Azure Information Protection audit log reference (public preview)

Note

Are you looking for Microsoft Information Protection? The Azure Information Protection unified labeling client is currently in maintenance mode. We recommend enabling Microsoft Information Protection's built-in labeling for your Office 365 applications. Learn more.

As of March 18, 2022, we are sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022. For more information, see Removed and retired services.

This article lists the activity events for which Azure Information Protection audit logs are generated. Azure Information Protection collects data from desktop apps only, and not from mobile devices. For more information, see the details in the Platform columns in this article.

The Azure Information Protection audit log feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Access audit logs

Access audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling client Windows, SharePoint, OneDrive Office Generated each time a labeled or protected file is opened.

Note: For protected files, Access audit logs are generated only when the file is opened and the content is successfully decrypted and exposed to the user.
For protected emails in Outlook, Access audit logs are also generated each time the user attempts to open an encrypted email, even if the decryption is blocked due to a lack of permissions.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a labeled or protected file is accessed by a third-party application that supports it.
RMS service Windows Office Generated each time a labeled or protected document is accessed.

Access denied audit logs

Access denied audit logs are generated for the following activities:

Reported by Platform Application Action / Description
RMS service Windows Office Generated each time a user attempts to access a protected document for which they have no permissions.

Change protection audit logs

Change protection audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling client Windows, SharePoint, OneDrive Office Generated each time the protection on an unlabeled document is changed manually.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time the protection on an unlabeled document is changed manually.
Generated only if supported by the third-party application.

Discover audit logs

Discover audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling scanner Windows Office Generated each time a file is scanned by the AIP scanner.
The log includes the following details:
- Matched information types
- Labels
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a file is scanned by a third-party application that supports it.
The log includes the following details:
- Matched information types
- Labels
Azure Information Protection unified labeling viewer Windows AIP Unified Labeling Viewer Generated each time a labeled or protected file is opened within the organization.

Downgrade label audit logs

Downgrade label audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling scanner and client Windows, SharePoint, One Drive Office Generated each time a document label is updated with a less sensitive label.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a document label is updated with a less sensitive label.
Generated only if supported by the third-party application.

File removed audit logs

Note

File removed audit logs are supported only in Azure Information Protection scanner version 2.7.96.0 and later.

File removed audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection scanner, Unified labeling client Windows Office and supported file types Generated each time the AIP scanner detects that a previously scanned file has been removed.

New label audit logs

New label audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling scanner and client Windows, SharePoint, One Drive Office Generated each time new label is applied.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a new document label is applied.
Generated only when supported by the third-party application.

New protection audit logs

New protection audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling client Windows, SharePoint, One Drive Office Generated each time protection is newly added manually, without a label.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time protection is newly added manually, without a label.
Generated only when supported by the third-party application.

Remove label audit logs

Remove label audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling scanner and client Windows, SharePoint, One Drive Office Generated each time a label is removed.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a label is removed.
Generated only when supported by the third-party application.

Remove protection audit logs

Remove protection audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling client Windows, SharePoint, One Drive Office Generated each time protection is manually removed, without a label.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time protection is manually removed, without a label.
Generated only when supported by the third-party application.

Upgrade label audit logs

Upgrade label audit logs are generated for the following activities:

Reported by Platform Application Action / Description
Azure Information Protection unified labeling scanner and client Windows, SharePoint, One Drive Office Generated each time a document label is updated with a more sensitive label.
Microsoft Information Protection (MIP) SDK Any Third-party applications Generated each time a document label is updated with a more sensitive label.
Generated only when supported by the third-party application.

Next steps

AIP audit logs are also sent to the Microsoft 365 Activity Explorer, where they may be displayed with different names.

For more information, see:

To prevent the Azure Information Protection unified labeling client from sending auditing data, configure a label policy advanced setting.