Audit Logging and Copilot Activity

Video Tutorial

A step-by-step guide to enabling and using audit logs for Microsoft 365 Copilot activity. You'll learn where Copilot events show up in Microsoft Purview Audit, how to search and export results, and how to align audit retention with government compliance expectations.

07:00 | February 06, 2026 | Security, Compliance, IT

Overview

In government environments, trust isn’t just about technical controls. It’s about accountability. And accountability means having an auditable record of who did what, when, and why.

For Microsoft 365 Copilot, that accountability layer lives in Microsoft Purview Audit. This is where Copilot events are captured alongside the broader Microsoft 365 workload activity. Whether you’re preparing for an investigation, responding to a FOIA request, or building evidence for your ATO, you need to know exactly where these logs live, how to search them, and how long to keep them.

This video walks through the end-to-end audit workflow for Copilot: where events are recorded, what roles and permissions you need, how to run searches and export results, and how to align retention policies with agency compliance requirements in GCC, GCC High, and DoD environments.

What You’ll Learn

  • Where Copilot Audit Events Live: Understanding Microsoft Purview Audit as your primary audit surface
  • Prerequisites and Roles: Confirming audit enablement, investigator permissions, and least privilege access
  • Running Copilot Searches: Filtering by activity, validating with test cases, and exporting results
  • Retention Planning: Aligning audit retention with agency schedules, security needs, and compliance requirements

Script

Hook: auditing is your accountability layer

In government, “trust” comes with audit trails. Copilot is no different.

Whether you’re investigating an insider threat case, responding to a FOIA request, or documenting security controls for your authorizing official, you need an auditable record of Copilot activity.

The good news is that Microsoft 365 already has a unified audit infrastructure. Copilot events plug right into it. The challenge is knowing where to look, what to search for, and how long to retain the evidence.

Let’s walk through exactly where Copilot events live, how to search them, and what to retain.

Where Copilot audit events are recorded

Microsoft Purview Audit is your primary audit surface. This is the unified audit log for Microsoft 365. It’s where Copilot activity gets recorded alongside all the other workload activity happening in your tenant.

When a user interacts with Copilot in Teams, Outlook, Word, or any other Microsoft 365 app, those interactions generate audit events. These events capture things like when Copilot was invoked, what prompts were submitted, and what data sources were accessed during the interaction.

But here’s the important part. Copilot audit events don’t exist in isolation. They’re complemented by the workload logs that reflect the underlying content access and actions. If Copilot accesses a file in SharePoint, there’s a SharePoint audit event. If it reads an email in Exchange, there’s an Exchange audit event. If it pulls data from Teams, there’s a Teams audit event.

In investigations, you typically correlate Copilot activity with SharePoint, OneDrive, Exchange, and Teams audit signals. That’s how you reconstruct the full timeline of what happened.

Prerequisites: roles, licensing, and enablement

Before you can search Copilot audit logs, you need to confirm a few things.

First, confirm that auditing is enabled. In most Microsoft 365 environments, unified audit logging is on by default. But if you’re in GCC High or DoD, verify this in the Microsoft Purview compliance portal under Audit settings.

Second, confirm investigator roles and least privilege. Not everyone should search audit logs. Assign the View-Only Audit Logs or Audit Logs role to security analysts, compliance officers, or investigators only.

Third, here’s the government callout: decide retention requirements up front so you don’t lose evidence you later need for FOIA, IG investigations, or legal hold.

Default retention is ninety days. E5 licenses extend this. But “default” isn’t a policy. In government, you need a documented decision that aligns with your agency’s records schedule.

Now let’s walk through the actual search process.

Start by going to the Microsoft Purview compliance portal and navigating to Audit. You’ll see the unified audit log search interface.

First, choose your time range. You can search for the last twenty-four hours, the last seven days, or a custom range. For investigations, you’ll often start broad and then narrow down based on what you find.

Second, target your users. If you’re investigating a specific incident, you’ll enter the user principal name or display name of the person you’re investigating. If you’re doing a broader Copilot usage analysis, you might leave this blank and filter by activity instead.

Third, filter by Copilot-related activities. Depending on your environment and what Microsoft has surfaced in the activity picker, you may see specific Copilot activity types you can select. If not, you’ll search more broadly and then filter the results by workload or keyword.

Now here’s the best practice for validation: don’t just assume the logs are working. Run a known test. Have a pilot user perform a specific Copilot action that you’ve documented in advance. Then search for that event. Confirm it appears in the audit log with the expected timestamp, user, and activity details.

This is how you validate that your audit configuration is actually capturing what you think it’s capturing. Don’t skip this step.

Once you’ve confirmed the events are there, you can export the results. Purview lets you export audit search results to a CSV file. This is useful for external analysis, correlation with other data sources, or long-term archival outside of the live audit log.

If you’re in an environment where chain-of-custody practices are required, document your export process. Record who performed the search, what date range was queried, and where the exported file is stored. This becomes part of your evidence handling workflow.
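The search, validation, export and chain-of-custody steps above, together with the Copilot-to-workload correlation described earlier, as one PowerShell script. This is an added example, not code from this page or from Microsoft; it assumes the ExchangeOnlineManagement module, an audit search role for the caller, that the Copilot audit record type in your tenant is named 'CopilotInteraction' (confirm against the activity picker), and placeholder paths.

```powershell
# Added example, not code from the page or from Microsoft: pull one user's audit
# activity for a window, keep Copilot events beside the SharePoint, Exchange and
# Teams workload events they are correlated with, export the sorted timeline to
# CSV and write a chain-of-custody manifest. Assumptions: ExchangeOnlineManagement
# module; the caller holds an audit search role; the Copilot record type is named
# 'CopilotInteraction' here (confirm in the activity picker); paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [datetime] $StartDate = (Get-Date).AddDays(-7),
    [datetime] $EndDate   = (Get-Date),
    [string]   $ExportDir = 'C:\AuditExports',
    [string]   $Environment = 'O365USGovGCCHigh'   # O365USGovDoD for DoD, O365Default for GCC
)
$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -ExchangeEnvironmentName $Environment -ShowBanner:$false
# Preflight: if unified audit ingestion is off, the search below proves nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled for this tenant.'
}
# Page through all record types for the user (no -RecordType filter, so workload
# events come back too). The same SessionId with ReturnLargeSet yields the next
# page on each call until nothing is left.
$sessionId = "timeline-$UserPrincipalName-$(Get-Date -Format yyyyMMddHHmmss)"
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -UserIds $UserPrincipalName -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page)
# Sort chronologically and flag Copilot rows; AuditData (raw JSON) stays intact as evidence.
$timeline = @($events | Sort-Object CreationDate | Select-Object CreationDate, UserIds,
    RecordType, Operations, @{ n = 'IsCopilot'; e = { $_.RecordType -eq 'CopilotInteraction' } }, AuditData)
$copilotCount = @($timeline | Where-Object IsCopilot).Count
if ($copilotCount -eq 0) { Write-Warning 'No Copilot events: re-run the documented test action before trusting this window.' }
# Export, then record who searched, what window, where the file is, and its hash.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$csv = Join-Path $ExportDir "copilot-timeline-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$timeline | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
[pscustomobject]@{
    SearchedBy    = (Get-ConnectionInformation).UserPrincipalName
    SearchedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    Subject       = $UserPrincipalName
    WindowUtc     = "$($StartDate.ToUniversalTime().ToString('o')) to $($EndDate.ToUniversalTime().ToString('o'))"
    EventCount    = $timeline.Count
    CopilotEvents = $copilotCount
    ExportFile    = $csv
    Sha256        = (Get-FileHash -Path $csv -Algorithm SHA256).Hash
} | ConvertTo-Json | Set-Content -Path "$csv.manifest.json" -Encoding UTF8
```

Run it once with the pilot user and the time of the documented test action; the warning fires if no Copilot row comes back, which is the validation step the script above is checking for.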

Retention: how long should you keep Copilot audit data?

You’ve confirmed auditing works. You’ve run searches. You’ve exported results. Now: how long do you keep this data?

Don’t use the default. Align retention with three things.

First, your agency’s retention schedules. Many agencies have records schedules for audit and system logs, driven by NARA guidance or agency policy. Find yours and implement it.

Second, security investigation needs. Insider threat detection, threat hunting, and forensics may require data going back months or years. Work with your security team on requirements.

Third, compliance requirements. Regulatory frameworks or authorization conditions may dictate minimums. Some agencies require one year, others three years or longer.

Configure retention using audit log retention policies in Purview. Use policy-driven retention and document the decision in writing. This gets reviewed during audits, ATOs, and IG investigations. Do it right the first time.
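The policy-driven retention decision above, expressed as a Purview audit retention policy with a verification step whose output can go straight into the written decision record. This is an added example, not code from this page or from Microsoft; it assumes a session already opened with Connect-ExchangeOnline, licensing that permits the chosen duration, that the Copilot record type is named 'CopilotInteraction', and that the records-schedule reference in the policy name is a placeholder.

```powershell
# Added example, not code from the page or from Microsoft: express the documented
# retention decision as a Purview audit retention policy and print the result for
# the decision record. Assumptions: a session already opened with
# Connect-ExchangeOnline; licensing that permits the chosen duration; the Copilot
# record type is 'CopilotInteraction'; the schedule reference is a placeholder.
param(
    [ValidateSet('ThreeMonths','SixMonths','NineMonths','TwelveMonths','TenYears')]
    [string] $Duration   = 'TwelveMonths',   # from the agency records schedule, not the 90-day default
    [string] $PolicyName = 'Copilot audit retention (schedule ref: PLACEHOLDER)'
)
$ErrorActionPreference = 'Stop'
$recordType = 'CopilotInteraction'

# Record the state before the change; the before/after belongs in the written decision.
$before = Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.RecordTypes -contains $recordType } |
    Select-Object Name, RecordTypes, RetentionDuration, Priority
Write-Host "Policies covering $recordType before change:"; $before | Format-Table -AutoSize

# Create or update so the policy matches the documented duration. A lower Priority
# value wins when several policies match the same record.
$existing = Get-UnifiedAuditLogRetentionPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-UnifiedAuditLogRetentionPolicy -Name $PolicyName `
        -Description "Copilot audit records retained per agency schedule ($Duration)" `
        -RecordTypes $recordType -RetentionDuration $Duration -Priority 10
} elseif ($existing.RetentionDuration -ne $Duration) {
    Set-UnifiedAuditLogRetentionPolicy -Identity $PolicyName -RetentionDuration $Duration
}

# Verify, then emit a line the retention memo can quote verbatim.
$after = Get-UnifiedAuditLogRetentionPolicy | Where-Object { $_.Name -eq $PolicyName }
if ($after.RetentionDuration -ne $Duration) { throw "Policy '$PolicyName' is not at $Duration" }
"$((Get-Date).ToUniversalTime().ToString('o')) $PolicyName retains $recordType for $($after.RetentionDuration) (priority $($after.Priority))"
```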

Close: your pilot acceptance criteria

Before you move Copilot from pilot to production, confirm five things.

One: Copilot events are captured in the unified audit log. You’ve tested with a known scenario and validated results.

Two: Searches are repeatable. Analysts can run searches, apply filters, and find events without roadblocks.

Three: Exports work. You can export to CSV, preserve chain of custody if required, and integrate with SIEM platforms.

Four: Retention is configured. You’ve implemented a documented policy aligned with agency requirements, not Microsoft’s defaults.

Five: Analysts can reconstruct timelines. Given a user and date range, investigators can piece together what happened by correlating Copilot events with workload activity.

If those five things are true, your audit posture is solid. You’ve got accountability, defensibility, and evidence when questions come up.

That’s the standard. Meet it.
