.

Prerequisites for Purview audit logging solutions

See how to get started with Microsoft Purview audit logging solutions.

See how to search the audit log in Microsoft Purview.

Export, configure, and view audit log records

How to export, configure, and view audit log records.