Analytics and central reporting for Azure Information Protection

Note

Are you looking for Microsoft Information Protection? The Azure Information Protection unified labeling client is currently in maintenance mode. We recommend enabling Microsoft Information Protection's built-in labeling for your Office 365 applications. Learn more.

This article describes how to use the auditing solution from Microsoft Purview to view audit events generated from the Azure Information Protection Unified Labeling client. Audit events emitted to the Microsoft 365 unified audit log for central reporting are viewable in the Activity explorer, which can help you track the adoption of your labels that classify and protect your organization's data.

Audit enables you to do perform the following steps:

  • Aggregate data from your Azure Information Protection clients, Azure Information Protection scanners and Microsoft Defender for Cloud Apps.
  • View audit events in the Microsoft 365 unified audit log and Office 365 activity log for your organization.
  • Query, view and detect audit events in Activity explorer with a graphical interface in the compliance portal.

Audit events from the Microsoft 365 unified audit log

The AIP Unified Labeling client includes the Add-in for Office, the Scanner, the Viewer for Windows, the client PowerShell, and the Classify-and-Protect shell extension for Windows. All these components generate audit events that show up in the Office 365 activity logs and can be queried using the Office 365 Management Activity API.

Audit events enable an administrator to:

  • Monitor labeled and protected documents and emails across your organization.
  • Monitor user access to labeled documents and emails, and track document classification changes.

Microsoft 365 unified audit log event schema

The five events (also called “AuditLogRecordType”) specific to AIP listed below, and more details about each can be found within the API reference.

Value Member name Description
93 AipDiscover Azure Information Protection (AIP) scanner events.
94 AipSensitivityLabelAction AIP sensitivity label events.
95 AipProtectionAction AIP protection events.
96 AipFileDeleted AIP file deletion events.
97 AipHeartBeat AIP heartbeat events.

This information is accessible in the Microsoft 365 unified audit log for your organization and can be viewed in the Activity explorer.

Query Audit Events in Activity Explorer

image

The Activity explorer in the Microsoft Purview compliance portal is a graphical interface to view audit events emitted to the Microsoft 365 unified audit log. An administrator of the tenant can use built-in queries to determine whether the policies and controls implemented by your organization is effective. With up to 30 days of data available, an administrator can set filters and clearly see when and how sensitive data is handled within your organization.

To see AIP-specific activity, an administrator can begin with the following filters:

  • Activity type:
    • Label applied
    • Label changed
    • Label removed
    • Label file read
  • Application:
    • Azure Information Protection Word add-in
    • Azure Information Protection Excel add-in
    • Azure Information Protection PowerPoint add-in
    • Azure Information Protection Outlook add-in

An administrator might not see all the options in the filter, or may see more; the filter values depend on what activities are captured for your tenant. For more information about the Activity explorer, see:

Information collected and sent to Microsoft Purview from the AIP Unified Labeling client

To generate these reports, endpoints send the following types of information to the Microsoft 365 unified audit log:

  • The label action. For example, set a label, change a label, add or remove protection, automatic and recommended labels.

  • The label name before and after the label action.

  • Your organization's tenant ID.

  • The user ID (email address or UPN).

  • The name of the user's device.

  • The IP address of the user's device.

  • The relevant process name, such as outlook or msip.app.

  • The name of the application that performed the labeling, such as Outlook or File Explorer

  • For documents: The file path and file name of documents that are labeled.

  • For emails: The email subject and email sender for emails that are labeled.

  • The sensitive information types (predefined and custom) that were detected in content.

  • The Azure Information Protection client version.

  • The client operating system version.

Prevent the AIP clients from sending auditing data

To prevent the Azure Information Protection unified labeling client from sending auditing data, configure a label policy advanced setting.

Content matches for deeper analysis

Azure Information Protection lets you collect and store the actual data that's identified as being a sensitive information type (predefined or custom). For example, this can include credit card numbers that are found, as well as social security numbers, passport numbers, and bank account numbers. The content matches are displayed when you select an entry from Activity logs, and view the Activity Details.

By default, Azure Information Protection clients don't send content matches. To change this behavior so that content matches are sent, configure an advanced setting in a label policy.

Prerequisites

Audit events are enabled by default for your organization. To view audit events in Microsoft Purview, review the licensing requirements for basic and Audit (Premium) solutions.

Next steps

After reviewing the information in the reports, you may want to learn more about how to configure Microsoft Purview's auditing solution for your organization.