How to Monitor Copilot Plugin Access in Microsoft 365

Microsoft 365 administrators need visibility into which plugins Copilot can access and use. Without monitoring, users might connect unauthorized third-party services that expose tenant data. This article explains the built-in audit logs and admin center reports that track plugin access. You will learn how to generate access logs, review plugin activity, and set up alerts for suspicious plugin behavior.

Key Takeaways: Monitoring Copilot Plugin Access

  • Microsoft 365 admin center > Audit > Search audit log: Use the Copilot activities filter to view plugin access events like PluginExecution and PluginInstallation.
  • Microsoft 365 admin center > Copilot > Plugins: Review the list of approved plugins and their current status across the tenant.
  • Microsoft Graph API > auditLog.query: Programmatically retrieve plugin access logs for custom reporting and alerting.


What Copilot Plugin Access Monitoring Covers

Copilot plugins extend its capabilities by connecting to external services like Salesforce, Jira, or custom APIs. Each plugin can read and write data on behalf of the signed-in user. Monitoring plugin access means tracking which plugins are installed, which users activate them, and what data exchanges occur.

Microsoft 365 records plugin-related events in the unified audit log. These events include PluginExecution, PluginInstallation, PluginUninstallation, and PluginPermissionChange. The audit log captures the user who performed the action, the plugin name, the timestamp, and the tenant ID. This data helps administrators answer questions like: Which plugin accessed SharePoint documents last Friday? Did a user install a new plugin outside the approved list?

Before you begin monitoring, verify that audit logging is enabled for your tenant. Go to Microsoft 365 admin center > Compliance > Audit. If the audit log is turned off, no plugin events will be recorded. Audit logging is enabled by default for most paid Microsoft 365 subscriptions, but you should confirm this setting first.

Steps to Monitor Copilot Plugin Access in the Admin Center

The primary method to monitor plugin access is through the Microsoft 365 admin center audit log. The steps below guide you through the process.

  1. Open the Microsoft 365 admin center
    Sign in with an account that has the Global Administrator or Audit Log Administrator role. Navigate to admin.microsoft.com.
  2. Go to the Audit log
    In the left navigation pane, select Compliance then Audit. The Audit page opens with a search interface.
  3. Set the search parameters
    Under Search, configure the following fields:
    Date range: Select the period you want to review, up to 90 days back.
    Activities: Click the dropdown and scroll to the Copilot activities section. Select one or more of these activities: PluginExecution, PluginInstallation, PluginUninstallation, PluginPermissionChange.
    Users: Leave blank to see all users, or enter a specific user name to filter.
  4. Run the search
    Click Search. The results appear below the search form. Each row shows the date, user, activity type, and item (plugin name). Click a row to view detailed properties including the plugin ID and the data accessed.
  5. Export the results
    Click Export to download the audit records as a CSV file. Use this file for offline analysis or integration with a security information and event management system.

For ongoing monitoring, you can create a saved search or schedule the export. In the audit log page, click Save to save your current search criteria. To schedule exports, use the Export option with a recurring schedule. This requires a Power Automate flow or a third-party tool that supports the Microsoft Graph audit log API.

Reviewing Plugin Status in the Copilot Plugins Page

The admin center also provides a centralized view of all Copilot plugins. Go to Settings > Copilot > Plugins. This page lists every plugin available in the tenant, including those installed by administrators and users. The status column shows whether a plugin is enabled, disabled, or pending approval. You can sort by status to quickly find plugins that need review. Click a plugin name to see its description, publisher, and permissions.

Using Microsoft Graph API for Custom Monitoring

Administrators who need automated monitoring can use the Microsoft Graph API. The auditLog.query endpoint returns plugin events in JSON format. Use this API to build custom dashboards or integrate with your existing logging system. The request below retrieves PluginExecution events recorded at or after the timestamp in the filter; to cover the last 24 hours, set that timestamp to 24 hours before the time of the call.

GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'PluginExecution' and activityDateTime ge 2025-01-01T00:00:00Z

You need the AuditLog.Read.All permission to call this endpoint. Register an app in Azure AD, grant the permission, and authenticate with the OAuth 2.0 client credentials flow. The response includes the same fields as the admin center audit log.
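The following is an added example, not code from the original article or from Microsoft: it builds the request above with a rolling 24-hour timestamp and checks the returned records against an approved-plugin list. The approved list, the sample records, and the use of the first target resource's displayName as the plugin name are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
PLUGIN_ACTIVITIES = ("PluginExecution", "PluginInstallation",
                     "PluginUninstallation", "PluginPermissionChange")
APPROVED_PLUGINS = {"Salesforce", "Jira"}  # assumption: the tenant's approved list

def build_query_url(activity, now=None, hours=24):
    """Request URL for one plugin activity over the trailing window."""
    if activity not in PLUGIN_ACTIVITIES:
        raise ValueError(f"unexpected activity: {activity!r}")
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"activityDisplayName eq '{activity}' and activityDateTime ge {since}"
    return f"{GRAPH_URL}?$filter={quote(flt)}"  # percent-encode spaces and quotes

def unapproved_events(response, approved=APPROVED_PLUGINS):
    """Return (time, user, activity, plugin) for plugins outside the approved list."""
    hits = []
    for rec in response.get("value", []):
        activity = rec.get("activityDisplayName")
        if activity not in PLUGIN_ACTIVITIES:
            continue
        # Assumption: the plugin name is the first target resource's displayName.
        targets = rec.get("targetResources") or [{}]
        plugin = targets[0].get("displayName") or "<unknown>"
        if plugin in approved:
            continue
        # initiatedBy.user is null when an app, not a person, performed the action.
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        hits.append((rec.get("activityDateTime", ""),
                     user.get("userPrincipalName", "<app or unknown>"), activity, plugin))
    return sorted(hits)

def _rec(when, activity, upn, plugin):  # helper for the constructed sample below
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn} if upn else None},
            "targetResources": [{"displayName": plugin}]}

SAMPLE = {"value": [  # constructed records, not real tenant data
    _rec("2025-01-01T08:02:11Z", "PluginExecution", "alice@contoso.example", "Jira"),
    _rec("2025-01-01T09:15:40Z", "PluginInstallation", "bob@contoso.example", "Contoso Notes Sync"),
    _rec("2025-01-01T09:17:03Z", "PluginExecution", None, "Contoso Notes Sync"),
    _rec("2025-01-01T10:30:00Z", "PluginPermissionChange", "carol@contoso.example", "Salesforce"),
]}

if __name__ == "__main__":
    print(build_query_url("PluginExecution"))
    for hit in unapproved_events(SAMPLE):
        print(*hit)
```

Pass the parsed JSON body of the Graph response to unapproved_events in place of SAMPLE, and forward the returned tuples to your alerting pipeline.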


If the Audit Log Shows No Plugin Events

You might run the audit search and see zero results. This usually happens for one of three reasons.

Audit logging is disabled for the tenant

Check the audit log status in the Microsoft 365 admin center. Go to Compliance > Audit. If the search interface shows a message that audit logging is turned off, click Start recording user and admin activity. It can take up to 24 hours for events to appear after enabling.

No plugins have been used during the selected date range

If your organization has not deployed any Copilot plugins, no events will appear. Verify plugin availability by going to Settings > Copilot > Plugins. If the list is empty, no plugins are configured. Deploy a test plugin and run a conversation in Copilot to generate events.

The user account lacks sufficient permissions

Only users with the Audit Log Administrator, Global Administrator, or Compliance Administrator role can view audit logs. If you are using a custom role, ensure it includes the Audit Logs permission. You can check your role in the admin center under Roles > Role assignments.

Copilot Plugin Access Monitoring: Admin Center vs Graph API

Item                | Admin Center Audit Log   | Microsoft Graph API
--------------------|--------------------------|--------------------------------
Access method       | Web browser interface    | REST API call
Data retention      | 90 days                  | 90 days
Export format       | CSV                      | JSON
Automation          | Manual or Power Automate | Scriptable with any HTTP client
Permission required | Audit Log Administrator  | AuditLog.Read.All
Real-time alerts    | Not built-in             | Possible with webhooks

The admin center audit log is suitable for ad-hoc investigations. The Graph API is better for continuous monitoring and integration with security operations centers. Both methods provide the same event data.

You can now monitor Copilot plugin access using the audit log in the Microsoft 365 admin center or the Graph API. Start by confirming audit logging is enabled and run a search for PluginExecution events. For advanced monitoring, set up a scheduled Graph API query that exports to a log management tool like Azure Sentinel or Splunk. Remember that plugin activity data only persists for 90 days, so archive critical records if needed for long-term compliance.
