Admin Guide: Azure Information Protection unified labeling client files and client usage logging
Note
Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in for Office is now in maintenance mode and we recommend you use labels that are built in to your Office 365 apps and services. Learn more about the support status of other Azure Information Protection components.
After you have installed the Azure Information Protection unified labeling client, you might need to know where files are located and monitor how the client is being used.
Usage logging is supported with the Azure Information Protection unified labeling client version 2.12.62 and higher.
Turn on usage logging
To turn on support for usage logging for both the unified labeling client and scanner, set the registry key as follows:
- Registry path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\EnableLoggingAuditEventsToEventLog
- Type: DWORD
- Value: 1
Log file locations
Client and scanner log files are located in the following locations on your unified labeling client machine:
- \ProgramFiles (x86)\Microsoft Azure Information Protection (64-bit operating systems only)
- \Program Files\Microsoft Azure Information Protection (32-bit operating systems only)
- %localappdata%\Microsoft\MSIP
Client-side usage logging
Note
Client-side usage logging is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The unified labeling client logs user activity to the local Windows event log Applications and Services Logs > Azure Information Protection.
Logged events for the client include the following information:
Client version
IP addresses of the signed in user
File name and location
Action:
Set label: Information ID 101
Remove label: Information ID 104
Discover label: Information ID 106
Apply custom protection: Information ID 201
Remove custom protection: Information ID 202
The events for Outlook warn, justify, and block messages require advanced client settings. For more information, see Implement pop-up messages in Outlook that warn, justify, or block emails being sent.
Scanner-side usage logging
Scanner activities are logged to the following local Windows event log: Applications and Services Logs > Azure Information Protection Scanner
Logged events for the scanner include the following information:
Computer name of the scanner machine
SID (Security identifier) of the signed in scanner user
Action, one of the following message types:
Info messages, one of the following messages:
Scan started: Information ID 1001
Scan finished: Information ID 1002
Change event: Information ID 1003
Discover event: Information ID 1004
File removed: Information ID 1005
DLP rule matched: Information ID 1006
Permissions report: Information ID 1007
Warning message:
Warning message: Information ID 2001
Scan canceled: Information ID 2002
Error message, one of the following messages:
Unknown error: Information ID 3001
No automatic labeling conditions: Information ID 3002
Database error: Information ID 3003
Database schema error: Information ID 3004
No policies found: Information ID 3005
No DLP policies found: Information ID 3006
No content scan jobs found: Information ID 3007
Event data, for more information depending on the action type
Next steps
For more information, see: