Microsoft 365 Copilot Rename Means Exactly What?

By now, I’m sure that people understand that Microsoft has two chat apps available for Microsoft 365 users:

• Microsoft Copilot, which is limited to making queries against the Microsoft LLMs. The app is available without a license to anyone who signs into their Entra ID account before they can use Microsoft Copilot, which is why it’s sometimes referred to as Microsoft Copilot (for users with Entra accounts). This app started as Bing Chat Enterprise before the Copilot branding team applied their magic. To be fair, the addition of enterprise data protection to Microsoft Copilot in September 2024 improved the app greatly.
• Microsoft 365 Copilot, which can include Graph content (data stored in SharePoint Online, OneDrive for Business, Teams, and Exchange Online) in its queries against the Microsoft LLMs (the Graph content “grounds” the queries). This app is also called BizChat, and I use that name for the remainder of this article. User accounts must hold a $360/year Microsoft 365 Copilot license before they can use BizChat.

The naming used for these apps and the Microsoft 365 Copilot suite (a Copilot for every app, like Copilot in Word, Copilot in Teams, Copilot in Outlook, etc.) has evolved since the original launch in March 2023. In that time, probably far too many brain cells have been sacrificed to keep up with Microsoft’s marketing machinations as they seek to drive Copilot deep into the consciousness of Microsoft employees and customers alike.

The January 2025 Change

Message center notification MC958903 (16 December 2024) marks yet another turn in the naming game. In mid-January 2025, Microsoft will introduce changes “to simplify the user experience.”

• Microsoft Copilot becomes Microsoft 365 Copilot Chat. The app will be able to use Copilot agents for the first time. Agents that access web content are free, but using agents that access work data (Graph data) must be paid for on a pay-as-you-go (metered consumption) basis.
• The current Microsoft 365 app, which includes a Copilot icon to access Copilot in its navigation bar, becomes Microsoft 365 Copilot, complete with a new M365Copilot.com URL to “make it easier to discover.” Depending on their licensing status, the Copilot icon brings people to either Microsoft 365 Copilot Chat or BizChat. The app will receive a UI makeover to “support future AI-first experiences” like exposing Copilot Pages. The changes are detailed in MC958905 and include a new icon that I thoroughly dislike (see Figure 1).

All of this was discussed at the Ignite 2024 conference in Chicago last month. I paid little attention at the time because I ignored most of the marketing fluff from the conference, preferring to wait to see the details emerge. If you’re interested, the keynote is still online, complete with a very brief mention of a rename (Figure 2).

The Confusion Between Product and App

I dislike renaming Microsoft Copilot to be Microsoft 365 Copilot Chat because it complicates what should be a simple differentiation between users who have Microsoft 365 Copilot licenses and those who do not. Once you apply the Microsoft 365 brand to an app, a certain implication exists that the app has something to do with Microsoft 365 and enjoys some access to Microsoft 365 content (which it doesn’t have).

I guess the chat app that can’t access Microsoft 365 content has some relationship with Microsoft 365 because it’s available through the Microsoft 365 Copilot app, but the connection is tenuous at best and difficult for people who don’t track the minutiae of changes within the service. It took me several readings of MC958903 before the details sunk in. I suspect that I am not alone.

I’m sure that Microsoft will point to its fabled telemetry to justify the decision. They always do. However, I think this is more of the “let’s brand everything with the <insert latest product du jour name here> name here” tactic seen in the past with Windows, Office, and .Net. The problem is that telemetry seldom highlights the potential for future confusion of the sort that’s likely when this change emerges.

Tiring Pace of Branding Changes

Everyone understands that Microsoft is making a big bet to be the leader in AI. Microsoft is spending a ton of money to build their leadership, including a reported $19 billion spend reported in their Q4 FY24 results. But the constant mantra of Copilot everywhere is starting to wear. It will be a relief when the tsunami subsides and we can all get back to productive work, with or without Copilot’s assistance.

Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Poorly Thought-Out Decision will Reduce the Effectiveness and Usefulness of the Search-UnifiedAuditLog Cmdlet

On December 12, Microsoft published message center notification MC955752 to inform tenant administrators of a fundamental and problematic change in the way the Search-UnifiedAuditLog cmdlet behaves. In a nutshell, Microsoft proposes to make high completeness searches the only type of supported audit log search. That would be fine if these searches worked and were capable of finishing in a reasonable time. The problem is that high completeness searches are unreliable and take too long to complete.

Microsoft says that high completeness searches focus on retrieving a complete set of audit results in response to administrator queries. By contrast, they characterize the current behavior of the Search-UnifiedAuditLog cmdlet as speedy but can return “a subset of results.” My experience is that the current default tends to return too many results, which is why you should always sort the output set to exclude duplicates.

Microsoft then goes on to say that, out of the goodness of their hearts, they’re changing the way the Search-UnifiedAuditLog cmdlet works so that it will always run high completeness searches starting in late January 2025. To be fair, Microsoft notes that “search queries may take longer to finish.” I guess that they cannot get away from the fact that high completeness searches take between ten and twenty times longer to complete than the current searches.

A Complete Mess

I dislike the proposed change because I believe that making all audit log searches “highly complete” will affect scripts running in production today in ways that Microsoft has not anticipated.

As far as I can tell, the developers think about audit log searches as simple activities to recover audit log data. Those working with tenants use audit log searches for many other purposes, from forensic investigations following potential attacks to extracting audit results on an ongoing basis for ingestion into an external SIEM. Some ISVs use the cmdlet to extract audit information for their customers to use as the basis for some reporting.

Another example is where Microsoft engineering uses the Search-UnifiedAuditLog cmdlet to find evidence of the Exchange Web Services App Impersonation RBAC role in use. The script provided by Exchange engineering quickly becomes unusable when every iteration to find audit records takes ten minutes to complete.

Many scripts call the Search-UnifiedAuditLog cmdlet to find evidence of specific user activity. The searches might return just one or two records, enough to prove that someone is active, or they might deliver a more comprehensive assessment of the actions taken by a user account during a day. Waiting for ten minutes for a high completeness search to complete makes it impracticable for these scripts to use Search-UnifiedAuditLog (or the Graph API).

The Unreliability of High Completeness Searches

An even bigger problem is the unreliability of high completeness searches. I pointed this problem out when Microsoft released the feature in preview in April 2024. Things don’t seem to have improved much since. As an example, I ran the script to find SharePoint file operations to identify the last accessed time for documents, which is information that the Graph API for SharePoint cannot return. The search u looks for specific operations over a set period and is typical of the normal usage in Microsoft 365 tenants:

Write-Host ("Searching for SharePoint file operations in the {0} site between {1} and {2}" -f $TargetSite, $StartDate, $EndDate)
[array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType "SharePointFileOperation" -ResultSize 5000 -SessionCommand ReturnLargeSet -Formatted -ObjectIds $TargetSearchSite
If (!($Records)) {
    Write-Host "No audit records found"
    Break
}
# Remove any duplicates
$Records = $Records | Sort-Object Identity -Unique | Sort-Object {$_.CreationDate -as [DateTime]} 
Write-Host ("{0} SharePoint Online file operations audit records found" -f $Records.Count)

Running against the site I use to store the source documents for articles, a normal search retrieved 3,879 records in 31.02 seconds. This time included the sort to remove duplicates. Running the same search with the high completeness flag set resulted in a series of failures. For example:

Measure-Command {[array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType "SharePointFileOperation" -ResultSize 5000 -SessionCommand ReturnLargeSet -Formatted -ObjectIds $TargetSearchSite -HighCompleteness}

WARNING: Failed to process request via HighCompleteness flag, returning HttpRequestException. Exception: InternalServerError , Reason: Internal Server Error.

Days              : 0
Hours             : 0
Minutes           : 8
Seconds           : 11
Milliseconds      : 42
Ticks             : 4910423270
TotalDays         : 0.0056833602662037
TotalHours        : 0.136400646388889
TotalMinutes      : 8.18403878333333
TotalSeconds      : 491.042327
TotalMilliseconds : 491042.327

In fact, despite many attempts over several days, the search never completed. Failures happened after six, seven, or eight minutes, even during the weekend when the service experiences light demand. Using high completeness searches was a deeply unsatisfying experience that doesn’t cast a good light on Microsoft engineering or software testing.

The Microsoft Imperative to Constrain Resource Demand

Microsoft has history in messing around with the Search-UnifiedAuditLog cmdlet in ways that affect production scripts. In September 2023, they changed the way searches worked so that fewer results were returned by default. Microsoft didn’t make any announcement at the time and denied that any change had occurred even though the evidence was clear and obvious that the cmdlet now functioned in a dramatically different way.

It seems to me that Microsoft is a victim of the audit log’s success. When it was first introduced, the audit log ingested data from core workloads like Entra ID, Exchange Online, and SharePoint Online for a relatively small number of events. Eight years later, thousands of different events are ingested from multiple workloads, which increases the resources required to store and process audit events. Another extra demand for resources came when Microsoft had to up the retention period for Purview Audit standard customers from 90 to 180 days. Conserving resources is why the Audit search in the Purview portal (Figure 1) only performs asychronous searches and doesn’t use the Search-UnifiedAuditLog cmdlet.

Microsoft points to the AuditLog Query Graph API as a method for programmatic access to audit data. This is true, but setting up and running AuditLog Query searches takes substantially more effort than running Search-UnifiedAuditLog does, even using the Microsoft Graph PowerShell SDK cmdlets to interact with the API. It’s one thing for Microsoft to switch the Audit search solution in the Purview portal to use the Graph API; it’s quite another to ask customers to upgrade all their PowerShell scripts to replace Search-UnifiedAuditLog. Making this suggestion in the message center notification displays a callous lack of appreciation about how paying customers use Microsoft software.

A Problematic and Concerning Change

The lack of robustness in high completeness searches is nothing but problematic. If you can’t rely on searches completing, you can’t include search processing in scripts. Although running interactive synchronous searches obviously takes more resources, it’s how paying customers extract value from the audit log.

Changing audit searches to high completeness is bad. It might save Microsoft some computing resources, it will impact production processes by forcing Microsoft 365 tenants to use unreliable and fallible methods to access what is, after all, their audit data. Microsoft should leave well enough alone and fix high completeness to make it an optional, slow, but (when fixed) dependable alternative for audit log searches.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Outlook Classic. OWA, and the New Outlook All Get the Org Explorer

Now that we’ve all recovered from the news about the retirement of Viva Goals, a possibly more important change in the world of Viva is the removal of the requirement for a Viva Suite license for access to the Org Explorer feature in Outlook (Figure 1). Microsoft introduced the need for potential Org Explorer users to have a Viva Suite license in February 2023 after originally saying that a Microsoft 365 E3 or E5 license was sufficient.

According to MC939925 (last updated 5 December 2024), rollout of Org Explorer to Outlook users will start in mid-January 2025 and complete by mid-April 2025. The Org Explorer is available for Outlook classic, OWA, and the new Outlook for Windows. Microsoft 365 roadmap item 421191 says that the feature is available to all Microsoft 365 commercial customers, which implies that anyone with a paid-for Microsoft 365 license can use the Org Explorer.

The Need for Directory Sanity

I never understood why Microsoft decided that it was a good idea to license the Org Explorer as a premium Viva feature. The explorer reveals the same kind of information that’s shown by the Microsoft 365 user profile card (without the ability to add custom properties to what’s displayed about users).

It seems like the folks who put together the Viva licensing strategy cast around to find features they could include to justify premium pricing and decided that the Org Explorer was a good fit. It’s yet another of the Microsoft 365 licensing oddities, like demanding an E5 license to add a default retention or sensitivity label to SharePoint document libraries. I had a Viva Suite license at one point, which is how I tested access to the Org Explorer, but after losing that license, I never noticed that the Org Explorer was no longer available in Outlook, which summarized the value I received from the feature.

Even though I might not have discovered much value in the Org Explorer, I think it’s fair to say that those working in large enterprises, especially when offices are distributed and/or multinational, might consider the Explorer to be a useful tool. Like user profile cards, the usefulness of something like the Explorer is highly dependent on the accuracy of the information stored in Entra ID. For instance, if reporting relationships (managers and direct reports) are not maintained in Entra ID, it’s impossible for a tool like the Org Explorer to build a coherent view of the organizational structure.

Some organizations prefer to store reporting relationships in HR databases and don’t synchronize this information with Entra ID. In such a situation, the view of the organization constructed by the Org Explorer is unlikely to be helpful or accurate.

Outlook’s Toggle into the Future

Speaking of Outlook classic, in MC949965 (December 6, 2024), Microsoft says that in April 2026, they will “toggle” enterprise users of Outlook classic to use the new Outlook for Windows. Fortunately, users will be able to recognize Microsoft’s mistake and immediately switch back if they choose. Conditions that will prevent automatic toggling include:

• Tenants hide the switching toggle. Hiding the toggle is the easiest way to stop Microsoft automatically moving Outlook classic clients to the new Outlook.
• Tenants choose an admin-driven migration.
• Outlook accesses on-premises mailboxes.

Microsoft wants to give users the opportunity to try the new Outlook, something that might be better appreciated if the client worked better than it does now. New features like pinning and snoozing messages might be appreciated by some, but I suspect that many in the Outlook community don’t care too much about these things.

Still, who knows what might transpire between now and fifteen months’ time? All the lingering issues that stop people switching now might be solved and everyone will be happy to adopt the new client before Microsoft support for the classic client ceases in 2029.

Change Keeps on Happening

Product retirements, licensing changes, and client upgrades are just part and parcel of Microsoft 365 life. It’s hard to keep track of everything that happens. Even we have a hard time, and we’ve been tracking the ins and outs of change across Office 365 and Microsoft 365 since 2014.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Easier Than Running Set-SPOSite to Configure Individual Sites with the Block Download Policy

In February 2023, I wrote about the SharePoint Online Block Download policy. At the time, the only way to assign the block download policy to a site was to run the Set-SPOSite cmdlet to update site settings. This isn’t a difficult operation and it’s likely that relatively few sites contain the level of confidential information that creates the need to block users from downloading documents.

Using PowerShell to maintain the block access policy for individual sites is not a problem. However, managing which sites have a block download policy is easier with a container management label. If configured for a container management label, SharePoint Online applies the block download policy automatically along with all the other controls set in the label to each site that receives the label.

Configuring a Container Management Label to Block Downloads

When Microsoft introduces new controls to control site behavior through container management labels, PowerShell is often the initial method chosen to apply the settings. External sharing is an example of a setting first enabled in PowerShell and later configurable through the GUI for sensitivity labels in the Microsoft Purview portal. Even though the block download policy has been available for a while, the block download policy is still considered an advanced setting that must be configured through PowerShell.

The first step is to connect to Exchange Online PowerShell and to the compliance endpoint:

Connect-ExchangeOnline
Connect-IPPSSession

To update the block download policy, run the Set-Label cmdlet to configure the advanced settings for the labels that will apply the control. In the following example, I configure settings for a label with the display name Limited Access to:

• Set the block download policy to True (the policy is active).
• Exclude site owners from the block download policy.
• Exclude the members of a selected group from the block download policy. Pass the object identifier for the group. If you want to specify several groups, separate the object identifiers with commas. You can use security or Microsoft 365 groups.

Set-Label -Identity 'Limited Access' -AdvancedSettings @{BlockDownloadPolicy="true"}
Set-Label -Identity 'Limited Access' -AdvancedSettings @{ExcludeBlockDownloadPolicySiteOwners = "true"}
Set-Label -Identity 'Limited Access' -AdvancedSettings @{ExcludedBlockDownloadGroupIds="2c2f5287-a88a-4e14-ba22-503d8b0bf3b3"}

The Effect on Users

After updating label settings, it takes about 24 hours for the policy to become effective. A background timer job detects that new label settings are available and applies them to the sites with the label. Afterward, when a user opens a site with a label that contains the block download policy settings, SharePoint Online checks if the user is a site owner or is on the excluded user list. If not, SharePoint Online applies the block download policy, and the user is restricted to working with content online (Figure 1).

The most obvious effect of the block download policy is that users must edit Office files with the browser apps. This is because SharePoint cannot download temporary copies of files for the Office desktop apps to work with.

If you don’t know if sites have assigned container management labels, run the script described in this article. For more details about how the Block Download policy works, read Microsoft’s documentation.

Advantages of Policy Assignment via Sensitivity Labels

The advantage of applying settings through sensitivity labels is obvious: once an administrator assigns a label to a container, the container inherits all the label settings. There’s no need for administrators to discover the syntax to apply individual settings to sites. You still can apply the block download policy to sites by running the Set-SPOSite cmdlet, but policy assignment via sensitivity labels is more convenient and less prone to error. It also means greater consistency in site settings because administrators know that once they apply a container management label to a site, the site automatically picks up all the settings from the label.

Using the Block Download policy requires the Microsoft SharePoint advanced management license for all users who “benefit from the policy.” In other words, anyone who connects to a site where the policy is active must have an appropriate license.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Find Your Account with Microsoft Search to Update Your Details

Delve is scheduled for retirement on December 16, 2024. As noted previously, when Delve retires, users need a different mechanism to update their profile settings. Microsoft said that the replacement for user profile updates will be available through Microsoft search and promised that the replacement would be available before the demise of Delve. The option to update user profiles has duly arrived and should now be available in tenants.

The new option hasn’t yet replaced the My Microsoft 365 profile accessed by clicking the user profile photo in the top right-hand corner of Microsoft 365 browser interfaces. I’m sure that this will happen, but in the interim, you’ll need to go to Office.com and search to find your user profile. When you view your profile, you should see the option to Update your profile (Figure 1).

Eventually, the option to update user profile settings should appear in all apps where users can currently view their profile card.

Updating User Details

Generally speaking, updating a user profile is straightforward. Some updates show up faster when people view the user profile than the 24 hours expectation set by Microsoft when saving new values for the profile (Figure 2).

A Mixture of Properties

My issue with the current implementation is that it still surfaces some elements of the old SharePoint profile. For instance, if you click the link to “add more profile information,” you’re brought to the old Edit Details screen. For most tenants, there’s nothing on this screen that cannot be changed with the update profile screen, so I’m unsure what extra value the link delivers. Perhaps it’s to serve tenants who add custom user profile properties to SharePoint Online.

The duplication of some common properties shown on the profile card is more worrisome. Most properties relating to the organizational information stored about users is held in Entra ID, which is the authoritative source for directory information within Microsoft 365. These properties include the job title, department, company name, office location, and business address. They also include contact information like numbers for home, business, and mobile phones.

The issue is that the user profile card displays two sets of telephone numbers. One set are the values stored in Entra ID; the other are stored in SharePoint Online. Users can’t update Entra ID, but they can update their home and mobile numbers in the profile information in SharePoint (Figure 3). Oddly, users can update the business fax information in SharePoint Online, but the equivalent from Entra ID isn’t even shown.

Perhaps the desire is to allow users to publish both official (Entra ID) and unofficial contact details. That could very well be a good idea, if the same names weren’t used. For instance, Figure 4 shows my user profile. There are two values listed for mobile phone and business fax. Entra ID doesn’t store home phone numbers for users, so the profile uses the data from SharePoint Online.

A Missed Opportunity

While acknowledging that the implementation now being rolled out is to assist in the retirement of Delve by replacing how users update profile information, it seems like failing to rationalize the information displayed on the user profile card is a missed opportunity.

Most Microsoft 365 tenants don’t add custom user profile properties to SharePoint Online. The feature is a legacy inherited from the on-premises server that should be replaced by easier customization for user accounts within Entra ID. Given the core position of Entra ID within the Microsoft 365 ecosystem, it just doesn’t make sense to persist with a mechanism that, as far as I can tell, isn’t widely used.

You can add custom directory extensions or schema extensions to Entra ID, but using the extensions isn’t as easy as it should be. For instance, there’s no way to customize the user profile card to add custom directory or schema extensions in the same way as supported for Exchange custom attributes. It would be nice if Microsoft made it easy for administrators to create tenant-specific versions of the user profile card and for users to update their details. It’s possible to create and update profile cards today, but pulling everything together is just more complicated than it should be.

Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Help Desks Don’t Use Federated Chat – But Attackers Do

A recent ReliaQuest report describes how attackers have started to use social engineering to reach out to Teams users via federated chat (1-to-1 external access) using display names crafted to make the users believe that they’re communicating with help desk staff. It’s a curious development in some respects because Microsoft clamped down on misuse of Teams federated chat from trial tenants in June 2024. Tenants now need paid licenses to use federated chat, with the idea being that if someone hands over a credit card to pay for subscriptions, they’re less likely to be an attacker.

The new block had some unexpected consequences. Since its implementation, people have tried to find ways around the block through various licensing arrangements that we don’t need to discuss in detail here. Obviously, the attackers must not be using a trial tenant.

Known Weaknesses for Attackers to Exploit

Security researchers first highlighted the potential weakness in federated chat some years ago through the GIFShell and JumpSec exploits, both of which were more of a research demonstration rather than a real attack.

Even so, the demonstrations were sufficient to cause some to question Microsoft’s default configuration for Teams which allows open access for federated chat with any other Microsoft 365 tenant that supports Teams. Given that Teams has 320 million monthly active users (a number that Microsoft hasn’t changed since October 2023), that figure implies that connections are available to most other Microsoft 365 tenants.

Open External Access for Teams is Asking for Trouble

I’m on record as saying that I don’t think it is wise for tenants to allow open access for federated chat. It seems better to secure external access by limiting federated connections to a set of known domains. Using an allow list for external access will block attempts to connect from unexpected tenants, but it comes with a price: the requirement to maintain the allow list.

PowerShell updates can reduce the work required to maintain the allow list. For instance, a good start is to populate the allow list with the domains belonging to guest accounts known to the tenant. Another approach is to find the tenants that users already communicate with using federated chat and build the allow list from those domains.

Teams is careful about warning users when connections come in from unknown sources. Sometimes, it even warns of inbound federated chat from a very well-known source, such as the warning shown in Figure 1 when Tim McMichael from Microsoft wanted to chat with me.

The warnings for unexpected contacts coming in through federated chat will be strengthened when Microsoft rolls out Brand impersonation protection for Teams messaging (see message center notification MC910976, last updated 27 November 2024, Microsoft 365 roadmap item 421190).

Brand impersonation protection means that users will be alerted if a new connection comes in from an external domain that impersonates a brand “commonly targeted by phishing attacks.” When this happens, Microsoft signals the potential risk and advises the user to proceed with caution and they’ll be forced to preview the message before deciding to accept or block the contact. In some respects, this is like what happens when Outlook alerts users when the email address from a new sender resembles the email address of someone that they already communicate with.

Brand Impersonation Block Rolling Out

Targeted release tenants already have brand impersonation protection. Microsoft says that they expect to complete worldwide deployment by mid-December 2024. Warnings about heightened risk are very helpful but users can still choose to go ahead and accept the connection. That’s why I still think it’s better to operate a known allow list for Teams external access.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Analyze the Audit Events for a User Over a Single Day

I’m speaking about decoding the Microsoft 365 audit log at the ESPC conference in Stockholm, Sweden today. As part of the preparation for the session, I wanted to create a demo to highlight some of the challenges of interpreting audit records to attendees. I have many examples of PowerShell scripts that perform different tasks, like finding the last accessed date for documents stored in SharePoint Online. These scripts work well and solve problems, but they don’t shine a light onto the biggest single issue with audit log data. That issue is the maddening inconsistency found in the audit data payload contained in audit records.

The Two Parts of Audit Log Records

Audit records have two parts. The first is a consistent set of properties that must be respected by workloads when they generate audit records. These properties include the unique identity (GUID) for the record, a timestamp, the name of the user or process who performed an action, and the name of the action. The second part is the audit payload, a JSON structure contained in the AuditData property. Microsoft 365 workloads like Exchange Online and SharePoint Online control what they insert into the audit payload for their events, and no consistency and sometimes no reason governs what turns up in audit payloads.

The lack of consistency means that anyone attempting to interpret audit data must figure out what the audit payload contains and put it into context with what you know about the action captured by the event. The content differs from Exchange Online to SharePoint Online to Teams to Planner to Entra ID. The lack of consistency and the obvious errors in audit data points to poor control and attention to detail by engineering groups, both the team responsible for the audit log and the teams responsible for generating workload events.

Investigating User Actions for a Day

To illustrate the problem, I decided to create a script to report details of all actions taken by an individual user over a single day. I developed the script by fetching the audit records (about 2,200) logged for me on 27 November 2024 and reporting what I found. I stripped UserLoggedIn events from the set because of the number (946) of sign-ins to different applications from multiple devices. Most of the sign-ins are silent and result from the renewal of an access token. Figure 1 shows what the output report looks like.

The set of actions spanned interactions with multiple workloads for user activities like creating and updating documents, sending messages via Exchange and Teams, and reading a Planner task list. It also included some administrative actions like conducting an eDiscovery search, running some Exchange PowerShell cmdlets, and so on. No set of audit events for any single user will be 100% representative of what you’ll find across Microsoft 365, but I am confident that the results found in this set of audit records demonstrates the problem.

The script unpacks the audit payload for each event to extract a small set of properties for the report. A large Switch statement is used to interpret each type of event. It would be practically impossible to include every possible event, so I concentrated on common events and some that illustrate the problem.

In some cases, some of the properties contained in compliance audit records are obscured through Base64 encoding. Unfortunately, the encoding is resistant to PowerShell decoding unless you remove spurious characters at the end of the string. For example, here’s how the script handles events for the Get-ComplianceSearch action (retrieve details of a content search):

"Get-ComplianceSearch" {
   $Action = 'Compliance search retrieved'
   If ($AuditData.Parameters -eq '-ResultSize "Unlimited"' ) {
      $Object = "All results"
    } Else {
      $Object = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String( $AuditData.Parameters.Split('"')[1].SubString(0,32)))
    }
      $Location = $AuditData.Workload
      $Workload = 'eDiscovery'
   }

Some audit events contain details for multiple events. This is done for very good reason as the actions being captured are very common and would otherwise flood the audit log with data. The MailItemsAccessed event is a good example. This event is now available to Purview Audit Standard (Office 365 E3) customers and captures details of email items accessed by a user. The audit payload for a MailItemsAccessed event can contain details of 20 or 30 messages. MailItemsAccessed events can also contain details of sync actions (see this article and the associated script for details).

You can download the script to generate a report of user audit events for a day from GitHub. It’s easy to add processing for other events if you wish.

Consistency Would Make Administration Easier

The bottom line is that interpreting audit events takes a lot of knowledge and persistence. Like anything else in technology, the combination brings you a long way. It’s regrettable that Microsoft has allowed a situation to develop where nearly 2,000-odd audit events might need different processing to extract real value. Life would be so much easier if audit data was more consistent.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.