Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Copilot for M365

Task 1.1: Search the audit log for Copilot interactions in Microsoft Purview

When auditing Copilot interactions, Microsoft Purview Audit captures detailed events including user interactions with Copilot, the Microsoft 365 service where the activity occurred, and references to any accessed files stored in Microsoft 365. If these files have sensitivity labels, this information is also recorded. To search for these interactions with your M365 license, follow these steps:

  1. Sign into the Microsoft Purview compliance portal.

  2. If prompted, in the Welcome to the new Microsoft Purview portal dialog box, select the I agree to the terms of data flow disclosure, and Privacy Statements checkbox, and then select Try now.

  3. Select the Audit solution card.
    • If the Audit solution card isn’t displayed, select View all solutions and then select Audit from the Core section.
  4. Configure your search on the Search tab.
    • Set the Start date and End date for your search.

  5. Enter relevant keywords or phrases in the Keyword Search.

    Use asterisks (*) to replace special characters.

  6. The Admin Units menu, may not be available.

    Administrative units let you subdivide your organization into smaller units and assign specific administrators that can manage only the members of those units. Microsoft Purview role groups allow you to assign admins to specific administrative units. Microsoft Purview solutions that support administrative unit will then restrict visibility and management permissions to the members of the unit.

  7. Under Activities - friendly names, search for Copilot and select Interacted with Copilot.

    l5a1.png

    For precise searches, use Activities - operations names and enter CopilotInteraction as the operation name for Copilot activities.

  8. On the Record types dropdown menu, search for Copilot and then select CopilotInteraction.

    a2.png

  9. In the Search name box, enter Copilot Interaction.

  10. Enter specific users in the Users box or leave it blank to return entries for all users (and service accounts) in your organization.

  11. Enter File, folder, or site names for targeted searches or leave this box blank to return entries for all files and folders in your organization.

  12. Select Search to start your search job.

A maximum of 10 search jobs can be run in parallel for one user account. If a user requires more than 10 search jobs, they must wait for an In progress job to finish or delete a search job.

Limitations and considerations for auditing Copilot interactions

When implementing compliance management solutions for Copilot in Microsoft 365, it’s important to be aware of the limitations and considerations:

  • Scope of auditing: Auditing captures the occurrence of Copilot activities, such as search events, but doesn’t record the actual user prompts or responses. For detailed interaction data, eDiscovery tools should be used.

  • Admin-related changes exclusion: Changes related to Copilot administration, such as configuration adjustments, aren’t currently captured in the auditing logs.

  • Device Identity Information: Device identity information, which can be important for comprehensive auditing, isn’t included in the audit details for Copilot activities.

Application-specific limitations:

  • Copilot in Teams: When transcripts are turned off, auditing capabilities for Copilot interactions aren’t supported. Actions involving referencing transcripts aren’t captured in the audit logs.

  • Identification of Source App: The source of Copilot interactions is identified by the app name in the audit logs, such as Copilot in Word or Copilot in Teams.

Learn more:

Microsoft Purview data security and compliance protections for Microsoft Copilot

Considerations for deploying Microsoft Purview data security and compliance protections for Copilot

Auditing solutions in Microsoft Purview

Audit log activities