├── .gitattributes ├── .github └── workflows │ └── auto-publish.yml ├── .gitignore ├── .openpublishing.publish.config.json ├── .openpublishing.redirection.json ├── .vscode └── settings.json ├── LICENSE ├── LICENSE-CODE ├── README.md ├── SECURITY.md ├── ThirdPartyNotices └── office-365-management-api ├── AipDiscover.md ├── AipFileDeleted.md ├── AipHeartBeat.md ├── AipProtectionAction.md ├── AipSensitivityLabelAction.md ├── OMEPortal.md ├── TOC.md ├── aip-unified-audit-logs-best-practices.md ├── breadcrumb └── toc.yml ├── copilot-schema.md ├── docfx.json ├── get-started-with-office-365-management-apis.md ├── images ├── AzureAppRegistration10.png ├── AzureAppRegistration11.png ├── AzureAppRegistration12.png ├── AzureAppRegistration2.png ├── AzureAppRegistration3.png ├── AzureAppRegistration4.png ├── AzureAppRegistration5.png ├── AzureAppRegistration6.png ├── AzureAppRegistration7.png ├── AzureAppRegistration8.png ├── AzureAppRegistration9.png ├── AzureAppRegistrationCertificatesSecrets.png ├── AzurePortal1.png ├── CFW.gif ├── Caution.gif ├── GitHub-Mark-64px.png ├── LastChild.gif ├── Octocat.png ├── add-an-application-dialog-OLD.png ├── add-an-application-dialog.png ├── adm.gif ├── adm_arch.gif ├── adm_dev.gif ├── adm_dev_arch.gif ├── aip-discover-search.png ├── aip-discover.png ├── aip-file-delete-search.png ├── aip-file-delete.png ├── aip-heartbeat-search.png ├── aip-heartbeat.png ├── aip-protection-action-search.png ├── aip-sensitivity-label-action-search.png ├── aip-sensitivity-label-action.png ├── alert_caution.gif ├── alert_note.gif ├── alert_security.gif ├── arch.gif ├── audit-new-search.png ├── audit-search-copilot-interaction.png ├── authorization-flow.png ├── azure-ad-app-added-page.png ├── azure-ad-apps-page.png ├── azure-ad-page.png ├── azure-portal-page.png ├── azure-subscription-page.png ├── big_adm.gif ├── big_arch.gif ├── big_dev.gif ├── big_kw.gif ├── box.gif ├── bullet.gif ├── collall.gif ├── collapse.gif ├── collapse_all.gif ├── command-line-certificate-display.png ├── copycode.gif ├── copycodeHighlight.gif ├── dev.gif ├── dev_arch.gif ├── dropdown.gif ├── dropdownHover.gif ├── drpdown.gif ├── drpdown_orange.gif ├── drpdown_orange_up.gif ├── drpup.gif ├── exp.gif ├── expall.gif ├── expand_all.gif ├── filter1a.gif ├── filter1c.gif ├── footer.gif ├── gradient.gif ├── greencheck.gif ├── greychck.gif ├── header_prev_next.jpg ├── header_sql_tutorial_blank.jpg ├── header_sql_tutorial_logo.GIF ├── kw.gif ├── kw_adm.gif ├── kw_adm_arch.gif ├── kw_adm_dev.gif ├── kw_adm_dev_arch.gif ├── kw_arch.gif ├── kw_dev.gif ├── kw_dev_arch.gif ├── load.gif ├── load_hover.gif ├── note.gif ├── o365-admin-page.png ├── o365-sign-up-page.png ├── pencil.GIF ├── privclass.gif ├── privdelegate.gif ├── privdelicate.gif ├── privenum.gif ├── privenumeration.gif ├── privevent.gif ├── privextension.gif ├── privfield.gif ├── privinterface.gif ├── privmethod.gif ├── privproperty.gif ├── privstructure.gif ├── protclass.gif ├── protdelegate.gif ├── protdeligate.gif ├── protenum.gif ├── protenumeration.gif ├── protevent.gif ├── protextension.gif ├── protfield.gif ├── protinterface.gif ├── protmethod.gif ├── protoperator.gif ├── protproperty.gif ├── protstructure.gif ├── pubclass.gif ├── pubdelegate.gif ├── pubenum.gif ├── pubenumeration.gif ├── pubevent.gif ├── pubextension.gif ├── pubfield.gif ├── pubinterface.gif ├── pubmethod.gif ├── puboperator.gif ├── pubproperty.gif ├── pubstructure.gif ├── requirements1a.gif ├── requirements1c.gif ├── save.gif ├── save_hover.gif ├── security.gif ├── seealso1a.gif ├── seealso1c.gif ├── static.gif └── xna.gif ├── index.md ├── office-365-management-activity-api-reference.md ├── office-365-management-activity-api-schema.md ├── office-365-management-apis-overview.md ├── office-365-service-communications-api-reference.md └── troubleshooting-the-office-365-management-activity-api.md /.gitattributes: -------------------------------------------------------------------------------- 1 | # Set the default behavior, in case people don't have core.autocrlf set. 2 | * text=auto 3 | 4 | # Explicitly declare text files you want to always be normalized and converted 5 | # to native line endings on checkout. 6 | *.c text 7 | *.h text 8 | 9 | # Declare files that will always have CRLF line endings on checkout. 10 | *.sln text eol=crlf 11 | 12 | # Denote all files that are truly binary and should not be modified. 13 | *.png binary 14 | *.jpg binary -------------------------------------------------------------------------------- /.github/workflows/auto-publish.yml: -------------------------------------------------------------------------------- 1 | name: auto-publish 2 | run-name: Automatically publish documentation 3 | on: 4 | schedule: 5 | - cron: '45 23 * * WED' 6 | jobs: 7 | auto-publish: 8 | runs-on: ubuntu-latest 9 | permissions: 10 | contents: write 11 | defaults: 12 | run: 13 | shell: bash 14 | working-directory: ./ 15 | steps: 16 | - name: Check out repository 17 | uses: actions/checkout@v4 18 | with: 19 | fetch-depth: 0 20 | - name: Check out main 21 | run: | 22 | echo "Checking out main branch" 23 | git config user.name github-actions 24 | git config user.email github-actions@github.com 25 | git checkout main 26 | - name: Check out live 27 | run: | 28 | echo "Checking out live branch" 29 | git checkout live 30 | - name: Merge from main into live 31 | run: | 32 | echo "Merging from main to live" 33 | git merge main 34 | - name: Push changes 35 | run: | 36 | echo "Pushing changes to live branch" 37 | git push origin live 38 | 39 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | log/ 2 | obj/ 3 | _site/ 4 | .optemp/ 5 | _themes*/ 6 | _repo.*/ 7 | 8 | .openpublishing.buildcore.ps1 -------------------------------------------------------------------------------- /.openpublishing.publish.config.json: -------------------------------------------------------------------------------- 1 | { 2 | "docsets_to_publish": [ 3 | { 4 | "docset_name": "office-365-management-api", 5 | "build_source_folder": "office-365-management-api", 6 | "build_output_subfolder": "office-365-management-api", 7 | "locale": "en-us", 8 | "monikers": [], 9 | "moniker_ranges": [], 10 | "open_to_public_contributors": true, 11 | "type_mapping": { 12 | "Conceptual": "Content", 13 | "ManagedReference": "Content", 14 | "RestApi": "Content" 15 | }, 16 | "build_entry_point": "docs", 17 | "template_folder": "_themes" 18 | } 19 | ], 20 | "notification_subscribers": [], 21 | "sync_notification_subscribers": [], 22 | "branches_to_filter": [], 23 | "skip_source_output_uploading": false, 24 | "need_preview_pull_request": true, 25 | "contribution_branch_mappings": {}, 26 | "dependent_repositories": [ 27 | { 28 | "path_to_root": "_themes", 29 | "url": "https://github.com/Microsoft/templates.docs.msft", 30 | "branch": "main", 31 | "branch_mapping": {} 32 | } 33 | ], 34 | "branch_target_mapping": {}, 35 | "need_generate_pdf_url_template": false, 36 | "docs_build_engine": { 37 | "name": "docfx_v3" 38 | } 39 | } -------------------------------------------------------------------------------- /.openpublishing.redirection.json: -------------------------------------------------------------------------------- 1 | { 2 | "redirections": [ 3 | { 4 | "source_path": "office-365-management-api/office-365-management-activity-api-faq.md", 5 | "redirect_url": "https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#frequently-asked-questions-about-the-office-365-management-api", 6 | "redirect_document_id": true 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "search.useIgnoreFiles": false, 3 | "markdownlint.config": { 4 | "MD028": false, 5 | "MD025": { 6 | "front_matter_title": "" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More_considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution 4.0 International Public License 58 | 59 | By exercising the Licensed Rights (defined below), You accept and agree 60 | to be bound by the terms and conditions of this Creative Commons 61 | Attribution 4.0 International Public License ("Public License"). To the 62 | extent this Public License may be interpreted as a contract, You are 63 | granted the Licensed Rights in consideration of Your acceptance of 64 | these terms and conditions, and the Licensor grants You such rights in 65 | consideration of benefits the Licensor receives from making the 66 | Licensed Material available under these terms and conditions. 67 | 68 | 69 | Section 1 -- Definitions. 70 | 71 | a. Adapted Material means material subject to Copyright and Similar 72 | Rights that is derived from or based upon the Licensed Material 73 | and in which the Licensed Material is translated, altered, 74 | arranged, transformed, or otherwise modified in a manner requiring 75 | permission under the Copyright and Similar Rights held by the 76 | Licensor. For purposes of this Public License, where the Licensed 77 | Material is a musical work, performance, or sound recording, 78 | Adapted Material is always produced where the Licensed Material is 79 | synched in timed relation with a moving image. 80 | 81 | b. Adapter's License means the license You apply to Your Copyright 82 | and Similar Rights in Your contributions to Adapted Material in 83 | accordance with the terms and conditions of this Public License. 84 | 85 | c. Copyright and Similar Rights means copyright and/or similar rights 86 | closely related to copyright including, without limitation, 87 | performance, broadcast, sound recording, and Sui Generis Database 88 | Rights, without regard to how the rights are labeled or 89 | categorized. For purposes of this Public License, the rights 90 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 91 | Rights. 92 | 93 | d. Effective Technological Measures means those measures that, in the 94 | absence of proper authority, may not be circumvented under laws 95 | fulfilling obligations under Article 11 of the WIPO Copyright 96 | Treaty adopted on December 20, 1996, and/or similar international 97 | agreements. 98 | 99 | e. Exceptions and Limitations means fair use, fair dealing, and/or 100 | any other exception or limitation to Copyright and Similar Rights 101 | that applies to Your use of the Licensed Material. 102 | 103 | f. Licensed Material means the artistic or literary work, database, 104 | or other material to which the Licensor applied this Public 105 | License. 106 | 107 | g. Licensed Rights means the rights granted to You subject to the 108 | terms and conditions of this Public License, which are limited to 109 | all Copyright and Similar Rights that apply to Your use of the 110 | Licensed Material and that the Licensor has authority to license. 111 | 112 | h. Licensor means the individual(s) or entity(ies) granting rights 113 | under this Public License. 114 | 115 | i. Share means to provide material to the public by any means or 116 | process that requires permission under the Licensed Rights, such 117 | as reproduction, public display, public performance, distribution, 118 | dissemination, communication, or importation, and to make material 119 | available to the public including in ways that members of the 120 | public may access the material from a place and at a time 121 | individually chosen by them. 122 | 123 | j. Sui Generis Database Rights means rights other than copyright 124 | resulting from Directive 96/9/EC of the European Parliament and of 125 | the Council of 11 March 1996 on the legal protection of databases, 126 | as amended and/or succeeded, as well as other essentially 127 | equivalent rights anywhere in the world. 128 | 129 | k. You means the individual or entity exercising the Licensed Rights 130 | under this Public License. Your has a corresponding meaning. 131 | 132 | 133 | Section 2 -- Scope. 134 | 135 | a. License grant. 136 | 137 | 1. Subject to the terms and conditions of this Public License, 138 | the Licensor hereby grants You a worldwide, royalty-free, 139 | non-sublicensable, non-exclusive, irrevocable license to 140 | exercise the Licensed Rights in the Licensed Material to: 141 | 142 | a. reproduce and Share the Licensed Material, in whole or 143 | in part; and 144 | 145 | b. produce, reproduce, and Share Adapted Material. 146 | 147 | 2. Exceptions and Limitations. For the avoidance of doubt, where 148 | Exceptions and Limitations apply to Your use, this Public 149 | License does not apply, and You do not need to comply with 150 | its terms and conditions. 151 | 152 | 3. Term. The term of this Public License is specified in Section 153 | 6(a). 154 | 155 | 4. Media and formats; technical modifications allowed. The 156 | Licensor authorizes You to exercise the Licensed Rights in 157 | all media and formats whether now known or hereafter created, 158 | and to make technical modifications necessary to do so. The 159 | Licensor waives and/or agrees not to assert any right or 160 | authority to forbid You from making technical modifications 161 | necessary to exercise the Licensed Rights, including 162 | technical modifications necessary to circumvent Effective 163 | Technological Measures. For purposes of this Public License, 164 | simply making modifications authorized by this Section 2(a) 165 | (4) never produces Adapted Material. 166 | 167 | 5. Downstream recipients. 168 | 169 | a. Offer from the Licensor -- Licensed Material. Every 170 | recipient of the Licensed Material automatically 171 | receives an offer from the Licensor to exercise the 172 | Licensed Rights under the terms and conditions of this 173 | Public License. 174 | 175 | b. No downstream restrictions. You may not offer or impose 176 | any additional or different terms or conditions on, or 177 | apply any Effective Technological Measures to, the 178 | Licensed Material if doing so restricts exercise of the 179 | Licensed Rights by any recipient of the Licensed 180 | Material. 181 | 182 | 6. No endorsement. Nothing in this Public License constitutes or 183 | may be construed as permission to assert or imply that You 184 | are, or that Your use of the Licensed Material is, connected 185 | with, or sponsored, endorsed, or granted official status by, 186 | the Licensor or others designated to receive attribution as 187 | provided in Section 3(a)(1)(A)(i). 188 | 189 | b. Other rights. 190 | 191 | 1. Moral rights, such as the right of integrity, are not 192 | licensed under this Public License, nor are publicity, 193 | privacy, and/or other similar personality rights; however, to 194 | the extent possible, the Licensor waives and/or agrees not to 195 | assert any such rights held by the Licensor to the limited 196 | extent necessary to allow You to exercise the Licensed 197 | Rights, but not otherwise. 198 | 199 | 2. Patent and trademark rights are not licensed under this 200 | Public License. 201 | 202 | 3. To the extent possible, the Licensor waives any right to 203 | collect royalties from You for the exercise of the Licensed 204 | Rights, whether directly or through a collecting society 205 | under any voluntary or waivable statutory or compulsory 206 | licensing scheme. In all other cases the Licensor expressly 207 | reserves any right to collect such royalties. 208 | 209 | 210 | Section 3 -- License Conditions. 211 | 212 | Your exercise of the Licensed Rights is expressly made subject to the 213 | following conditions. 214 | 215 | a. Attribution. 216 | 217 | 1. If You Share the Licensed Material (including in modified 218 | form), You must: 219 | 220 | a. retain the following if it is supplied by the Licensor 221 | with the Licensed Material: 222 | 223 | i. identification of the creator(s) of the Licensed 224 | Material and any others designated to receive 225 | attribution, in any reasonable manner requested by 226 | the Licensor (including by pseudonym if 227 | designated); 228 | 229 | ii. a copyright notice; 230 | 231 | iii. a notice that refers to this Public License; 232 | 233 | iv. a notice that refers to the disclaimer of 234 | warranties; 235 | 236 | v. a URI or hyperlink to the Licensed Material to the 237 | extent reasonably practicable; 238 | 239 | b. indicate if You modified the Licensed Material and 240 | retain an indication of any previous modifications; and 241 | 242 | c. indicate the Licensed Material is licensed under this 243 | Public License, and include the text of, or the URI or 244 | hyperlink to, this Public License. 245 | 246 | 2. You may satisfy the conditions in Section 3(a)(1) in any 247 | reasonable manner based on the medium, means, and context in 248 | which You Share the Licensed Material. For example, it may be 249 | reasonable to satisfy the conditions by providing a URI or 250 | hyperlink to a resource that includes the required 251 | information. 252 | 253 | 3. If requested by the Licensor, You must remove any of the 254 | information required by Section 3(a)(1)(A) to the extent 255 | reasonably practicable. 256 | 257 | 4. If You Share Adapted Material You produce, the Adapter's 258 | License You apply must not prevent recipients of the Adapted 259 | Material from complying with this Public License. 260 | 261 | 262 | Section 4 -- Sui Generis Database Rights. 263 | 264 | Where the Licensed Rights include Sui Generis Database Rights that 265 | apply to Your use of the Licensed Material: 266 | 267 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 268 | to extract, reuse, reproduce, and Share all or a substantial 269 | portion of the contents of the database; 270 | 271 | b. if You include all or a substantial portion of the database 272 | contents in a database in which You have Sui Generis Database 273 | Rights, then the database in which You have Sui Generis Database 274 | Rights (but not its individual contents) is Adapted Material; and 275 | 276 | c. You must comply with the conditions in Section 3(a) if You Share 277 | all or a substantial portion of the contents of the database. 278 | 279 | For the avoidance of doubt, this Section 4 supplements and does not 280 | replace Your obligations under this Public License where the Licensed 281 | Rights include other Copyright and Similar Rights. 282 | 283 | 284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 285 | 286 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 296 | 297 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 304 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 306 | 307 | c. The disclaimer of warranties and limitation of liability provided 308 | above shall be interpreted in a manner that, to the extent 309 | possible, most closely approximates an absolute disclaimer and 310 | waiver of all liability. 311 | 312 | 313 | Section 6 -- Term and Termination. 314 | 315 | a. This Public License applies for the term of the Copyright and 316 | Similar Rights licensed here. However, if You fail to comply with 317 | this Public License, then Your rights under this Public License 318 | terminate automatically. 319 | 320 | b. Where Your right to use the Licensed Material has terminated under 321 | Section 6(a), it reinstates: 322 | 323 | 1. automatically as of the date the violation is cured, provided 324 | it is cured within 30 days of Your discovery of the 325 | violation; or 326 | 327 | 2. upon express reinstatement by the Licensor. 328 | 329 | For the avoidance of doubt, this Section 6(b) does not affect any 330 | right the Licensor may have to seek remedies for Your violations 331 | of this Public License. 332 | 333 | c. For the avoidance of doubt, the Licensor may also offer the 334 | Licensed Material under separate terms or conditions or stop 335 | distributing the Licensed Material at any time; however, doing so 336 | will not terminate this Public License. 337 | 338 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 339 | License. 340 | 341 | 342 | Section 7 -- Other Terms and Conditions. 343 | 344 | a. The Licensor shall not be bound by any additional or different 345 | terms or conditions communicated by You unless expressly agreed. 346 | 347 | b. Any arrangements, understandings, or agreements regarding the 348 | Licensed Material not stated herein are separate from and 349 | independent of the terms and conditions of this Public License. 350 | 351 | 352 | Section 8 -- Interpretation. 353 | 354 | a. For the avoidance of doubt, this Public License does not, and 355 | shall not be interpreted to, reduce, limit, restrict, or impose 356 | conditions on any use of the Licensed Material that could lawfully 357 | be made without permission under this Public License. 358 | 359 | b. To the extent possible, if any provision of this Public License is 360 | deemed unenforceable, it shall be automatically reformed to the 361 | minimum extent necessary to make it enforceable. If the provision 362 | cannot be reformed, it shall be severed from this Public License 363 | without affecting the enforceability of the remaining terms and 364 | conditions. 365 | 366 | c. No term or condition of this Public License will be waived and no 367 | failure to comply consented to unless expressly agreed to by the 368 | Licensor. 369 | 370 | d. Nothing in this Public License constitutes or may be interpreted 371 | as a limitation upon, or waiver of, any privileges and immunities 372 | that apply to the Licensor or You, including from the legal 373 | processes of any jurisdiction or authority. 374 | 375 | 376 | ======================================================================= 377 | 378 | Creative Commons is not a party to its public 379 | licenses. Notwithstanding, Creative Commons may elect to apply one of 380 | its public licenses to material it publishes and in those instances 381 | will be considered the “Licensor.” The text of the Creative Commons 382 | public licenses is dedicated to the public domain under the CC0 Public 383 | Domain Dedication. Except for the limited purpose of indicating that 384 | material is shared under a Creative Commons public license or as 385 | otherwise permitted by the Creative Commons policies published at 386 | creativecommons.org/policies, Creative Commons does not authorize the 387 | use of the trademark "Creative Commons" or any other trademark or logo 388 | of Creative Commons without its prior written consent including, 389 | without limitation, in connection with any unauthorized modifications 390 | to any of its public licenses or any other arrangements, 391 | understandings, or agreements concerning use of licensed material. For 392 | the avoidance of doubt, this paragraph does not form part of the 393 | public licenses. 394 | 395 | Creative Commons may be contacted at creativecommons.org. -------------------------------------------------------------------------------- /LICENSE-CODE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | Copyright (c) Microsoft Corporation 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 5 | associated documentation files (the "Software"), to deal in the Software without restriction, 6 | including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 7 | and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, 8 | subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all copies or substantial 11 | portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT 14 | NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 15 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 16 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 17 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Office 365 Management APIs 2 | 3 | The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. All of the Office 365 Management APIs are consistent in design and implementation with the current suite of Office 365 REST APIs, using common industry-standard approaches, including OAuth v2, OData v4, and JSON. Like the other Office 365 APIs, applications are registered in Microsoft Entra ID, giving developers a consistent way to authenticate and authorize their apps. 4 | 5 | To get started, go to the [Office 365 Management APIs overview](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview). 6 | 7 | ## Microsoft Open Source Code of Conduct 8 | 9 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 10 | For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 11 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 40 | 41 | 42 | -------------------------------------------------------------------------------- /ThirdPartyNotices: -------------------------------------------------------------------------------- 1 | ##Legal Notices 2 | Microsoft and any contributors grant you a license to the Microsoft documentation and other content 3 | in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode), 4 | see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the 5 | [LICENSE-CODE](LICENSE-CODE) file. 6 | 7 | Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation 8 | may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. 9 | The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. 10 | Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653. 11 | 12 | Privacy information can be found at https://privacy.microsoft.com/ 13 | 14 | Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, 15 | or trademarks, whether by implication, estoppel or otherwise. -------------------------------------------------------------------------------- /office-365-management-api/AipDiscover.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: AipDiscover 3 | title: AipDiscover 4 | description: AipDiscover 5 | ms.ContentId: 60e8e7cf-fcb5-4384-a384-accd01df37cd 6 | ms.topic: reference 7 | ms.date: 02/08/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # AipDiscover 12 | 13 | Azure Information Protection is a service that allows organizations to classify and label sensitive data, and apply policies to control how that data is accessed and shared. 14 | 15 | AipDiscover is a type of event that is recorded in the Office 365 Unified Audit Log. It represents an attempt to discover or access an Azure Information Protection (AIP) protected file. In the scenario in which an AIPDiscover event shows the operation as discover that means the file has been listed within an on-premise file share, SharePoint server, etc. that is being viewed by a user or information protection scanner and the state of the file is at rest. In the scenario that an AIPDiscover event shows the operations as access that means the file has been opened and is in use by the user when the event was recorded. 16 | 17 | The AIPDiscover event is useful because it shows the users, devices, and locations that are accessing Azure Information Protection labeled information within an organization. 18 | 19 | ## Access the Office 365 Unified Audit Log 20 | 21 | The audit logs can be accessed using the following methods: 22 | 23 | - The [Audit Log search tool](#audit-log-search-tool) in the Microsoft Purview compliance portal. 24 | - The [Search-UnifiedAuditLog](#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 25 | - The [Office 365 Management Activity API](#office-365-management-activity-api). 26 | 27 | To view descriptions of the data fields within an audit event, see [Attributes of an AipDiscover event](#attributes-of-the-aipdiscover-event) 28 | 29 | ### Audit log search tool 30 | 31 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 32 | 2. In the left pane of the compliance portal, select **Audit**. 33 | > [!Note] 34 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 35 | 3. On the **New Search** tab, set Record type to **AipDiscover** and configure the other parameters. 36 | ![AipDiscover audit configurations](images/aip-discover-search.png) 37 | 4. Click **Search** to run the search using the criteria. In the results pane, select an event to view the results. Both discover and access operations can be viewed. 38 | ![AipDiscover audit results](images/aip-discover.png) 39 | 40 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities). 41 | 42 | ## Search Unified Audit Log in PowerShell 43 | 44 | To access the Unified Audit Log using PowerShell, first connect to an Exchange Online PowerShell session by completing the following steps. 45 | 46 | ### Establish a remote PowerShell session 47 | 48 | This will establish a remote PowerShell session with Exchange Online. Once the connection is established, you can run Exchange Online cmdlets to manage your Exchange Online environment. 49 | 50 | Open a PowerShell window and run the Install-Module -Name ExchangeOnlineManagement command to install the Exchange Online Management module. This module provides cmdlets that can be used to manage Exchange Online. 51 | 52 | 1. Connect-IPPSSession is a PowerShell cmdlet used to create a remote connection to an Exchange Online PowerShell session. 53 | 2. Import-Module ExchangeOnlineManagement is a PowerShell cmdlet used to import the Exchange Online Management module into the current PowerShell session. 54 | 55 | ```powershell 56 | # Import the PSSSession and Exchange Online cmdlets 57 | Connect-IPPSSession 58 | Import-Module ExchangeOnlineManagement 59 | ``` 60 | 61 | #### Connect with a specific user 62 | 63 | Command to prompt for a specific user for your Exchange Online credentials. 64 | 65 | ```powershell 66 | $UserCredential = Get-Credential 67 | ``` 68 | 69 | Command to connect to Exchange Online using the provided credentials. 70 | 71 | ```powershell 72 | Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true 73 | ``` 74 | 75 | #### Connect with credentials in the current session 76 | 77 | Connect to Exchange Online using the credentials in the current session. 78 | 79 | ```powershell 80 | Connect-ExchangeOnline 81 | ``` 82 | 83 | ## Search-UnifiedAuditLog cmdlet 84 | 85 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](aip-unified-audit-logs-best-practices.md). 86 | 87 | To extract the AipDiscover events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "AipDiscover". The results will be exported to a CSV file at the specified path. 88 | 89 | ```powershell 90 | Search-UnifiedAuditLog -RecordType AipDiscover -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) | Export-Csv -Path 91 | ``` 92 | 93 | Use the following command to specifically search for discover events - the scenario in which the files are discovered by the user or information protection scanner through viewing on-premise files shares, SharePoint servers, etc. An example of the result of the PowerShell cmdlet is also shown below. 94 | 95 | ```powershell 96 | Search-UnifiedAuditLog -Operations Discover -RecordType AipDiscover -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 97 | ``` 98 | 99 | The following is an example of AipDiscover event from PowerShell, operation Discover. 100 | 101 | ```json 102 | RecordType : AipDiscover 103 | CreationDate : 12/6/2022 8:51:58 PM 104 | UserIds : ipadmin@champion365.onmicrosoft.com 105 | Operations : Discover 106 | AuditData : 107 | { 108 | "SensitivityLabelEventData":{}, 109 | "SensitiveInfoTypeData":[], 110 | "ProtectionEventData":{ 111 | "ProtectionType":"Custom", 112 | "IsProtected":true, 113 | "ProtectionOwner":"ipadmin@champion365.onmicrosoft.com" 114 | }, 115 | "Common":{ 116 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 117 | "ApplicationName":"Microsoft Azure Information Protection Explorer Extension", 118 | "ProcessName":"MSIP.App", 119 | "Platform":1, 120 | "DeviceName":"WinDev2210Eval", 121 | "Location":"On-premises file shares", 122 | "ProductVersion":"2.14.90.0" 123 | }, 124 | "DataState":"Rest", 125 | "ObjectId":"C:\\Users\\User\\OneDrive - champion365\\Cascade Car Schematics.docx", 126 | "UserId":"ipadmin@champion365.onmicrosoft.com", 127 | "ClientIP":"104.190.163.53", 128 | "Id":"e15273c7-f07e-41ec-bac1-5da8739623a5", 129 | "RecordType":93, 130 | "CreationTime":"2022-12-06T20:51:58", 131 | "Operation":"Discover", 132 | "OrganizationId":"c8085975-d882-42d2-9193-d82d752a5de9", 133 | "UserType":0, 134 | "UserKey":"981d11ea-df5c-4334-b656-bb9011bc435b", 135 | "Workload":"Aip", 136 | "Version":1, 137 | "Scope":1 138 | } 139 | ResultIndex : -1 140 | ResultCount : 0 141 | Identity : e15273c7-f07e-41ec-bac1-5da8739623a5 142 | IsValid : True 143 | ObjectState : Unchanged 144 | ``` 145 | 146 | Use the following command to specifically search for access events - the scenario in which the files were opened and in use by the user. An example of the result of the PowerShell cmdlet is also shown below. 147 | 148 | ```powershell 149 | Search-UnifiedAuditLog -Operations Access -RecordType AipDiscover -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 150 | ``` 151 | 152 | The following is an example of AipDiscover event from PowerShell, operation Access. 153 | 154 | ```json 155 | RecordType : AipDiscover 156 | CreationDate : 11/6/2022 10:56:26 PM 157 | UserIds : AdeleV@champion365.onmicrosoft.com 158 | Operations : Access 159 | AuditData : 160 | { 161 | "SensitivityLabelEventData":{ 162 | "SensitivityLabelId":"e14c1275-fa87-4421-8a59-5e3c3c214d61" 163 | }, 164 | "SensitiveInfoTypeData":[], 165 | "ProtectionEventData":{ 166 | "ProtectionType":"Template", 167 | "TemplateId":"2f0f4096-5629-405c-b2a1-8611053b0ed0", 168 | "IsProtected":true, 169 | "ProtectionOwner":"tony@smith.net" 170 | }, 171 | "Common":{ 172 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 173 | "ApplicationName":"Microsoft Azure Information Protection Word Add-In", 174 | "ProcessName":"WINWORD", 175 | "Platform":1, 176 | "DeviceName":"chmp365-avance", 177 | "Location":"On-premises file shares", 178 | "ProductVersion":"2.13.49.0" 179 | }, 180 | "Data State":"Use", 181 | "ObjectId":"C:\\Users\\AdeleVance\\Downloads\\dest.docx", 182 | "UserId":"AdeleV@champion365.onmicrosoft.com", 183 | "ClientIP":"76.135.237.70", 184 | "Id":"f8317892-3dc0-455d-9edd-8d6615addf41", 185 | "RecordType":93, 186 | "CreationTime":"2022-11-06T22:56:26", 187 | "Operation":"Access", 188 | "OrganizationId":"c8085975-d882-42d2-9193-d82d752a5de9", 189 | "UserType":0, 190 | "UserKey":"aec5d8fc-bbbd-4ab0-b607-5d9ea1f067f2", 191 | "Workload":"Aip", 192 | "Version":1, 193 | "Scope":1 194 | } 195 | ResultIndex : 18 196 | ResultCount : 18 197 | Identity : f8317892-3dc0-455d-9edd-8d6615addf41 198 | IsValid : True 199 | ObjectState : Unchanged 200 | ``` 201 | 202 | > [!NOTE] 203 | > This is just an example of how you can use the Search-UnifiedAuditLog cmdlet. You may need to adjust the command and specify additional parameters based on your specific requirements. For more information on using PowerShell for unified audit logs, see [search unified audit log](/powershell/module/exchange/search-unifiedauditlog). 204 | 205 | ## Office 365 Management Activity API 206 | 207 | In order to be able to query the Office 365 Management API endpoints, you'll need to configure your application with the right permissions. For a step-by-step guide, see [Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). 208 | 209 | The following is an example of AipDiscover event from REST API. 210 | 211 | ``` 212 | TenantId : bd285ff7-1a38-4306-adaf-a367669731c3 213 | SourceSystem : RestAPI 214 | TimeGenerated [UTC] : 2022-12-21T17:18:20Z 215 | EventCreationTime [UTC] : 2022-12-21T17:18:20Z 216 | Id : b8ef4925-3bae-4982-8279-651d4e67b1ea 217 | Operation : Discover 218 | OrganizationId : ac1dff03-7e0e-4ac8-a4c9-9b38d24f062c 219 | RecordType : 93 220 | UserType : 0 221 | Version : 1 222 | Workload : Aip 223 | UserId : mipscanner@kazdemos.org 224 | UserKey : 2231a98d-8749-4808-b461-1acaa5b628ac 225 | Scope : 1 226 | ClientIP : 52.159.112.221 227 | Common_ApplicationId : c00e9d32-3c8d-4a7d-832b-029040e7db99 228 | Common_ApplicationName : Microsoft Azure Information Protection Explorer Extension 229 | Common_ProcessName : MSIP.App 230 | Common_Platform : 1 231 | Common_DeviceName : AIPSCANNER1.mscompliance.click 232 | Common_ProductVersion : 2.14.90.0 233 | ObjectId : C:\Users\svc.aipscanner\AppData\Local\Microsoft\MSIP\Scanner\Reports\Reports2022-12-12_23_13_06.zip 234 | SensitiveInfoTypeData : [] 235 | ProtectionEventData_IsProtected : false 236 | Common_Location : On-premises file shares 237 | DataState : Rest 238 | Type : AuditGeneral 239 | ``` 240 | 241 | ## Attributes of the AipDiscover event 242 | 243 | | Event | Type | Description | 244 | | ---|---|---| 245 | | ApplicationId | GUID | The ID of the application performing the operation.| 246 | | ApplicationName | String | Friendly name of the application performing the operation. (Outlook, OWA, Word, Excel, PowerPoint, etc.)| 247 | | ClientIP | IPv4/IPv6 | The IP address of the device that was used when the activity was logged. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity.| 248 | | CreationTime | Date/time | The date and time in Coordinated Universal Time (UTC) when the user performed the activity.| 249 | | DataState | String | Rest = File was not open when event was logged
Use = File was in use when event was logged.| 250 | | DeviceName | String | The device on which the activity happened.| 251 | | Id | GUID | Unique identifier of an audit record.| 252 | | IsProtected | Boolean | States whether or not the data is protected with encryption.| 253 | | Location | String | The location of the document with respect to the user's device (on-premises file shares).| 254 | | ObjectId | String | File full path (URL) that is being accessed by the user.| 255 | | Operation | String | The operation type for the audit log.
Discover = File viewed at rest by user or information protection scanner
Access = File was opened and in use by user when event was recorded.| 256 | | OrganizationId | GUID | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.| 257 | | Platform | Double | The platform where the activity occurred from.
0 = Unknown
1 = Windows
2 = MacOS
3 = iOS
4 = Android
5 = Web Browser| 258 | | ProcessName | String | The relevant process name (Outlook, MSIP.App, WinWord, etc.)| 259 | | ProductVersion | String | Version of the AIP client.| 260 | | ProtectionOwner | String | Rights Management owner in UPN format.| 261 | | ProtectionType | String | The type of protection that was used for the data. Template means that protection was predefined by the admin. Custom means the user defined the protection.| 262 | | RecordType | Double | The type of operation indicated by the record. 93 represents an AipDiscover record.| 263 | | Scope | Double | 0 represents that the event was created by a hosted O365 service. 1 represents that the event was created by an on-premises server.| 264 | | SensitiveInfoTypeData | String | The sensitive information types that have been discovered within the data.| 265 | | SensitivityLabelId | GUID | The current MIP sensitivity label GUID. Use cmdlt Get-Label to get the full values of the GUID.| 266 | | TemplateId | GUID | The id for the template used for protection. If ProtectionType = Template, TemplateId will have GUID. If ProtectionType = Custom, TemplateId will be blank. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.| 267 | | UserId | String | The User Principal Name (UPN) of the user who performed the action that resulted in the record being logged.| 268 | | UserKey | GUID | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.| 269 | | UserType | Double | The type of user that performed the operation.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy| 270 | -------------------------------------------------------------------------------- /office-365-management-api/AipFileDeleted.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: AipFileDeleted 3 | title: AipFileDeleted 4 | description: AipFileDeleted 5 | ms.ContentId: 2a82d8b6-b03b-468a-b8c8-7f80bfc76da4 6 | ms.topic: reference 7 | ms.date: 02/08/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # AipFileDeleted 12 | 13 | Azure Information Protection is a service that allows organizations to classify and label sensitive data, and apply policies to control how that data is accessed and shared. 14 | 15 | AipFileDeleted is a type of event that is recorded in the Office 365 Unified Audit Log. AipFileDeleted events represent an attempt to deleted an Azure Information Protection (AIP) labeled file. Within the event, ResultStatus shows whether or not the file deletion was successful. 16 | 17 | ## Access the Office 365 Unified Audit Log 18 | 19 | The audit logs can be accessed using the following methods: 20 | 21 | - The [audit log search tool](#audit-log-search-tool) in the Microsoft Purview compliance portal. 22 | - The [Search-UnifiedAuditLog](#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 23 | - The [Office 365 Management Activity API](#office-365-management-activity-api). 24 | 25 | ### Audit log search tool 26 | 27 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 28 | 2. In the left pane of the compliance portal, select **Audit**. 29 | > [!Note] 30 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 31 | 3. On the **New Search** tab, set Record type to **AipDiscover** and configure the other parameters. 32 | ![AipDiscover audit configurations](images/aip-discover-search.png) 33 | 4. Click **Search** to run the search using the criteria. In the results pane, select an event to view the results. Both discover and access operations can be viewed. 34 | ![AipDiscover audit results](images/aip-discover.png) 35 | 36 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities). 37 | 38 | ### Search Unified Audit Log in PowerShell 39 | 40 | To access the Unified Audit Log using PowerShell, first connect to an Exchange Online PowerShell session by completing the following steps. 41 | 42 | #### Establish remote PowerShell session 43 | 44 | Once the connection is established, you can run Exchange Online cmdlets to manage your Exchange Online environment. 45 | 46 | Open a PowerShell window and run the Install-Module -Name ExchangeOnlineManagement command to install the Exchange Online Management module. This module provides cmdlets that can be used to manage Exchange Online. 47 | 48 | 1. Connect-IPPSSession is a PowerShell cmdlet used to create a remote connection to an Exchange Online PowerShell session. 49 | 2. Import-Module ExchangeOnlineManagement is a PowerShell cmdlet used to import the Exchange Online Management module into the current PowerShell session. 50 | 51 | ```powershell 52 | # Import the PSSSession and Exchange Online cmdlets 53 | Connect-IPPSSession 54 | Import-Module ExchangeOnlineManagement 55 | ``` 56 | 57 | #### Connect with a specific user 58 | 59 | Command to prompt for a specific user for your Exchange Online credentials. 60 | 61 | ```powershell 62 | $UserCredential = Get-Credential 63 | ``` 64 | 65 | Command to connect to Exchange Online using the provided credentials. 66 | 67 | ```powershell 68 | Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true 69 | ``` 70 | 71 | #### Connect with credentials in the current session 72 | 73 | Connect to Exchange Online using the credentials in the current session 74 | 75 | ```powershell 76 | Connect-ExchangeOnline 77 | ``` 78 | 79 | ## Search-UnifiedAuditLog cmdlet 80 | 81 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](aip-unified-audit-logs-best-practices.md). 82 | 83 | To extract the AipFileDeleted events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "AipFileDeleted". The results will be exported to a CSV file at the specified path. 84 | 85 | ```powershell 86 | Search-UnifiedAuditLog -RecordType AipFileDeleted -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Export-Csv -Path 87 | ``` 88 | 89 | The following is an example of AipFileDeleted event from PowerShell. 90 | 91 | ``` 92 | RecordType : AipFileDeleted 93 | CreationDate : 12/22/2022 8:50:10 PM 94 | UserIds : ipadmin@champion365.onmicrosoft.com 95 | Operations : FileDeleted 96 | AuditData : 97 | { 98 | "SensitiveInfoTypeData":[], 99 | "Common":{ 100 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 101 | "ApplicationName":"Microsoft Azure Information Protection Scanners", 102 | "ProcessName":"MSIP.Scanner", 103 | "Platform":1, 104 | "DeviceName":"AIPSCANNER1.mscompliance.click", 105 | "Location":"On-premises file shares", 106 | "ProductVersion":"2.14.90.0" 107 | }, 108 | "DataState":"Rest", 109 | "ObjectId":"fileshare\capacity\Data8\docs - Copy - Copy (7) - Copy\_creds\Acme Request for Time Off.doc", 110 | "UserId":"AdeleV@champion365.onmicrosoft.com", 111 | "UserId":"mipscanner@kazdemos.org", 112 | "ClientIP":" 52.159.112.221", 113 | "Id":"8417bbf6-3469-57bf-d48e-ee80f34c3d71", 114 | "RecordType":96, 115 | "CreationTime":"2022-12-22T20:50:10", 116 | "Operation":"FileDeleted", 117 | "OrganizationId":"ac1dff03-7e0e-4ac8-a4c9-9b38d24f062c", 118 | "UserType":5, 119 | "UserKey":"cab9530a-5b06-4c61-b09b-590fda6a40f8", 120 | "ResultStatus":"Succeeded" 121 | } 122 | ResultIndex : 9 123 | ResultCount : 11 124 | Identity : 2e7b94ee-92f7-480f-8b14-89d4bc0c0e43 125 | IsValid : True 126 | ObjectState : Unchanged 127 | ``` 128 | 129 | > [!NOTE] 130 | > This is just an example of how you can use the Search-UnifiedAuditLog cmdlet. You may need to adjust the command and specify additional parameters based on your specific requirements. For more information on using PowerShell for unified audit logs, see [search unified audit log](/powershell/module/exchange/search-unifiedauditlog). 131 | 132 | ## Office 365 Management Activity API 133 | 134 | In order to be able to query the Office 365 Management API endpoints, you'll need to configure your application with the right permissions. For a step-by-step guide, see [Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). 135 | 136 | The following is an example of AipFileDeleted event from REST API. 137 | 138 | ``` 139 | TenantId : bd285ff7-1a38-4306-adaf-a367669731c3 140 | SourceSystem : RestAPI 141 | TimeGenerated [UTC] : 2022-12-04T21:59:50.7763106Z 142 | EventCreationTime [UTC] : 2022-12-01T22:10:41Z 143 | Id : 8417bbf6-3469-57bf-d48e-ee80f34c3d71 144 | Operation : FileDeleted 145 | OrganizationId : ac1dff03-7e0e-4ac8-a4c9-9b38d24f062c 146 | RecordType : 96 147 | UserType : 5 148 | Version : 1 149 | Workload : Aip 150 | UserId : mipscanner@kazdemos.org 151 | UserKey : cab9530a-5b06-4c61-b09b-590fda6a40f8 152 | ResultStatus : Succeeded 153 | Scope : 1 154 | ClientIP : 52.159.112.221 155 | Common_ApplicationId : c00e9d32-3c8d-4a7d-832b-029040e7db99 156 | Common_ApplicationName : Microsoft Azure Information Protection Scanner 157 | Common_ProcessName : MSIP.Scanner 158 | Common_Platform : 1 159 | Common_DeviceName : AIPSCANNER1.mscompliance.click 160 | Common_ProductVersion : 2.14.90.0 161 | ObjectId : \\fileshare\capacity\Data8\docs - Copy - Copy (7) - Copy\_creds\Acme Request for Time Off.doc 162 | SensitiveInfoTypeData : [] 163 | Common_Location : On-premises file shares 164 | DataState : Rest 165 | Type : AuditGeneral_CL 166 | ``` 167 | 168 | ## Attributes of the AipFileDeleted event 169 | 170 | Event | Type | Description 171 | ---|---|--- 172 | ApplicationId | GUID | The ID of the application performing the operation. 173 | ApplicationName | String | Friendly name of the application performing the operation. (Outlook, OWA, Word, Excel, PowerPoint, etc.) 174 | ClientIP | IPv4/IPv6 | The IP address of the device that was used when the activity was logged. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. 175 | CreationTime | Date/time | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. 176 | DataState | String | Rest = File was not open when event was logged
Use = File was in use when event was logged. 177 | DeviceName | String | The device on which the activity happened. 178 | Id | GUID | Unique identifier of an audit record. 179 | IsProtected | Boolean | States whether or not the data is protected with encryption. 180 | Location | String | The location of the document with respect to the user's device. 181 | ObjectId | String | File full path (URL) that is being accessed by the user. 182 | Operation | String | The operation type for the audit log. For AipFileDeleted, operation is FileDeleted. 183 | OrganizationId | GUID | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. 184 | Platform | Double | The platform where the activity occurred from.
0 = Unknown
1 = Windows
2 = MacOS
3 = iOS
4 = Android
5 = Web Browser 185 | ProcessName | String | The relevant process name (Outlook, MSIP.App, WinWord, etc.) 186 | ProductVersion | String | Version of the AIP client. 187 | RecordType | Double | The type of operation indicated by the record. 96 represents an AipFileDeleted record. 188 | ResultStatus | String | Indicates whether or not the file deletion succeeded. 189 | Scope | Double | 0 represents that the event was created by a hosted O365 service. 1 represents that the event was created by an on-premises server. 190 | SensitiveInfoTypeData | String | The sensitive information types that have been discovered within the data. 191 | SensitivityLabelId | GUID | The current MIP sensitivity label GUID. Use cmdlt Get-Label to get the full values of the GUID. 192 | UserId | String | The User Principal Name (UPN) of the user who performed the action that resulted in the record being logged. 193 | UserKey | GUID | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. 194 | UserType | Double | The type of user that performed the operation.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy 195 | -------------------------------------------------------------------------------- /office-365-management-api/AipHeartBeat.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: AipHeartBeat 3 | title: AipHeartBeat 4 | description: AipHeartBeat 5 | ms.ContentId: fde24b79-4513-4a9e-b2c4-c0b07de0b688 6 | ms.topic: reference 7 | ms.date: 02/08/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # AipHeartBeat 12 | 13 | Azure Information Protection is a service that allows organizations to classify and label sensitive data, and apply policies to control how that data is accessed and shared. 14 | 15 | AipHeartBeat is a type of event that is recorded in the Office 365 Unified Audit Log. AipHeartBeat events are generated automatically and are useful for tracking the health and status of the AIP service. 16 | 17 | ## Access the Office 365 Unified Audit Log 18 | 19 | The audit logs can be accessed using the following methods: 20 | 21 | - The [audit log search tool](#audit-log-search-tool) in the Microsoft Purview compliance portal. 22 | - The [Search-UnifiedAuditLog](#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 23 | - The [Office 365 Management Activity API](#office-365-management-activity-api). 24 | 25 | ### Audit log search tool 26 | 27 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 28 | 2. In the left pane of the compliance portal, select **Audit**. 29 | > [!Note] 30 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 31 | 3. On the **New Search** tab, set Record type to **AipDiscover** and configure the other parameters. 32 | ![AipDiscover audit configurations](images/aip-discover-search.png) 33 | 4. Click **Search** to run the search using the criteria. In the results pane, select an event to view the results. Both discover and access operations can be viewed. 34 | ![AipDiscover audit results](images/aip-discover.png) 35 | 36 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities). 37 | 38 | ### Search Unified Audit Log in PowerShell 39 | 40 | To access the Unified Audit Log using PowerShell, first connect to an Exchange Online PowerShell session by completing the following steps. 41 | 42 | ### Establish a remote PowerShell session 43 | 44 | This will establish a remote PowerShell session with Exchange Online. Once the connection is established, you can run Exchange Online cmdlets to manage your Exchange Online environment. 45 | 46 | Open a PowerShell window and run the Install-Module -Name ExchangeOnlineManagement command to install the Exchange Online Management module. This module provides cmdlets that can be used to manage Exchange Online. 47 | 48 | 1. Connect-IPPSSession is a PowerShell cmdlet used to create a remote connection to an Exchange Online PowerShell session. 49 | 2. Import-Module ExchangeOnlineManagement is a PowerShell cmdlet used to import the Exchange Online Management module into the current PowerShell session. 50 | 51 | ```powershell 52 | # Import the PSSSession and Exchange Online cmdlets 53 | Connect-IPPSSession 54 | Import-Module ExchangeOnlineManagement 55 | ``` 56 | 57 | #### Connect with a specific user 58 | 59 | Command to prompt for a specific user for your Exchange Online credentials. 60 | 61 | ```powershell 62 | $UserCredential = Get-Credential 63 | ``` 64 | 65 | Command to connect to Exchange Online using the provided credentials. 66 | 67 | ```powershell 68 | Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true 69 | ``` 70 | 71 | #### Connect with credentials in the current session 72 | 73 | Connect to Exchange Online using the credentials in the current session 74 | 75 | ```powershell 76 | Connect-ExchangeOnline 77 | ``` 78 | 79 | ## Search-UnifiedAuditLog cmdlet 80 | 81 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](aip-unified-audit-logs-best-practices.md). 82 | 83 | To extract the AipHeartBeat events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "AipHeartBeat". The results will be exported to a CSV file at the specified path. 84 | 85 | ```powershell 86 | Search-UnifiedAuditLog -RecordType AipHeartBeat -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Export-Csv -Path 87 | ``` 88 | 89 | ### AipHeartBeat event from PowerShell 90 | 91 | The following is an example of a AipHeartBeat event from PowerShell. 92 | 93 | ```powershell 94 | RecordType : AipHeartBeat 95 | CreationDate : 12/22/2022 8:50:10 PM 96 | UserIds : ipadmin@champion365.onmicrosoft.com 97 | Operations : HeartBeat 98 | AuditData : 99 | { 100 | "Common":{ 101 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 102 | "ApplicationName":"Microsoft Azure Information Protection Explorer Extension", 103 | "ProcessName":"MSIP.App", 104 | "Platform":1, 105 | "DeviceName":"marketing-demo1", 106 | "ProductVersion":"2.14.90.0" 107 | }, 108 | "UserId":"ipadmin@champion365.onmicrosoft.com", 109 | "ClientIP":"20.163.159.46", 110 | "Id":"2e7b94ee-92f7-480f-8b14-89d4bc0c0e43", 111 | "RecordType":97, 112 | "CreationTime":"2022-12-22T20:50:10", 113 | "Operation":"HeartBeat", 114 | "OrganizationId":"c8085975-d882-42d2-9193-d82d752a5de9", 115 | "UserType":0, 116 | "UserKey":"981d11ea-df5c-4334-b656-bb9011bc435b", 117 | "Workload":"Aip", 118 | "Version":1, 119 | "Scope":1 120 | } 121 | ResultIndex : 9 122 | ResultCount : 11 123 | Identity : 2e7b94ee-92f7-480f-8b14-89d4bc0c0e43 124 | IsValid : True 125 | ObjectState : Unchanged 126 | ``` 127 | 128 | > [!NOTE] 129 | > This is just an example of how the Search-UnifiedAuditLog cmdlet can be used. You may need to adjust the command and specify additional parameters based on your specific requirements. For more information on using PowerShell for unified audit logs, see [search unified audit log](/powershell/module/exchange/search-unifiedauditlog). 130 | 131 | ## Office 365 Management Activity API 132 | 133 | In order to be able to query the Office 365 Management API endpoints, you'll need to configure your application with the right permissions. For a step-by-step guide, see [Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). 134 | 135 | ### AipHeartBeat event from REST API 136 | 137 | The following is an example of a AipHeartBeat event from REST API. 138 | 139 | ``` 140 | TenantId : bd285ff7-1a38-4306-adaf-a367669731c3 141 | SourceSystem : RestAPI 142 | TimeGenerated [UTC] : 2022-12-21T17:18:20Z 143 | EventCreationTime [UTC] : 2022-12-21T17:18:20Z 144 | Id : a5ee064a-9508-4332-9853-db4bc8813f4c 145 | Operation : HeartBeat 146 | OrganizationId : ac1dff03-7e0e-4ac8-a4c9-9b38d24f062c 147 | RecordType : 97 148 | UserType : 0 149 | Version : 1 150 | Workload : Aip 151 | UserId : mipscanner@kazdemos.org 152 | UserKey : 2231a98d-8749-4808-b461-1acaa5b628ac 153 | Scope : 1 154 | ClientIP : 52.159.112.221 155 | Common_ApplicationId : c00e9d32-3c8d-4a7d-832b-029040e7db99 156 | Common_ApplicationName : Microsoft Azure Information Protection Explorer Extension 157 | Common_ProcessName : MSIP.App 158 | Common_Platform : 1 159 | Common_DeviceName : AIPSCANNER1.mscompliance.click 160 | Common_ProductVersion : 2.14.90.0 161 | Type : AuditGeneral 162 | ``` 163 | 164 | ## Attributes of the AipHeartBeat event 165 | 166 | Event | Type | Description 167 | ---|---|--- 168 | ApplicationId | GUID | The ID of the application performing the operation. 169 | ApplicationName | String | Friendly name of the application performing the operation. (Outlook, OWA, Word, Excel, PowerPoint, etc.) 170 | ClientIP | IPv4/IPv6 | The IP address of the device that was used when the activity was logged. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. 171 | CreationTime | Date/time | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. 172 | DeviceName | String | The device on which the activity happened. 173 | Id | GUID | Unique identifier of an audit record. 174 | Operation | String | The operation type for the audit log. For AipHeartBeat, the operation is Heartbeat. 175 | OrganizationId | GUID | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. 176 | Platform | Double | The platform where the activity occurred from.
0 = Unknown
1 = Windows
2 = MacOS
3 = iOS
4 = Android
5 = Web Browser 177 | ProcessName | String | The relevant process name (Outlook, MSIP.App, WinWord, etc.) 178 | ProductVersion | String | Version of the AIP client. 179 | RecordType | Double | The type of operation indicated by the record. 97 represents an AipHeartBeat record. 180 | Scope | Double | 0 represents that the event was created by a hosted O365 service. 1 represents that the event was created by an on-premises server. 181 | UserId | String | The User Principal Name (UPN) of the user who performed the action that resulted in the record being logged. 182 | UserKey | GUID | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. 183 | UserType | Double | The type of user that performed the operation.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy 184 | Version | Double | Version ID of the file in the operation. 185 | Workload | String | Stores the Office 365 service where the activity occurred (Exchange, SharePoint, OneDrive, etc). 186 | -------------------------------------------------------------------------------- /office-365-management-api/AipProtectionAction.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: AipProtectionAction 3 | title: AipProtectionAction 4 | description: AipProtectionAction 5 | ms.ContentId: ce562783-e925-4f86-8044-b9dd4e93e784 6 | ms.topic: reference 7 | ms.date: 02/08/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # AipProtectionAction 12 | 13 | Azure Information Protection is a service that allows organizations to classify and label sensitive data, and apply policies to control how that data is accessed and shared. 14 | 15 | AipProtectionAction is a type of event that is recorded in the Office 365 Unified Audit Log. It represents an attempt to apply protection to a file or email. The event is useful because it shows how data is protected within an organization. 16 | 17 | ## Access the Office 365 Unified Audit Log 18 | 19 | The audit logs can be accessed using the following methods: 20 | 21 | - The [audit log search tool](#audit-log-search-tool) in the Microsoft Purview compliance portal. 22 | - The [Search-UnifiedAuditLog](#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 23 | - The [Office 365 Management Activity API](#office-365-management-activity-api). 24 | 25 | ### Audit log search tool 26 | 27 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 28 | 2. In the left pane of the compliance portal, select **Audit**. 29 | > [!Note] 30 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 31 | 3. On the **New Search** tab, set Record type to **AipDiscover** and configure the other parameters. 32 | ![AipDiscover audit configurations](images/aip-discover-search.png) 33 | 4. Click **Search** to run the search using the criteria. In the results pane, select an event to view the results. Both discover and access operations can be viewed. 34 | ![AipDiscover audit results](images/aip-discover.png) 35 | 36 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities). 37 | 38 | ### Search Unified Audit Log in PowerShell 39 | 40 | To access the Unified Audit Log using PowerShell, first connect to an Exchange Online PowerShell session by completing the following steps. 41 | 42 | #### Establish remote PowerShell session 43 | 44 | This will establish a remote PowerShell session with Exchange Online. Once the connection is established, run Exchange Online cmdlets to manage your Exchange Online environment. 45 | 46 | Open a PowerShell window and run the Install-Module -Name ExchangeOnlineManagement command to install the Exchange Online Management module. This module provides cmdlets that can be used to manage Exchange Online. 47 | 48 | 1. Connect-IPPSSession is a PowerShell cmdlet used to create a remote connection to an Exchange Online PowerShell session. 49 | 2. Import-Module ExchangeOnlineManagement is a PowerShell cmdlet used to import the Exchange Online Management module into the current PowerShell session. 50 | 51 | ```powershell 52 | # Import the PSSSession and Exchange Online cmdlets 53 | Connect-IPPSSession 54 | Import-Module ExchangeOnlineManagement 55 | ``` 56 | 57 | #### Connect with a specific user 58 | 59 | Command to prompt for a specific user for your Exchange Online credentials. 60 | 61 | ```powershell 62 | $UserCredential = Get-Credential 63 | ``` 64 | 65 | Command to connect to Exchange Online using the provided credentials. 66 | 67 | ```powershell 68 | Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true 69 | ``` 70 | 71 | #### Connect with credentials in the current session 72 | 73 | Connect to Exchange Online using the credentials in the current session. 74 | 75 | ```powershell 76 | Connect-ExchangeOnline 77 | ``` 78 | 79 | ## Search-UnifiedAuditLog cmdlet 80 | 81 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](aip-unified-audit-logs-best-practices.md). 82 | 83 | To extract the AipProtectionAction events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "AipProtectionAction". The results will be exported to a CSV file at the specified path. 84 | 85 | ```powershell 86 | Search-UnifiedAuditLog -RecordType AipProtectionAction -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) | Export-Csv -Path 87 | ``` 88 | 89 | > [!NOTE] 90 | > This is just an example of how the Search-UnifiedAuditLog cmdlet can be used. You may need to adjust the command and specify additional parameters based on your specific requirements. For more information on using PowerShell for unified audit logs, see [search unified audit log](/powershell/module/exchange/search-unifiedauditlog). 91 | 92 | ## Office 365 Management Activity API 93 | 94 | In order to be able to query the Office 365 Management API endpoints, you'll need to configure your application with the right permissions. For a step-by-step guide, see [Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). 95 | 96 | ### Attributes of the AipProtectionAction event 97 | 98 | Event | Type | Description 99 | ---|---|--- 100 | ApplicationId | GUID | The ID of the application performing the operation. 101 | ApplicationName | String | Friendly name of the application performing the operation. (Outlook, OWA, Word, Excel, PowerPoint, etc.) 102 | ClientIP | IPv4/IPv6 | The IP address of the device that was used when the activity was logged. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. 103 | CreationTime | Date/time | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. 104 | DeviceName | String | The device on which the activity happened. 105 | Id | GUID | Unique identifier of an audit record. 106 | Operation | String | The operation type for the audit log. For AipProtectionAction, operations can include:
- SensitivityLabelApplied
- SensitivityLabelUpdated
- SensitivityLabelRemoved
- SensitivityLabelPolicyMatched
- SensitivityLabeledFileOpened 107 | OrganizationId | GUID | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. 108 | Platform | Double | The platform where the activity occurred from.
0 = Unknown
1 = Windows
2 = MacOS
3 = iOS
4 = Android
5 = Web Browser 109 | ProcessName | String | The relevant process name (Outlook, MSIP.App, WinWord, etc.) 110 | ProductVersion | String | Version of the AIP client. 111 | RecordType | Double | The type of operation indicated by the record. 112 | Scope | Double | 0 represents that the event was created by a hosted O365 service. 1 represents that the event was created by an on-premises server. 113 | UserId | String | The User Principal Name (UPN) of the user who performed the action that resulted in the record being logged. 114 | UserKey | GUID | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. 115 | UserType | Double | The type of user that performed the operation.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy 116 | Version | Double | Version ID of the file in the operation. 117 | Workload | String | Stores the Office 365 service where the activity occurred (Exchange, SharePoint, OneDrive, etc). 118 | -------------------------------------------------------------------------------- /office-365-management-api/AipSensitivityLabelAction.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: AipSensitivityLabelAction 3 | title: AipSensitivityLabelAction 4 | description: AipSensitivityLabelAction 5 | ms.ContentId: 8712d0c3-90af-4aca-8264-4e5ee98c6d40 6 | ms.topic: reference 7 | ms.date: 01/24/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # AipSensitivityLabelAction 12 | 13 | Azure Information Protection is a service that allows organizations to classify and label sensitive data, and apply policies to control how that data is accessed and shared. 14 | 15 | AipSensitivityLabelAction is a type of event that is recorded in the Office 365 Unified Audit Log. It represents an attempt to apply or modify a sensitivity label. Some of the scenarios included within this audit log include applying a label, updating a label, removing a label, and opening a file with a label. The event is useful because it shows how labeled data is being changed within an organization. 16 | 17 | ## Access the Office 365 Unified Audit Log 18 | 19 | The audit logs can be accessed using the following methods. 20 | 21 | - The [audit log search tool](#audit-log-search-tool) in the Microsoft Purview compliance portal. 22 | - The [Search-UnifiedAuditLog](#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 23 | - The [Office 365 Management Activity API](#office-365-management-activity-api). 24 | 25 | ### Audit log search tool 26 | 27 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 28 | 2. In the left pane of the compliance portal, select **Audit**. 29 | > [!Note] 30 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 31 | 3. On the **New Search** tab, set Record type to **AipDiscover** and configure the other parameters. 32 | ![AipDiscover audit configurations](images/aip-discover-search.png) 33 | 4. Click **Search** to run the search using the criteria. In the results pane, select an event to view the results. Both discover and access operations can be viewed. 34 | ![AipDiscover audit results](images/aip-discover.png) 35 | 36 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities). 37 | 38 | ### Search Unified Audit Log in PowerShell 39 | 40 | To access the Unified Audit Log using PowerShell, first connect to an Exchange Online PowerShell session by completing the following steps. 41 | 42 | #### Establish remote PowerShell session 43 | 44 | This will establish a remote PowerShell session with Exchange Online. Once the connection is established, you can run Exchange Online cmdlets to manage your Exchange Online environment. 45 | 46 | Open a PowerShell window and run the Install-Module -Name ExchangeOnlineManagement command to install the Exchange Online Management module. This module provides cmdlets that can be used to manage Exchange Online. 47 | 48 | 1. Connect-IPPSSession is a PowerShell cmdlet used to create a remote connection to an Exchange Online PowerShell session. 49 | 2. Import-Module ExchangeOnlineManagement is a PowerShell cmdlet used to import the Exchange Online Management module into the current PowerShell session. 50 | 51 | ```powershell 52 | # Import the PSSSession and Exchange Online cmdlets 53 | Connect-IPPSSession 54 | Import-Module ExchangeOnlineManagement 55 | ``` 56 | 57 | #### Connect with a specific user 58 | 59 | Command to prompt for a specific user for your Exchange Online credentials. 60 | 61 | ```powershell 62 | $UserCredential = Get-Credential 63 | ``` 64 | 65 | Command to connect to Exchange Online using the provided credentials. 66 | 67 | ```powershell 68 | Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true 69 | ``` 70 | 71 | #### Connect with credentials in the current session 72 | 73 | Connect to Exchange Online using the credentials in the current session. 74 | 75 | ```powershell 76 | Connect-ExchangeOnline 77 | ``` 78 | 79 | ## Search-UnifiedAuditLog cmdlet 80 | 81 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](aip-unified-audit-logs-best-practices.md). 82 | 83 | To extract the AipSensitivityLabelAction events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "AipSensitivityLabelAction". The results will be exported to a CSV file at the specified path. 84 | 85 | ```powershell 86 | Search-UnifiedAuditLog -RecordType AipSensitivityLabelAction -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) | Export-Csv -Path 87 | ``` 88 | 89 | Use the following command to specifically search for the scenario in which the sensitivity label was applied. An example of the result of the PowerShell cmdlet is also shown below. 90 | 91 | ```powershell 92 | Search-UnifiedAuditLog -Operations SensitivityLabelApplied -RecordType AipSensitivityLabelAction -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 93 | ``` 94 | 95 | The following is an example of SensitivityLabelApplied event from PowerShell, with sensitivity label applied. 96 | 97 | ```json 98 | RecordType : AipSensitivityLabelAction 99 | CreationDate : 12/13/2022 10:45:39 PM 100 | UserIds : ipadmin@champion365.onmicrosoft.com 101 | Operations : SensitivityLabelApplied 102 | AuditData : 103 | { 104 | "SensitiveInfoTypeData":[], 105 | "ProtectionEventData":{ 106 | "ProtectionEventType":1, 107 | "ProtectionType":"Template", 108 | "TemplateId":"b00b3737-7542-4181-ab70-5dde2c266ccf", 109 | "IsProtected":true, 110 | "IsProtectedBefore":false, 111 | "ProtectionOwner":"ipadmin@champion365.onmicrosoft.com" 112 | }, 113 | "Common":{ 114 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 115 | "ApplicationName":"Microsoft Azure Information Protection Word Add-In", 116 | "ProcessName":"WINWORD", 117 | "Platform":1, 118 | "DeviceName":"marketing-demo1", 119 | "Location":"On-premises file shares", 120 | "ProductVersion":"2.14.90.0" 121 | }, 122 | "DataState":"Use", 123 | "SensitivityLabelEventData":{ 124 | "SensitivityLabelId":"4eff011f-95b3-4371-8836-39da6458f464", 125 | "LabelEventType":4, 126 | "ActionSource":1 127 | }, 128 | "ObjectId":"Document2", 129 | "UserId":"ipadmin@champion365.onmicrosoft.com", 130 | "ClientIP":"20.163.159.46", 131 | "Id":"77b9a81f-aa2a-4e4a-bdb7-d35b03277fec", 132 | "RecordType":94, 133 | "CreationTime":"2022-12-13T22:45:39", 134 | "Operation":"SensitivityLabelApplied", 135 | "OrganizationId":"c8085975-d882-42d2-9193-d82d752a5de9", 136 | "UserType":0, 137 | "UserKey":"981d11ea-df5c-4334-b656-bb9011bc435b", 138 | "Workload":"Aip", 139 | "Version":1, 140 | "Scope":1 141 | } 142 | ResultIndex : 1 143 | ResultCount : 13 144 | Identity : 77b9a81f-aa2a-4e4a-bdb7-d35b03277fec 145 | IsValid : True 146 | ObjectState : Unchanged 147 | ``` 148 | 149 | Use the following command to specifically search for the scenario in which the sensitivity label was updated. An example of the result of the PowerShell cmdlet is also shown below. 150 | 151 | ```powershell 152 | Search-UnifiedAuditLog -Operations SensitivityLabelUpdated -RecordType AipSensitivityLabelAction -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 153 | ``` 154 | 155 | The following is an example of AipSensitivityLabelAction event from PowerShell, with sensitivity label updated. 156 | 157 | ```json 158 | RecordType : AipSensitivityLabelAction 159 | CreationDate : 12/22/2022 9:01:35 PM 160 | UserIds : ipadmin@champion365.onmicrosoft.com 161 | Operations : SensitivityLabelUpdated 162 | AuditData : RecordType:AipSensitivityLabelAction 163 | CreationDate:12/22/2022 9:01:35 PM 164 | UserIds:ipadmin@champion365.onmicrosoft.com 165 | Operations:SensitivityLabelUpdated 166 | AuditData: 167 | { 168 | "SensitiveInfoTypeData":[], 169 | "ProtectionEventData":{ 170 | "ProtectionEventType":1, 171 | "ProtectionType":"DoNotForward", 172 | "IsProtected":true, 173 | "IsProtectedBefore":false, 174 | "ProtectionOwner":"ipadmin@champion365.onmicrosoft.com" 175 | }, 176 | "Common":{ 177 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 178 | "ApplicationName":"Microsoft Azure Information Protection Outlook Add-In", 179 | "ProcessName":"OUTLOOK", 180 | "Platform":1, 181 | "DeviceName":"forrester-demo1", 182 | "Location":"On-premises file shares", 183 | "ProductVersion":"2.14.90.0" 184 | }, 185 | "DataState":"Use", 186 | "SensitivityLabelEventData":{ 187 | "SensitivityLabelId":"6a10f3c2-a682-44ba-a911-52dcca64e78d", 188 | "OldSensitivityLabelId":"6282649d-9e2a-4063-8587-32eaaa9ad68e", 189 | "LabelEventType":1, 190 | "ActionSource":3 191 | }, 192 | "ObjectId":"test.msg", 193 | "UserId":"ipadmin@champion365.onmicrosoft.com", 194 | "ClientIP":"20.163.159.46", 195 | "Id":"ca08441d-7876-4320-9c75-c0a3d99bcc4a", 196 | "RecordType":94, 197 | "CreationTime":"2022-12-22T21:01:35", 198 | "Operation":"SensitivityLabelUpdated", 199 | "OrganizationId":"c8085975-d882-42d2-9193-d82d752a5de9", 200 | "UserType":0, 201 | "UserKey":"981d11ea-df5c-4334-b656-bb9011bc435b", 202 | "Workload":"Aip", 203 | "Version":1, 204 | "Scope":1 205 | } 206 | ResultIndex:1 207 | ResultCount:6 208 | Identity:ca08441d-7876-4320-9c75-c0a3d99bcc4a 209 | IsValid:True 210 | ObjectState:Unchanged 211 | ResultIndex : 1 212 | ResultCount : 6 213 | Identity : ca08441d-7876-4320-9c75-c0a3d99bcc4a 214 | IsValid : True 215 | ObjectState : Unchanged 216 | ``` 217 | 218 | The other operations that can be specifically searched for within AipSensitivityLabelAction include SensitivityLabelRemoved, SensitivityLabelPolicyMatched, and SensitivityLabeledFileOpened. 219 | 220 | > [!NOTE] 221 | > This is just an example of how the Search-UnifiedAuditLog cmdlet can be used. You may need to adjust the command and specify additional parameters based on your specific requirements. For more information on using PowerShell for unified audit logs, see [search unified audit log](/powershell/module/exchange/search-unifiedauditlog). 222 | 223 | ## Office 365 Management Activity API 224 | 225 | In order to be able to query the Office 365 Management API endpoints, you'll need to configure your application with the right permissions. For a step-by-step guide, see [Get started with Office 365 Management APIs](/office/office-365-management-api/get-started-with-office-365-management-apis). 226 | 227 | ### AipSensitivityLabelAction event from REST API 228 | 229 | The following is an example of AipSensitivityLabelAction event from REST API. 230 | 231 | ``` 232 | TenantId : bd285ff7-1a38-4306-adaf-a367669731c3 233 | SourceSystem : RestAPI 234 | TimeGenerated [UTC] : 2022-12-07T18:04:40Z 235 | EventCreationTime [UTC] : 2022-12-07T18:04:40Z 236 | ProtectionEventData_ProtectionEventType : 1 237 | Id : e22455c0-3f3e-4983-8067-adf7aebac2b7 238 | Operation : SensitivityLabelApplied 239 | OrganizationId : ac1dff03-7e0e-4ac8-a4c9-9b38d24f062c 240 | RecordType : 94 241 | UserType : 5 242 | Version : 1 243 | Workload : Aip 244 | UserId : mipscanner@kazdemos.org 245 | UserKey : 2231a98d-8749-4808-b461-1acaa5b628ac 246 | Scope : 1 247 | ClientIP : 168.245.201.7 248 | Common_ApplicationId : c00e9d32-3c8d-4a7d-832b-029040e7db99 249 | Common_ApplicationName : Microsoft Azure Information Protection Scanner 250 | Common_ProcessName : MSIP.Scanner 251 | Common_Platform : 1 252 | Common_DeviceName : AIPConnector.AIPTest.local 253 | Common_ProductVersion : 2.14.90.0 254 | ObjectId : c:\Data\Data03\Concert Schedule.docx 255 | SensitivityLabelEventData_ActionSource : 3 256 | SensitivityLabelEventData_LabelEventType : 4 257 | SensitivityLabelEventData_SensitivityLabelId : 14332bd2-1fed-4838-954b-646f71db45b1 258 | SensitiveInfoTypeData : [] 259 | ProtectionEventData_ProtectionType : Template 260 | ProtectionEventData_TemplateId : 7ef1852d-f4a9-460a-a59f-60ee8c3fe291 261 | ProtectionEventData_IsProtected : true 262 | ProtectionEventData_ProtectionOwner : mipscanner@kazdemos.org 263 | Common_Location : On-premises file shares 264 | DataState : Rest 265 | ProtectionEventData_IsProtectedBefore : false 266 | Type : AuditGeneral 267 | ``` 268 | 269 | ## Attributes of the AipSensitivityLabelAction event 270 | 271 | The following table contains information related to AIP sensitivity label events. 272 | 273 | Event | Type | Description 274 | ---|---|--- 275 | ActionSource | Double | Indicates whether the label was applied manually or automatically.
0 = None
1 = Default
2 = Auto
3 = Manual
4 = Recommended 276 | ApplicationId | GUID | The ID of the application performing the operation. 277 | ApplicationName | String | Friendly name of the application performing the operation. (Outlook, OWA, Word, Excel, PowerPoint, etc.) 278 | ClientIP | IPv4/IPv6 | The IP address of the device that was used when the activity was logged. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. 279 | CreationTime | Date/time | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. 280 | DataState | String | Rest = File was not open when event was logged
Use = File was in use when event was logged. 281 | DeviceName | String | The device on which the activity happened. 282 | Id | GUID | Unique identifier of an audit record. 283 | IsProtected | Boolean | States whether or not the data is protected with encryption. 284 | LabelEventType | Double | Describes how the label was changed.
0 = None
1 = LabelUpgraded
2 = LabelDowngraded
3 = LabelRemoved
4 = LabelChangedSameOrder 285 | Location | String | The location of the document with respect to the user's device (on-premises file shares). 286 | ObjectId | String | File full path (URL) that is being accessed by the user. 287 | OldSensitivityLabelId | GUID | The previous sensitivity label GUID. 288 | Operation | String | The operation type for the audit log. For AipSensitivityLabelAction, operations can include:
- SensitivityLabelApplied
- SensitivityLabelUpdated
- SensitivityLabelRemoved
- SensitivityLabelPolicyMatched
- SensitivityLabeledFileOpened 289 | OrganizationId | GUID | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. 290 | Platform | Double | The platform where the activity occurred from.
0 = Unknown
1 = Windows
2 = MacOS
3 = iOS
4 = Android
5 = Web Browser 291 | ProcessName | String | The relevant process name (Outlook, MSIP.App, WinWord, etc.) 292 | ProductVersion | String | Version of the AIP client. 293 | ProtectionOwner | String | Rights Management owner in UPN format. 294 | ProtectionType | String | The type of protection that was used for the data. Template means that protection was predefined by the admin. Custom means the user defined the protection. 295 | RecordType | Double | The type of operation indicated by the record. 94 represents an AipSensitivityLabelAction record. 296 | Scope | Double | 0 represents that the event was created by a hosted O365 service. 1 represents that the event was created by an on-premises server. 297 | SensitiveInfoTypeData | String | The sensitive information types that have been discovered within the data. 298 | SensitivityLabelId | GUID | The current sensitivity label GUID. Use cmdlt Get-Label to get the full values of the GUID. 299 | TemplateId | GUID | The id for the template used for protection. If ProtectionType = Template, TemplateId will have GUID. If ProtectionType = Custom, TemplateId will be blank. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection. 300 | UserId | String | The User Principal Name (UPN) of the user who performed the action that resulted in the record being logged. 301 | UserKey | GUID | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. 302 | UserType | Double | The type of user that performed the operation.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy 303 | Version | Double | Version ID of the file in the operation. 304 | Workload | String | Stores the Office 365 service where the activity occurred (Exchange, SharePoint, OneDrive, etc). 305 | -------------------------------------------------------------------------------- /office-365-management-api/OMEPortal.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: OMEPortal 3 | title: OMEPortal 4 | description: OMEPortal 5 | ms.ContentId: c6b4789e-d0e8-44d4-806c-0a63d1218463 6 | ms.topic: reference 7 | ms.date: 07/25/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # OMEPortal 12 | 13 | Microsoft Purview Message Encryption is a service that allows organizations to send encrypted mail to any recipients. 14 | 15 | OMEPortal is a type of event that is recorded in the Office 365 Unified Audit Log. It represents any activity to access an encrypted message by an external recipient using the encrypted message portal. This event is useful to determine when and who accessed the portal. 16 | 17 | - authenticate 18 | - open message 19 | - view attachment 20 | - download attachment 21 | - reply/forward message 22 | 23 | ## Access the Office 365 Unified Audit Log 24 | 25 | The audit logs can be accessed using the following methods. 26 | 27 | - The [audit log search tool](/office/office-365-management-api/aipsensitivitylabelaction#audit-log-search-tool) in the Microsoft Purview compliance portal. 28 | - The [Search-UnifiedAuditLog](/office/office-365-management-api/aipsensitivitylabelaction#search-unified-audit-log-in-powershell) cmdlet in Exchange Online PowerShell. 29 | - The [Office 365 Management Activity API](/office/office-365-management-api/aipsensitivitylabelaction#office-365-management-activity-api). 30 | 31 | ### Audit log search tool 32 | 33 | 1. Go to the [Microsoft Purview compliance portal](https://sip.compliance.microsoft.com/homepage) and sign in. 34 | 2. In the left pane of the compliance portal, select **Audit**. 35 | 36 | > [!NOTE] 37 | > If you don't see **Audit** in the left pane, see [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide&preserve-view=true) for information about permissions. 38 | 39 | 3. On the **New Search** tab, set Record type to **OMEPortal** and configure the other parameters. 40 | :::image type="content" source="images/audit-new-search.png" alt-text="Audit dialog showing new search options"::: 41 | 42 | For more information on viewing the audit logs in the Microsoft Purview compliance portal, see [Audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide). 43 | 44 | ### Search Unified Audit Log in PowerShell 45 | 46 | To access the Unified Audit Log using PowerShell, first open a PowerShell window and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps). 47 | 48 | #### Search-UnifiedAuditLog cmdlet 49 | 50 | The Search-UnifiedAuditLog cmdlet is a PowerShell command that can be used to search the Office 365 Unified Audit Log. The Unified Audit Log is a record of user and administrator activity in Office 365 that can be used to track events. For best practices on using this cmdlet, see [Best Practices for using Search-UnifiedAuditLog](/office/office-365-management-api/aip-unified-audit-logs-best-practices). 51 | 52 | To extract the OMEPortal events from the Unified Audit Log using PowerShell, you can use the following command. This will search the Unified Audit Log for the specified date range and return any events with the record type "OMEPortal". The results will be exported to a CSV file at the specified path. 53 | 54 | ```powershell 55 | Search-UnifiedAuditLog -RecordType OMEPortal -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) | Export-Csv -Path 56 | ``` 57 | 58 | The following is an example of OMEPortal event from PowerShell, with opening message in the encrypted message portal activity. 59 | 60 | ```json 61 | 62 | RecordType : OMEPortal 63 | 64 | CreationDate : 3/22/2023 7:00:59 PM 65 | 66 | UserIds : admin@M365x965352.onmicrosoft.com 67 | 68 | Operations : MessageAccess 69 | 70 | AuditData : {"CreationTime":"2023-03-22T19:00:59","Id":"a3500d45-6ab3-4971-a762-a01a846015d0","Operation":"MessageAccess","OrganizationId":"84b06764-3e5e-4f51-9a78-046a7f38b59b","RecordType":154,"ResultStatus":"Success","UserKey":"admin@M365x965352.onmicrosoft.com","UserType":0,"Version":1,"Workload":"Exchange","UserId":"admin@M365x965352.onmicrosoft.com","AuthenticationMethod":"Google","AuthenticationStatus":0,"MessageId":"","OperationProperties":[{"Name":"MailSubject","Value":"Support case 1234567"}],"OperationStatus":0,"Recipient":"samschan.msft@gmail.com","Sender":"admin@M365x965352.onmicrosoft.com"} 71 | 72 | ResultIndex : 6 73 | 74 | ResultCount : 7 75 | 76 | Identity : a3500d45-6ab3-4971-a762-a01a846015d0 77 | 78 | IsValid : True 79 | 80 | ObjectState : Unchanged 81 | 82 | ``` 83 | 84 | Use the following command to specifically search for the scenario in which user views an attachment. An example of the result of the PowerShell cmdlet is also shown below. 85 | 86 | ```PowerShell 87 | Search-UnifiedAuditLog -Operations AttachmentReview -RecordType OMEPortal -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 88 | ``` 89 | 90 | The following is an example of AipSensitivityLabelAction event from PowerShell, with sensitivity label updated. 91 | 92 | ```json 93 | 94 | RecordType : OMEPortal 95 | 96 | CreationDate : 3/22/2023 7:04:09 PM 97 | 98 | UserIds : admin@M365x965352.onmicrosoft.com 99 | 100 | Operations : AttachmentReview 101 | 102 | AuditData : {"CreationTime":"2023-03-22T19:04:09","Id":"ef29c387-c81b-4812-9020-90b378d92cde","Operation":"AttachmentReview","OrganizationId":"84b06764-3e5e-4f51-9a78-046a7f38b59b","RecordType":154,"ResultStatus":"Failure","UserKey":"admin@M365x965352.onmicrosoft.com","UserType":0,"Version":1,"Workload":"Exchange","UserId":"admin@M365x965352.onmicrosoft.com","AttachmentName":"Form.docx","AuthenticationMethod":"OTP","AuthenticationStatus":0,"MessageId":"","OperationProperties":[{"Name":"MailSubject","Value":"Support case 987654"}],"OperationStatus":1,"Recipient":"samschan.msft@gmail.com","Sender":"admin@M365x965352.onmicrosoft.com"} 103 | 104 | ResultIndex : 4 105 | 106 | ResultCount : 7 107 | 108 | Identity : ef29c387-c81b-4812-9020-90b378d92cde 109 | 110 | IsValid : True 111 | 112 | ObjectState : Unchanged 113 | ``` 114 | 115 | The other operations that can be specifically searched for within OMEPortal include AttachmentDownload, AuthenticationRequest, MessageAccess, and MessageForward. 116 | 117 | ## Attributes of the OMEPortal event 118 | 119 | The following table contains information related to OMEPortal events. 120 | 121 | |Event |Type |Description | 122 | |-----------|------------|-------------| 123 | |Activity | String | The activity type for the audit log. For OMEPortal, operations can include:
- AttachmentDownload
- AttachmentReview
- AuthenticateRequest
- MessageAccess
- MessageForward | 124 | |AttachmentName |String |Part of AuditData.
The name of the attachment in the message.| 125 | |AuditData | String |The log details on the OMEPortal activity.
| 126 | |AuthenticationMethod |String |Part of AuditData.
The type of authentication used to login to portal. Values are:
- OTP
- Google
- Yahoo
- Microsoft | 127 | |AuthenticationStatus |Double |The status of the authentication.
0 = success
1= failure | 128 | |CreationTime |Date/time |The date and time in Coordinated Universal Time (UTC) when the user performed the activity. | 129 | |Id |GUID |Unique identifier of an audit record. | 130 | |MessageId |String |The message ID. | 131 | |Operation |String |Same value as activity. | 132 | |OperationProperties |String |Part of AuditData.
Contains the email subject. | 133 | |Recipient |String |Part of AuditData.
The email address of user accessing the message in the encrypted message portal. | 134 | |RecordType |Double |The type of operation indicated by the record. 154 represents an OMEPortal record. | 135 | |ResultsStatus |String |Operation was either successful or a failure. | 136 | |Sender |String |Part of AuditData.
The email address of user that sent the encrypted message. | 137 | |Workload |String |Exchange to indicate email in the encrypted message portal. | 138 | |UserId |String |The User Principal Name (UPN) of the user in your organization who sent the encrypted mail the action that resulted in the record being logged. | 139 | -------------------------------------------------------------------------------- /office-365-management-api/TOC.md: -------------------------------------------------------------------------------- 1 | # [Office 365 Management APIs](index.md) 2 | ## [Management APIs overview](office-365-management-apis-overview.md) 3 | ## [Get started with Management APIs](get-started-with-office-365-management-apis.md) 4 | ## [Service Communications API](office-365-service-communications-api-reference.md) 5 | ## [Management Activity API reference](office-365-management-activity-api-reference.md) 6 | ## [Management Activity API schema](office-365-management-activity-api-schema.md) 7 | ## [Management Activity API FAQs and troubleshooting](troubleshooting-the-office-365-management-activity-api.md) 8 | -------------------------------------------------------------------------------- /office-365-management-api/aip-unified-audit-logs-best-practices.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: Search-UnifiedAuditLog Best Practices 3 | title: AIP Unified Audit Log Best Practices 4 | description: Understand the AIP Unified Audit Log Search-UnifiedAuditLog cmdlet tool 5 | ms.ContentId: c2cdd604-fa79-424c-b8e1-9474f248279e 6 | ms.topic: reference 7 | ms.date: 01/24/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # Best Practices using the Search-UnifiedAuditLog cmdlet tool 12 | 13 | The audit log is a tool that records events from a range of workloads. The Search-UnifiedAuditLog cmdlet can be used to search and retrieve data from the audit log. It's important to understand how to use this cmdlet effectively, particularly when it comes to interpreting the information in the AuditData property, as different workloads insert different types of information into this property. 14 | 15 | By default, the Search-UnifiedAuditLog cmdlet returns 100 audit records for any search request, unless you specify a different number of records to retrieve using the ResultSize parameter (up to a maximum of **5,000 records**). 16 | 17 | A single search can process a maximum of **50,000 audit records** using page retrieval. Because the audit log can contain a large amount of data, it's important to be as specific as possible when using search parameters to avoid returning too many records. 18 | 19 | To use the Search-UnifiedAuditLog cmdlet, your account must have the Exchange View-Only Audit Logs or Audit Logs role. These roles are part of the **Compliance Management and Organization Management role groups**, and can be assigned to other role groups as needed. 20 | 21 | ## RecordTypes 22 | 23 | A RecordType is the workload that generated the record. Examples of different types of events found using the Search-UnifiedAuditLog cmdlet include: 24 | 25 | 1. Add a member to a group in Microsoft Entra ID (**AzureActiveDIrectory**) 26 | 2. Update mailbox properties in Exchange (**ExchangeAdmin**) 27 | 3. Delete a file in SharePoint (**SharePointFileOperation**) 28 | 4. Log a user into Microsoft Teams (**MicrosoftTeams**) 29 | 5. AIP Heartbeat (**AipHeartbeat**) 30 | 31 | These events can be searched for and tracked using the Search-UnifiedAuditLog cmdlet, which allows you to filter and view the details of the events that are recorded in the unified audit log. 32 | 33 | ## Audit Data structure 34 | 35 | ```powershell 36 | Search-UnifiedAuditLog -RecordType AipDiscover -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 37 | ``` 38 | 39 | Audit records consist of two parts: 40 | General properties 41 | AuditData property 42 | 43 | ### General properties 44 | 45 | General properties that are populated in the same way by all workloads, and the AuditData property that contains workload-specific information. The general properties include the record type, creation date, operation, and user identifier. 46 | 47 | ``` 48 | RunspaceId : 136b901e-a6bc-4f24-bb58-5c435090df91 49 | RecordType : AipDiscover 50 | CreationDate : 2022-09-15 5:49:22 PM 51 | UserIds : AdeleV@M365x23987777.OnMicrosoft.com 52 | Operations : Access 53 | ResultIndex : 8 54 | ResultCount : 8 55 | Identity : 20728aaf-1964-1a4a-bd72-784fa3c12132 56 | IsValid : True 57 | ObjectState : Unchanged 58 | ``` 59 | 60 | ### AuditData property 61 | 62 | Find the most important information about an event using AuditData property. Workloads use schemas to describe the properties they insert into audit records, and these schemas are used to help interpret the payload in audit events. It may require some trial and error to fully understand the information in an audit record. A guide to the detailed properties in audit log records can be helpful in this process. The details about the action taken by a user are stored in JavaScript Object Notation (JSON) format, so further processing is necessary to format the data to extract the information. 63 | 64 | ```json 65 | AuditData: 66 | { 67 | "SensitivityLabelEventData":{ 68 | "SensitivityLabelId":"8581574a-c314-42e3-bfdc-a63cf96ed86e" 69 | }, 70 | "SensitiveInfoTypeData":[ 71 | 72 | ], 73 | "ProtectionEventData":{ 74 | "IsProtected":false 75 | }, 76 | "Common":{ 77 | "ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99", 78 | "ApplicationName":"Microsoft Azure Information Protection Word Add-In", 79 | "ProcessName":"WINWORD", 80 | "Platform":1, 81 | "DeviceName":"AdeleVanceWindo", 82 | "Location":"On-premises file shares", 83 | "ProductVersion":"2.13.49.0" 84 | }, 85 | "DataState":"Use", 86 | "ObjectId":"C:\\452Documentcreated.docx", 87 | "UserId":"AdeleV@M365x23987777.OnMicrosoft.com", 88 | "ClientIP":"20.237.230.167", 89 | "Id":"20728aaf-1964-1a4a-bd72-784fa3c12132", 90 | "RecordType":93, 91 | "CreationTime":"2022-09-15T17:49:22", 92 | "Operation":"Access", 93 | "OrganizationId":"4b080626-0acc-4940-8af8-bfc836ff1a59", 94 | "UserType":0, 95 | "UserKey":"AdeleV@M365x23987777.OnMicrosoft.com", 96 | "Workload":"Aip", 97 | "Version":1, 98 | "Scope":1 99 | } 100 | ``` 101 | 102 | The following table lists the AuditData property details. 103 | 104 | |Parameter |Description| 105 | |----------|-----------| 106 | | RecordType| The type of workload that generated the record, such as Microsoft Entra ID, Microsoft Teams, Exchange Admin, or SharePoint File Operation.| 107 | | CreationTime| The date and time in UTC format when the activity was performed.| 108 | | Operation| The operation logged when someone accesses an item, such as FileViewed in the case of SharePoint Online.| 109 | | OrganizationId| The unique tenant identifier in the form of a GUID.| 110 | | UserKey| The identity used to gain access to the item, typically achieved through membership in a group.| 111 | | Workload| The name of the application that logged the event, such as SharePoint Online, Exchange Online, OneDrive for Business, or Microsoft Entra ID.| 112 | | ClientIP| The IP address of the client workstation where the action originated.| 113 | | ObjectID| The full path to the object that was accessed.| 114 | | UserID| The Microsoft Entra account identifier for the account that caused the action to occur.| 115 | | UserAgent| The client used to invoke the action.| 116 | | SourceFileName| The name of the file involved in the action.| 117 | | UserType| The type of user that performed the action, with values of "0" (regular user), "1" (administrator), or "2" (Microsoft data center administrator or system account).| 118 | | EventSource| Only used by SharePoint Online, indicating whether the source was SharePoint or ObjectMode.| 119 | | ResultIndex and ResultCount|The ResultIndex and ResultCount properties can be useful when working with large record sets. ResultIndex indicates the record number within the returned set, while ResultCount shows the total number of records returned. For example, if ResultIndex is 1 and ResultCount is 125, it means that the record shown is the first of 125 returned in the set.
If the search encounters an internal timeout, ResultIndex will be set to -1. As administrators gain experience with the audit log and the PowerShell cmdlets, they will discover that the audit log is a valuable source of information for understanding who interacted with a document or created new documents during a certain time period. It may take some trial and error to fully utilize the information provided in audit records.| 120 | 121 | ## Find the correct set events 122 | 123 | To find the right events when searching the audit log, it's important to know what you're looking for and use the appropriate filters and parameters. This can be challenging because the audit log can contain a large number of events, and searching for specific actions can be like searching for a small object in a large and disordered list of data. 124 | 125 | One way to approach this problem is to take steps to generate an audit event for the action you're interested in, wait for 60 minutes or so to allow the event to be ingested into the audit log, and then search for events within that time period. 126 | 127 | This will give you a smaller set of events to work with, which you can then analyze and use to perform further searches. It's also a good idea to use the **Operations** / **RecordTypes** values logged for the events to help you refine your searches and find the specific events you're looking for. 128 | 129 | Following is an example of filtering data by looking for very specific operations and in a given date range. View [Record Types](/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype) to see the record types that can be looked for. 130 | 131 | The following script looks for a specific operation. 132 | 133 | ```powershell 134 | $Operations = ("SensitivityLabelUpdated", "SensitivityLabelApplied", "FileSensitivityLabelApplied") 135 | $StartDate = (Get-Date).AddDays(-90) 136 | $EndDate = (Get-Date).AddDays(1) 137 | [Array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -Operations $Operations 138 | ``` 139 | 140 | The following script searches for a specific Record Type. This example uses for AipDiscover. 141 | 142 | ```powershell 143 | Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) -RecordType AipDiscover -Operations Access -ResultSize 5 -Formatted | Format-Table UserIds, CreationDate, Operations 144 | ``` 145 | 146 | The following script stores the result in an array and searches for a specific value. This examples uses CreationDate. 147 | 148 | ```powershell 149 | [array]$Records = Search-UnifiedAuditLog -RecordType AipDiscover -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date) 150 | $Records | Where-Object {$_.CreationDate -eq "2022-09-15 5:49:22 PM"} 151 | ``` 152 | 153 | ## Manage large amounts of audit data 154 | 155 | If you need to retrieve a large number of audit records from a large tenant, or if you need to search for multiple operations over an extended period, it's likely that a single search will return more than 5,000 records. 156 | 157 | To manage large volumes of data from the Search-UnifiedAuditLog cmdlet, you can use the ReturnLargeSet and ReturnNextPreviewPage parameters. These parameters allow you to perform searches that return large sets of results, and then retrieve the next page of results in subsequent searches. 158 | 159 | 1. Use the SessionId parameter to identify a search session and specify the number of pages you want to retrieve. This will allow the cmdlet to fetch multiple pages of data and return them to you. 160 | 2. The SessionId parameter is also used when you want to search for a large amount of audit data using the Search-UnifiedAuditLog cmdlet. The cmdlet will return a maximum of 5000 records per page, so if you want to search for more than that, you'll need to use the SessionId parameter to identify a search session and specify the number of pages you want to retrieve. The cmdlet will then use the session identifier to fetch the additional pages of data and return them to you. 161 | 3. If you need to search for more than 50,000 records, split the work across multiple searches and use different criteria for each search. 162 | 4. Store the results of the searches in an external repository, such as Azure log analytics, Azure Data Explorer, for easy access and analysis. 163 | 5. Regularly review and update your search criteria and audit data management processes to ensure that you are capturing the right data and efficiently managing it. This will help you stay on top of any potential security issues and improve the overall security of your organization. 164 | 165 | ### Steps to retrieve large amounts of data 166 | 167 | To fetch a large amount of audit data, follow these steps: 168 | 169 | 1. Generate a session identifier. 170 | 2. Use a loop to retrieve data in multiple pages. 171 | 3. Repeatedly run the Search-UnifiedAuditLog command to fetch all the available data. 172 | 4. Save the data from each run of Search-UnifiedAuditLog. 173 | 5. After all the pages have been fetched, sort the data by date and export it to a CSV file. 174 | 175 | ### Examples 176 | 177 | Search-UnifiedAuditLog has two parameters to support the retrieval of large data sets, SessionID and SessionCommand. Both SessionID and SessionCommand can be combined to process large datasets. 178 | The **SessionId** parameter holds a string value to identify a search session. You can use any value you like from a simple number to a GUID generated with the New-Guid cmdlet. The presence of a session identifier tells Search-UnifiedAuditLog that it might need to fetch several pages of data. 179 | 180 | ```powershell 181 | eg. 182 | $SessionId = "5b5a5a5a-5b5b-5c5c-5d5d-5e5e5e5e5e5e" 183 | $SessionId = "UnifiedAuditLogSearch 01/02/17" 184 | ``` 185 | 186 | The **SessionCommand** tells Search-UnifiedAuditLog how to handle large amounts of audit data. The returned data might contain duplicate records. This parameter can be set to: 187 | 188 | * **ReturnLargeSet**: The audit records returned are unsorted. You can fetch up to 50,000 audit records using this method but must remember to sort the data once it is all fetched. 189 | * **ReturnNextPreviewPage**: Search-UnifiedAuditLog returns audit records sorted by date. However, you can fetch only a maximum of 5,000 records using this method. The maximum number of records returned through use of either paging or the ResultSize parameter is 5,000 records. 190 | 191 | > [!NOTE] 192 | > Always use the same SessionCommand value for a given SessionId value. Don't switch between ReturnLargeSet and ReturnNextPreviewPage for the same session ID. Otherwise, the output is limited to 10,000 results. 193 | 194 | #### SessionId sample script 195 | 196 | In the following example, the script first imports the Exchange Online Management module and creates a remote connection to Exchange Online. It then sets the start and end dates for the search, and uses the Search-UnifiedAuditLog cmdlet to search the Unified Audit Log for entries within the specified date range. 197 | 198 | The script then uses a foreach loop to scan through the array of records returned by the cmdlet, and processes each record as needed. In this case, it prints the operation name and user identity for each record. 199 | 200 | ```powershell 201 | # Import the Exchange Online Management module 202 | Import-Module ExchangeOnlineManagement 203 | # Create a remote connection to Exchange Online 204 | $UserCredential = Get-Credential 205 | Connect-IPPSSession 206 | # Search the Unified Audit Log for entries with the specified SessionID 207 | $SessionId = "5b5a5a5a-5b5b-5c5c-5d5d-5e5e5e5e5e5e" 208 | $StartDate = (Get-Date).AddDays(-90) 209 | $EndDate = (Get-Date).AddDays(1) 210 | [Array]$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId $SessionId 211 | 212 | # Scan through the array of records 213 | foreach ($Record in $Records) 214 | { 215 | # Process each record as needed 216 | # For example, you could print the operation name and user identity 217 | Write-Host "Operation: $($Record.RecordType)" 218 | Write-Host "User Identity: $($Record.Operations)" 219 | Write-Host "User Identity: $($Record.AuditData)" 220 | } 221 | ``` 222 | 223 | #### ReturnLargeSet sample script 224 | 225 | In the following example, the Search-UnifiedAuditLog cmdlet is used to search the audit log for entries between the specified start and end times. The ReturnLargeSet parameter is set by specifying the SessionId and SessionCommand parameters in the $parameters object. The results of the search are then looped through and each entry is output to the console. 226 | 227 | **ReturnLargeSet**: Returns unsorted data. By using paging, you can access a maximum of 50,000 results. This is the recommended value if an ordered result is not required and has been optimized for search latency. 228 | 229 | ```powershell 230 | # Set the start and end time for the audit log search 231 | $startTime = "01/01/2022 00:00:00" 232 | $endTime = "12/31/2022 23:59:59" 233 | 234 | # Set the parameters for the search 235 | $parameters = @{ 236 | StartDate = $startTime 237 | EndDate = $endTime 238 | SessionId = "UnifiedAuditLogSearch 01/02/17" 239 | SessionCommand = "ReturnLargeSet" 240 | } 241 | 242 | # Perform the search and store the results in a variable 243 | $results = Search-UnifiedAuditLog @parameters 244 | 245 | # Loop through the results and output each entry 246 | for ($i = 0; $i -lt $results.Count; $i++) { 247 | $entry = $results[$i] 248 | Write-Output $entry 249 | } 250 | ``` 251 | 252 | #### ReturnNextPreviewPage sample script 253 | 254 | The following script performs a search using the Search-UnifiedAuditLog cmdlet and the ReturnNextPreviewPage parameter. The search is performed using the specified start and end times. The results of the search are then output to the console. 255 | 256 | ```powershell 257 | # Set the start and end time for the audit log search 258 | $startTime = "01/01/2022 00:00:00" 259 | $endTime = "12/31/2022 23:59:59" 260 | 261 | 262 | # Set the parameters for search 263 | $parameters = @{ 264 | SessionId = "UnifiedAuditLogSearch 01/02/17" 265 | SessionCommand = "ReturnNextPreviewPage" 266 | StartDate = $startTime 267 | EndDate = $endTime 268 | } 269 | 270 | # Retrieve results 271 | $resultpage = Search-UnifiedAuditLog @parameters 272 | ``` 273 | -------------------------------------------------------------------------------- /office-365-management-api/breadcrumb/toc.yml: -------------------------------------------------------------------------------- 1 | - name: Docs 2 | tocHref: / 3 | topicHref: / -------------------------------------------------------------------------------- /office-365-management-api/copilot-schema.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: CopilotInteraction 3 | title: CopilotInteraction 4 | description: Copilot interaction events 5 | ms.ContentId: 5fc9eee3-9f95-4c8f-915a-672ae5e1c9a8 6 | ms.topic: reference 7 | ms.date: 11/09/2023 8 | ms.localizationpriority: high 9 | --- 10 | 11 | 12 | # Copilot interaction events overview 13 | 14 | For [auditing](/purview/audit-solutions-overview), details are [captured](/purview/audit-log-activities#copilot-activities) when users interact with Copilot. Events include how and when users interact with Copilot, in which Microsoft 365 service the activity took place, and references to the files stored in Microsoft 365 that were accessed during the interaction. If these files have a sensitivity label applied, that's also captured. 15 | 16 | Copilot events can be accessed in the **Audit** solution from the Microsoft Purview compliance portal. To search for copilot events, select **Copilot activities** and **Interacted with Copilot**. You can also select **Copilot** as a workload. More information on searching the audit log can be found in [Audit New Search](/purview/audit-new-search). 17 | 18 | ![audit search copilot interaction dialog box](images/audit-search-copilot-interaction.png) 19 | 20 | ## Schema example 21 | 22 | ```xml 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | ``` 93 | 94 | ## Audit log examples of CopilotInteraction 95 | 96 | Copilot Interaction logs provide information regarding the RecordID, CreationDate, RecordType, Operation, UserID, and the Audit Data field. The Audit Data field will include any additional information based on the context of user interaction with Copilot, which can include the AppHost, Contexts, ThreadID, MessageIDs, and AccessedResources. More information regarding each of these copilot schema properties can be found in the Audit copilot schema definition section. 97 | 98 | Example 1: Copilot Interaction Experience within M365 Apps (e.g. Word) 99 | 100 | - RecordID: 99b0a960-13a0-461f-8c5c-cb2316ea273d 101 | - CreationDate: 12/13/2023 17:12 102 | - RecordType: 261 103 | - Operation: CopilotInteraction 104 | - UserID: admin@MODERNCOMMS975184.onmicrosoft.com 105 | - AuditData: {"CreationTime":"2023-12-13T17:12:36","Id":"99b0a960-13a0-461f-8c5c-cb2316ea273d","Operation":"CopilotInteraction","OrganizationId":"408e31c8-8f05-410a-9221-84335f0ce512","RecordType":261,"UserKey":"12d24f71-64c7-49b3-821f-f8884f3f373e","UserType":0,"Version":1,"Workload":"Copilot","ClientIP":"ffff:10.11.0.229","ClientRegion":"US","UserId":"admin@MODERNCOMMS975184.onmicrosoft.com","CopilotEventData":{"AISystemPlugin":[],"AccessedResources":[],"AppHost":"Word","Contexts":[{"Id":"https:\/\/moderncomms975184-my.sharepoint.com\/personal\/admin_moderncomms975184_onmicrosoft_com\/_layouts\/15\/Doc.aspx?sourcedoc=%7B9FDE1491-B079-4180-9B1E-B87F4ACA19F7%7D&file=AboutElephants.docx&action=default&mobileredirect=true","Type":"docx"}],"MessageIds":[],"Messages":[{"Id":"1715187560311","isPrompt":true},{"Id":"1715187561014","isPrompt":false}],"ModelTransparencyDetails":[],"ThreadId":"19:lgojcxwbvhJnfU3IhUJW5M-nSX2U7tjccgSrtYAoG341@thread.v2"}} 106 | 107 | Example 2: Copilot Interaction within M365 Chat Experience on Bing 108 | 109 | - RecordID: 537312b6-dce7-4d9b-8b12-58283204b720 110 | - CreationDate: 12/14/2023 2:11 111 | - RecordType: 261 112 | - Operation: CopilotInteraction 113 | - UserID: admin@MODERNCOMMS975184.onmicrosoft.com 114 | - AuditData: {"CreationTime":"2023-12-14T02:11:55","Id":"537312b6-dce7-4d9b-8b12-58283204b720","Operation":"CopilotInteraction","OrganizationId":"408e31c8-8f05-410a-9221-84335f0ce512","RecordType":261,"UserKey":"12d24f71-64c7-49b3-821f-f8884f3f373e","UserType":0,"Version":1,"Workload":"Copilot","ClientIP":"2401:4900:60d2:179b:c004:b6f:b678:b148","ClientRegion":"IN","UserId":"admin@MODERNCOMMS975184.onmicrosoft.com","CopilotEventData":{"AISystemPlugin":[{"Id":"BingWebSearch","Name":"BuiltIn"}],"AccessedResources":[{"Action":"Read","Id":"AAAAAEYE2GAACp1FlnN_CHXStUkHAGWJYgtgcv1eOxe2v4H4jOsAAAQsLLeAAGWJYgtgcv1EoXe2v4H4josAABwvq8gAAA2","Name":"Document1.docx","SensitivityLabelId":"f41ab342-8706-4188-bd11-ebb85995028c","SiteUrl":"https:\/\/microsoft.sharepoint.com\/teams\/OfficeSerbia\/Shared%20Documents\/SPOPPE\/Document%20transformation%20services\/Crawled%20Word%20documents\/IW\/Document1.docx?web=1","Type":"docx","listItemUniqueId":"AAAAAEYE2GAACp1FlnN_CHXStUkHAGWJYgtgcv1eOxe2v4H4jOsAAAQsLLeAAGWJYgtgcv1EoXe2v4H4josAABwvq8gAAA2"}],"AppHost":"Bing","Contexts":[],"MessageIds":[],"Messages":[{"Id":"1715186983849","isPrompt":true},{"Id":"1715186984291","isPrompt":false}],"ModelTransparencyDetails":[{"ModelName":"DEEP_LEO"}],"ThreadId":"19:Xn3uQZYgZ7f2ue0vp5w9MglEVjFyp5pza1efaC6g2U41@thread.v2"}} 115 | 116 | ## Audit copilot schema definitions 117 | 118 | |Attribute |Definition | 119 | |----------|------------| 120 | |*ClientRegion* |The user’s region when they performed the operation. | 121 | |*AISystemPlugin* |Details of plugins or extensions enabled for the Coplot interaction. | 122 | |*AppHost* |The type of Copilot used during the interaction.
The current list of values include Bing, Teams, Outlook, Office, DevUI, BashTool, Word, Excel, PowerPoint, OneNote, SharePoint, Loop, Whiteboard, M365App, M365AdminCenter, Planner, VivaEngage, VivaCopilot, Stream, Assist365, VivaGoals. | 123 | |*Contexts* |Context contains a collection of attributes within AppChat around the user interaction to help describe where the user was during the copilot interaction. ID is identifier of the resource that was being used during the copilot interaction. Type is the name of the app or service within context.
Example: Some examples of supported apps and services include M365 Office (docx, pptx, xlsx), TeamsMeeting, TeamsChannel, and TeamsChat. If Copilot is used in Excel, then context will be the identifier of the Excel Spreadsheet and the file type. | 124 | |*ThreadId* |The ID of the copilot and user interaction thread. | 125 | |*MessageIds* |This is currently reserved with Microsoft Internal. | 126 | |*Messages* |The ID of the prompt and response messages in the Copilot interaction. | 127 | |*ModelTransparencyDetails* |Details of the AI/GAI model provider. | 128 | |*AccessedResources* |References to all the files and documents Copilot used in M365 services like OneDrive and SharePoint Online to respond to the user’s request. | 129 | -------------------------------------------------------------------------------- /office-365-management-api/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "build": { 4 | "content": [ 5 | { 6 | "files": [ 7 | "**/*.md", 8 | "**/*.yml", 9 | "toc.md" 10 | ], 11 | "exclude": [ 12 | "**/obj/**", 13 | "**/includes/**", 14 | "_themes/**", 15 | "_themes.pdf/**", 16 | "README.md", 17 | "LICENSE", 18 | "LICENSE-CODE", 19 | "ThirdPartyNotices" 20 | ] 21 | } 22 | ], 23 | "resource": [ 24 | { 25 | "files": [ 26 | "**/*.png", 27 | "**/*.jpg", 28 | "**/*.gif", 29 | "**/*.bmp", 30 | "**/*.jpeg" 31 | ], 32 | "exclude": [ 33 | "**/obj/**", 34 | "**/includes/**", 35 | "_themes/**", 36 | "_themes.pdf/**" 37 | ] 38 | } 39 | ], 40 | "overwrite": [ 41 | 42 | ], 43 | "externalReference": [ 44 | 45 | ], 46 | "globalMetadata": { 47 | "ms.service": "office-365", 48 | "breadcrumb_path": "/office/office-365-management-api/breadcrumb/toc.json", 49 | "extendBreadcrumb": true, 50 | "feedback_system": "None", 51 | "ROBOTS": "INDEX,FOLLOW", 52 | "is_archived": false, 53 | "uhfHeaderId": "MSDocsHeader-Dev_Office", 54 | "author": "o365devx", 55 | "ms.suite": "office", 56 | "ms.author": "o365devx", 57 | "ms.topic": "conceptual", 58 | "contributors_to_exclude": ["nivnar"] 59 | }, 60 | "fileMetadata": { 61 | 62 | }, 63 | "template": [ 64 | 65 | ], 66 | "dest": "office-365-management-api", 67 | "markdownEngineName": "markdig" 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration10.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration11.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration12.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration2.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration3.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration4.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration5.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration6.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration7.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration8.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistration9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistration9.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzureAppRegistrationCertificatesSecrets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzureAppRegistrationCertificatesSecrets.png -------------------------------------------------------------------------------- /office-365-management-api/images/AzurePortal1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/AzurePortal1.png -------------------------------------------------------------------------------- /office-365-management-api/images/CFW.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/CFW.gif -------------------------------------------------------------------------------- /office-365-management-api/images/Caution.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/Caution.gif -------------------------------------------------------------------------------- /office-365-management-api/images/GitHub-Mark-64px.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/GitHub-Mark-64px.png -------------------------------------------------------------------------------- /office-365-management-api/images/LastChild.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/LastChild.gif -------------------------------------------------------------------------------- /office-365-management-api/images/Octocat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/Octocat.png -------------------------------------------------------------------------------- /office-365-management-api/images/add-an-application-dialog-OLD.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/add-an-application-dialog-OLD.png -------------------------------------------------------------------------------- /office-365-management-api/images/add-an-application-dialog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/add-an-application-dialog.png -------------------------------------------------------------------------------- /office-365-management-api/images/adm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/adm.gif -------------------------------------------------------------------------------- /office-365-management-api/images/adm_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/adm_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/adm_dev.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/adm_dev.gif -------------------------------------------------------------------------------- /office-365-management-api/images/adm_dev_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/adm_dev_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/aip-discover-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-discover-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-discover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-discover.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-file-delete-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-file-delete-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-file-delete.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-file-delete.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-heartbeat-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-heartbeat-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-heartbeat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-heartbeat.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-protection-action-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-protection-action-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-sensitivity-label-action-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-sensitivity-label-action-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/aip-sensitivity-label-action.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/aip-sensitivity-label-action.png -------------------------------------------------------------------------------- /office-365-management-api/images/alert_caution.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/alert_caution.gif -------------------------------------------------------------------------------- /office-365-management-api/images/alert_note.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/alert_note.gif -------------------------------------------------------------------------------- /office-365-management-api/images/alert_security.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/alert_security.gif -------------------------------------------------------------------------------- /office-365-management-api/images/arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/audit-new-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/audit-new-search.png -------------------------------------------------------------------------------- /office-365-management-api/images/audit-search-copilot-interaction.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/audit-search-copilot-interaction.png -------------------------------------------------------------------------------- /office-365-management-api/images/authorization-flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/authorization-flow.png -------------------------------------------------------------------------------- /office-365-management-api/images/azure-ad-app-added-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/azure-ad-app-added-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/azure-ad-apps-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/azure-ad-apps-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/azure-ad-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/azure-ad-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/azure-portal-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/azure-portal-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/azure-subscription-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/azure-subscription-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/big_adm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/big_adm.gif -------------------------------------------------------------------------------- /office-365-management-api/images/big_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/big_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/big_dev.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/big_dev.gif -------------------------------------------------------------------------------- /office-365-management-api/images/big_kw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/big_kw.gif -------------------------------------------------------------------------------- /office-365-management-api/images/box.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/box.gif -------------------------------------------------------------------------------- /office-365-management-api/images/bullet.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/bullet.gif -------------------------------------------------------------------------------- /office-365-management-api/images/collall.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/collall.gif -------------------------------------------------------------------------------- /office-365-management-api/images/collapse.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/collapse.gif -------------------------------------------------------------------------------- /office-365-management-api/images/collapse_all.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/collapse_all.gif -------------------------------------------------------------------------------- /office-365-management-api/images/command-line-certificate-display.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/command-line-certificate-display.png -------------------------------------------------------------------------------- /office-365-management-api/images/copycode.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/copycode.gif -------------------------------------------------------------------------------- /office-365-management-api/images/copycodeHighlight.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/copycodeHighlight.gif -------------------------------------------------------------------------------- /office-365-management-api/images/dev.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/dev.gif -------------------------------------------------------------------------------- /office-365-management-api/images/dev_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/dev_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/dropdown.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/dropdown.gif -------------------------------------------------------------------------------- /office-365-management-api/images/dropdownHover.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/dropdownHover.gif -------------------------------------------------------------------------------- /office-365-management-api/images/drpdown.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/drpdown.gif -------------------------------------------------------------------------------- /office-365-management-api/images/drpdown_orange.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/drpdown_orange.gif -------------------------------------------------------------------------------- /office-365-management-api/images/drpdown_orange_up.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/drpdown_orange_up.gif -------------------------------------------------------------------------------- /office-365-management-api/images/drpup.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/drpup.gif -------------------------------------------------------------------------------- /office-365-management-api/images/exp.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/exp.gif -------------------------------------------------------------------------------- /office-365-management-api/images/expall.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/expall.gif -------------------------------------------------------------------------------- /office-365-management-api/images/expand_all.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/expand_all.gif -------------------------------------------------------------------------------- /office-365-management-api/images/filter1a.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/filter1a.gif -------------------------------------------------------------------------------- /office-365-management-api/images/filter1c.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/filter1c.gif -------------------------------------------------------------------------------- /office-365-management-api/images/footer.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/footer.gif -------------------------------------------------------------------------------- /office-365-management-api/images/gradient.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/gradient.gif -------------------------------------------------------------------------------- /office-365-management-api/images/greencheck.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/greencheck.gif -------------------------------------------------------------------------------- /office-365-management-api/images/greychck.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/greychck.gif -------------------------------------------------------------------------------- /office-365-management-api/images/header_prev_next.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/header_prev_next.jpg -------------------------------------------------------------------------------- /office-365-management-api/images/header_sql_tutorial_blank.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/header_sql_tutorial_blank.jpg -------------------------------------------------------------------------------- /office-365-management-api/images/header_sql_tutorial_logo.GIF: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/header_sql_tutorial_logo.GIF -------------------------------------------------------------------------------- /office-365-management-api/images/kw.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_adm.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_adm.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_adm_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_adm_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_adm_dev.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_adm_dev.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_adm_dev_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_adm_dev_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_dev.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_dev.gif -------------------------------------------------------------------------------- /office-365-management-api/images/kw_dev_arch.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/kw_dev_arch.gif -------------------------------------------------------------------------------- /office-365-management-api/images/load.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/load.gif -------------------------------------------------------------------------------- /office-365-management-api/images/load_hover.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/load_hover.gif -------------------------------------------------------------------------------- /office-365-management-api/images/note.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/note.gif -------------------------------------------------------------------------------- /office-365-management-api/images/o365-admin-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/o365-admin-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/o365-sign-up-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/o365-sign-up-page.png -------------------------------------------------------------------------------- /office-365-management-api/images/pencil.GIF: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pencil.GIF -------------------------------------------------------------------------------- /office-365-management-api/images/privclass.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privclass.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privdelegate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privdelegate.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privdelicate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privdelicate.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privenum.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privenum.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privenumeration.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privenumeration.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privevent.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privevent.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privextension.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privextension.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privfield.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privfield.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privinterface.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privinterface.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privmethod.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privmethod.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privproperty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privproperty.gif -------------------------------------------------------------------------------- /office-365-management-api/images/privstructure.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/privstructure.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protclass.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protclass.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protdelegate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protdelegate.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protdeligate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protdeligate.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protenum.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protenum.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protenumeration.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protenumeration.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protevent.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protevent.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protextension.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protextension.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protfield.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protfield.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protinterface.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protinterface.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protmethod.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protmethod.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protoperator.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protoperator.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protproperty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protproperty.gif -------------------------------------------------------------------------------- /office-365-management-api/images/protstructure.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/protstructure.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubclass.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubclass.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubdelegate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubdelegate.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubenum.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubenum.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubenumeration.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubenumeration.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubevent.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubevent.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubextension.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubextension.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubfield.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubfield.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubinterface.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubinterface.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubmethod.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubmethod.gif -------------------------------------------------------------------------------- /office-365-management-api/images/puboperator.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/puboperator.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubproperty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubproperty.gif -------------------------------------------------------------------------------- /office-365-management-api/images/pubstructure.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/pubstructure.gif -------------------------------------------------------------------------------- /office-365-management-api/images/requirements1a.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/requirements1a.gif -------------------------------------------------------------------------------- /office-365-management-api/images/requirements1c.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/requirements1c.gif -------------------------------------------------------------------------------- /office-365-management-api/images/save.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/save.gif -------------------------------------------------------------------------------- /office-365-management-api/images/save_hover.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/save_hover.gif -------------------------------------------------------------------------------- /office-365-management-api/images/security.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/security.gif -------------------------------------------------------------------------------- /office-365-management-api/images/seealso1a.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/seealso1a.gif -------------------------------------------------------------------------------- /office-365-management-api/images/seealso1c.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/seealso1c.gif -------------------------------------------------------------------------------- /office-365-management-api/images/static.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/static.gif -------------------------------------------------------------------------------- /office-365-management-api/images/xna.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/office-365-management-api/2fd912b5dc7019232ce77d0e14403c914d34d890/office-365-management-api/images/xna.gif -------------------------------------------------------------------------------- /office-365-management-api/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: Office 365 Management APIs 3 | title: Welcome to Office 365 Management APIs 4 | description: The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. 5 | ms.ContentId: a11a6d30-f6b7-3629-28b6-cbab527d8a5e 6 | ms.topic: reference 7 | ms.date: 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # Welcome to Office 365 Management APIs 12 | 13 | The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. 14 | 15 | ## In this section 16 | 17 | - [Office 365 Management APIs overview](office-365-management-apis-overview.md) 18 | - [Get started with Office 365 Management APIs](get-started-with-office-365-management-apis.md) 19 | - [Office 365 Service Communications API reference (preview)](office-365-service-communications-api-reference.md) 20 | - [Office 365 Management Activity API reference](office-365-management-activity-api-reference.md) 21 | - [Office 365 Management Activity API schema](office-365-management-activity-api-schema.md) 22 | - [Troubleshooting the Office 365 Management Activity API](troubleshooting-the-office-365-management-activity-api.md) 23 | 24 | ## See also 25 | 26 | - [Office 365 REST APIs](/previous-versions/office/office-365-api/how-to/platform-development-overview) 27 | -------------------------------------------------------------------------------- /office-365-management-api/office-365-management-apis-overview.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: Office 365 Management APIs overview 3 | title: Office 365 Management APIs overview 4 | description: Provides a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. 5 | ms.ContentId: 4fca85f9-efa6-3b4b-b10d-a07cb31f803f 6 | ms.topic: reference 7 | ms.date: 09/28/2016 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # Office 365 Management APIs overview 12 | 13 | The Office 365 Management APIs provide a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting, and auditing. All of the Office 365 Management APIs are consistent in design and implementation with the current suite of Office 365 REST APIs, using common industry-standard approaches, including OAuth v2, OData v4, and JSON. Like the other Office 365 APIs, applications are registered in Microsoft Entra ID, giving developers a consistent way to authenticate and authorize their apps. 14 | 15 | If you have questions about the Office 365 Management APIs, post your question on [Stack Overflow](http://stackoverflow.com/tags/office365), using the [office365] tag. 16 | 17 | ## Office 365 Service Communications API (preview) 18 | 19 | The Office 365 Service Communications API has been released in preview mode. It replaces the Office 365 Service Communications API to provide service health information to tenant administrators and partners. Unlike the previous version, the new Service Communications API delivers a cohesive platform experience, with REST APIs built in a consistent fashion including URL naming, data format, and authentication. 20 | 21 | New features are only added to the new version of the API, encouraging early adoption by legacy customers. When the General Announcement of Office 365 Service Communications API was made, the older version of the Service Communications API began a period of deprecation. 22 | 23 | For the operations reference, see [Office 365 Service Communications API reference (preview)](office-365-service-communications-api-reference.md). 24 | 25 | ## Office 365 Management Activity API 26 | 27 | The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise. 28 | 29 | For the operations reference, see [Office 365 Management Activity API reference](office-365-management-activity-api-reference.md). 30 | 31 | ## See also 32 | 33 | - [Get started with Office 365 Management APIs](get-started-with-office-365-management-apis.md) 34 | - [Office 365 Management Activity API schema](office-365-management-activity-api-schema.md) 35 | - [Troubleshooting the Office 365 Management Activity API](troubleshooting-the-office-365-management-activity-api.md) 36 | - [Office 365 REST APIs](/previous-versions/office/office-365-api/how-to/platform-development-overview) 37 | -------------------------------------------------------------------------------- /office-365-management-api/office-365-service-communications-api-reference.md: -------------------------------------------------------------------------------- 1 | --- 2 | ms.TocTitle: Office 365 Service Communications API reference 3 | title: Office 365 Service Communications API reference 4 | description: Use this API to access the following data - Get Services, Get Current Status, Get Historical Status, and Get Messages. 5 | ms.ContentId: d0b9341a-b205-5442-1c20-8fb56407351d 6 | ms.topic: reference 7 | ms.date: 12/03/2024 8 | ms.localizationpriority: high 9 | --- 10 | 11 | # Office 365 Service Communications API reference 12 | 13 | > [!IMPORTANT] 14 | > The legacy version of the Service Communications API that's documented in this article is retired. The service health and communications API in Microsoft Graph is now available, and replaces the Service Communications API. For more information about the new Microsoft Graph API, see [Overview for accessing service health and communications through Microsoft Graph](/graph/service-communications-concept-overview). 15 | 16 | You can use the Office 365 Service Communications API V2 to access the following data: 17 | 18 | - **Get Services**: Get the list of subscribed services. 19 | 20 | - **Get Current Status**: Get a real-time view of current and ongoing service incidents. 21 | 22 | - **Get Historical Status**: Get a historical view of service incidents. 23 | 24 | - **Get Messages**: Find Incident and Message Center communications. 25 | 26 | Currently, the Office 365 Service Communications API contains data for Office 365, Yammer, Dynamics CRM and Microsoft Intune cloud services. 27 | 28 | ## The fundamentals 29 | 30 | The root URL of the API includes a tenant identifier that scopes the operations to a single tenant: 31 | 32 | ```http 33 | https://manage.office.com/api/v1.0/{tenant_identifier}/ServiceComms/{operation} 34 | ``` 35 | 36 | The **Office 365 Service Communications API** is a REST service that allows you to develop solutions using any web language and hosting environment that supports HTTPS and X.509 certificates. The API relies on **Microsoft Entra ID** and the **OAuth2** protocol for authentication and authorization. To access the API from your application, you'll need to first register it in Microsoft Entra ID and configure it with permissions at the appropriate scope. This will enable your application to request OAuth2 access tokens necessary for calling the API. For more information about registering and configuring an application in Microsoft Entra ID, see [Office 365 Management APIs getting started](get-started-with-office-365-management-apis.md). 37 | 38 | All API requests require an Authorization HTTP header that has a valid OAuth2 JWT access token obtained from Microsoft Entra ID that contains the **ServiceHealth.Read** claim; and the tenant identifier must match the tenant identifier in the root URL. 39 | 40 | ```json 41 | Authorization: Bearer {OAuth2 token} 42 | ``` 43 | 44 | ### Request headers 45 | 46 | These are the supported request headers for all Office 365 Service Communications API operations. 47 | 48 | |Header|Description| 49 | |:-----|:-----| 50 | |**Accept (Optional)**|The following are acceptable representations for the response:
**application/json;odata.metadata=full**
**application/json;odata.metadata=minimal**
[The default if header not specified] **application/json;odata.metadata=none**| 51 | |**Authorization (Required)**|Authorization token (Bearer JWT Microsoft Entra Token) for the request.| 52 | 53 | ### Response headers 54 | 55 | These are the response headers returned for all Office 365 Service Communications API operations: 56 | 57 | |Header|Description| 58 | |:-----|:-----| 59 | |**Content-Length**|The length of the response body.| 60 | |**Content-Type**|Representation of the response:
**application/json**
**application/json;odata.metadata=full**
**application/json;odata.metadata=minimal**
**application/json;odata.metadata=none**
**odata.streaming=true**| 61 | |**Cache-Control**|Used to specify directives that all caching mechanisms along the request/response chain must obey.| 62 | |**Pragma**|Implementation-specific behaviors.| 63 | |**Expires**|When the client should make the resource expire.| 64 | |**X-Activity-Id**|The server-generated activity Id.| 65 | |**OData-Version**|The supported OData Version (4.0).| 66 | |**Date**|The date in UTC when the response was sent from the server.| 67 | |**X-Time-Taken**|The time it took to generate the response (ms).| 68 | |**X-Instance-Name**|The identifier of the Azure instance used to generate the response (for debugging purposes).| 69 | |**Server**|The server used to generate the response (for debugging purposes).| 70 | |**X-ASPNET-Version**|The version of ASP.Net used by the server that generated the response (for debugging purposes).| 71 | |**X-Powered-By**|The technologies used in the server that generated the response (for debugging purposes).| 72 | 73 | Following are the Office 365 Service Communications API operations. 74 | 75 | ## Get Services 76 | 77 | Returns the list of subscribed services. 78 | 79 | |Information|Service|Description| 80 | |:-----|:-----|:-----| 81 | |**Path**| `/Services`|| 82 | |**Query-option**|$select|Pick a subset of properties.| 83 | |**Response**|List of "Service" entities|"Service" entity contains "Id" (String), "DisplayName" (String), and "FeatureNames" (list of Strings).| 84 | 85 | ### Sample request 86 | 87 | ```json 88 | GET https://manage.office.com/api/v1.0/contoso.com/ServiceComms/Services 89 | Authorization: Bearer {AAD_Bearer_JWT_Token} 90 | 91 | ``` 92 | 93 | ### Sample response 94 | 95 | ```json 96 | { 97 | "value": [ 98 | { 99 | "Id": "Exchange", 100 | "DisplayName": "Exchange Online", 101 | "FeatureNames": [ 102 | "Sign-in", 103 | "E-Mail and calendar access", 104 | "E-Mail timely delivery", 105 | "Management and Provisioning", 106 | "Voice mail" 107 | ] 108 | }, 109 | { 110 | "Id": "Lync", 111 | "DisplayName": "Lync Online", 112 | "FeatureNames": [ 113 | "Audio and Video", 114 | "Federation", 115 | "Management and Provisioning", 116 | "Sign-In", 117 | "All Features", 118 | "Dial-In Conferencing", 119 | "Online Meetings", 120 | "Instant Messaging", 121 | "Presence", 122 | "Mobility" 123 | ] 124 | } 125 | ] 126 | } 127 | ``` 128 | 129 | ## Get Current Status 130 | 131 | Returns the status of the service from the previous 24 hours. 132 | 133 | > [!NOTE] 134 | > The service response will contain the status and any incidents within the previous 24 hours. The StatusDate or StatusTime value returned will be exactly 24 hours in the past. 135 | > To get the last update for a particular incident, use the Get Messages functionality and read the LastUpdatedTime value from the response record that matches your incident ID. 136 | 137 | |Information|Service|Description| 138 | |:-----|:-----|:-----| 139 | |**Path**| `/CurrentStatus`|| 140 | |**Filter**|Workload|Filter by workload (String, default: all).| 141 | |**Query-option**|$select|Pick a subset of properties.| 142 | |**Response**|List of "WorkloadStatus" entities.|"WorkloadStatus" entity contains "Id" (String), "Workload" (String), "StatusTime"(DateTimeOffset), "WorkloadDisplayName" (String), "Status" (String), "IncidentIds" (list of Strings), and FeatureGroupStatusCollection (list of "FeatureStatus").

"FeatureStatus" entity contains "Feature" (String), "FeatureGroupDisplayName" (String), and "FeatureStatus" (String).| 143 | 144 | ### Sample request 145 | 146 | ```json 147 | GET https://manage.office.com/api/v1.0/contoso.com/ServiceComms/CurrentStatus 148 | Authorization: Bearer {AAD_Bearer_JWT_Token} 149 | ``` 150 | 151 | ### Sample response 152 | 153 | ```json 154 | { 155 | "value": [ 156 | { 157 | "Id": "Exchange", 158 | "Workload": "Exchange", 159 | "StatusDate": "2015-04-11T00:00:00Z", 160 | "WorkloadDisplayName": "Exchange Online", 161 | "Status": "ServiceOperational", 162 | "IncidentIds": [], 163 | "FeatureGroupStatusCollection": [ 164 | { 165 | "Feature": "Signin", 166 | "FeatureGroupDisplayName": "Sign-in", 167 | "FeatureStatus": "ServiceOperational" 168 | }, 169 | { 170 | "Feature": "Access", 171 | "FeatureGroupDisplayName": "E-Mail and calendar access", 172 | "FeatureStatus": "ServiceOperational" 173 | }, 174 | { 175 | "Feature": "Delivery", 176 | "FeatureGroupDisplayName": "E-Mail timely delivery", 177 | "FeatureStatus": "ServiceOperational" 178 | }, 179 | { 180 | "Feature": "Provisioning", 181 | "FeatureGroupDisplayName": "Management and Provisioning", 182 | "FeatureStatus": "ServiceOperational" 183 | }, 184 | { 185 | "Feature": "UnifiedMessaging", 186 | "FeatureGroupDisplayName": "Voice mail", 187 | "FeatureStatus": "ServiceOperational" 188 | } 189 | ] 190 | }, 191 | { 192 | "Id": "Lync", 193 | "Workload": "Lync", 194 | "StatusDate": "2015-04-11T00:00:00Z", 195 | "WorkloadDisplayName": "Lync Online", 196 | "Status": "ServiceOperational", 197 | "IncidentIds": [], 198 | "FeatureGroupStatusCollection": [ 199 | { 200 | "Feature": "AudioVideo", 201 | "FeatureGroupDisplayName": "Audio and Video", 202 | "FeatureStatus": "ServiceOperational" 203 | }, 204 | { 205 | "Feature": "Federation", 206 | "FeatureGroupDisplayName": "Federation", 207 | "FeatureStatus": "ServiceOperational" 208 | }, 209 | { 210 | "Feature": "ManagementandProvisioning", 211 | "FeatureGroupDisplayName": "Management and Provisioning", 212 | "FeatureStatus": "ServiceOperational" 213 | }, 214 | { 215 | "Feature": "Sign-In", 216 | "FeatureGroupDisplayName": "Sign-In", 217 | "FeatureStatus": "ServiceOperational" 218 | }, 219 | { 220 | "Feature": "All", 221 | "FeatureGroupDisplayName": "All Features", 222 | "FeatureStatus": "ServiceOperational" 223 | }, 224 | { 225 | "Feature": "DialInConferencing", 226 | "FeatureGroupDisplayName": "Dial-In Conferencing", 227 | "FeatureStatus": "ServiceOperational" 228 | }, 229 | { 230 | "Feature": "OnlineMeetings", 231 | "FeatureGroupDisplayName": "Online Meetings", 232 | "FeatureStatus": "ServiceOperational" 233 | }, 234 | { 235 | "Feature": "InstantMessaging", 236 | "FeatureGroupDisplayName": "Instant Messaging", 237 | "FeatureStatus": "ServiceOperational" 238 | }, 239 | { 240 | "Feature": "Presence", 241 | "FeatureGroupDisplayName": "Presence", 242 | "FeatureStatus": "ServiceOperational" 243 | }, 244 | { 245 | "Feature": "Mobility", 246 | "FeatureGroupDisplayName": "Mobility", 247 | "FeatureStatus": "ServiceOperational" 248 | } 249 | ] 250 | } 251 | ] 252 | } 253 | ``` 254 | 255 | ### Status definitions 256 | 257 | The status definitions include the following values: 258 | 259 | - Investigating 260 | - ServiceDegradation 261 | - ServiceInterruption 262 | - RestoringService 263 | - ExtendedRecovery 264 | - InvestigationSuspended 265 | - ServiceRestored 266 | - FalsePositive 267 | - PostIncidentReportPublished 268 | - ServiceOperational 269 | 270 | For a description of these status definitions, see [How to check Microsoft 365 service health](/microsoft-365/enterprise/view-service-health). 271 | 272 | ## Get Historical Status 273 | 274 | Returns the historical status of the service, by day, over a certain time range. 275 | 276 | |Information|Service|Description| 277 | |:-----|:-----|:-----| 278 | |**Path**| `/HistoricalStatus`|| 279 | |**Filters**|Workload|Filter by workload (String, default: all).| 280 | ||StatusTime|Filter by days greater than StatusTime (DateTimeOffset, default: ge CurrentTime - 7 days).| 281 | |**Query-option**|$select|Pick a subset of properties.| 282 | |**Response**|List of "WorkloadStatus" entities.|"WorkloadStatus" entity contains "Id" (String), "Workload" (String), "StatusTime"(DateTimeOffset), "WorkloadDisplayName" (String), "Status" (String), "IncidentIds" (list of Strings), and FeatureGroupStatusCollection (list of "FeatureStatus").

"FeatureStatus" entity contains "Feature" (String), "FeatureGroupDisplayName" (String), and "FeatureStatus" (String).| 283 | 284 | ### Sample request 285 | 286 | ```json 287 | GET https://manage.office.com/api/v1.0/contoso.com/ServiceComms/HistoricalStatus 288 | Authorization: Bearer {AAD_Bearer_JWT_Token} 289 | ``` 290 | 291 | ### Sample response 292 | 293 | ```json 294 | { 295 | "value": [ 296 | { 297 | "Id": "Exchange", 298 | "Workload": "Exchange", 299 | "StatusDate": "2015-04-11T00:00:00Z", 300 | "WorkloadDisplayName": "Exchange Online", 301 | "Status": "ServiceOperational", 302 | "IncidentIds": [], 303 | "FeatureGroupStatusCollection": [ 304 | { 305 | "Feature": "Signin", 306 | "FeatureGroupDisplayName": "Sign-in", 307 | "FeatureStatus": "ServiceOperational" 308 | }, 309 | { 310 | "Feature": "Access", 311 | "FeatureGroupDisplayName": "E-Mail and calendar access", 312 | "FeatureStatus": "ServiceOperational" 313 | }, 314 | { 315 | "Feature": "Delivery", 316 | "FeatureGroupDisplayName": "E-Mail timely delivery", 317 | "FeatureStatus": "ServiceOperational" 318 | }, 319 | { 320 | "Feature": "Provisioning", 321 | "FeatureGroupDisplayName": "Management and Provisioning", 322 | "FeatureStatus": "ServiceOperational" 323 | }, 324 | { 325 | "Feature": "UnifiedMessaging", 326 | "FeatureGroupDisplayName": "Voice mail", 327 | "FeatureStatus": "ServiceOperational" 328 | } 329 | ] 330 | }, 331 | { 332 | "Id": "Exchange", 333 | "Workload": "Exchange", 334 | "StatusDate": "2015-04-10T00:00:00Z", 335 | "WorkloadDisplayName": "Exchange Online", 336 | "Status": "InformationAvailable", 337 | "IncidentIds": [ 338 | "EX20870" 339 | ], 340 | "FeatureGroupStatusCollection": [ 341 | { 342 | "Feature": "Signin", 343 | "FeatureGroupDisplayName": "Sign-in", 344 | "FeatureStatus": "ServiceOperational" 345 | }, 346 | { 347 | "Feature": "Access", 348 | "FeatureGroupDisplayName": "E-Mail and calendar access", 349 | "FeatureStatus": "ServiceOperational" 350 | }, 351 | { 352 | "Feature": "Delivery", 353 | "FeatureGroupDisplayName": "E-Mail timely delivery", 354 | "FeatureStatus": "ServiceOperational" 355 | }, 356 | { 357 | "Feature": "Provisioning", 358 | "FeatureGroupDisplayName": "Management and Provisioning", 359 | "FeatureStatus": "ServiceOperational" 360 | }, 361 | { 362 | "Feature": "UnifiedMessaging", 363 | "FeatureGroupDisplayName": "Voice mail", 364 | "FeatureStatus": "InformationAvailable" 365 | } 366 | ] 367 | } 368 | ] 369 | } 370 | ``` 371 | 372 | ## Get Messages 373 | 374 | Returns the messages about the service over a certain time range. Use the type filter to filter for "Service Incident", "Planned Maintenance", or "Message Center" messages. 375 | 376 | |Information|Service|Description| 377 | |:-----|:-----|:-----| 378 | |**Path**| `/Messages`|| 379 | |**Filters**|Workload|Filter by workload (String, default: all).| 380 | ||StartTime|Filter by Start Time (DateTimeOffset, default: ge CurrentTime - 7 days).| 381 | ||EndTime|Filter by End Time (DateTimeOffset, default: le CurrentTime).| 382 | ||MessageType|Filter by MessageType (String, default: all).| 383 | ||Id|Filter by Id (String, default: all).| 384 | |**Query-option**|$select|Pick a subset of properties.| 385 | ||$top|Pick the top number of results (default and max $top=100).| 386 | ||$skip|Skip number of results (default: $skip=0).| 387 | |**Response**|List of "Message" entities.|"Message" entity contains "Id" (String), "StartTime" (DateTimeOffset), "EndTime" (DateTimeOffset), "Status" (String), "Messages" (list of "MessageHistory" entity), "LastUpdatedTime" (DateTimeOffset), "Workload" (String), "WorkloadDisplayName" (String), "Feature" (String), "FeatureDisplayName" (String), "MessageType" (Enum, default: all).

"MessageHistory" entity contains "PublishedTime" (DateTimeOffset), "MessageText" (String).| 388 | 389 | ### Sample request 390 | 391 | ```json 392 | GET https://manage.office.com/api/v1.0/contoso.com/ServiceComms/Messages 393 | Authorization: Bearer {AAD_Bearer_JWT_Token} 394 | ``` 395 | 396 | ### Sample response 397 | 398 | ```json 399 | { 400 | "value": [ 401 | { 402 | "Id": "EX20119", 403 | "Name": "EX20119", 404 | "Title": null, 405 | "StartTime": "2015-04-01T22:25:00Z", 406 | "EndTime": "2015-04-07T21:48:00Z", 407 | "Status": "Service restored", 408 | "Messages": [ 409 | { 410 | "PublishedTime": "2015-04-01T22:34:28.76Z", 411 | "MessageText": "Current Status: Engineers are investigating an issue in which some customers may be experiencing problems accessing or using Exchange Online services or features. This event is actively being investigated. More information will be provided shortly." 412 | }, 413 | { 414 | "PublishedTime": "2015-04-03T18:45:32.56Z", 415 | "MessageText": "Current Status: Engineers are implementing a fix within the affected infrastructure to remediate Exchange Online archive access issues. \n\nUser Experience: Affected users are unable to access online archives when using Outlook Web App (OWA). As a workaround, users may be able to access online archives via the Outlook client.\n\nCustomer Impact: Customer impact appears to be limited at this time. This issue only affects hybrid customers.\n\nPreliminary Root Cause: As part of our ongoing work, an updated certificate was deployed to the infrastructure; however, a caching issue has caused the infrastructure to use an expired certificate which is causing archive access issues. \n\nNext Update by: Monday, April 6, 2015, at 9:00 PM UTC\n" 416 | }, 417 | { 418 | "PublishedTime": "2015-04-06T21:17:34.007Z", 419 | "MessageText": "Current Status: Deployment of the fix is almost complete. Engineers are monitoring service health to ensure the issue has been remediated. \n\nUser Experience: Affected users are unable to access online archives when using Outlook Web App (OWA). As a workaround, users may be able to access online archives via the Outlook client. \n\nCustomer Impact: Customer impact appears to be limited at this time. This issue only affects hybrid customers.\n\nPreliminary Root Cause: As part of our ongoing work, an updated certificate was deployed to the infrastructure; however, a caching issue has caused the infrastructure to use an expired certificate which is causing archive access issues. \n\nNext Update by: Tuesday, April 7, 2015, at 10:00 PM UTC " 420 | }, 421 | { 422 | "PublishedTime": "2015-04-08T21:54:49.06Z", 423 | "MessageText": "Final Status: Engineers have implemented a fix which remediated end-user impact. \r\n\r\nUser Experience: Affected users were unable to access online archives when using Outlook Web App (OWA).\r\n\r\nCustomer Impact: Customer impact appears to have been limited. This issue only affected hybrid customers.\r\n\r\nIncident Start Time: Monday, March 30, 2015, at 9:28 AM UTC\r\n\r\nIncident End Time: Tuesday, April 7, 2015, at 8:00 PM UTC\r\n\r\nPreliminary Root Cause: As part of our ongoing work, an updated certificate was deployed to the infrastructure; however, a caching issue has caused the infrastructure to use an expired certificate which is causing archive access issues. \r\n\r\nNext Steps: The following is a list of known action item(s) associated with this incident. As part of the Office 365 problem management process, additional engineering actions may be identified to improve the overall service.\r\n- Action: Review the monitoring infrastructure for improvements as this event was reported by customers before an alert prompted a high priority investigation. \r\n\r\nA post-incident report will be available on the Service Health Dashboard within five business days." 424 | } 425 | ], 426 | "LastUpdatedTime": "2015-04-08T21:54:49.55Z", 427 | "Workload": "Exchange Online", 428 | "WorkloadDisplayName": "Exchange", 429 | "Feature": "Access", 430 | "FeatureDisplayName": "E-Mail and calendar access" 431 | }, 432 | { 433 | "Id": "EX20789", 434 | "Name": "EX20789", 435 | "Title": null, 436 | "StartTime": "2015-04-06T20:00:00Z", 437 | "EndTime": "2015-04-07T23:00:00Z", 438 | "Status": "Service restored", 439 | "Messages": [ 440 | { 441 | "PublishedTime": "2015-04-07T23:26:44.643Z", 442 | "MessageText": "Final Status: Engineers have validated that the deployed fix has resolved the issue and that service is restored.\r\n\r\nUser Experience: Affected users were unable to send or receive email while using Exchange Web Services (EWS) on their mobile devices.\r\n\r\nCustomer Impact: Customer impact appeared to be limited during this event. This issue was only affecting customers that use third-party Mobile Device Management software from Good Technology. As a workaround to provide immediate relief from impact, engineers implemented a configuration change for customers who reported this issue to Microsoft Support.\r\n\r\nIncident Start Time: Wednesday, April 1, 2015, at 2:00 PM UTC\r\n\r\nIncident End Time: Tuesday, April 7, 2015, at 10:00 PM UTC\r\n\r\nPreliminary Root Cause: As part of our ongoing efforts to improve service resiliency, an update was deployed to the infrastructure that facilitates connections from multiple Exchange Online protocols to mailbox databases. The update, however, contained a code issue that caused connectivity issues in some scenarios. \r\n\r\nNext Steps: The following is a list of known action item(s) associated with this incident. As part of the Office 365 problem management process, additional engineering actions may be identified to improve the overall service.\r\n- Action: Review the infrastructure update process to prevent reoccurrences of this scenario.\r\n\r\nPlease consider this service notification the final update on the event." 443 | } 444 | ], 445 | "LastUpdatedTime": "2015-04-07T23:26:45.08Z", 446 | "Workload": "Exchange Online", 447 | "WorkloadDisplayName": "Exchange", 448 | "Feature": "Access", 449 | "FeatureDisplayName": "E-Mail and calendar access" 450 | } 451 | ] 452 | } 453 | ``` 454 | 455 | ## Errors 456 | 457 | When the service encounters an error, it reports the error response code to the caller, using standard HTTP error-code syntax. As per [OData V4 specification](http://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html), additional information is included in the body of the failed call as a single JSON object. The following is an example of a full JSON error body: 458 | 459 | ```json 460 | { 461 | "error":{ 462 | "code":"AF5000. An internal server error occurred.", 463 | "message": "Retry the request." 464 | } 465 | } 466 | ``` 467 | --------------------------------------------------------------------------------