Office 365 Management Activity API schema (2024)

Table of Contents
In this article Office 365 Management API schemas Common schema Enum: AuditLogRecordType - Type: Edm.Int32 Enum: User Type - Type: Edm.Int32 Enum: AuditLogScope - Type: Edm.Int32 Complex Type AppAccessContext Enum: ItemType - Type: Edm.Int32 Enum: EventSource - Type: Edm.Int32 Project schema Enum: Project Action - Type: Edm.Int32 Enum: Project Entity - Type: Edm.Int32 Exchange Admin schema Exchange Mailbox schema Enum: LogonType - Type: Edm.Int32 ExchangeMailboxAuditGroupRecord schema ExchangeMailboxAuditRecord schema ExchangeItem complex type ExchangeFolder complex type Azure Active Directory Base schema Enum: AzureActiveDirectoryEventType - Type -Edm.Int32 Azure Active Directory Account Logon schema Enum: CredentialType - Type: Edm.Int32 Enum: LoginType - Type: Edm.Int32 Enum: AuthenticationMethod - Type: Edm.Int32 Azure Active Directory schema Complex Type IdentityTypeValuePair Enum: IdentityType - Type: Edm.Int32 Azure Active Directory Secure Token Service (STS) Logon schema DLP schema ExchangeMetadata complex type EndpointMetadata complex type PolicyDetails complex type Rules complex type ConditionsMatched complex type SensitiveInformation complex type SensitiveInformationDetailedClassificationAttributes complex type SensitiveInformationDetections complex type ExceptionInfo complex type Security and Compliance Center schema Security and Compliance Alerts schema Yammer schema Data Center Security Base schema Enum: DataCenterSecurityEventType - Type: Edm.Int32 Data Center Security Cmdlet schema Microsoft Teams schema MicrosoftTeamsMember complex type Enum: MemberRoleType - Type: Edm.Int32 KeyValuePair complex type Enum: AddOnType - Type: Edm.Int32 HostedContent complex type Message complex type Microsoft Defender for Office 365 and Threat Investigation and Response schema Email message events Detection technologies AttachmentData complex type SystemOverrides complex type AuthDetails complex type Enum: FileVerdict - Type: Edm.Int32 Enum: Policy - Type: Edm.Int32 Enum: PolicyAction - Type: Edm.Int32 URL time-of-click events Enum: URLClickAction - Type: Edm.Int32 File events FileData complex type Enum: SourceWorkload - Type: Edm.Int32 Submission schema Submission events Automated investigation and response events in Office 365 Main investigation schema Actions Entities Hygiene events schema Power BI schema MembershipInformationType complex type SharingInformationType complex type Dynamics 365 schema Dynamics 365 base schema Dynamics 365 entity operation schema Workplace Analytics schema Quarantine schema Enum: RequestType - Type: Edm.Int32 Enum: RequestSource - Type: Edm.Int32 Microsoft Forms schema Enum: FormsUserTypes - Type: Edm.Int32 Enum: FormTypes - Type: Edm.Int32 MIP label schema Encrypted message portal events schema Communication compliance Exchange schema Enum: ExchangeDetails - Type: ExchangeDetails Enum: AttachmentDetails - Type: Edm.Int32 Reports schema Compliance connector schema Enum: FailureType - Type: Edm.Int32 Attachment complex type SystemSync schema DataLakeExportOperationAuditRecord AipDiscover AipSensitivityLabelAction AipProtectionAction AipFileDeleted AipHeartBeat Viva Goals schema Microsoft Planner schema Enum: ResultStatus - Type: Edm.Int32 PlannerPlan record type Enum: ContainerType - Type Edm.Int32 Enum: PlanAccessLevel - Type Edm.Int32 PlannerCopyPlan record type PlannerTask record type PlannerRoster record type PlannerPlanList record type PlannerTaskList record type PlannerTenantSettings record type PlannerRosterSensitivityLabel record type Enum: SensitivityLabelAssignmentMethod - Type Edm.Int32 Microsoft Project for the web schema ProjectForThewebProject record type ProjectForThewebTask record type ProjectForThewebRoadmap record type ProjectForThewebRoadmapItem record type Complex Type AdditionalInfo ProjectForThewebProjectSetting record type ProjectForThewebRoadampSetting record type ProjectForThewebAssignedToMeSetting record type In this article FAQs References

Edit

Share via

  • Article

The Office 365 Management Activity API schema is provided as a data service in two layers:

  • Common schema. The interface to access core Office 365 auditing concepts such as Record Type, Creation Time, User Type, and Action as well as to provide core dimensions (such as User ID), location specifics (such as Client IP address), and service-specific properties (such as Object ID). It establishes consistent and uniform views for users to extract all Office 365 audit data in a few top level views with the appropriate parameters, and provides a fixed schema for all the data sources, which significantly reduces the cost of learning. Common schema is sourced from product data that is owned by each product team, such as Exchange, SharePoint, Azure Active Directory, Yammer, and OneDrive for Business. The Object ID field can be extended by Microsoft 365 product teams to add service-specific properties.

  • Service-specific schema. Built on top of the Common schema to provide a set of Microsoft 365 service-specific attributes; for example, SharePoint schema, OneDrive for Business schema, and Exchange admin schema.

Office 365 Management API schemas

This article provides details on the Common schema as well as service-specific schemas. The following table describes the available schemas.

Name of schemaDescription
Common schemaThe view to extract Record Type, User ID, Client IP, User type and Action along with core dimensions such as user properties (such as UserID), location properties (such as Client IP), and service-specific properties (such as Object Id).
Copilot schemaEvents include how and when to interact with Copilot, in which Microsoft 365 service the activity took place, and references to the files stored in Microsoft 365 that were accessed during the interaction.
SharePoint Base schemaExtends the Common schema with the properties specific to all SharePoint audit data.
SharePoint File OperationsExtends the SharePoint Base schema with the properties specific to file access and manipulation in SharePoint.
SharePoint List OperationsExtends the SharePoint Base schema with the properties specific to interactions with lists and list items in SharePoint Online.
SharePoint Sharing schemaExtends the SharePoint Base schema with the properties specific to file sharing.
SharePoint schemaExtends the SharePoint Base schema with the properties specific to SharePoint, but unrelated to file access and manipulation.
Project schemaExtends the SharePoint Base schema with the properties specific to Project.
Exchange Admin schemaExtends the Common schema with the properties specific to all Exchange admin audit data.
Exchange Mailbox schemaExtends the Common schema with the properties specific to all Exchange mailbox audit data.
Microsoft Entra ID Base schemaExtends the Common schema with the properties specific to all Microsoft Entra audit data.
Microsoft Entra account Logon schemaExtends the Microsoft Entra ID Base schema with the properties specific to all Microsoft Entra logon events.
Microsoft Entra ID Secure STS Logon schemaExtends the Microsoft Entra ID Base schema with the properties specific to all Microsoft Entra ID Secure Token Service (STS) logon events.
Microsoft Entra schemaExtends the Common schema with the properties specific to all Microsoft Entra audit data.
DLP schemaExtends the Common schema with the properties specific to Data Loss Prevention events.
Security and Compliance Center schemaExtends the Common schema with the properties specific to all Security and Compliance Center events.
Security and Compliance Alerts schemaExtends the Common schema with the properties specific to all Office 365 security and compliance alerts.
Yammer schemaExtends the Common schema with the properties specific to all Yammer events.
Data Center Security Base schemaExtends the Common schema with the properties specific to all data center security audit data.
Data Center Security Cmdlet schemaExtends the Data Center Security Base schema with the properties specific to all data center security cmdlet audit data.
Microsoft Teams schemaExtends the Common schema with the properties specific to all Microsoft Teams events.
Microsoft Defender for Office 365 and Threat Investigation and Response schemaExtends the Common schema with the properties specific to Defender for Office 365 and threat investigation and response data.
Submission schemaExtends the Common schema with the properties specific to user and admin submissions in Microsoft Defender for Office 365.
Automated investigation and response events schemaExtends the Common schema with the properties specific to Office 365 automated investigation and response (AIR) events. To see an example, see Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API.
Hygiene events schemaExtends the Common schema with the properties specific to events in Exchange Online Protection and Microsoft Defender for Office 365.
Power BI schemaExtends the Common schema with the properties specific to all Power BI events.
Dynamics 365 schemaExtends the Common schema with the properties specific to Dynamics 365 events.
Workplace Analytics schemaExtends the Common schema with the properties specific to all Microsoft Workplace Analytics events.
Quarantine schemaExtends the Common schema with the properties specific to all quarantine events.
Microsoft Forms schemaExtends the Common schema with the properties specific to all Microsoft Forms events.
MIP label schemaExtends the Common schema with the properties specific to sensitivity labels manually or automatically applied to email messages.
Encrypted message portal event schemaExtends the Common schema with the properties specific to encrypted message portal accessed by external recipients.
Communication compliance Exchange schemaExtends the Common schema with the properties specific to the Communication compliance offensive language model.
Reports schemaExtends the Common schema with the properties specific to all reports events.
Compliance connector schemaExtends the Common schema with the properties specific to importing non-Microsoft data by using data connectors.
SystemSync schemaExtends the Common schema with the properties specific to data ingested via SystemSync.
Viva Goals schemaExtends the Common schema with the properties specific to all Viva Goals events.
Microsoft Planner schemaExtends the Common schema with the properties specific to Microsoft Planner events.
Microsoft Project for the web schemaExtends the Common schema with the properties specific to Microsoft Project For The web events.

Common schema

EntityType Name: AuditRecord

ParameterTypeMandatory?Description
IdCombination GUIDEdm.GuidYesUnique identifier of an audit record.
RecordTypeSelf.AuditLogRecordTypeYesThe type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.
CreationTimeEdm.DateYesThe date and time in Coordinated Universal Time (UTC) when the user performed the activity.
OperationEdm.StringYesThe name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.
OrganizationIdEdm.GuidYesThe GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
UserTypeSelf.UserTypeYesThe type of user that performed the operation. See the UserType table for details on the types of users.
UserKeyEdm.StringYesAn alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
WorkloadEdm.StringYesThe Office 365 service where the activity occurred.
ResultStatusEdm.StringNoIndicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.

Important: Different workloads may overwrite the value of the ResultStatus property. For example, for Microsoft Entra ID STS logon events, a value of Succeeded for ResultStatus indicates only that the HTTP operation was successful; it doesn't mean the logon was successful. To determine if the actual logon was successful or not, see the LogonError property in the Microsoft Entra ID STS Logon schema. If the logon failed, the value of this property will contain the reason for the failed logon attempt.

ObjectIdEdm.stringNoFor SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
UserIdEdm.stringYesThe UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see The app@sharepoint user in audit records.
ClientIPEdm.StringYesThe IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.

For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity.

Also, for Microsoft Entra ID-related events, the IP address isn't logged and the value for the ClientIP property is null.

ScopeSelf.AuditLogScopeNoWas this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
AppAccessContextCollectionSelf.AppAccessContextNoThe application context for the user or service principal that performed the action.

Enum: AuditLogRecordType - Type: Edm.Int32

AuditLogRecordType

ValueMember nameDescription
1ExchangeAdminEvents from the Exchange admin audit log.
2ExchangeItemEvents from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.
3ExchangeItemGroupEvents from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages.
4SharePointSharePoint events.
6SharePointFileOperationSharePoint file operation events.
7OneDriveOneDrive for Business events.
8AzureActiveDirectoryMicrosoft Entra ID events.
9AzureActiveDirectoryAccountLogonMicrosoft Entra ID OrgId logon events (deprecated).
10DataCenterSecurityCmdletData Center security cmdlet events.
11ComplianceDLPSharePointData loss protection (DLP) events in SharePoint and OneDrive for Business.
13ComplianceDLPExchangeData loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported.
14SharePointSharingOperationSharePoint sharing events.
15AzureActiveDirectoryStsLogonSecure Token Service (STS) logon events in Microsoft Entra ID.
16SkypeForBusinessPSTNUsagePublic Switched Telephone Network (PSTN) events from Skype for Business.
17SkypeForBusinessUsersBlockedBlocked user events from Skype for Business.
18SecurityComplianceCenterEOPCmdletAdmin actions from the Security & Compliance Center.
19ExchangeAggregatedOperationAggregated Exchange mailbox auditing events.
20PowerBIAuditPower BI events.
21CRMDynamics 365 events.
22YammerYammer events.
23SkypeForBusinessCmdletsSkype for Business events.
24DiscoveryEvents for eDiscovery activities performed by running content searches and managing eDiscovery cases in the Security & Compliance Center.
25MicrosoftTeamsEvents from Microsoft Teams.
28ThreatIntelligencePhishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
29MailSubmissionSubmission events from Exchange Online Protection and Microsoft Defender for Office 365.
30MicrosoftFlowMicrosoft Power Automate (formerly called Microsoft Flow) events.
31AeDAdvanced eDiscovery events.
32MicrosoftStreamMicrosoft Stream events.
33ComplianceDLPSharePointClassificationEvents related to DLP classification in SharePoint.
34ThreatFinderCampaign-related events from Microsoft Defender for Office 365.
35ProjectMicrosoft Project events.
36SharePointListOperationSharePoint List events.
37SharePointCommentOperationSharePoint comment events.
38DataGovernanceEvents related to retention policies and retention labels in the Security & Compliance Center
39KaizalaKaizala events.
40SecurityComplianceAlertsSecurity and compliance alert signals.
41ThreatIntelligenceUrlSafe links time-of-block and block override events from Microsoft Defender for Office 365.
42SecurityComplianceInsightsEvents related to insights and reports in the Office 365 security and compliance center.
43MIPLabelEvents related to the detection in the Transport pipeline of email messages that have been tagged (manually or automatically) with sensitivity labels.
44WorkplaceAnalyticsWorkplace Analytics events.
45PowerAppsAppPower Apps events.
46PowerAppsPlanSubscription plan events for Power Apps.
47ThreatIntelligenceAtpContentPhishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365.
48LabelContentExplorerEvents related to data classification content explorer.
49TeamsHealthcareEvents related to the Patients application in Microsoft Teams for Healthcare.
50ExchangeItemAggregatedEvents related to the MailItemsAccessed mailbox auditing action.
51HygieneEventEvents related to outbound spam protection.
52DataInsightsRestApiAuditData Insights REST API events.
53InformationBarrierPolicyApplicationEvents related to the application of information barrier policies.
54SharePointListItemOperationSharePoint list item events.
55SharePointContentTypeOperationSharePoint list content type events.
56SharePointFieldOperationSharePoint list field events.
57MicrosoftTeamsAdminTeams admin events.
58HRSignalEvents related to HR data signals that support the Insider risk management solution.
59MicrosoftTeamsDeviceTeams device events.
60MicrosoftTeamsAnalyticsTeams analytics events.
61InformationWorkerProtectionEvents related to compromised user alerts.
62CampaignEmail campaign events from Microsoft Defender for Office 365.
63DLPEndpointEndpoint DLP events.
64AirInvestigationAutomated incident response (AIR) events.
65QuarantineQuarantine events.
66MicrosoftFormsMicrosoft Forms events.
67ApplicationAuditApplication audit events.
68ComplianceSupervisionExchangeEvents tracked by the Communication compliance offensive language model.
69CustomerKeyServiceEncryptionEvents related to the customer key encryption service.
70OfficeNativeEvents related to sensitivity labels applied to Office documents.
71MipAutoLabelSharePointItemAuto-labeling events in SharePoint.
72MipAutoLabelSharePointPolicyLocationAuto-labeling policy events in SharePoint.
73MicrosoftTeamsShiftsTeams Shifts events.
75MipAutoLabelExchangeItemAuto-labeling events in Exchange.
76CortanaBriefingBriefing email events.
78WDATPAlertsEvents related to alerts generated by Windows Defender for Endpoint.
82SensitivityLabelPolicyMatchEvents generated when the file labeled with a sensitivity label is opened or renamed.
83SensitivityLabelActionEvent generated when sensitivity labels are applied, updated, or removed from a file.
84SensitivityLabeledFileActionEvents generated when a file labeled with a sensitivity label is opened or renamed.
85AttackSimEvents related to user activities in Attack Simulation & Training in Microsoft Defender for Office 365.
86AirManualInvestigationEvents related to manual investigations in Automated investigation and response (AIR).
87SecurityComplianceRBACSecurity and compliance RBAC events.
88UserTrainingEvents related to user training in Attack Simulation & Training in Microsoft Defender for Office 365.
89AirAdminActionInvestigationEvents related to admin actions in Automated investigation and response (AIR).
90MSTICThreat intelligence events in Microsoft Defender for Office 365.
91PhysicalBadgingSignalEvents related to physical badging signals that support the Insider risk management solution.
93AipDiscoverAIP scanner events
94AipSensitivityLabelActionAIP sensitivity label events
95AipProtectionActionAIP protection events
96AipFileDeletedAIP file deletion events
97AipHeartBeatAIP heartbeat events
98MCASAlertsEvents corresponding to alerts triggered by Microsoft Cloud App Security.
99OnPremisesFileShareScannerDlpEvents related to scanning for sensitive data on file shares.
100OnPremisesSharePointScannerDlpEvents related to scanning for sensitive data in SharePoint.
101ExchangeSearchEvents related to using Outlook on the web (OWA) to search for mailbox items.
102SharePointSearchEvents related to searching an organization's SharePoint home site.
103PrivacyInsightsPrivacy insight events.
105MyAnalyticsSettingsMyAnalytics events.
106SecurityComplianceUserChangeEvents related to modifying or deleting a user.
107ComplianceDLPExchangeClassificationExchange DLP classification events.
109MipExactDataMatchExact Data Match (EDM) classification events.
113MS365DCustomDetectionEvents related to custom detection actions in Microsoft 365 Defender.
147CoreReportingSettingsReports settings events.
148ComplianceConnectorEvents related to importing non-Microsoft data using data connectors in the Microsoft Purview compliance portal.
154OMEPortalEncrypted message portal event logs generated by external recipients.
174DataShareOperationEvents related to sharing of data ingested via SystemSync.
181EduDataLakeDownloadOperationEvents related to the export of SystemSync ingested data from the lake.
183MicrosoftGraphDataConnectOperationEvents related to extractions done by Microsoft Graph Data Connect.
186PowerPagesSiteActivities related to Power Pages site.
188PlannerPlanMicrosoft Planner plan events.
189PlannerCopyPlanMicrosoft Planner copy plan events.
190PlannerTaskMicrosoft Planner task events.
191PlannerRosterMicrosoft Planner roster and roster membership events.
192PlannerPlanListMicrosoft Planner plan list events.
193PlannerTaskListMicrosoft Planner task list events.
194PlannerTenantSettingsMicrosoft Planner tenant settings events.
195ProjectForThewebProjectMicrosoft Project for the web project events.
196ProjectForThewebTaskMicrosoft Project for the web task events.
197ProjectForThewebRoadmapMicrosoft Project for the web roadmap events.
198ProjectForThewebRoadmapItemMicrosoft Project for the web roadmap item events.
199ProjectForThewebProjectSettingsMicrosoft Project for the web project tenant settings events.
200ProjectForThewebRoadmapSettingsMicrosoft Project for the web roadmap tenant settings events.
216Viva GoalsViva Goals events.
217MicrosoftGraphDataConnectConsentEvents for consent actions performed by tenant admins for Microsoft Graph Data Connect applications.
218AttackSimAdminEvents related to admin activities in Attack Simulation & Training in Microsoft Defender for Office 365.
230TeamsUpdatesTeams Updates App Events.
231PlannerRosterSensitivityLabelMicrosoft Planner roster sensitivity label events.
237DefenderExpertsforXDRAdminMicrosoft Defender Experts Administrator action events.
251VfamCreatePolicyViva Access Management policy create events.
252VfamUpdatePolicyViva Access Management policy update events.
253VfamDeletePolicyViva Access Management policy delete events.
261CopilotInteractionCopilot interaction events.
287ProjectForThewebAssignedToMeSettingsMicrosoft Project for the web assigned to me tenant settings events.

Enum: User Type - Type: Edm.Int32

User Type

ValueMember nameDescription
0RegularA regular user.
1ReservedA reserved user.
2AdminAn administrator.
3DcAdminA Microsoft datacenter operator.
4SystemA system account.
5ApplicationAn application.
6ServicePrincipalA service principal.
7CustomPolicyA custom policy.
8SystemPolicyA system policy.

Enum: AuditLogScope - Type: Edm.Int32

AuditLogScope

ValueMember nameDescription
0OnlineThis event was created by a hosted O365 service.
1OnpremThis event was created by an on-premises server.

Complex Type AppAccessContext

ParametersTypeMandatory?Description
AADSessionIdEdm.StringNoThe Microsoft Entra SessionId of the Entra sign-in that was performed by the app on behalf of the user.
APIIdEdm.StringNoThe Id for the API pathway that is used to access the resource; for example access via the Microsoft Graph API.
ClientAppIdEdm.StringNoThe Id of the Microsoft Entra app that performed the access on behalf of the user.
ClientAppNameEdm.StringNoThe name of the Microsoft Entra app that performed the access on behalf of the user.
CorrelationIdEdm.StringNoAn identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
UniqueTokenIdEdm.StringNoUniqueTokenId gets set if the Microsoft Entra token is available for the request. It's a unique, per-token identifier that is case-sensitive.
IssuedAtTimeEdm.DateNo"Issued At" gets set if the Microsoft Entra token is available for the request and it indicates when the authentication for this Microsoft Entra token occurred.
ParameterTypeMandatory?Description
SiteEdm.GuidNoThe GUID of the site where the file or folder accessed by the user is located.
ItemTypeEdm.String String="Microsoft.Office.Audit.Schema.SharePoint.ItemType"NoThe type of object that was accessed or modified. See the ItemType table for details on the types of objects.
EventSourceEdm.String String="Microsoft.Office.Audit.Schema.SharePoint.EventSource"NoIdentifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel.
SourceNameEdm.StringNoThe entity that triggered the audited operation. Possible values are SharePoint or ObjectModel.
UserAgentEdm.StringNoInformation about the user's client or browser. This information is provided by the client or browser.
MachineDomainInfoEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoInformation about device sync operations. This information is reported only if it's present in the request.
MachineIdEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoInformation about device sync operations. This information is reported only if it's present in the request.
ListItemUniqueIdEdm.GuidNoThe Guid of uniquely an identifiable item of list. This information is present only if it is applicable.
ListIdEdm.GuidNoThe Guid of the list. This information is present only if it is applicable.
ApplicationIdEdm.StringNoThe ID of the application performing the operation.
ApplicationDisplayNameEdm.StringNoThe display name of the application performing the operation.
IsWorkflowEdm.BooleanNoThis is set to True if SharePoint Workflows triggered the audited event.

Enum: ItemType - Type: Edm.Int32

ItemType

ValueMember nameDescription
0InvalidThe item is none of the other item types (that are listed in this table).
1FileThe item is a file.
5FolderThe item is a folder.
6webThe item is a web.
7SiteThe item is a site.
8TenantThe item is a tenant.
9DocumentLibraryThe item is a document library.
11PageThe item is a Page.

Enum: EventSource - Type: Edm.Int32

EventSource

ValueMember nameDescription
0SharePointThe event source is SharePoint.
1ObjectModelThe event source is ObjectModel.
Member nameDescription
AccessInvitationAcceptedThe recipient of an invitation to view or edit a shared file (or folder) has accessed the shared file by clicking on the link in the invitation.
AccessInvitationCreatedUser sends an invitation to another person (inside or outside their organization) to view or edit a shared file or folder on a SharePoint or OneDrive for Business site. The details of the event entry identifies the name of the file that was shared, the user the invitation was sent to, and the type of the sharing permission selected by the person who sent the invitation.
AccessInvitationExpiredAn invitation sent to an external user expires. By default, an invitation sent to a user outside of your organization expires after 7 days if the invitation isn't accepted.
AccessInvitationRevokedThe site administrator or owner of a site or document in SharePoint or OneDrive for Business withdraws an invitation that was sent to a user outside your organization. An invitation can be withdrawn only before it's accepted.
AccessInvitationUpdatedThe user who created and sent an invitation to another person to view or edit a shared file (or folder) on a SharePoint or OneDrive for Business site resends the invitation.
AccessRequestApprovedThe site administrator or owner of a site or document in SharePoint or OneDrive for Business approves a user request to access the site or document.
AccessRequestCreatedUser requests access to a site or document in SharePoint or OneDrive for Business that they don't have permission to access.
AccessRequestRejectedThe site administrator or owner of a site or document in SharePoint declines a user request to access the site or document.
ActivationEnabledUsers can browser-enable form templates that don't contain form code, require full trust, enable rendering on a mobile device, or use a data connection managed by a server administrator.
AdministratorAddedToTermStoreTerm store administrator added.
AdministratorDeletedFromTermStoreTerm store administrator deleted.
AllowGroupCreationSetSite administrator or owner adds a permission level to a SharePoint or OneDrive for Business site that allows a user assigned that permission to create a group for that site.
AppCatalogCreatedApp catalog created to make custom business apps available for your SharePoint Environment.
AuditPolicyRemovedDocument LifeCycle Policy has been removed for a site collection.
AuditPolicyUpdateDocument LifeCycle Policy has been updated for a site collection.
AzureStreamingEnabledSetA video portal owner has allowed video streaming from Azure.
CollaborationTypeModifiedThe type of collaboration allowed on sites (for example, intranet, extranet, or public) has been modified.
ConnectedSiteSettingModifiedUser has either created, modified or deleted the link between a project and a project site or the user modifies the synchronization setting on the link in Project web app.
CreateSSOApplicationTarget application created in Secure store service.
CustomFieldOrLookupTableCreatedUser created a custom field or lookup table/item in Project web app.
CustomFieldOrLookupTableDeletedUser deleted a custom field or lookup table/item in Project web app.
CustomFieldOrLookupTableModifiedUser modified a custom field or lookup table/item in Project web app.
CustomizeExemptUsersGlobal administrator customized the list of exempt user agents in SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file instead of an entire web page. This makes indexing InfoPath forms faster.
DefaultLanguageChangedInTermStore*Language setting changed in the terminology store.
DelegateModifiedUser created or modified a security delegate in Project web app.
DelegateRemovedUser deleted a security delegate in Project web app.
DeleteSSOApplicationAn SSO application was deleted.
eDiscoveryHoldAppliedAn In-Place Hold was placed on a content source. In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoveryHoldRemovedAn In-Place Hold was removed from a content source. In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoverySearchPerformedAn eDiscovery search was performed using an eDiscovery site collection in SharePoint.
EngagementAcceptedUser accepts a resource engagement in Project web app.
EngagementModifiedUser modifies a resource engagement in Project web app.
EngagementRejectedUser rejects a resource engagement in Project web app.
EnterpriseCalendarModifiedUser copies, modifies or delete an enterprise calendar in Project web app.
EntityDeletedUser deletes a timesheet in Project web app.
EntityForceCheckedInUser forces a check-in on a calendar, custom field or lookup table in Project web app.
ExemptUserAgentSetGlobal administrator adds a user agent to the list of exempt user agents in the SharePoint admin center.
FileAccessedUser or system account accesses a file on a SharePoint or OneDrive for Business site. System accounts can also generate FileAccessed events.
FileCheckOutDiscardedUser discards (or undos) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
FileCheckedInUser checks in a document that they checked out from a SharePoint or OneDrive for Business document library.
FileCheckedOutUser checks out a document located in a SharePoint or OneDrive for Business document library. Users can check out and make changes to documents that have been shared with them.
FileCopiedUser copies a document from a SharePoint or OneDrive for Business site. The copied file can be saved to another folder on the site.
FileDeletedUser deletes a document from a SharePoint or OneDrive for Business site.
FileDeletedFirstStageRecycleBinUser deletes a file from the recycle bin on a SharePoint or OneDrive for Business site.
FileDeletedSecondStageRecycleBinUser deletes a file from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FileDownloadedUser downloads a document from a SharePoint or OneDrive for Business site.
FileFetchedThis event has been replaced by the FileAccessed event, and has been deprecated.
FileModifiedUser or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site.
FileMovedUser moves a document from its current location on a SharePoint or OneDrive for Business site to a new location.
FilePreviewedUser previews a document on a SharePoint or OneDrive for Business site.
FileRecycledUser moves a document into the SharePoint or OneDrive Recycle Bin.
FileRenamedUser renames a document on a SharePoint or OneDrive for Business site.
FileRestoredUser restores a document from the recycle bin of a SharePoint or OneDrive for Business site.
FileSyncDownloadedFullUser downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
FileSyncDownloadedPartialThis event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
FileSyncUploadedFullUser uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).
FileSyncUploadedPartialThis event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
FileUploadedUser uploads a document to a folder on a SharePoint or OneDrive for Business site.
FileViewedThis event has been replaced by the FileAccessed event, and has been deprecated.
FolderCopiedUser copies a folder from a SharePoint or OneDrive for Business site to another location in SharePoint or OneDrive for Business.
FolderCreatedUser creates a folder on a SharePoint or OneDrive for Business site.
FolderDeletedUser deletes a folder from a SharePoint or OneDrive for Business site.
FolderDeletedFirstStageRecycleBinUser deletes a folder from the recycle bin on a SharePoint or OneDrive for Business site .
FolderDeletedSecondStageRecycleBinUser deletes a folder from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FolderModifiedUser modifies a folder on a SharePoint or OneDrive for Business site. This event includes folder metadata changes, such as tags and properties.
FolderMovedUser moves a folder from a SharePoint or OneDrive for Business site.
FolderRecycledUser moves a folder into the SharePoint or OneDrive Recycle Bin.
FolderRenamedUser renames a folder on a SharePoint or OneDrive for Business site.
FolderRestoredUser restores a folder from the Recycle Bin on a SharePoint or OneDrive for Business site.
GroupAddedSite administrator or owner creates a group for a SharePoint or OneDrive for Business site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
GroupRemovedUser deletes a group from a SharePoint or OneDrive for Business site.
GroupUpdatedSite administrator or owner changes the settings of a group for a SharePoint or OneDrive for Business site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.
LanguageAddedToTermStoreLanguage added to the terminology store.
LanguageRemovedFromTermStoreLanguage removed from the terminology store.
LegacyWorkflowEnabledSetSite administrator or owner adds the SharePoint Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
LookAndFeelModifiedUser modifies a quick launch, gantt chart formats, or group formats. Or the user creates, modifies, or deletes a view in Project web app.
ManagedSyncClientAllowedUser successfully establishes a sync relationship with a SharePoint or OneDrive for Business site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. For more information, see Use SharePoint Online PowerShell to enable OneDrive sync for domains that are on the safe recipients list.
MaxQuotaModifiedThe maximum quota for a site has been modified.
MaxResourceUsageModifiedThe maximum allowable resource usage for a site has been modified.
MySitePublicEnabledSetThe flag enabling users to have public MySites has been set by the SharePoint administrator.
NewsFeedEnabledSetSite administrator or owner enables RSS feeds for a SharePoint or OneDrive for Business site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
ODBNextUXSettingsNew UI for OneDrive for Business has been enabled.
OfficeOnDemandSetSite administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires an Office 365 subscription that includes full, installed Office applications.
PageViewedUser views a page on a SharePoint site or OneDrive for Business site. This does not include viewing document library files from a SharePoint site or One Drive for Business site on a browser.
PeopleResultsScopeSetSite administrator creates or changes the result source for People Searches for a SharePoint site.
PermissionSyncSettingModifiedUser modifies the project permission sync settings in Project web app.
PermissionTemplateModifiedUser creates, modifies or deletes a permissions template in Project web app.
PortfolioDataAccessedUser accesses portfolio content (driver library, driver prioritization, portfolio analyses) in Project web app.
PortfolioDataModifiedUser creates, modifies, or deletes portfolio data (driver library, driver prioritization, portfolio analyses) in Project web app.
PreviewModeEnabledSetSite administrator enables document preview for a SharePoint site.
ProjectAccessedUser accesses project content in Project web app.
ProjectCheckedInUser checks in a project that they checked out from a Project web app.
ProjectCheckedOutUser checks out a project located in a Project web app. Users can check out and make changes to projects that they have permission to open.
ProjectCreatedUser creates a project in Project web app.
ProjectDeletedUser deletes a project in Project web app.
ProjectForceCheckedInUser forces a check in on a project in Project web app.
ProjectModifiedUser modifies a project in Project web app.
ProjectPublishedUser publishes a project in Project web app.
ProjectWorkflowRestartedUser restarts a workflow in Project web app.
PWASettingsAccessedUser access the Project web app settings via CSOM.
PWASettingsModifiedUser modifies the a Project web app configuration.
QueueJobStateModifiedUser cancels or restarts a queue job in Project web app.
QuotaWarningEnabledModifiedStorage quota warning modified.
RenderingEnabledBrowser-enabled form templates will be rendered by InfoPath forms services.
ReportingAccessedUser accessed the reporting endpoint in Project web app.
ReportingSettingModifiedUser modifies the reporting configuration in Project web app.
ResourceAccessedUser accesses an enterprise resource content in Project web app.
ResourceCheckedInUser checks in an enterprise resource that they checked out from Project web app.
ResourceCheckedOutUser checks out an enterprise resource located in Project web app.
ResourceCreatedUser creates an enterprise resource in Project web app.
ResourceDeletedUser deletes an enterprise resource in Project web app.
ResourceForceCheckedInUser forces a checkin of an enterprise resource in Project web app.
ResourceModifiedUser modifies an enterprise resource in Project web app.
ResourcePlanCheckedInOrOutUser checks in or out a resource plan in Project web app.
ResourcePlanModifiedUser modifies a resource plan in Project web app.
ResourcePlanPublishedUser publishes a resource plan in Project web app.
ResourceRedactedUser redacts an enterprise resource removing all personal information in Project web app.
ResourceWarningEnabledModifiedResource quota warning modified.
SSOGroupCredentialsSetGroup credentials set in Secure store service.
SSOUserCredentialsSetUser credentials set in Secure store service.
SearchCenterUrlSetSearch center URL set.
SecondaryMySiteOwnerSetA user has added a secondary owner to their MySite.
SecurityCategoryModifiedUser creates, modifies or deletes a security category in Project web app.
SecurityGroupModifiedUser creates, modifies or deletes a security group in Project web app.
SendToConnectionAddedGlobal administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
SendToConnectionRemovedGlobal administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
SharedLinkCreatedUser creates a link to a shared file in SharePoint or OneDrive for Business. This link can be sent to other people to give them access to the file. A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file.
SharedLinkDisabledUser disables (permanently) a link that was created to share a file.
SharingInvitationAccepted*User accepts an invitation to share a file or folder. This event is logged when a user shares a file with other users.
SharingRevokedUser unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users.
SharingSetUser shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization.
SiteAdminChangeRequestUser requests to be added as a site collection administrator for a SharePoint site collection. Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionAdminAdded*Site collection administrator or owner adds a person as a site collection administrator for a SharePoint or OneDrive for Business site. Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionCreatedGlobal administrator creates a new site collection in your SharePoint organization.
SiteRenamedSite administrator or owner renames a SharePoint or OneDrive for Business site
StatusReportModifiedUser creates, modifies or deletes a status report in Project web app.
SyncGetChangesUser clicks Sync in the action tray on in SharePoint or OneDrive for Business to synchronize any changes to file in a document library to their computer.
SyntexBillingSubscriptionSettingsChangedThe Syntex Billing subscription settings have changed. This event is triggered when a Syntex trial expires.
TaskStatusAccessedUser accesses the status of one or more tasks in Project web app.
TaskStatusApprovedUser approves a status update of one or more tasks in Project web app.
TaskStatusRejectedUser rejects a status update of one or more tasks in Project web app.
TaskStatusSavedUser saves a status update of one or more tasks in Project web app.
TaskStatusSubmittedUser submits a status update of one or more tasks in Project web app.
TimesheetAccessedUser accesses a timesheet in Project web app.
TimesheetApprovedUser approves timesheet in Project web app.
TimesheetRejectedUser rejects a timesheet in Project web app.
TimesheetSavedUser saves a timesheet in Project web app.
TimesheetSubmittedUser submits a status timesheet in Project web app.
UnmanagedSyncClientBlockedUser tries to establish a sync relationship with a SharePoint or OneDrive for Business site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
UpdateSSOApplicationTarget application updated in Secure store service.
UserAddedToGroupSite administrator or owner adds a person to a group on a SharePoint or OneDrive for Business site. Adding a person to a group grants the user the permissions that were assigned to the group.
UserRemovedFromGroupSite administrator or owner removes a person from a group on a SharePoint or OneDrive for Business site. After the person is removed, they no longer are granted the permissions that were assigned to the group.
WorkflowModifiedUser creates, modifies, or deletes an Enterprise Project Type or Workflow phases or stages in Project web app.

The file-related SharePoint events listed in the "File and folder activities" section in Search the audit log in the compliance center use this schema.

ParameterTypeMandatory?Description
SiteUrlEdm.StringYesThe URL of the site where the file or folder accessed by the user is located.
SourceRelativeUrlEdm.StringNoThe URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user.
SourceFileNameEdm.StringYesThe name of the file or folder accessed by the user.
SourceFileExtensionEdm.StringNoThe file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder.
DestinationRelativeUrlEdm.StringNoThe URL of the destination folder where a file is copied or moved. The combination of the values for SiteURL, DestinationRelativeURL, and DestinationFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for FileCopied and FileMoved events.
DestinationFileNameEdm.StringNoThe name of the file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
DestinationFileExtensionEdm.StringNoThe file extension of a file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
UserSharedWithEdm.StringNoThe user that a resource was shared with.
SharingTypeEdm.StringNoThe type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter.
SourceLabelEdm.StringNoThe original label of the file before it's changed by a user action.
DestinationLabelEdm.StringNoThe final label of the file after it's changed by a user action.
SensitivityLabelOwnerEmailEdm.StringNoThe email address of the owner of the sensitivity label.
SensitivityLabelIdEdm.StringNoThe current sensitivity label ID of the file.

The SharePoint lists and list item related events listed in the "SharePoint list activities" section in Search the audit log in the compliance center use this schema.

ParameterTypeMandatory?Description
ListTitleEdm.StringNoThe title of the SharePoint list.
ListNameEdm.StringNoThe name of the SharePoint list.
ListUrlEdm.StringNoThe URL of the list relative to the containing website.
ListBaseTypeEdm.StringNoSpecifies the base type for a list.
ListBaseTemplateTypeEdm.StringNoThe list definition type on which the list is based.
IsHiddenListEdm.BooleanNoThis value is set to True if the SharePoint list is hidden.
IsDocLibEdm.BooleanNoThis value is set to True if the SharePoint list is of the type Document Library.

The file share-related SharePoint events. They are different from file- and folder-related events in that a user is taking an action that has some effect on another user. For information about the SharePoint Sharing schema, see Use sharing auditing in the audit log.

ParameterTypeMandatory?Description
TargetUserOrGroupNameEdm.StringNoStores the UPN or name of the target user or group that a resource was shared with.
TargetUserOrGroupTypeEdm.StringNoIdentifies whether the target user or group is a Member, Guest, Group, or Partner.
EventDataXML codeNoConveys follow-up information about the sharing action that has occurred, such as adding a user to a group or granting edit permissions.
SiteUrlEdm.StringNoThe URL of the site where the file or folder accessed by the user is located.
SourceRelativeUrlEdm.StringNoThe URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user.
SourceFileNameEdm.StringNoThe name of the file or folder accessed by the user.
SourceFileExtensionEdm.StringNoThe file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder.
UniqueSharingIdEdm.StringNoThe unique sharing ID associated with the sharing operation.

The SharePoint events listed in Search the audit log in the compliance center (excluding the file and folder events) use this schema.

ParameterTypeMandatory?Description
CustomEventEdm.StringNoOptional string for custom events.
EventDataEdm.StringNoOptional payload for custom events.
ModifiedPropertiesCollection(ModifiedProperty)NoThe property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such the user who was added as a site admin), and the previous value of the modified object.

Project schema

ParameterTypeMandatory?Description
EntityEdm.StringYesProjectEntity the audit was for.
ActionEdm.StringYesProjectAction that was taken.
OnBehalfOfResIdEdm.GuidNoThe resource Id the action was taken on behalf of.

Enum: Project Action - Type: Edm.Int32

Project action

Member nameDescription
AcceptedThe user accepted an event or workflow.
AccessedThe user accessed an entity.
ActivatedThe user activated an entity, event or workflow.
CancelledThe user cancelled an event or workflow.
CheckedInThe user check in an entity.
CheckedOutThe user checkout an entity.
CopiedThe user copied an entity.
CreatedThe user created an entity.
DeactivatedThe user deactivated an entity.
DeletedThe user deleted an entity.
ExportedThe user exported an entity.
ForceCheckedInThe user caused an entity to be force checked in.
ModifiedThe user modified an entity.
PublishedThe user published an entity.
RedactedThe user redacted an entity.
RejectedThe user rejected an entity.
RestartedThe user restarted an event or workflow.
SavedThe user saved an entity.
SentThe user sent an entity.
SubmittedThe user submitted an entity for review or workflow.

Enum: Project Entity - Type: Edm.Int32

Project entity

Member nameDescription
CustomFieldRepresents an enterprise custom field.
DriverRepresents a portfolio driver.
DriverPrioritizationRepresents a portfolio prioritization.
EngagementRepresents a resource engagement.
EnterpriseCalendarRepresents a enterprise resource calendar.
EnterpriseProjectTypeRepresents an enterprise project type.
FiscalPeriodRepresents a fiscal period.
GanttChartFormatRepresents a gantt chart format.
GroupingFormatRepresents a view grouping format.
LineClassificationRepresents a timesheet line classification.
LookupTableRepresents a enterprise lookup table.
PermissionTemplateRepresents a security permission template.
PortfolioAnalysisRepresents a portfolio analysis.
ProjectRepresents a project.
QueueJobRepresents a queue job.
QuickLaunchRepresents a quick launch item.
ReportingRepresents the reporting endpoint.
ResourceRepresents an enterprise resource.
ResourcePlanRepresents a resource plan associated with A project.
SecurityCategoryRepresents a security category.
SecurityGroupRepresents a security group.
SettingRepresents a Project web app setting
StatusingRepresents a task status update.
StatusReportRepresents a status report.
TimeReportingPeriodRepresents a period of time for a timesheet
TimesheetRepresents a timesheet entity.
TimesheetAuditLogRepresents a timesheet audit log.
TimesheetManagerRepresents the manager of a timesheet.
UserDelegateRepresents a user delegation for another user.
ViewRepresents a view definition.
WorkflowPhaseRepresents a phase in a workflow.
WorkflowStageRepresents a stage in a workflow.

Exchange Admin schema

ParametersTypeMandatoryDescription
ModifiedObjectResolvedNameEdm.StringNoThis is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object.
ParametersCollection(Common.NameValuePair)NoThe name and value for all parameters that were used with the cmdlet that is identified in the Operations property.
ModifiedPropertiesCollection(Common.ModifiedProperty)NoThe property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified object.
ExternalAccessEdm.BooleanYesSpecifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator.
OriginatingServerEdm.StringNoThe name of the server from which the cmdlet was executed.
OrganizationNameEdm.StringNoThe name of the tenant.

Exchange Mailbox schema

ParametersTypeMandatoryDescription
LogonTypeSelf.LogonTypeNoIndicates the type of user who accessed the mailbox and performed the operation that was logged.
InternalLogonTypeSelf.LogonTypeNoReserved for internal use.
MailboxGuidEdm.StringNoThe Exchange GUID of the mailbox that was accessed.
MailboxOwnerUPNEdm.StringNoThe email address of the person who owns the mailbox that was accessed.
MailboxOwnerSidEdm.StringNoThe SID of the mailbox owner.
MailboxOwnerMasterAccountSidEdm.StringNoMailbox owner account's master account SID.
LogonUserSidEdm.StringNoThe SID of the user who performed the operation.
LogonUserDisplayNameEdm.StringNoThe user-friendly name of the user who performed the operation.
ExternalAccessEdm.BooleanYesThis is true if the logon user's domain is different from the mailbox owner's domain.
OriginatingServerEdm.StringNoThis is from where the operation originated.
OrganizationNameEdm.StringNoThe name of the tenant.
ClientInfoStringEdm.StringNoInformation about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.
ClientIPAddressEdm.StringNoThe IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
ClientMachineNameEdm.StringNoThe machine name that hosts the Outlook client.
ClientProcessNameEdm.StringNoThe email client that was used to access the mailbox.
ClientVersionEdm.StringNoThe version of the email client .

Enum: LogonType - Type: Edm.Int32

LogonType

ValueMember nameDescription
0OwnerThe mailbox owner.
1AdminA person with administrative privileges for someone's mailbox.
2DelegatedA person with the delegate privileges for someone's mailbox.
3TransportA transport service in the Microsoft datacenter.
4SystemServiceA service account in the Microsoft datacenter
5BestAccessReserved for internal use.
6DelegatedAdminA delegated administrator.

ExchangeMailboxAuditGroupRecord schema

ParametersTypeMandatory?Description
FolderSelf.ExchangeFolderNoThe folder where a group of items is located.
CrossMailboxOperationsEdm.BooleanNoIndicates if the operation involved more than one mailbox.
DestMailboxIdEdm.GuidNoSet only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID.
DestMailboxOwnerUPNEdm.StringNoSet only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox.
DestMailboxOwnerSidEdm.StringNoSet only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox.
DestMailboxOwnerMasterAccountSidEdm.StringNoSet only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner.
DestFolderSelf.ExchangeFolderNoThe destination folder, for operations such as Move.
FoldersCollection(Self.ExchangeFolder)NoInformation about the source folders involved in an operation; for example, if folders are selected and then deleted.
AffectedItemsCollection(Self.ExchangeItem)NoInformation about each item in the group.

ExchangeMailboxAuditRecord schema

ParametersTypeMandatory?Description
ItemSelf.ExchangeItemNoRepresents the item upon which the operation was performed
ModifiedPropertiesCollection(Edm.String)NoTBD
SendAsUserSmtpEdm.StringNoSMTP address of the user who is being impersonated.
SendAsUserMailboxGuidEdm.GuidNoThe Exchange GUID of the mailbox that was accessed to send email as.
SendOnBehalfOfUserSmtpEdm.StringNoSMTP address of the user on whose behalf the email is sent.
SendOnBehalfOfUserMailboxGuidEdm.GuidNoThe Exchange GUID of the mailbox that was accessed to send mail on behalf of.

ExchangeItem complex type

ParametersTypeMandatory?Description
IdEdm.StringYesThe store ID.
SubjectEdm.StringNoThe subject line of the message that was accessed.
ParentFolderEdm.ExchangeFolderNoThe name of the folder where the item is located.
AttachmentsEdm.StringNoA list of the names and file size of all items that are attached to the message.

ExchangeFolder complex type

ParametersTypeMandatory?Description
IdEdm.StringYesThe store ID of the folder object.
PathEdm.StringNoThe name of the mailbox folder where the message that was accessed is located.

Azure Active Directory Base schema

ParametersTypeMandatory?Description
AzureActiveDirectoryEventTypeSelf.AzureActiveDirectoryEventTypeYesThe type of Microsoft Entra event.
ExtendedPropertiesCollection(Common.NameValuePair)NoThe extended properties of the Microsoft Entra event.
ModifiedPropertiesCollection(Common.ModifiedProperty)NoThis property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.

Enum: AzureActiveDirectoryEventType - Type -Edm.Int32

AzureActiveDirectoryEventType

Member nameDescription
AccountLogonThe account login event.
AzureApplicationAuditEventThe Azure application security event.

Azure Active Directory Account Logon schema

ParametersTypeMandatory?Description
ApplicationEdm.StringNoThe application that triggers the account login event, such as Office 15.
ClientEdm.StringNoDetails about the client device, device OS, and device browser that was used for the of the account login event.
LoginStatusEdm.Int32YesThis property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms.
UserDomainEdm.StringYesThe Tenant Identity Information (TII).

Enum: CredentialType - Type: Edm.Int32

ValueMember nameDescription
-1OtherOther authentication.
0PasswordUser credential is username and password.
1MobilePhoneUser credential is mobile phone.
2SecretQuestionUser credential is secret question.
3SecurePinUser credential is secure PIN.
4SecurePinResetUser credential is secure PIN reset.
11EasyIDUser credential is EasyID.
14PasswordIndexCredentialTypeUser credential is PasswordIndexCredentialType.
16DeviceUser credential is a device.
17ForeignRealmIndexUser credential is ForeignRealmIndex.

Enum: LoginType - Type: Edm.Int32

ValueMember nameDescription
-1OtherOther i type.
1InitialAuthLogin with initial authentication
2CookieCopyLogin with cookie.
3SilentReAuthLogin with silent re-authentication.

Enum: AuthenticationMethod - Type: Edm.Int32

ValueMember nameDescription
0MinThe authentication method is a Min
1PasswordThe authentication method is a password.
2DigestThe authentication method is a digest.
3ProxyAuthThe authentication method is a ProxyAuth.
4InfoCardThe authentication method is an InfoCard
5DATokenThe authentication method is a DAToken.
6Sha1RememberMyPasswordThe authentication method is a Sha1RememberMyPassword.
7LMPasswordHashThe authentication method is an LMPasswordHash.
8ADFSFederatedTokenThe authentication method is an ADFSFederatedToken.
9EIDThe authentication method is an EID.
10DeviceIDThe authentication method is a DeviceID.
11MD5The authentication method is MD5.
12EncProxyPasswordHashThe authentication method is a EncProxyPasswordHash.
13LWAFederationThe authentication method is a LWAFederation.
14Sha1HashedPasswordThe authentication method is a Sha1HashedPassword.
15SecurePinThe authentication method is a secure Pin.
16SecurePinResetThe authentication method is a secure PIN reset.
17SAML20PostSimpleSignThe authentication method is a SAML20PostSimpleSign.
18SAML20PostThe authentication method is a SAML20Post.
19OneTimeCodeThe authentication method is a one-time code.

Azure Active Directory schema

ParametersTypeMandatory?Description
ActorCollection(Self.IdentityTypeValuePair)NoThe user or service principal that performed the action.
ActorContextIdEdm.StringNoThe GUID of the organization that the actor belongs to.
ActorIpAddressEdm.StringNoThe actor's IP address in IPV4 or IPV6 address format.
InterSystemsIdEdm.StringNoThe GUID that track the actions across components within the Office 365 service.
IntraSystemsIdEdm.StringNoThe GUID that's generated by Azure Active Directory to track the action.
SupportTicketIdEdm.StringNoThe customer support ticket ID for the action in "act-on-behalf-of" situations.
TargetCollection(Self.IdentityTypeValuePair)NoThe user that the action (identified by the Operation property) was performed on.
TargetContextIdEdm.StringNoThe GUID of the organization that the targeted user belongs to.

Complex Type IdentityTypeValuePair

ParametersTypeMandatory?Description
IDEdm.StringYesThe value of the identity given the type.
TypeSelf.IdentityTypeYesThe type of the identity.

Enum: IdentityType - Type: Edm.Int32

IdentityType

Member nameDescription
ClaimThe identity is a claim for authorization purpose.
NameThe audit action actor or target identity display name.
OtherThe identity of the actor is other type, such as the ObjectId in GUID generated by the Office 365 service.
PUIDThe audit action actor or the target passport unique ID (PUID).
SPNThe identity of a service principal if the action is performed by the Office 365 service.
UPNThe user principal name.

Azure Active Directory Secure Token Service (STS) Logon schema

ParametersTypeMandatory?Description
ApplicationIdEdm.StringNoThe GUID that represents the application that is requesting the login. The display name can be looked up via the Azure Active Directory Graph API.
ClientEdm.StringNoClient device information, provided by the browser performing the login.
DevicePropertiesCollection(Common.NameValuePair)NoThis property includes various device details, including Id, Display name, OS, Browser, IsCompliant, IsCompliantAndManaged, SessionId, and DeviceTrustType. The DeviceTrustType property can have the following values:

0 - Microsoft Entra registered
1 - Microsoft Entra joined
2 - Hybrid Microsoft Entra joined

ErrorCodeEdm.StringNoFor failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Azure Active Directory STS (AADSTS) error code. For descriptions of these error codes, see Authentication and authorization error codes. A value of 0 indicates a successful login.
LogonErrorEdm.StringNoFor failed logins, this property contains a user-readable description of the reason for the failed login.

DLP schema

DLP events are available for Exchange Online, Endpoint(devices) and SharePoint Online, and OneDrive For Business. Note that DLP events in Exchange are only available for events based on unified DLP policy (e.g. configured via Security & Compliance Center). DLP events based on Exchange Transport Rules are not supported.

DLP (Data Loss Prevention) events will always have UserKey="DlpAgent" in the common schema. There are three types of DlpEvents that are stored as the value of the Operation property of the common schema:

  • DlpRuleMatch - This indicates a rule was matched. These events exist in all Exchange, Endpoint(devices) and SharePoint Online and OneDrive for Business. For Exchange it includes false positive and override information. For SharePoint Online and OneDrive for Business, false positive and overrides generate separate events.

  • DlpRuleUndo - These only exist in SharePoint Online and OneDrive for Business, and indicate a previously applied policy action has been "undone" – either because of false positive/override designation by user, or because the document is no longer subject to policy (either due to policy change or change to content in doc).

  • DlpInfo - These only exist in SharePoint Online and OneDrive for Business and indicate a false positive designation but no action was "undone."

ParametersTypeMandatoryDescription
SharePointMetaDataSelf.SharePointMetadataNoDescribes metadata about the document in SharePoint or OneDrive for Business that contained the sensitive information.
ExchangeMetaDataSelf.ExchangeMetadataNoDescribes metadata about the email message that contained the sensitive information.
EndpointMetaDataSelf.EndpointMetadataNoDescribes metadata about the document in endpoint that contained the sensitive information
ExceptionInfoEdm.StringNoIdentifies reasons why a policy no longer applies and/or any information about false positive and/or override noted by the end user.
PolicyDetailsCollection(Self.PolicyDetails)YesInformation about 1 or more policies that triggered the DLP event.
SensitiveInfoDetectionIsIncludedBooleanYesIndicates whether the event contains the value of the sensitive data type and surrounding context from the source content. Accessing sensitive data requires the "Read DLP policy events including sensitive details" permission in Azure Active Directory.
ParametersTypeMandatory?Description
FromEdm.StringYesThe user who triggered the event. This will be either the FileOwner, LastModifier, or LastSharer.
itemCreationTimeEdm.DateYesDatetimestamp in UTC of when event logged.
SiteCollectionGuidEdm.GuidYesThe GUID of the site collection.
SiteCollectionUrlEdm.StringYesName of the SharePoint site.
FileNameEdm.StringYesName of the path.
FileOwnerEdm.StringYesThe document owner.
FilePathUrlEdm.StringYesThe URL of the document
DocumentLastModifierEdm.StringYesThe user who last modified the document.
DocumentSharerEdm.StringYesThe user who last modified sharing of the document.
UniqueIdEdm.StringYesA guid that identifies the file.
LastModifiedTimeEdm.DateTimeYesTimestamp in UTC for when doc was last modified.
IsViewableByExternalUsersEdm.BooleanYesDetermines if the file is accessible to any external user.

ExchangeMetadata complex type

ParametersTypeMandatory?Description
MessageIDEdm.StringYesThe message ID of the email that triggered the event.
FromEdm.StringYesThe user who sent the email.
ToCollection(Edm.String)NoA collection of email addresses that were on the To line of the message.
CCCollection(Edm.String)NoA collection of email addresses that were on the CC line of the message.
BCCCollection(Edm.String)NoA collection of email addresses that were on the BCC line of the message.
SubjectEdm.StringYesSubject of the email message.
SentEdm.DateTimeYesThe time in UTC of when the email was sent.
RecipientCountEdm.Int32YesThe total number of all recipients on the TO, CC, and BCC lines of the message.

EndpointMetadata complex type

ParametersTypeMandatory?Description
SensitiveInformationCollection(Self.SensitiveInformation)NoInformation about the type of sensitive information detected.
EnforcementModeEdm.StringYesIndicate whether the DLP Rule set to 1/2/3/4/5 depicting audit/warn(block with override)/warn and bypass/block/allow(audit without alerts) respectively.
FileExtensionEdm.StringNoThe file extension of the document that contained the sensitive information.
FileTypeEdm.StringNoThe file type of the document that conatined the sensitive information.
DeviceNameEdm.StringNoThe name of the device on which DLP rule match was detected.

PolicyDetails complex type

ParametersTypeMandatory?Description
PolicyIdEdm.GuidYesThe guid of the DLP policy for this event.
PolicyNameEdm.StringYesThe friendly name of the DLP policy for this event.
RulesCollection(Self.Rules)YesInformation about the rules within the policy that were matched for this event.

Rules complex type

ParametersTypeMandatory?Description
RuleIdEdm.GuidYesThe guid of the DLP rule for this event.
RuleNameEdm.StringYesThe friendly name of the DLP rule for this event.
ActionsCollection(Edm.String)NoA list of actions taken as a result of a DLP RuleMatch event.
OverriddenActionsCollection(Edm.String)NoA list of actions previously taken that were now undone as a result of a DLPRuleUndo event.
SeverityEdm.StringNoThe severity (Low, Medium and High) of the rule match.
RuleModeEdm.StringYesIndicate whether the DLP Rule was set to Enforce, Audit with Notify, or Audit only.
ConditionsMatchedSelf.ConditionsMatchedNoDetails about what conditions of the rule were matched for this event.

ConditionsMatched complex type

ParametersTypeMandatory?Description
SensitiveInformationCollection(Self.SensitiveInformation)NoInformation about the type of sensitive information detected.
DocumentPropertiesCollection(NameValuePair)NoInformation about document properties that triggered a rule match.
OtherConditionsCollection(NameValuePair)NoA list of key value pairs describing any other conditions that were matched.

SensitiveInformation complex type

ParametersTypeMandatory?Description
ConfidenceEdm.IntYesThe aggregated confidence of all pattern matches for the Sensitive Information Type.
CountEdm.IntYesThe total number of sensitive instances detected.
LocationEdm.StringNo
SensitiveTypeEdm.GuidYesA guid that identifies the type of sensitive data detected.
SensitiveInformationDetectionsSelf.SensitiveInformationDetectionsNoAn array of objects that contain sensitive information data with the following details – matched value and context of matched value.
SensitiveInformationDetailedClassificationAttributesCollection(SensitiveInformationDetailedConfidenceLevelResult)YesInformation about the count of sensitive information type detected for each of the three confidence levels (High, Medium and Low) and wether it matches the DLP rule or not
SensitiveInformationTypeNameEdm.StringNoThe name of the sensitive information type.
UniqueCountEdm.Int32YesThe unique count of sensitive instances detected.

SensitiveInformationDetailedClassificationAttributes complex type

ParametersTypeMandatory?Description
ConfidenceEdm.int32YesThe confidence level of the pattern that was detected.
CountEdm.Int32YesThe number of sensitive instances detected for a partcular confidence level.
IsMatchEdm.BooleanYesIndicates if the given count and confidence level of the sensitive type detected results in a DLP rule match.

SensitiveInformationDetections complex type

DLP sensitive data is only available in the activity feed API to users that have been granted "Read DLP sensitive data" permissions.

ParametersTypeMandatory?Description
DetectedValuesCollection(Common.NameValuePair)YesAn array of sensitive information that was detected. Information contains key value pairs with Value = matched value (eg. Value of credit card) and Context = an excerpt from source content that contains the matched value.
ResultsTruncatedEdm.BooleanYesIndicates if the logs were truncated due to large number of results.

ExceptionInfo complex type

ParametersTypeMandatory?Description
ReasonEdm.StringNoFor a DLPRuleUndo event, this indicates why the rule no longer applies, which can be one of 3 reasons: Override, Document Change, or Policy Change
FalsePositiveEdm.BooleanNoIndicates whether the user designated this event as a false positive.
JustificationEdm.StringNoIf the user chose to override policy, any user-specified justification is captured here.
RulesCollection(Edm.Guid)NoA collection of guids for each rule that was designated as a false positive or override, or for which an action was undone.

Security and Compliance Center schema

ParametersTypeMandatoryDescription
StartTimeEdm.DateNoThe date and time at which the cmdlet was executed.
ClientRequestIdEdm.StringNoA GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
CmdletVersionEdm.StringNoThe build version of the cmdlet when it was executed.
EffectiveOrganizationEdm.StringNoThe GUID for the organization impacted by the cmdlet. (Deprecated: This parameter will stop appearing in the future.)
UserServicePlanEdm.StringNoThe Exchange Online Protection service plan assigned to the user that executed the cmdlet.
ClientApplicationEdm.StringNoIf the cmdlet was executed by an application, as opposed to remote PowerShell, this field contains that application's name.
ParametersEdm.StringNoThe name and value for parameters that were used with the cmdlet that do not include Personally Identifiable Information.
NonPiiParametersEdm.StringNoThe name and value for parameters that were used with the cmdlet that include Personally Identifiable Information. (Deprecated: This field will stop appearing in the future and its content merged with the Parameters field.)

Security and Compliance Alerts schema

Alert signals include:

  • All alerts generated based on .
  • Office 365 related alerts generated in Office 365 Cloud App Security and Microsoft Cloud App Security.

The UserId and UserKey of these events are always SecurityComplianceAlerts. There are three types of alert events that are stored as the value of the Operation property of the common schema:

  • AlertTriggered - A new alert is generated due to a policy match.

  • AlertEntityGenerated - A new entity is added to an alert. This event is only applicable to alerts generated based on Alert policies in the security and compliance center. Each generated alert can be associated with one or multiple of these events. For example, an alert policy is defined to trigger an alert if any user deletes more than 100 files in 5 minutes. If two users exceed the threshold around the same time, there will be two AlertEntityGenerated events, but only one AlertTriggered event.

  • AlertUpdated - An update was made to the metadata of an alert. This event is logged when the status of an alert is changed (for example, from "Active" to "Resolved") and when someone adds a comment to the alert.

ParametersTypeMandatoryDescription
AlertIdEdm.GuidYesThe Guid of the alert.
AlertTypeSelf.StringYesType of the alert. Alert types include:
  • System
  • Custom
NameEdm.StringYesName of the alert.
PolicyIdEdm.GuidNoThe Guid of the policy that triggered the alert.
StatusEdm.StringNoStatus of the alert. Statuses include:
  • Active

  • Investigating
  • Resolved
  • Dismissed
SeverityEdm.StringNoSeverity of the alert. Severity levels include:
  • Low
  • Medium
  • High
CategoryEdm.StringNoCategory of the alert. Categories include:
  • AccessGovernance
  • DataGovernance
  • DataLossPrevention
  • InsiderRiskManagement
  • MailFlow
  • ThreatManagement
  • Other
SourceEdm.StringNoSource of the alert. Sources include:
  • Office 365 Security & Compliance
  • Cloud App Security
CommentsEdm.StringNoComments left by the users who have viewed the alert. By default, it's "New alert".
DataEdm.StringNoThe detailed data blob of the alert or alert entity.
AlertEntityIdEdm.StringNoThe identifier for the alert entity. This parameter is only applicable to AlertEntityGenerated events.
EntityTypeEdm.StringNoType of the alert or alert entity. Entity types include:
  • User
  • Recipients
  • Sender
  • MalwareFamily
This parameter is only applicable to AlertEntityGenerated events.

Yammer schema

The Yammer events listed in will use this schema.

ParametersTypeMandatoryDescription
ActorUserIdEdm.StringNoEmail of user that performed the operation.
ActorYammerUserIdEdm.Int64NoID of user that performed the operation.
DataExportTypeEdm.StringNoReturns "data" if data export includes messages, notes, files, topics, users and groups; returns "user" if data export includes users only.
FileIdEdm.Int64NoID of the file in the operation.
FileNameEdm.StringNoName of the file in the operation. Will appear blank if not relevant to the operation.
GroupNameEdm.StringNoName of the group in the operation. Will appear blank if not relevant to the operation.
IsSoftDeleteEdm.BooleanNoReturns "true" if the network's data retention policy is set to Soft Delete; returns "false" if the network's data retention policy is set to Hard Delete.
MessageIdEdm.Int64NoID of the message in the operation.
YammerNetworkIdEdm.Int64NoNetwork ID of the user that performed the operation.
TargetUserIdEdm.StringNoEmail of target user in the operation. Will appear blank if not relevant to the operation.
TargetYammerUserIdEdm.Int64NoID of target user in the operation.
VersionIdEdm.Int64NoVersion ID of the file in the operation.

Data Center Security Base schema

ParametersTypeMandatory?Description
DataCenterSecurityEventTypeSelf.DataCenterSecurityEventTypeYesThe type of cmdlet event in lock box.

Enum: DataCenterSecurityEventType - Type: Edm.Int32

DataCenterSecurityEventType

Member nameDescription
DataCenterSecurityCmdletAuditEventThis is the enum value for cmdlet audit type event.

Data Center Security Cmdlet schema

ParametersTypeMandatory?Description
StartTimeEdm.DateYesThe start time of the cmdlet execution.
EffectiveOrganizationEdm.StringYesThe name of the tenant that the elevation/cmdlet was targeted at.
ElevationTimeEdm.DateYesThe start time of the elevation.
ElevationApproverEdm.StringYesThe name of a Microsoft manager.
ElevationApprovedTimeEdm.DateNoThe timestamp for when the elevation was approved.
ElevationRequestIdEdm.GuidYesA unique identifier for the elevation request.
ElevationRoleEdm.StringNoThe role the elevation was requested for.
ElevationDurationEdm.Int32YesThe duration for which the elevation was active.
GenericInfoEdm.StringNoUsed for comments and other generic information.

Microsoft Teams schema

ParametersTypeMandatory?Description
ActionEdm.StringNoFor shared channel events, the action taken by the invitee or the channel owner for a share with team invite.
AddOnGuidEdm.GuidNoA unique identifier for the add-on that generated the event.
AddOnNameEdm.StringNoThe name of the add-on that generated the event.
AddOnTypeSelf.AddOnTypeNoThe type of add-on that generated this event.
ChannelGuidEdm.GuidNoA unique identifier for the channel being audited.
ChannelNameEdm.StringNoThe name of the channel being audited.
ChannelTypeEdm.StringNoThe type of channel being audited (Standard/Private).
ExtraPropertiesCollection(Self.KeyValuePair)NoA list of extra properties.
HostedContentsCollection(Self.HostedContent)NoA collection of chat or channel message hosted contents.
InviteeEdm.StringNoFor shared channel events, the UPN of the invitee team owner who accepts or declines the invite for a share with team invite.
MembersCollection(Self.MicrosoftTeamsMember)NoA list of users within a Team.
MessageIdEdm.StringNoAn identifier for a chat or channel message.
MessageURLsEdm.StringNoPresent for any URL sent in Teams messages.
MessagesCollection(Self.Message)NoA collection of chat or channel messages.
MessageSizeInBytesEdm.Int64NoThe size of a chat or channel message in bytes with UTF-16 encoding.
NameEdm.StringNoOnly present for settings events. Name of the setting that changed.
NewValueEdm.StringNoOnly present for settings events. New value of the setting.
OldValueEdm.StringNoOnly present for settings events. Old value of the setting.
SubscriptionIdEdm.StringNoA unique identifier of a Microsoft Graph change notification subscription.
TabTypeEdm.StringNoOnly present for tab events. The type of tab that generated the event.
TeamGuidEdm.GuidNoA unique identifier for the team being audited.
TeamNameEdm.StringNoThe name of the team being audited.

MicrosoftTeamsMember complex type

ParametersTypeMandatory?Description
UPNEdm.StringNoThe user principal name of the user.
RoleSelf.MemberRoleTypeNoThe role of the user within the team.
DisplayNameEdm.StringNoThe display name of the user.

Enum: MemberRoleType - Type: Edm.Int32

MemberRoleType

ValueMember nameDescription
0MemberA user who is a member of the team.
1OwnerA user who is the owner of the team.
2GuestA user who is not a member of the team.

KeyValuePair complex type

ParametersTypeMandatory?Description
KeyEdm.StringNoThe key of the key-value pair.
ValueEdm.StringNoThe value of the key-value pair.

Enum: AddOnType - Type: Edm.Int32

AddOnType

ValueMember nameDescription
1BotA Microsoft Teams bot.
2ConnectorA Microsoft Teams connector.
3TabA Microsoft Teams tab.

HostedContent complex type

ParametersTypeMandatory?Description
IdEdm.StringYesA unique identifier of the message hosted content.
SizeInBytesEdm.Int64NoThe message hosted content size in bytes.

Message complex type

ParametersTypeMandatory?Description
AADGroupIdEdm.StringNoA unique identifier of the group in Azure Active Directory that the message belongs to.
IdEdm.StringYesA unique identifier of the chat or channel message.
ChannelGuidEdm.StringNoA unique identifier of the channel the message belongs to.
ChannelNameEdm.StringNoThe name of the channel the message belongs to.
ChannelTypeEdm.StringNoThe type of the channel the message belongs to.
ChatNameEdm.StringNoThe name of the chat the message belongs to.
ChatThreadIdEdm.StringNoA unique identifier of the chat the message belongs to.
ParentMessageIdEdm.StringNoA unique identifier of the parent chat or channel message.
SizeInBytesEdm.Int64NoThe size of the message in bytes with UTF-16 encoding.
TeamGuidEdm.StringNoA unique identifier of the team the message belongs to.
TeamNameEdm.StringNoThe name of the team the message belongs to.
VersionEdm.StringNoThe version of the chat or channel message.

Microsoft Defender for Office 365 and Threat Investigation and Response schema

Microsoft Defender for Office 365 and Threat Investigation and Response events are available for Office 365 customers who have an Defender for Office 365 Plan 1, Defender for Office 365 Plan 2, or an E5 subscription. Each event in the Defender for Office 365 feed corresponds to the following that were determined to contain a threat:

  • An email message sent by or received by a user in the organization with detections that are made on messages at delivery time and from Zero hour auto purge.

  • URLs clicked by a user in the organization that were detected as malicious at time-of-click based on Safe Links in Defender for Office 365 protection.

  • A file within SharePoint Online, OneDrive for Business, or Microsoft Teams that was detected as malicious by Microsoft Defender for Office 365 protection.

  • An alert that is triggered and that started an automated investigation.

Note

Microsoft Defender for Office 365 and Office 365 Threat Investigation and Response (formerly known as Office 365 Threat Intelligence) capabilites are now part of Defender for Office 365 Plan 2, with additional threat protection capabilities. To learn more, see Microsoft Defender for Office 365 plans and pricing and the Defender for Office 365 Service Description.

Email message events

ParametersTypeMandatory?Description
AttachmentDataCollection(Self.AttachmentData)NoData about attachments in the email message that triggered the event.
DetectionTypeEdm.StringYesThe type of detection (for example, Inline - detected at delivery time; Delayed - detected after delivery; ZAP - messages removed by Zero hour auto purge). Events with ZAP detection type will typically be preceded by a message with a Delayed detection type.
DetectionMethodEdm.StringYesThe method or technology used by Defender for Office 365 for the detection.
InternetMessageIdEdm.StringYesThe Internet Message Id.
NetworkMessageIdEdm.StringYesThe Exchange Online Network Message Id.
P1SenderEdm.StringYesThe return path of sender of the email message.
P2SenderEdm.StringYesThe from sender of the email message.
PolicySelf.PolicyYesThe type of filtering policy (for example Anti-spam or Anti-phish) and related action type (such as High Confidence Spam, Spam, or Phish) relevant to the email message.
PolicySelf.PolicyActionYesThe action configured in the filtering policy (for example, Move to Junk Mail folder or Quarantine) relevant to the email message.
P2SenderEdm.StringYesThe From: sender of the email message.
RecipientsCollection(Edm.String)YesAn array of recipients of the email message.
SenderIpEdm.StringYesThe IP address that submitted the email of Office 365. The IP address is displayed in either an IPv4 or IPv6 address format.
SubjectEdm.StringYesThe subject line of the message.
VerdictEdm.StringYesThe message verdict.
MessageTimeEdm.DateYesDate and time in Coordinated Universal Time (UTC) the email message was received or sent.
EventDeepLinkEdm.StringYesDeep-link to the email event in Explorer or Real-time reports in the Office 365 Security & Compliance Center.
Delivery ActionEdm.StringYesThe original delivery action on the email message.
Original Delivery locationEdm.StringYesThe original delivery location of the email message.
Latest Delivery locationEdm.StringYesThe latest delivery location of the email message at the time of the event.
DirectionalityEdm.StringYesIdentifies whether an email message was inbound, outbound, or an intra-org message.
ThreatsAndDetectionTechEdm.StringYesThe threats and the corresponding detection technologies. This field exposes all the threats on an email message, including the latest addition on spam verdict. For example, ["Phish: [Spoof DMARC]","Spam: [URL malicious reputation]"]. The different detection threat and detection technologies are described below.
AdditionalActionsAndResultsCollection(Edm.String)NoThe additional actions that were taken on the email, such as ZAP or Manual Remediation. Also includes the corresponding results.
ConnectorsEdm.StringNoThe names and GUIDs of the connectors associated with the email.
AuthDetailsCollection(Self.AuthDetails)NoThe authentication checks that are done for the email. Also includes the values for SPF, DKIM, DMARC, and CompAuth.
SystemOverridesCollection(Self.SystemOverrides)NoOverrides that are applicable to the email. These can be system or user overrides.
Phish Confidence LevelEdm.StringNoIndicates the confidence level associated with Phish verdict. It can be Normal or High.

Note

We recommend that you use the new ThreatsAndDetectionTech field because it shows multiple verdicts and the updated detection technologies. This field also aligns with the values you would see within other experiences like Threat Explorer and Advanced Hunting.

Detection technologies

NameDescription
Advanced filterPhishing signals based on machine learning.
Anti-malware engineDetection from anti-malware engines.
CampaignMessages identified as part of a campaign.
Domain reputationAnalysis based on domain reputation.
File detonationFile attachments found to be bad during detonated analysis.
File detonation reputationFile attachment marked as bad due to previous detonation reputation.
File reputationFile attachments marked bad due to bad reputation.
Fingerprint matchingThe message was marked as bad due to previous messages.
General filterPhishing signals based on rules.
Impersonation brandThe file type of the attachment.
Impersonation domainImpersonation of domains that the customer owns or defines.
Impersonation userImpersonation of users defined by admin or learned through mailbox intelligence.
Mailbox intelligence impersonationImpersonation based on mailbox intelligence.
Mixed analysis detectionMultiple filters contributed to the verdict for this message.
Spoof DMARCDMARC authentication failure for messages.
Spoof external domainSender is trying to spoof some other domain.
Spoof intra-orgSender is trying to spoof the recipient domain.
URL detonationThe message was considered bad due to a previous malicious URL detonation.
URL detonation reputationThe message was considered bad due to malicious URL detonation.
URL malicious reputationThe message was considered bad due a malicious URL.

AttachmentData complex type

AttachmentData

ParametersTypeMandatory?Description
FileNameEdm.StringYesThe file name of the attachment.
FileTypeEdm.StringYesThe file type of the attachment.
FileVerdictSelf.FileVerdictYesThe file malware verdict.
MalwareFamilyEdm.StringNoThe file malware family.
SHA256Edm.StringYesThe file SHA256 hash.

Note

Within the Malware family, you'll be able to see the exact MalwareFamily name (for example, HTML/Phish.VS!MSR) or Malicious Payload as a static string. A Malicious Payload should still be treated as malicious email when a specific name isn't identified.

SystemOverrides complex type

SystemOverrides

ParametersTypeMandatory?Description
DetailsEdm.StringNoThe details about the specific override (such as ETR or Safe Sender) that was applied.
FinalOverrideEdm.StringNoIndicates the override that impacted the delivery in the case of multiple overrides.
ResultEdm.StringNoIndicates whether the email was set to allowed or blocked based on the override.
SourceEdm.StringNoIndicates whether the override was user-configured or tenant-configured.

AuthDetails complex type

AuthDetails

ParametersTypeMandatory?Description
NameEdm.StringNoThe name of the specific auth check, such as DKIM or DMARC.
ValueEdm.StringNoThe value associated with the specific auth check, such as True or False.

Enum: FileVerdict - Type: Edm.Int32

FileVerdict

ValueMember nameDescription
0GoodNo threats detected.
1BadMalware found in attachment.
-1ErrorScan / analysis error.
-2TimeoutScan / analysis timeout.
-3PendingScan / analysis not complete.

Enum: Policy - Type: Edm.Int32

Policy type and action type

ValueMember nameDescription
1Anti-spam, HSPMHigh Confidence Spam (HSPM) action in the Anti-spam policy.
2Anti-spam, SPMSpam (SPM) action in the Anti-spam policy.
3Anti-spam, BulkBulk action in the Anti-spam policy.
4Anti-spam, PHSHPhish (PHSH) action in the Anti-spam policy.
5Anti-phish, DIMPDomain Impersonation (DIMP) action in the Anti-phish policy.
6Anti-phish, UIMPUser Impersonation (UIMP) action in the Anti-phish policy.
7Anti-phish, SPOOFSpoof action in the Anti-phish policy.
8Anti-phish, GIMPMailbox intelligence action in the Anti-phish policy.
9Anti-malware, AMPMalware policy action in the Anti-malware policy.
10Safe attachment, SAPPolicy action in the Safe attachments in Defender for Office 365 policy.
11Exchange transport rule, ETRPolicy action in the Exchange Transport Rule.
12Anti-malware, ZAPMMalware policy action in the Anti-malware policy applied to Zero-hour auto purge (ZAP).
13Anti-phish, ZAPPPhish policy action in the Anti-phish policy applied to ZAP.
14Anti-phish, ZAPSSpam policy action in the Anti-spam policy applied to ZAP.
15Anti-spam, High confidence phish email (HPHISH)High confidence Phish policy action in Anti-spam policy.
17Anti-spam, Outbound spam policy (OSPM)Policy action in the outbound spam filter policy in Anti-spam.

Enum: PolicyAction - Type: Edm.Int32

Policy action

ValueMember nameDescription
0MoveToJMFPolicy action is to move to Junk Mail folder.
1AddXHeaderPolicy action is to add X-header to the email message.
2ModifySubjectPolicy action is to modify subject in the email message with information specified by the filtering policy.
3RedirectPolicy action is to redirect email message to email address specificed by the filtering policy.
4DeletePolicy action is to delete (drop) the email message.
5QuarantinePolicy action is to quarantine the email message.
6NoActionPolicy is configured to take no action on the email message.
7BccMessagePolicy action is to Bcc the email message to email address specificed by the filtering policy.
8ReplaceAttachmentPolicy action is to replace the attachment in the email message as specified by the filtering policy.

URL time-of-click events

ParametersTypeMandatory?Description
UserIdEdm.StringYesIdentifier (for example, email address) for the user who clicked on the URL.
AppNameEdm.StringYesOffice 365 service from which the URL was clicked (for example, Mail).
URLClickActionSelf.URLClickActionYesClick action for the URL based on the organization's policies for Safe Links in Defender for Office 365.
SourceIdEdm.StringYesIdentifier for the Office 365 service from which the URL was clicked (for example, for mail this is the Exchange Online Network Message Id).
TimeOfClickEdm.DateYesThe date and time in Coordinated Universal Time (UTC) when the user clicked the URL.
URLEdm.StringYesURL clicked by the user.
UserIpEdm.StringYesThe IP address for the user who clicked the URL. The IP address is displayed in either an IPv4 or IPv6 address format.

Enum: URLClickAction - Type: Edm.Int32

URLClickAction

ValueMember nameDescription
2BlockpageUser blocked from navigating to the URL by Safe Links in Defender for Office 365.
3PendingDetonationPageUser presented with the detonation pending page by Safe Links in Defender for Office 365.
4BlockPageOverrideUser blocked from navigating to the URL by Safe Links in Defender for Office 365; however user overrode block to navigate to the URL.
5PendingDetonationPageOverrideUser presented with the detonation page by Safe Links in Defender for Office 365; however user overrode to navigate to the URL.

File events

ParametersTypeMandatory?Description
FileDataSelf.FileDataYesData about the file that triggered the event.
SourceWorkloadSelf.SourceWorkloadYesWorkload or service where the file was found (for example, SharePoint Online, OneDrive for Business, or Microsoft Teams)
DetectionMethodEdm.StringYesThe method or technology used by Microsoft Defender for Office 365 for the detection.
LastModifiedDateEdm.DateYesThe date and time in Coordinated Universal Time (UTC) when the file was created or last modified.
LastModifiedByEdm.StringYesIdentifier (for example, an email address) for the user who created or last modified the file.
EventDeepLinkEdm.StringYesDeep-link to the file event in Explorer or Real-time reports in the Security & Compliance Center.

FileData complex type

FileData

ParametersTypeMandatory?Description
DocumentIdEdm.StringYesUnique identifier for the file in SharePoint, OneDrive, or Microsoft Teams.
FileNameEdm.StringYesName of the file that triggered the event.
FilePathEdm.StringYesPath (location) for the file in SharePoint, OneDrive, or Microsoft Teams.
FileVerdictSelf.FileVerdictYesThe file malware verdict.
MalwareFamilyEdm.StringNoThe file malware family.
SHA256Edm.StringYesThe file SHA256 hash.
FileSizeEdm.StringYesSize for the file in bytes.

Enum: SourceWorkload - Type: Edm.Int32

SourceWorkload

ValueMember name
0SharePoint Online
1OneDrive for Business
2Microsoft Teams

Submission schema

Submission events are available for every Office 365 customers since it comes with security. This includes organizations that use Exchange Online Protection and Microsoft Defender for Office 365. Each event in the submission feed corresponds to false positives or false negatives that were submitted as an:

  • Admin submission. Messages, files, or URLs submitted to Microsoft for analysis.
  • User-reported item. Messages reported by end users to the admin or Microsoft for review.

Submission events

ParametersTypeMandatory?Description
AdminSubmissionRegisteredEdm.StringNoAdmin submission is registered and is pending for processing.
AdminSubmissionDeliveryCheckEdm.StringNoAdmin submission system checked the email's policy.
AdminSubmissionSubmittingEdm.StringNoAdmin submission system is submitting the email.
AdminSubmissionSubmittedEdm.StringNoAdmin submission system submitted the email.
AdminSubmissionTriageEdm.StringNoAdmin submission is triaged by grader.
AdminSubmissionTimeoutEdm.StringNoAdmin submission is timef out with no result.
UserSubmissionEdm.StringNoSubmission was first reported by an end user.
UserSubmissionTriageEdm.StringNoUser submission is triaged by grader.
CustomSubmissionEdm.StringNoMessage reported by a user was sent to the organization's custom mailbox as set in the user reported messages settings.
AttackSimUserSubmissionEdm.StringNoThe user-reported message was actually a phish simulation training message.
AdminSubmissionTablAllowEdm.StringNoAn allow was created at time of submission to immediately take action on similar messages while it is being rescanned.
SubmissionNotificationEdm.StringNoAdmin feedback is sent to end user.

Automated investigation and response events in Office 365

Office 365 automated investigation and response (AIR) events are available for Office 365 customers who have a subscription that includes Microsoft Defender for Office 365 Plan 2 or Office 365 E5. Investigation events are logged based on a change in investigation status. For example, when an administrator takes an action that changes the status of an investigation from Pending Actions to Completed, an event is logged.

Currently, only automated investigation are logged. (Events for manually generated investigations are coming soon.) The following status values are logged:

  • InvestigationStarted
  • Nothreatsfound
  • TerminatedbySystem
  • Pending Action
  • Threats Found
  • Remediated
  • Failed
  • Terminatedbythrottling
  • TerminatedByUser
  • Running

Main investigation schema

NameTypeDescription
InvestigationIdEdm.StringInvestigation ID/GUID
InvestigationNameEdm.StringName of the investigation
InvestigationTypeEdm.StringType of the investigation. Can take one of the following values:
- User-Reported Messages
- Zapped Malware
- Zapped Phish
- Url Verdict Change

(Manual investigations are currently not available and are coming soon.)

LastUpdateTimeUtcEdm.DateUTC time of the last update for an investigation
StartTimeUtcEdm.DateStart time for an investigation
StatusEdm.StringState of investigation, Running, Pending Actions, etc.
DeeplinkURLEdm.StringDeep link URL to an investigation in Office 365 Security & Compliance Center
ActionsCollection (Edm.String)Collection of actions recommended by an investigation
DataEdm.StringData string which contains more details about investigation entities, and information about alerts related to the investigation. Entities are available in a separate node within the data blob.

Actions

FieldTypeDescription
IDEdm.StringAction ID
ActionTypeEdm.StringThe type of the action, such as email remediation
ActionStatusEdm.StringValues include:
- Pending
- Running
- Waiting on resource
- Completed
- Failed
ApprovedByEdm.StringNull if auto approved; otherwise, the username/id (this is coming soon)
TimestampUtcEdm.DateTimeThe timestamp of the action status change
ActionIdEdm.StringUnique identifier for action
InvestigationIdEdm.StringUnique identifier for investigation
RelatedAlertIdsCollection(Edm.String)Alerts related to an investigation
StartTimeUtcEdm.DateTimeTimestamp of action creation
EndTimeUtcEdm.DateTimeAction final status update timestamp
Resource IdentifiersEdm.StringConsists of the Azure Active Directory tenant ID.
EntitiesCollection(Edm.String)List of one or more affected entities by action
Related Alert IDsEdm.StringAlert related to an investigation

Entities

MailMessage (email)

FieldTypeDescription
TypeEdm.String"mail-message"
FilesCollection (Self.File)Details about the files of this message's attachments
RecipientEdm.StringThe recipient of this mail message
UrlsCollection(Self.URL)The Urls contained in this mail message
SenderEdm.StringThe sender's email address
SenderIPEdm.StringThe sender's IP address
ReceivedDateEdm.DateTimeThe received date of this message
NetworkMessageIdEdm.GuidThe network message id of this mail message
InternetMessageIdEdm.StringThe internet message id of this mail message
SubjectEdm.StringThe subject of this mail message

IP

FieldTypeDescription
TypeEdm.String"ip"
AddressEdm.StringThe IP address as a string, such as 127.0.0.1

URL

FieldTypeDescription
TypeEdm.String"url"
UrlEdm.StringThe full URL to which an entity points

Mailbox (also equivalent to the user)

FieldTypeDescription
TypeEdm.String"mailbox"
MailboxPrimaryAddressEdm.StringThe mailbox's primary address
DisplayNameEdm.StringThe mailbox's display name
UpnEdm.StringThe mailbox's UPN

File

FieldTypeDescription
TypeEdm.String"file"
NameEdm.StringThe file name without path
FileHashesCollection (Edm.String)The file hashes associated with the file

FileHash

FieldTypeDescription
TypeEdm.String"filehash"
AlgorithmEdm.StringThe hash algorithm type, which can be one of these values:
- Unknown
- MD5
- SHA1
- SHA256
- SHA256AC
ValueEdm.StringThe hash value

MailCluster

FieldTypeDescription
TypeEdm.String"MailCluster"
Determines the type of entity being discussed
NetworkMessageIdsCollection (Edm.String)List of the mail message IDs that are part of the mail cluster
CountByDeliveryStatusCollections (Edm.String)Count of mail messages by DeliveryStatus string representation
CountByThreatTypeCollections (Edm.String)Count of mail messages by ThreatType string representation
ThreatsCollections (Edm.String)The threats of mail messages that are part of the mail cluster. Threats include values like Phish and Malware.
QueryEdm.StringThe query that was used to identify the messages of the mail cluster
QueryTimeEdm.DateTimeThe query time
MailCountEdm.intThe number of mail messages that are part of the mail cluster
SourceStringThe source of the mail cluster; the value of the cluster source.

Hygiene events schema

Hygiene events are related to outbound spam protection. These events are related to users who are restricted from sending email. For more information, see:

  • Outbound spam protection

  • Remove blocked users from the Restricted Users portal in Office 365

ParametersTypeMandatory?Description
AuditEdm.StringNoSystem information related to the hygiene event.
EventEdm.StringNoThe type of hygiene event. The values for this parameter are Listed or Delisted.
EventIdEdm.Int64NoThe ID of the hygiene event type.
EventValueEdm.StringNoThe user who was impacted.
ReasonEdm.StringNoDetails about the hygiene event.

Power BI schema

The Power BI events listed in Search the audit log in the Office 365 Protection Center will use this schema.

ParametersTypeMandatory?Description
AppNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the app where the event occurred.
DashboardNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the dashboard where the event occurred.
DataClassificationEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe data classification, if any, for the dashboard where the event occurred.
DatasetNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the dataset where the event occurred.
MembershipInformationCollection(MembershipInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoMembership information about the group.
OrgAppPermissionEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoPermissions list for an organizational app (entire organization, specific users, or specific groups).
ReportNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the report where the event occurred.
SharingInformationCollection(SharingInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoInformation about the person to whom a sharing invitation is sent.
SwitchStateEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoInformation about the state of various tenant level switches.
WorkSpaceNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the workspace where the event occurred.

MembershipInformationType complex type

ParametersTypeMandatory?Description
MemberEmailEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe email address of the group.
StatusEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoNot currently populated.

SharingInformationType complex type

ParametersTypeMandatory?Description
RecipientEmailEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe email address of the recipient of a sharing invitation.
RecipientNameEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe name of the recipient of a sharing invitation.
ResharePermissionEdm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true"NoThe permission being granted to the recipient.

Dynamics 365 schema

The audit records for events related to model-driven apps in Dynamics 365 events use both a base and an entity operation schema. For more information, see Enable and use Activity Logging.

Dynamics 365 base schema

ParametersTypeMandatory?Description
CrmOrganizationUniqueNameEdm.StringYesThe unique name of the organization.
InstanceUrlEdm.StringYesThe URL to the instance.
ItemUrlEdm.StringNoThe URL to the record emitting the log.
ItemTypeEdm.StringNoThe name of the entity.
UserAgentEdm.StringNoThe unique identifier of the user GUID in the organization.
FieldsCollection(Common.NameValuePair)NoA JSON object that contains the property key-value pairs that were created or updated.

Dynamics 365 entity operation schema

Entity events from model-driven apps in Dynamics 365 use this schema to build on the Dynamics 365 base schema. This schema includes information about the entity operation that triggered the audited event.

ParametersTypeMandatory?Description
EntityIdEdm.GuidNoThe unique identifier of the entity.
EntityNameEdm.StringYesThe name of the entity in the organization. Example of entities include contact or authentication.
MessageEdm.StringYesThis parameter contains the operation that was performed in related to the entity. For example, if a new contact was created, the value of the Message property is Create and the corresponding value of the EntityName property is contact.
QueryEdm.StringNoThe parameters of the filter query that was used while executing the FetchXML operation.
PrimaryFieldValueEdm.StringNoIndicates the value for the attribute that is the primary field for the entity.

Workplace Analytics schema

The WorkPlace Analytics events listed in will use this schema.

ParametersTypeMandatory?Description
WpaUserRoleEdm.StringNoThe Workplace Analytics role of the user who performed the action.
ModifiedPropertiesCollection (Common.ModifiedProperty)NoThis property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.
OperationDetailsCollection (Common.NameValuePair)NoA list of extended properties for the setting that was changed. Each property will have a Name and Value.

Quarantine schema

The quarantine events listed in will use this schema. For more information about quarantine, see Quarantine email messages in Office 365.

ParametersTypeMandatory?Description
RequestTypeSelf.RequestTypeNoThe type of quarantine request performed by a user.
RequestSourceSelf.RequestSourceNoThe source of a quantine request can come from the Security & Compliance Center (SCC), a cmdlet, or a URLlink.
NetworkMessageIdEdm.StringNoThe network message id of quarantined email message.
ReleaseToEdm.StringNoThe recipient of the email message.

Enum: RequestType - Type: Edm.Int32

ValueMember nameDescription
0PreviewThis is a request from a user to preview an email message that is deemed to be harmful.
1DeleteThis is a request from a user to delete an email message that is deemed to be harmful.
2ReleaseThis is a request from a user to release an email message that is deemed to be harmful.
3ExportThis is a request from a user to export an email message that is deemed to be harmful.
4ViewHeaderThis is a request from a user to view the header an email message that is deemed to be harmful.
5Release requestThis is a release request from a user to release an email message that is deemed to be harmful.

Enum: RequestSource - Type: Edm.Int32

ValueMember nameDescription
0SCCThe Security & Compliance center (SCC) is the source where the request from a user to preview, delete, release, export, or view the header of a potentially harmful email message can originate from.
1CmdletA cmdlet is the source where the request from a user to preview, delete, release, export, or view the header of a potentially harmful email message can originate from.
2URLlinkThis is a source where the request from a user to preview, delete, release, export, or view the header of potentially harmful email message can originate from.

Microsoft Forms schema

The Microsoft Forms events listed in will use this schema.

ParametersTypeMandatory?Description
FormsUserTypesCollection(Self.FormsUserTypes)YesThe role of the user who performed the action. The values for this parameter are Admin, Owner, Responder, or Coauthor.
SourceAppEdm.StringYesIndicates if the action is from Forms website or from another App.
FormNameEdm.StringNoThe name of the current form.
FormIdEdm.StringNoThe Id of the target form.
FormTypesCollection(Self.FormTypes)NoIndicates whether this is a Form, Quiz, or Survey.
ActivityParametersEdm.StringNoJSON string containing activity parameters. See for more details.

Enum: FormsUserTypes - Type: Edm.Int32

FormsUserTypes

ValueForm User TypeDescription
0AdminAn administrator who has access to the form.
1OwnerA user who is the owner of the form.
2ResponderA user who has submitted a response to a form.
3CoauthorA user who has used a collaboration link provided by the form owner to login and edit a form.

Enum: FormTypes - Type: Edm.Int32

FormTypes

ValueForm TypesDescription
0FormForms that are created with the New Form option.
1QuizQuizzes that are created with the New Quiz option. A quiz is a special type of form that includes additional features such as point values, auto and manual grading, and commenting.
2SurveySurveys that are created with the New Survey option. A survey is a special type of form that includes additional features such as CMS integration and support for Flow rules.

MIP label schema

Events in the Microsoft Purview Information Protection label schema are triggered when Microsoft 365 detects an email message processed by agents in the Transport pipeline that has a sensitivity label applied to it. The sensitivity label may have been applied manually or automatically, and it may have been applied within or outside of the Transport pipeline. Sensitivity labels can be automatically applied to email messages by auto-apply label policies.

The intent of this audit schema is to represent the sum of all email activity that involves sensitivity labels. In other words, there should be an recorded audit activity for each email message that is sent to or from users in the organization that has a sensitivity label applied to it, regardless of when or how the sensitivity label was applied. For more information about sensitivity labels, see:

  • Learn about sensitivity labels

  • Apply a sensitivity label to content automatically

ParametersTypeMandatory?Description
SenderEdm.StringNoThe email address in the From field of the email message.
ReceiversCollection(Edm.String)NoAll email addresses in the To, CC, and Bcc fields of the email message.
ItemNameEdm.StringNoThe string in the Subject field of the email message.
LabelIdEdm.GuidNoThe GUID of the sensitiviy label applied to the email message.
LabelNameEdm.StringNoThe name of the sensitivity label applied to the email message.
LabelActionEdm.StringNoThe actions specified by the sensitivity label that were applied to the email message before the message entered the mail transport pipeline.
LabelAppliedDateTimeEdm.DateNoThe date the sensitivity label was applied to the email message.
ApplicationModeEdm.StringNoSpecifies how the sensitivity label was applied to the email message. The Privileged value indicates the label was manually applied by a user. The Standard value indicates the label was auto-applied by a client-side or service-side labeling process.

Encrypted message portal events schema

Events for enrypted message portal schema are triggered when when Purview Message Encryption detects an encrypted email message is accessed through the portal by an external recipient. The mail may have been encrypted manually with a sensitivity label or an RMS template, or automatically by a transport rule, a Data Loss Prevention policy, or an auto-labeling policy.

The intent of this audit schema is to represent the sum of all portal activity that involves accessing the encrypted mail by external recipients. In other words, there should be a recorded audit activity for a recipient that attempts to sign in to the portal and any activities related to accessing the encrypted mail. This includes mail sent to or from users in the organization when the mail has encryption applied to it, regardless of when or how the encryption was applied. For more information, see, Learn about encrypted message portal logs.

ParametersTypeMandatory?Description
MessageIdEdm.StringNoThe Id of the message.
RecipientEdm.StringNoRecipient email address.
SenderEdm.StringNoEmail address of sender.
AuthenticationMethodSelf.AuthenticationMethodNoAuthentication method when accessing the message, i.e. OTP, Yahoo, Gmail, Microsoft.
AuthenticationStatusSelf.AuthenticationStatusNo0 – Success, 1- Failure.
OperationStatusSelf.OperationStatusNo0 – Success, 1- Failure.
AttachmentNameEdm.StringNoName of the attachment.
OperationPropertiesCollection(Common.NameValuePair)NoExtra properties, i.e. number of OTP passcode sent, email subject, etc.

Communication compliance Exchange schema

The communication compliance events listed in the Office 365 audit log use this schema. This includes audit records for the SupervisoryReviewOLAudit operation that's generated when email message content contains offensive language identified by anti-spam models with a match accuracy of >= 99.5%.

ParametersTypeMandatory?Description
ExchangeDetailsExchangeDetailsNoProperties of the email message that triggered the SupervisoryReviewOLAudit event.

Enum: ExchangeDetails - Type: ExchangeDetails

ExchangeDetails

Member nameTypeDescription
NetworkMessageIdEdm.GuidThe network message ID of the email message.
InternetMessageIdEdm.StringThe internet message ID of the email message.
AttachmentDataCollection(AttachmentDetails)Information about files attached to the email message.
RecipientsCollection(Edm.String)The email addresses in the To, Cc, and Bcc fields of the email message.
SubjectEdm.StringThe text in the Subject field of the email message.
MessageTimeEdm.DateThe date and time the email message was sent.
FromEdm.StringThe email address in the From field of the email message.
DirectionalityEdm.StringThe origination status of the email message.

Enum: AttachmentDetails - Type: Edm.Int32

AttachmentDetails

Member nameTypeDescription
FileNameEdm.StringThe name of the file attached to the email message.
FileTypeEdm.StringThe file extension of the file attached to the email message.
SHA256Edm.StringThe SHA-256 hash of the file attached to the email message.

Reports schema

The Reports events listed in will use this schema.

ParametersTypeMandatory?Description
ModifiedPropertiesCollection (Common.ModifiedProperty)NoThis property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.

Compliance connector schema

Events in the compliance connector schema are triggered when items that are imported by a data connector are skipped or failed to be import to user mailboxes. For more information about data connectors, see Learn about connectors for third-party data.

ParametersTypeMandatory?Description
JobIdEdm.StringNoThis is a unique identifier of the data connector.
TaskIdEdm.StringNoUnique identifier of the periodic data connector instance. Data connectors import data in periodic intervals.
JobTypeEdm.StringNoThe name of the data connector.
ItemIdEdm.StringNoUnique identifier of the item (for example, an email message) being imported.
ItemSizeEdm.Int64NoThe size of the item being imported.
SourceUserIdEdm.StringNoThe unique identifier of the user from the third-party data source. For example, for a Slack data connector, this property specifies the user Id in Slack workspace.
FailureTypeSelf.FailureTypeNoIndicates the type of data import failure. For example, the value incorrectusermapping indicates the item wasn't imported because no user mapping between the third-party data source and Microsoft 365 could be found.
ResultMessageEdm.StringNoIndicates the type of failure, such as Duplicte message.
IsRetryEdm.BooleanNoIndicates whether the data connector retried to import the item.
AttachmentsCollection.AttachmentNoA list of attachments received from the third-party data source.

Enum: FailureType - Type: Edm.Int32

ValueMember name
0Default
1MailboxWrite

Attachment complex type

ParametersTypeMandatory?Description
FileNameEdm.StringNoThe name of the attachment.
DetailsEdm.StringNoOther details about the attachment.

SystemSync schema

Events in the SystemSync schema are triggered when the SystemSync ingested data is either exported via Data Lake or shared via other services.

DataLakeExportOperationAuditRecord

ParametersTypeMandatory?Description
DataStoreTypeDataStoreTypeYesIndicates which data store the data was downloaded from. Refer DataStoreType for all possible values.
UserActionDataLakeUserActionYesIndicates what action user had performed on the data store. Refer DataLakeUserAction for all possible values.
ExportTriggeredAtEdm.DateTimeOffsetYesIndicates when the data export was triggered.
NameOfDownloadedZipFileEdm.StringNoThe name of the compressed file the admin had downloaded from the Data Lake.
ParametersTypeMandatory?Description
InvitationDataShareInvitationTypeNoDetails of the invite sent to the recipient of the Data Share.
ParametersTypeMandatory?Description
ShareIdEdm.GuidYesSystem assigned identifier for the Data Share.
InviteesCollection(Edm.Guid)YesList of admin users the invite was sent to.
InviteeTenantIdEdm.GuidYesThe target tenant whom the invite is intended to.
ShareNameEdm.StringYesSystem assigned name for the Data Share.
SyncFrequencySelf.SyncFrequencyYesFrequency at which the data is synced to the destination storage account once share is established. See SyncFrequency for possible values.
SyncStartTimeEdm.DateTimeOffsetYesDate and time of first sync.

Enum: SyncFrequency - Type: Edm.Int32

ValueMember nameDescription
0HourlyIndicates the data will be synced every hour.
1DailyIndicates the data will be synced once a day.

Enum: DataStoreType - Type: Edm.Int32

ValueMember nameDescription
0CanonicalStoreIndicates data will be downloaded from Canonical store.
1StagingStoreIndicates data will be downloaded from Staging store.

Enum: DataLakeUserAction - Type: Edm.Int32

ValueMember nameDescription
0TriggerExportThe admin user triggered export from Data Lake.
1DownloadZipFileThe admin user downloaded the exported data.

MicrosoftGraphDataConnectOperation complex type

ParametersTypeMandatory?Description
ApplicationIdEdm.GuidYesThe application identification.
ApplicationNameEdm.StringYesThe application name.
PipelineNameEdm.StringYesThe pipeline name.
PipelineRunIdEdm.GuidNoThe identification of this pipeline run.
CopyActivityRunIdEdm.GuidNoThe identification of the ADF copy activity.
RunStartTimeEdm.DateYesDate and time of the extraction.
RunEndTimeEdm.DateYesDate and time of the extraction.
DatasetNameEdm.StringYesThe dataset name being extracted.
DatasetColumnsEdm.StringYesThe set of selected columns being extracted.
ScopeListEdm.StringYesThe scope of the extraction.
ScopeCountRequestedEdm.Int64NoThe requested scope count for this extraction.
ScopeCountDeliveredEdm.Int64NoThe delivered scope count for this extraction.
UndeliveredScopeEdm.StringNoThe undelivered scope of the extraction.
RowCountEdm.Int64NoThe number of rows extracted.
StatusEdm.StringYesThe extraction status.
ReasonEdm.StringNoThe error message in case of failure.

AipDiscover

The following table contains information related to Azure Information Protection (AIP) scanner events.

EventDescription
ApplicationIdThe ID of the application performing the operation.
ApplicationNameFriendly name of the application performing the operation. Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ClientIPThe IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. The IP address is displayed in either an IPv4 or IPv6 address format.
CreationTimeThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
DataStateDescribes the state of the data.
DeviceNameThe device on which the activity happened.
IdGUID of the current record.
IsProtectedWhether protected: True/False
LocationThe location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare and cloud.
ObjectIdFile full path (URL). For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user.
OperationDescribes type of access.
OrganizationIdThe GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
PlatformDevice platform (Win, OSX, Android, iOS) 
ProcessNameThe relevant process name, eg. Outlook, msip.app, WinWord.
ProductVersionVersion of the AIP client.
ProtectionOwnerRights Management owner in UPN format.
ProtectionTypeProtection type can be template or ad-hoc.
RecordTypeThe type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records. For a complete updated list and full description of the Log RecordType, see theMicrosoft 365 Compliance audit log activities via O365 Management APIblog post. Here we only list the relevant MIP Record types.
ScopeWas this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
SensitiveInfoTypeDataStores the datatype of the Sensitive Info type data.
SensitivityLabelIdThe current MIP sensitivity label GUID. Use cmdlt Get-Label to get the full values of the GUID.
TemplateIdTemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserIdThe UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
UserKeyAn alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
UserTypeThe type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = Systeml
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
VersionVersion ID of the file in the operation.
WorkloadStores The Office 365 service where the activity occurred.

AipSensitivityLabelAction

The following table contains information related to AIP sensitivity label events.

EventDescription
ApplicationIdCorresponds to the Microsoft Entra Application ID.
ApplicationNameApplication friendly name of the application performing the operation.
CreationDateThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
DataStateSpecifies the state of the data.
DeviceNameThe name of the user's device.
IdentityThe identity of the user or service to be authenticated.
IsProtectedWhether protected: True/False
IsProtectedBeforeWhether the content was protected before change: True/False
IsValidBoolean
LocationThe location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare, and cloud.
ObjectStateSpecifies the state of the object.
OperationThe operation type for the audit log.The name of the user or admin activity. For a description of the most common operations/activities:
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened.
IdentityThe identity of the user or service to be authenticated.
PSComputerNameComputer Name
PSShowComputerNameThe value is False for documented edited in Office 365.
PlatformDevice platform (Win, OSX, Android, iOS). 
ProcessNameProcess that hosts MIP SDK.
ProductVersionVersion of the Azure Information Protection client that performed the audit action.
ProtectionTypeProtection type can be template or ad-hoc.
RecordTypeShows the value of Label Action. The operation type indicated by the record. For more information, see thefull list of record types.
RunspaceIdThe Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
SensitiveInfoTypeDataStores the datatype of the Sensitive Info Type Data
TemplateIdTemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserIdThe User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.

AipProtectionAction

EventDescription
PSComputerNameComputer name
RunspaceIdThe Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
PSShowComputerNameThe value is false for a documented edited in Office 365.
RecordTypeShows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types. For more information, see the full list of record types.
CreationTimeThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
UserIdThe User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged. For example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.

OperationThe operation type for the audit log. The name of the user or admin activity. For a description of the most common operations/activities.
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened.
IdentityThe identity of the user or service to be authenticated.
ObjectStateState of the Object after the current event.
ApplicationIdThe application where the activity happened and displayed in GUID.
ApplicationNameApplication friendly name of the application performing the operation.Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ProcessNameProcess name of the Office application.
PlatformThe platform on which the activity happened. For example, Windows.
DeviceNameDevice the event was recorded on.
ProductVersionVersion of the Azure Information Protection client that performed the audit action.
UserIdThe UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.

ClientIPThe IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. The IP address is displayed in either an IPv4 or IPv6 address format.
IdGUID of the current record.
RecordTypeShows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types.
CreationTimeThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
OperationThe name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center.
OrganizationIdThe GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
UserTypeThe type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = Systeml
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKeyAn alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
WorkloadStores the Office 365 service where the activity occurred.
VersionVersion of the Azure Information Protection client that performed the audit action
ScopeSpecifies scope.

AipFileDeleted

EventDescription
PSComputerNameComputer name
RunspaceIdThe Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
PSShowComputerNameThe value is false for a documented edited in Office 365.
RecordTypeShows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types. For more information, see the full list of record types.
CreationTimeThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
UserIdThe User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged. For example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.

OperationThe operation type for the audit log. The name of the user or admin activity. For a description of the most common operations/activities.
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened.
IdentityThe identity of the user or service to be authenticated.
ObjectStateState of the Object after the current event.
ApplicationIdThe application where the activity happened and displayed in GUID.
ApplicationNameApplication friendly name of the application performing the operation.Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ProcessNameProcess name of the Office application.
PlatformThe platform on which the activity happened. For example, Windows.
DeviceNameDevice the event was recorded on.
ProductVersionVersion of the Azure Information Protection client that performed the audit action.
UserIdThe UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.

ClientIPThe IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. The IP address is displayed in either an IPv4 or IPv6 address format.
IdGUID of the current record.
RecordTypeShows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types.
CreationTimeThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
OperationThe name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center.
OrganizationIdThe GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
UserTypeThe type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = Systeml
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKeyAn alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
WorkloadStores the Office 365 service where the activity occurred.
VersionVersion of the Azure Information Protection client that performed the audit action
ScopeSpecifies scope.

AipHeartBeat

The following table contain information related to AIP heartbeat events.

EventDescription
ApplicationIdCorresponds to the Microsoft Entra Application ID.
ApplicationNameApplication friendly name of the application performing the operation.
CreationDateThe date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
DataStateSpecifies the state of the data.
DeviceNameThe name of the user's device.
IdentityThe identity of the user or service to be authenticated.
IsProtectedWhether protected: True/False
IsProtectedBeforeWhether the content was protected before change: True/False
IsValidBoolean
LocationThe location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare, and cloud.
ObjectStateSpecifies the state of the object.
OperationThe operation type for the audit log.The name of the user or admin activity. For a description of the most common operations/activities:
PSComputerNameComputer Name
PSShowComputerNameThe value is False for documented edited in Office 365.
PlatformDevice platform (Win, OSX, Android, iOS). 
ProcessNameProcess that hosts MIP SDK.
ProductVersionVersion of the Azure Information Protection client that performed the audit action.
ProtectionTypeProtection type can be template or ad-hoc.
RecordTypeShows the value of Label Action. The operation type indicated by the record. For more information, see thefull list of record types.
RunspaceIdThe Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
SensitiveInfoTypeDataStores the datatype of the Sensitive Info Type Data
TemplateIdTemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserIdThe UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
UserTypeThe type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = Systeml
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKeyAn alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.

MicrosoftGraphDataConnectConsent complex type

ParametersTypeMandatory?Description
ApplicationIdEdm.GuidYesThe application identification.
ApplicationVersionEdm.StringYesThe application version.
AppRegistrationTenantIdEdm.GuidYesThe application registration tenant id.
ApproverEdm.StringYesThe approver's user principal name.
ApprovalUpdatedDateInUTCEdm.DateYesThe update date time in UTC.
ApprovalExpiryDateInUTCEdm.DateYesThe expiry date time in UTC.
ApprovalValidDaysEdm.Int32YesThe number of days from update for which the approval will be valid.
DestinationSinksEdm.StringYesThe destination sinks.
DestinationTenantIdEdm.GuidYesThe destination tenant id.
ReasonEdm.StringNoThe reason provided by the admin who performed the operation.
StateEdm.StringYesThe consent state.
DatasetsCollectionSelf.MGDCDatasetYesDetails on the datasets which were consented to as part of this operation.

Complex Type MGDCDataset

ParametersTypeMandatory?Description
DatasetNameEdm.StringYesThe name of the dataset in the consent operation.
DatasetColumnsEdm.StringYesThe list of columns for the dataset in the consent operation.
DenyGroupsEdm.StringNoThe deny groups list for the dataset in the consent operation.
ScopeEdm.StringYesThe scope types for the dataset in the consent operation. Possible values are All, List and FilterUri.
ScopeFiltersUrisEdm.StringNoThe scope filter URI for the dataset in the consent operation.
ScopeListEdm.StringNoThe scope group list for the dataset in the consent operation.
PrivacyPolicyTypeEdm.StringYesThe privacy policy types for the dataset in the consent operation. Possible values are None and DenyList.

Viva Goals schema

The audit records for events related to Viva Goals use this schema (in addition to the Common schema). For details how you can search for the audit logs from the compliance portal, see . For details about capturing events and activities related to Viva Goals, see Audit log activities.

ParametersTypeMandatory?Description
DetailEdm.String No A description of the event or the activity that occurred in Viva Goals.
Username Edm.String
Term="Microsoft.Office.Audit.Schema.PIIFlag"
Bool="true"
No The name of the user who trigged the event.
UserRole Edm.StringNo The role of the user who trigged this event in Viva Goals. This will mention if the user is an organization admin or an owner.
OrganizationNameEdm.String
Term="Microsoft.Office.Audit.Schema.PIIFlag"
Bool="true"
No The name of the organization in Viva Goals where the event was triggered.
OrganizationOwner Edm.String 
Term="Microsoft.Office.Audit.Schema.PIIFlag"
Bool="true"
No The owner of the organization in Viva Goals where the event occurred.
OrganizationAdmins Collection(Edm.String) 
Term="Microsoft.Office.Audit.Schema.PIIFlag"
Bool="true"
No The admin(s) of the organization in Viva Goals where the event occurred. There can be one or more admins in the organization.
UserAgent Edm.String 
Term="Microsoft.Office.Audit.Schema.PIIFlag"
Bool="true"
No The user agent (browser details) of the user who trigged the event. UserAgent might not be present in case of a system generated event.
ModifiedFields Collection(Common.NameValuePair)No A list of attributes that were modified along with its new and old values output as a JSON.
ItemDetailsCollection(Common.NameValuePair)No Additional properties about the object that was modified.

Microsoft Planner schema

Microsoft Planner overwrites the definition of ObjectId and ResultStatus in the Common schema. Microsoft Planner's ObjectId definition is bound to each Microsoft Planner's record type and will be illustrated individually.

Microsoft Planner's ResultStatus is defined as the following.

Enum: ResultStatus - Type: Edm.Int32

ResultStatus

ValueMember nameDescription
1SuccessThe user request succeeded.
2FailureThe user request failed due to reasons other than authorization.
3AuthorizationFailureThe user requested failed due to failed authorization.

Microsoft Planner extends the Common schema with the following record types.

PlannerPlan record type

PropertiesTypeDescription
ObjectIdEdm.StringId of the plan requested.
ContainerTypeSelf.ContainerTypeType of the container associated with the plan.
ContainerIdEdm.StringId of the container associated with the plan.
SharedWithContainerIdEdm.StringId of the container with shared access to the plan.
SharedWithContainerTypeSelf.ContainerTypeType of the container with shared access to the plan.
SharedWithContainerAccessLevelSelf.PlanAccessLevelLevel of access given to container with shared access to the plan.

Enum: ContainerType - Type Edm.Int32

ContainerType

ValueMember nameDescription
0InvalidUsed when the requested plan is not found.
2GroupThe plan is associated with a M365 Group.
3TeamsConversationThe plan is associated with a Teams conversation.
4OfficeDocumentThe plan is associated with a Office document.
5RosterThe plan is associated with a roster group.
6ProjectThe plan originates from Microsoft Project.

Enum: PlanAccessLevel - Type Edm.Int32

PlanAccessLevel

ValueMember nameDescription
1ReadAccessAccess to read Plan
2ReadWriteAccessAccess to read and write to Plan
3FullAccessAccess to read, write and configure Plan

PlannerCopyPlan record type

PropertiesTypeDescription
ObjectIdEdm.StringId of the plan being copied.
OriginalPlanIdEdm.StringId of the plan being copied. Same as ObjectId.
OriginalContainerTypeSelf.ContainerTypeType of the container associated with the original plan.
OriginalContainerIdEdm.StringId of the container associated with the original plan.
NewPlanIdEdm.StringId of the new plan. Null when the operation failed.
NewContainerTypeSelf.ContainerTypeType of the container associated with the new plan.
NewContainerIdEdm.StringId of the container associated with the new plan.

PlannerTask record type

PropertiesTypeDescription
ObjectIdEdm.StringId of the task requested.
PlanIdEdm.StringId of the plan containing the task.

PlannerRoster record type

PropertiesTypeDescription
ObjectIdEdm.StringId of the roster requested.
MemberIdsEdm.StringA comma-separated string of member ids changed to the roster.

PlannerPlanList record type

PropertiesTypeDescription
ObjectIdEdm.StringA representation of the view query for a list of plans.
PlanListEdm.StringA comma-separated string of plan ids queried.

PlannerTaskList record type

PropertiesTypeDescription
ObjectIdEdm.StringA representation of the view query for a list of tasks.
PlanListEdm.StringA comma-separated string of task ids queried.

PlannerTenantSettings record type

PropertiesTypeDescription
ObjectIdEdm.StringOriginal tenant settings in JSON.
TenantSettingsEdm.StringNew tenant settings in JSON.

PlannerRosterSensitivityLabel record type

PropertiesTypeDescription
ObjectIdEdm.StringId of the sensitivity label. Null when the sensitivity label is removed.
RosterEdm.StringId of the roster to which the sensitivity label is changed.
AssignmentMethodSelf.SensitivityLabelAssignmentMethodThe assignment method of the sensitivity label.

Enum: SensitivityLabelAssignmentMethod - Type Edm.Int32

SensitivityLabelAssignmentMethod

ValueMember nameDescription
0StandardThe sensitivity label is automatically applied but not allowed to override a privileged label assignment.
1PrivilegedThe sensitivity label is applied manually by a user or by an admin.
2AutoThe sensitivity label is automatically applied and is allowed to override a privileged label assignment.

Microsoft Project for the web schema

Microsoft Project For The web extends the Common schema with the following record types.

ProjectForThewebProject record type

PropertiesTypeMandatory?Description
ProjectIdEdm.GuidNoId of the Project being audited.
AdditionalInfoCollectionSelf.AdditionalInfoNoAdditional information.

ProjectForThewebTask record type

PropertiesTypeMandatory?Description
ProjectIdEdm.GuidYesId of the Project being audited.
TaskIdEdm.GuidYesId of the Task being audited.
AdditionalInfoCollectionSelf.AdditionalInfoNoAdditional information.

ProjectForThewebRoadmap record type

PropertiesTypeMandatory?Description
RoadmapIdEdm.GuidYesId of the Roadmap being audited.
AdditionalInfoCollectionSelf.AdditionalInfoNoAdditional information.

ProjectForThewebRoadmapItem record type

PropertiesTypeMandatory?Description
RoadmapItemIdEdm.GuidYesId of the Roadmap Item being audited.
AdditionalInfoCollectionSelf.AdditionalInfoNoAdditional information.

Complex Type AdditionalInfo

ParametersTypeMandatory?Description
EnvironmentNameEdm.StringNoId of the environment where action was performed.

ProjectForThewebProjectSetting record type

PropertiesTypeMandatory?Description
ProjectEnabledEdm.BooleanYesThe value that was set for Project for the web (1= enabled, 0 disabled).

ProjectForThewebRoadampSetting record type

PropertiesTypeMandatory?Description
RoadmapEnabledEdm.BooleanYesThe value that was set for Roadmap (1= enabled, 0 disabled).

ProjectForThewebAssignedToMeSetting record type

PropertiesTypeMandatory?Description
AssignedToMeEnabledEdm.BooleanYesThe value that was set for AssignedToMe (1= enabled, 0 disabled).

Office 365 Management Activity API schema (2024)

FAQs

What is API Office 365 management activity? ›

The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs.

Is Microsoft 365 an API? ›

The Office 365 Management APIs use Microsoft Entra ID to provide secure authentication to Office 365 tenant data. To access the Office 365 Management APIs, you need to register your app in Microsoft Entra ID, and as part of the configuration, you'll specify the permission levels your app needs to access the APIs.

What is a Dcadmin user type? ›

The DCADMIN user holds definition and access privileges on /DC system resources. CREATE, ALTER, DROP, and DISPLAY privileges on a system allow the user to maintain the system configuration using CA IDMS system generation. The holder of DCADMIN privilege can grant all system privileges to one or more users.

What is UserType 0 in O365? ›

Audit records for activities performed by administrators will indicate that a regular user (for example, UserType: 0) performed the activity. The UserID property will identify the person (regular user or administrator) who performed the activity.

What is an API activity? ›

The Activity API exposes a super-fast, highly available API. The purpose of this API is to manage 3 things: Determine in super real-time whether your user has agreed to the latest version of a contract. Retrieving the versions and revisions of a Contract your Signers have agreed to.

How does API Management work? ›

API management is the process of developing, designing, monitoring, testing, securing, and analyzing APIs for organizations. API management platforms provide a robust set of software and processes with this functionality, hosted on premises, in the cloud, or a hybrid environment.

What is considered a user? ›

: a person who uses a product or service. smartphone users. library users. The site has millions of users. users of the city's transit system.

What are the different types of user accounts in Windows Server? ›

Standard User accounts are for everyday computing. Administrator accounts provide the most control over a computer, and should only be used when necessary. Guest accounts are intended primarily for people who need temporary use of a computer.

What are the two basic user types in Azure Active Directory? ›

Azure User Types Last Updated July 19, 2024
  • Member: A member user is an employee of the host organization. ...
  • Guest: A guest is an external user of an organization, such as an external collaborator, partner, or customer.

What is the user unique identifier in Office 365? ›

Your user ID is the unique email address that was created for you to use when you sign in to Microsoft 365. A user ID may look similar to the following: ellen@contoso.partner.onmschina.cn.

What is the difference between mailuser and remotemailbox? ›

The major difference is that a remote user mailbox is indeed a mailbox, which is hosted in the Exchange Online environment, but a mail user is not a real mailbox, it's just a local AD account with a valid SMTP address.

What is API in d365? ›

An API is a kind of portal for developer teams. The Microsoft Dynamics 365 CRM REST APIs help in managing all the corporate processes and operations along with customer-related functionalities. The REST APIs simplify the task of developers in acquiring and altering data from the CRM software.

What is management API in Azure? ›

Azure API Management is a hybrid, multicloud management platform for APIs across all environments. As a platform-as-a-service, API Management supports the complete API lifecycle. Tip. If you're already familiar with API Management and ready to start, see these resources: Features and service tiers.

What is API version management? ›

API versioning is the process of managing and maintaining different versions of an API. It allows developers to make changes to an API without breaking existing functionality for users who rely on the older version.

Can Office 365 track your activity? ›

Within the Microsoft 365 administrator dashboard, businesses can track user activity across multiple 365 products, including Teams. These reports can be viewed directly on the 365 dashboard or exported into a CSV format.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Aron Pacocha

Last Updated:

Views: 5920

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Aron Pacocha

Birthday: 1999-08-12

Address: 3808 Moen Corner, Gorczanyport, FL 67364-2074

Phone: +393457723392

Job: Retail Consultant

Hobby: Jewelry making, Cooking, Gaming, Reading, Juggling, Cabaret, Origami

Introduction: My name is Aron Pacocha, I am a happy, tasty, innocent, proud, talented, courageous, magnificent person who loves writing and wants to share my knowledge and understanding with you.