audit
14 Topics

Introducing ActorInfoString: A New Era of Audit Log Accuracy in Exchange Online
How ActorInfoString Elevates Security and Transparency

We’re excited to introduce ActorInfoString, a significant new feature in the Exchange Online (EXO) audit schema that enhances the depth and accuracy of your audit logs. While ClientInfoString provides valuable client application information, the addition of ActorInfoString offers even more detail by capturing the True UserAgent, supporting greater clarity when tracking the origin of actions within your Exchange Online environment. ActorInfoString solves this by recording the exact user agent responsible for each audited event. This improvement means that, once enabled, audit logs will present an unambiguous record of which client, device, or application performed a given operation. Security analysts and compliance teams can more easily identify access patterns, trace suspicious activity, and meet regulatory requirements with confidence.

Currently, ActorInfoString exists in production but is not yet enabled by default. This phased approach allows for careful testing and integration with your log management tools. Once live, you’ll see ActorInfoString alongside existing fields such as ClientInfoString, helping you distinguish between generalized client data and the actual source acting in your tenants.

Key Benefits:
- Clarity: Reveals the true user agent behind every action.
- Better Security: Makes it easier to investigate incidents and threats.
- Compliance: Strengthens audit trails for regulatory standards.
- Future-Readiness: Prepares your monitoring for evolving audit needs.
Example (simplified log entry):

Date: 2025-04-24T14:25:59Z
User: john.doe@yourdomain.com
Operation: MailItemAccessed
ClientInfoString: “Client=Rest;Client=RESTSystem;;
ActorInfoString: “Client=REST;Client=RESTSystem;Mozilla\/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) Powershell\/5.1.22621.3958 Invoke-MgGraphRequest[AppId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx

What to expect

Customers can expect to see the effects of ActorInfoString in their audit logs by the end of May 2025. There’s no action required to prepare—this update introduces a single, non-disruptive field addition, like how DeviceId was incorporated previously. Existing audit schema fields, records, and integrations remain untouched, ensuring a seamless transition as you gain richer insights without any service impact or data loss.

As we prepare to enable ActorInfoString for all customers, now is the ideal time to review your log collection and analysis tools to ensure a smooth transition. Stay tuned for official documentation and release notes, and get ready for a more transparent, secure, and insightful Exchange Online experience.

Microsoft Exchange Online: Search-MailboxAuditLog and New-MailboxAuditLogSearch will retire
Important Update

The licensing for the migration tool related to the deprecation of the Search-MailboxAuditLog cmdlet is specifically designed for customers with extended audit log retention set in Exchange. Customers can choose to migrate their historical data to Audit Premium with Extended Retention plan in Purview, which is an E5 add-on. Audit Premium with Extended Retention plan is an advanced auditing solution that provides extended data retention capabilities. This plan is essential for organizations that need to meet stringent regulatory requirements and ensure comprehensive audit logging. The migration tool applies to customers with >1 year retention set on their existing audit logs in Exchange. Documentation will be made available prior to June 2025.

Overview

As part of our ongoing efforts to improve the logging capabilities of Exchange Online, we are sharing our timeline for decommissioning the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets. This change is a significant step towards enhancing our audit logging infrastructure and ensuring compliance with data retention standards. For our earlier communication on the subject please see this blog post.

Background

We are working on streamlining the audit log search experience and we are deprecating older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet, which has been around for a while, offers several advantages, including:
- Support for a greater variety of record types, making it more versatile.
- More filtering options, allowing for more precise results.
- Range of output formats to suit your needs.

After March 1, 2025, existing data generated by mailbox audit logging will be accessible only as a historical record (with data only up to March 1). After March 1, 2025, existing data generated for customers with auditing enabled can be accessed only via the Search-UnifiedAuditLog cmdlet.
To make things simpler and more efficient, we recommend you use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here.

Timeline

- March 1, 2025: New audit log data will no longer be written to the mailbox. Existing data will be available as a historic record allowing for administrative review, modification and download of the logs.
- June 2025: Customers are provided documentation as well as the migration tool described below to migrate their data to Search-UnifiedAuditLog for long-term auditing retention.
- June 2025: Audit log data in mailboxes will become a static, read-only record that is used for historical searches.
- End of 2025: Former cmdlets Search-MailboxAuditLog and New-MailboxAuditLogSearch will no longer be available in Exchange Online.

Migration Tool

If you suspect that some legacy Exchange mailbox audit logs are not present in the Unified Audit Log, you can use this upcoming migration tool to move that data into the UAL. This optional self-service migration tool can be run by tenant administrators. To assist, we will provide documentation that includes a guide for use. Our documentation will include common issues and their resolutions. By following these steps, you will be able to achieve a smooth and efficient migration while maintaining compliance and data integrity.

Migration Overview

To ensure seamless migration we suggest the following steps:
- Begin by reviewing your current usage to identify any scripts, tools, or applications that depend on the specified cmdlets.
- Engage with your legal and compliance teams to ensure all regulatory requirements are met.
- Make sure auditing is enabled for your tenant to maintain data integrity.
- Once the migration tool is available, utilize it to prevent data loss and transition to the Search-UnifiedAuditLog.
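
The first migration step, finding scripts that still depend on the retiring cmdlets, can be automated. The following is an added example, not code from the original post or from Microsoft: it parses each script with the PowerShell language parser so that only real invocations are reported, not mentions in comments or strings. The function name Find-RetiringAuditCmdlet and the sample script it scans are assumptions constructed for illustration.

```powershell
# Added example: inventory scripts that still invoke the retiring cmdlets.
# Find-RetiringAuditCmdlet is a hypothetical helper, not a Microsoft cmdlet.
function Find-RetiringAuditCmdlet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Cmdlet names taken from the retirement announcement.
        [string[]]$Cmdlet = @('Search-MailboxAuditLog', 'New-MailboxAuditLogSearch')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include '*.ps1', '*.psm1' | ForEach-Object {
        $file   = $_.FullName
        $tokens = $null
        $errors = $null

        # Parse only; the script under inspection is never executed.
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file, [ref]$tokens, [ref]$errors)

        if ($errors.Count -gt 0) {
            Write-Warning "$file has parse errors; results may be incomplete."
        }

        # CommandAst nodes are real invocations; comments and plain strings
        # that merely mention a cmdlet are not reported.
        $calls = $ast.FindAll(
            { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
            $true)

        foreach ($call in $calls) {
            # GetCommandName() returns $null for dynamic calls such as & $var,
            # which this scan cannot resolve.
            $name = $call.GetCommandName()
            if (-not $name) { continue }

            # Strip a module qualifier (Module\Cmdlet) before comparing.
            $bare = ($name -split '\\')[-1]
            if ($Cmdlet -contains $bare) {
                [pscustomobject]@{
                    File      = $file
                    Line      = $call.Extent.StartLineNumber
                    Cmdlet    = $bare
                    Statement = $call.Extent.Text
                }
            }
        }
    }
}

# Constructed sample script: one comment mention, one real call, one
# call to the replacement cmdlet. Only line 2 should be reported.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'audit-cmdlet-scan-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
# TODO: replace Search-MailboxAuditLog before the end of 2025
Search-MailboxAuditLog -Identity user@contoso.example -ShowDetails
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
'@ | Set-Content -Path (Join-Path $sampleDir 'report.ps1')

Find-RetiringAuditCmdlet -Path $sampleDir | Format-Table -AutoSize
```

Point -Path at the directory that holds your scheduled and ad hoc Exchange scripts; the scan does not cover non-PowerShell tools or applications that call these cmdlets.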
Below is a comparison grid showcasing the differences between the Exchange cmdlets and the Purview cmdlet:

Feature/Capability | Search-MailboxAuditLog & New-MailboxAuditLogSearch | Search-UnifiedAuditLog (Purview)
Record Types Supported | Exchange Only | Extensive
Filtering Options | Standard | Modern
Data Retention | Varies | 180 days
Compliance | Limited | Full Compliance
User Experience | Fragmented | Unified

Audit logging is turned on by default for Microsoft 365 organizations. Please verify the auditing status for your organization.

Feedback

If you have any feedback about this change, you can reach out to our exchangeonlinesearch-mailboxauditlogmigration@service.microsoft.com group. We are always happy to hear from you and assist in any way we can.

How to deploy Microsoft Purview DSPM for AI to secure your AI apps
Microsoft Purview Data Security Posture Management (DSPM for AI) is designed to enhance data security for the following AI applications:
- Microsoft Copilot experiences, including Microsoft 365 Copilot.
- Enterprise AI apps, including ChatGPT enterprise integration.
- Other AI apps, including all other AI applications like ChatGPT consumer, Microsoft Copilot, DeepSeek, and Google Gemini, accessed through the browser.

In this blog, we will dive into the different policies and reporting we have to discover, protect and govern these three types of AI applications.

Prerequisites

Please refer to the prerequisites for DSPM for AI in the Microsoft Learn Docs.

Login to the Purview portal

To begin, start by logging into Microsoft 365 Purview portal with your admin credentials:
- In the Microsoft Purview portal, go to the Home page.
- Find DSPM for AI under solutions.

1. Securing Microsoft 365 Copilot

Discover potential data security risks in Microsoft 365 Copilot interactions

- In the Overview tab of DSPM for AI, start with the tasks in “Get Started” and Activate Purview Audit if you have not yet activated it in your tenant to get insights into user interactions with Microsoft Copilot experiences.
- In the Recommendations tab, review the recommendations that are under “Not Started”. Create the following data discovery policies to discover sensitive information in AI interactions by clicking into each of them and select “Create policies”.
  - Detect risky interactions in AI apps - This public preview Purview Insider Risk Management policy helps calculate user risk by detecting risky prompts and responses in Microsoft 365 Copilot experiences. Click here to learn more about Risky AI usage policy.
With the policies to discover sensitive information in Microsoft Copilot experiences in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter to Microsoft Copilot Experiences, and review the following for Microsoft Copilot experiences:
- Total interactions over time (Microsoft Copilot)
- Sensitive interactions per AI app
- Top unethical AI interactions
- Top sensitivity labels references in Microsoft 365 Copilot
- Insider Risk severity
- Insider risk severity per AI app
- Potential risky AI usage

Protect sensitive data in Microsoft 365 Copilot interactions

From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities from Microsoft Copilot experiences based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more. Then drill down to each activity to view details including the capability to view prompts and response with the right permissions.

To protect the sensitive data in interactions for Microsoft 365 Copilot, review the Not Started policies in the Recommendations tab and create these policies:
- Information Protection Policy for Sensitivity Labels - This option creates default sensitivity labels and sensitivity label policies. If you've already configured sensitivity labels and their policies, this configuration is skipped.
- Protect sensitive data referenced in Microsoft 365 Copilot - This guides you through the process of creating a Purview Data Loss Prevention (DLP) policy to restrict the processing of content with specific sensitivity labels in Copilot interactions. Click here to learn more about Data Loss Prevention for Microsoft 365 Copilot.
- Protect sensitive data referenced in Copilot responses - Sensitivity labels help protect files by controlling user access to data.
Microsoft 365 Copilot honors sensitivity labels on files and only shows users files they already have access to in prompts and responses. Use Data assessments to identify potential oversharing risks, including unlabeled files. Stay tuned for an upcoming blog post on using DSPM for AI data assessments!
- Use Copilot to improve your data security posture - Data Security Posture Management combines deep insights with Security Copilot capabilities to help you identify and address security risks in your org.

Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution. Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps.

Govern the prompts and responses in Microsoft 365 Copilot interactions

- Understand and comply with AI regulations by selecting “Guided assistance to AI regulations” in the Recommendations tab and walking through the “Actions to take”.
- From the Recommendations tab, create a Control unethical behavior in AI Purview Communications Compliance policy to detect sensitive information in prompts and responses and address potentially unethical behavior in Microsoft Copilot experiences and ChatGPT for Enterprise. This policy covers all users and groups in your organization.
- To retain and/or delete Microsoft 365 Copilot prompts and responses, set up a Data Lifecycle policy by navigating to Microsoft Purview Data Lifecycle Management and find Retention Policies under the Policies header.
- You can also preserve, collect, analyze, review, and export Microsoft 365 Copilot interactions by creating an eDiscovery case.

2. Securing Enterprise AI apps

Please refer to this amazing blog on Unlocking the Power of Microsoft Purview for ChatGPT Enterprise | Microsoft Community Hub for detailed information on how to integrate with ChatGPT for enterprise, the Purview solutions it currently supports through Purview Communication Compliance, Insider Risk Management, eDiscovery, and Data Lifecycle Management. Learn more about the feature also through our public documentation.

3. Securing other AI

Microsoft Purview DSPM for AI currently supports the following list of AI sites. Be sure to also check out our blog on the new Microsoft Purview data security controls for the browser & network to secure other AI apps.

Discover potential data security risks in prompts sent to other AI apps

In the Overview tab of DSPM for AI, go through these three steps in “Get Started” to discover potential data security risk in other AI interactions:

- Install Microsoft Purview browser extension
  - For Windows users: The Purview extension is not necessary for the enforcement of data loss prevention on the Edge browser but required for Chrome to detect sensitive info pasted or uploaded to AI sites. The extension is also required to detect browsing to other AI sites through an Insider Risk Management policy for both Edge and Chrome browser. Therefore, Purview browser extension is required for both Edge and Chrome in Windows.
  - For MacOS users: The Purview extension is not necessary for the enforcement of data loss prevention on macOS devices, and currently, browsing to other AI sites through Purview Insider Risk Management is not supported on MacOS, therefore, no Purview browser extension is required for MacOS.
- Onboard devices to Microsoft Purview
- Extend your insights for data discovery – this one-click collection policy will set up three separate Purview detection policies for other AI apps:
  - Detect sensitive info shared in AI prompts in Edge – a Purview collection policy that detects prompts sent to ChatGPT consumer, Microsoft Copilot, DeepSeek, and Google Gemini in Microsoft Edge and discovers sensitive information shared in prompt contents. This policy covers all users and groups in your organization in audit mode only.
  - Detect when users visit AI sites – a Purview Insider Risk Management policy that detects when users use a browser to visit AI sites.
  - Detect sensitive info pasted or uploaded to AI sites – a Purview Endpoint Data loss prevention (eDLP) policy that discovers sensitive content pasted or uploaded in Microsoft Edge, Chrome, and Firefox to AI sites. This policy covers all users and groups in your org in audit mode only.

With the policies to discover sensitive information in other AI apps in place, head back to the Reports tab of DSPM for AI to discover any AI interactions that may be risky, with the option to filter by Other AI Apps, and review the following for other AI apps:
- Total interactions over time (other AI apps)
- Total visits (other AI apps)
- Sensitive interactions per AI app
- Insider Risk severity
- Insider risk severity per AI app

Protect sensitive info shared with other AI apps

From the Reports tab, click on “View details” for each of the report graphs to view detailed activities in the Activity Explorer. Using available filters, filter the results to view activities based on different Activity type, AI app category and App type, Scope, which support administrative units for DSPM for AI, and more.
To protect the sensitive data in interactions for other AI apps, review the Not Started policies in the Recommendations tab and create these policies:

Fortify your data security – This will create three policies to manage your data security risks with other AI apps:

1) Block elevated risk users from pasting or uploading sensitive info on AI sites – this will create a Microsoft Purview endpoint data loss prevention (eDLP) policy that uses adaptive protection to give a warn-with-override to elevated risk users attempting to paste or upload sensitive information to other AI apps in Edge, Chrome, and Firefox. This policy covers all users and groups in your org in test mode. Learn more about adaptive protection in Data loss prevention.

2) Block elevated risk users from submitting prompts to AI apps in Microsoft Edge – this will create a Microsoft Purview browser data loss prevention (DLP) policy, and using adaptive protection, this policy will block elevated, moderate, and minor risk users attempting to put information in other AI apps using Microsoft Edge. This integration is built-in to Microsoft Edge. Learn more about adaptive protection in Data loss prevention.

3) Block sensitive info from being sent to AI apps in Microsoft Edge - this will create a Microsoft Purview browser data loss prevention (DLP) policy that detects a selection of common sensitive information types inline and blocks prompts being sent to AI apps while using Microsoft Edge. This integration is built-in to Microsoft Edge.

Once you have created policies from the Recommendations tab, you can go to the Policies tab to review and manage all the policies you have created across your organization to discover and safeguard AI activity in one centralized place, as well as edit the policies or investigate alerts associated with those policies in solution.
Note that additional policies not from the Recommendations tab will also appear in the Policies tab when DSPM for AI identifies them as policies to Secure and govern all AI apps.

Conclusion

Microsoft Purview DSPM for AI can help you discover, protect, and govern the interactions from AI applications in Microsoft Copilot experiences, Enterprise AI apps, and other AI apps. We recommend you review the Reports in DSPM for AI routinely to discover any new interactions that may be of concern, and to create policies to secure and govern those interactions as necessary. We also recommend you utilize the Activity Explorer in DSPM for AI to review different Activity explorer events while users are interacting with AI, including the capability to view prompts and response with the right permissions.

We will continue to update this blog with new features that become available in DSPM for AI, and stay tuned for another blog post on addressing oversharing for deploying Microsoft 365 Copilot with Microsoft Purview DSPM for AI Data Assessments!
Follow-up Reading

- Check out this blog on the details of each recommended policy in DSPM for AI: Microsoft Purview – Data Security Posture Management (DSPM) for AI | Microsoft Community Hub
- Address oversharing concerns with Microsoft 365 blueprint - aka.ms/Copilot/Oversharing
- Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn
- Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn
- Commonly used properties in Copilot audit logs - Audit logs for Copilot and AI activities | Microsoft Learn
- Supported AI sites by Microsoft Purview for data security and compliance protections | Microsoft Learn
- Where Copilot usage data is stored and how you can audit it - Microsoft 365 Copilot data protection and auditing architecture | Microsoft Learn
- Downloadable whitepaper: Data Security for AI Adoption | Microsoft
- Public roadmap for DSPM for AI - Microsoft 365 Roadmap | Microsoft 365

Explore how to secure AI by attending our Learn Live Series
Register to attend Learn Live: Security for AI with Microsoft Purview and Defender for Cloud starting April 15

In this month-long webinar series, IT pros and security practitioners can hone their security skillsets with a deeper understanding of AI-centric challenges, opportunities, and best practices using Microsoft Security solutions. Each session will follow a hosted demo format and cover a Microsoft Learn module (topics listed below). You can ask the SMEs questions via the chat as they show you how to use Microsoft Purview and Microsoft Defender for Cloud to protect your organization in the age of AI.

Learn Live dates/topics include:

April 15 at 12pm PST – Manage AI Data Security Challenges with Microsoft Purview: Microsoft Purview helps you strengthen data security in AI environments, providing tools to handle challenges from AI technology. Learn to safeguard your data and adapt to evolving security challenges in AI technology. This session will help you:
- Understand sensitivity labels in Microsoft 365 Copilot
- Secure against generative AI data exposure with endpoint Data Loss Prevention
- Detect generative AI usage with Insider Risk Management
- Dynamically protect sensitive data with Adaptive Protection

April 22 at 12pm PST – Manage Compliance with Microsoft Purview with Microsoft 365 Copilot: Use Microsoft Purview for compliance management with Microsoft 365 Copilot. You'll learn how to handle compliance aspects of Copilot's AI functionalities through Purview.
This session will teach you how to:
- Audit Copilot interactions within Microsoft 365 using Microsoft Purview
- Investigate Copilot interactions using Microsoft Purview eDiscovery
- Manage Copilot data retention with Microsoft Purview Data Lifecycle Management
- Monitor and mitigate risks in Copilot interactions using Microsoft Purview Communication Compliance

April 29 at 12pm PST – Identify and Mitigate AI Data Security Risks: Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorized data exposure. Learn how to configure DSPM for AI, track AI interactions, run data assessments, and apply security controls to reduce risks associated with AI usage. You will learn how to:
- Explain the purpose and benefits of Microsoft Purview DSPM for AI
- Set up and configure DSPM for AI to monitor AI interactions
- Identify and analyze AI security risks using reports and insights
- Run and review AI data assessments to detect oversharing risks
- Apply security policies, such as DLP and sensitivity labels, to protect AI-referenced data

May 13 at 10am PST – Enable Advanced Protection for AI Workloads with Microsoft Defender for Cloud: As organizations use and develop AI applications, they need to address new and amplified security risks. Prepare your environment for secure AI adoption to safeguard your data and identify threats to your AI. This session will help you:
- Understand how Defender for Cloud can protect AI workloads
- Enable threat protection workloads for AI
- Gain application and end user context for AI alerts

Register today for these new sessions. We look forward to seeing you! If you’re unable to attend a session, don’t worry—the recordings will be made available on-demand via YouTube.

Microsoft Purview Best Practices
Microsoft Purview is a solution that helps organizations manage data and compliance. It also uses AI to classify data, monitor compliance, and identify risks. Key features include data discovery, classification, governance, retention, compliance management, encryption, and access controls. Purview ensures data security, prevents insider threats, and helps implement data loss prevention policies to meet compliance requirements.

Hello everyone - This is just a short introduction, I am Dogan Colak. I have been working as an M365 Consultant for about 5 years, holding certifications such as MCT, SC-100, SC-200, SC-300, and MS-102, with a focus on Security & Compliance. This year, I am excited to share what I have learned with the Microsoft Technology Community. In the coming days, I will be publishing videos and articles based on the training agenda I have created. I will also share these articles on LinkedIn, so feel free to follow me there. I am always open to feedback and suggestions. See you soon!

Introducing the Microsoft Purview Audit Search Graph API
The new Microsoft Purview Audit Search Graph API will enable the programmatic search and retrieval of relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.

How to use Log Analytics log data exported to Storage Accounts
In this blog post I explore some options for accessing logs that were archived in Azure storage account containers, either through export from Log Analytics and Sentinel or through a custom Logic App. This is to address exceptional cases where you need those archived data, for example for historical context during an investigation.