Azure Information Protection audit log reference (public preview)
Note
Are you looking for Microsoft Purview Information Protection? The Azure Information Protection unified labeling client is currently in maintenance mode. We recommend enabling Microsoft Purview Information Protection's built-in labeling for your Office 365 applications. Learn more.
As of March 18, 2022, we are sunsetting the AIP audit log and analytics, with a full retirement date of September 30, 2022. For more information, see Removed and retired services.
This article lists the activity events for which Azure Information Protection audit logs are generated. Azure Information Protection collects data from desktop apps only, and not from mobile devices. For more information, see the details in the Platform columns in this article.
The Azure Information Protection audit log feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Access audit logs
Access audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling client | Windows, SharePoint, OneDrive | Office | Generated each time a labeled or protected file is opened. Note: For protected files, Access audit logs are generated only when the file is opened and the content is successfully decrypted and exposed to the user. For protected emails in Outlook, Access audit logs are also generated each time the user attempts to open an encrypted email, even if the decryption is blocked due to a lack of permissions. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a labeled or protected file is accessed by a third-party application that supports it. |
| RMS service | Windows | Office | Generated each time a labeled or protected document is accessed. |
Access denied audit logs
Access denied audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| RMS service | Windows | Office | Generated each time a user attempts to access a protected document for which they have no permissions. |
Change protection audit logs
Change protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling client | Windows, SharePoint, OneDrive | Office | Generated each time the protection on an unlabeled document is changed manually. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time the protection on an unlabeled document is changed manually. Generated only if supported by the third-party application. |
Discover audit logs
Discover audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling scanner | Windows | Office | Generated each time a file is scanned by the AIP scanner. The log includes the following details: - Matched information types - Labels |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a file is scanned by a third-party application that supports it. The log includes the following details: - Matched information types - Labels |
| Azure Information Protection unified labeling viewer | Windows | AIP Unified Labeling Viewer | Generated each time a labeled or protected file is opened within the organization. |
Downgrade label audit logs
Downgrade label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a document label is updated with a less sensitive label. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a document label is updated with a less sensitive label. Generated only if supported by the third-party application. |
File removed audit logs
Note
File removed audit logs are supported only in Azure Information Protection scanner version 2.7.96.0 and later.
File removed audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection scanner, Unified labeling client | Windows | Office and supported file types | Generated each time the AIP scanner detects that a previously scanned file has been removed. |
New label audit logs
New label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling scanner and client | Windows, SharePoint, One Drive | Office | Generated each time new label is applied. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a new document label is applied. Generated only when supported by the third-party application. |
New protection audit logs
New protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling client | Windows, SharePoint, One Drive | Office | Generated each time protection is newly added manually, without a label. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time protection is newly added manually, without a label. Generated only when supported by the third-party application. |
Remove label audit logs
Remove label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a label is removed. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a label is removed. Generated only when supported by the third-party application. |
Remove protection audit logs
Remove protection audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling client | Windows, SharePoint, One Drive | Office | Generated each time protection is manually removed, without a label. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time protection is manually removed, without a label. Generated only when supported by the third-party application. |
Upgrade label audit logs
Upgrade label audit logs are generated for the following activities:
| Reported by | Platform | Application | Action / Description |
|---|---|---|---|
| Azure Information Protection unified labeling scanner and client | Windows, SharePoint, One Drive | Office | Generated each time a document label is updated with a more sensitive label. |
| Microsoft Information Protection (MIP) SDK | Any | Third-party applications | Generated each time a document label is updated with a more sensitive label. Generated only when supported by the third-party application. |
Next steps
AIP audit logs are also sent to the Microsoft 365 Activity Explorer, where they may be displayed with different names.
For more information, see:
- Get started with activity explorer
- Labeling activity reference in activity explorer, including mapping between names displayed in AIP and in the Microsoft 365 activity explorer
- Central reporting for Azure Information Protection (public preview)
To prevent the Azure Information Protection unified labeling client from sending auditing data, configure a label policy advanced setting.