You need to know which users in your organization are running Copilot prompts, what data they access, and how often they use the tool. Microsoft 365 does not show this information in the default admin dashboards. The audit logs in the Microsoft Purview compliance portal record every Copilot interaction as an event. This article explains how to search, filter, and export Copilot usage data from the audit log.
Key Takeaways: Audit Copilot Usage via Purview Audit Log
- Microsoft Purview compliance portal > Audit > Search: Filter by workload “Copilot” to see all Copilot interactions across Microsoft 365 apps.
- Audit log record properties “CopilotResponse” and “CopilotInteractionType”: Reveal the exact prompt sent, the response generated, and the app where Copilot was used.
- Export to CSV: Use the “Export” button in the audit search results to download a CSV file for offline analysis in Excel or Power BI.
How Copilot Usage Appears in Microsoft 365 Audit Logs
Every time a user sends a prompt to Copilot in a Microsoft 365 app such as Word, Excel, PowerPoint, Outlook, Teams, or the Copilot pane, the Microsoft 365 service logs an audit event. The event is stored in the unified audit log in the Microsoft Purview compliance portal. The log records the user who initiated the prompt, the timestamp, the app where Copilot was used, the content of the prompt, and the response generated by Copilot. The data is retained according to your organization’s audit log retention policy. By default, audit records are kept for 90 days for tenants with an Office 365 E3 license. Tenants with an E5 license or a Microsoft 365 E5 Compliance add-on retain records for one year. You can extend retention to 10 years with an appropriate license or add-on.
To access the audit log, you must have the Audit Logs role in the Microsoft Purview compliance portal. This role is included in the Compliance Administrator role group by default. If you do not have this role, contact your Microsoft 365 global administrator.
Steps to Search and Filter Copilot Audit Events
- Open the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with an account that has the Audit Logs role or the Compliance Administrator role. - Navigate to the Audit search page
In the left navigation menu, select Audit under the Solutions section. The Audit search page opens with a search bar and filter options. - Set the date range
In the Date fields, choose a start and end date. To see all Copilot usage for the past 30 days, set the start date to 30 days ago and the end date to today. - Filter by workload Copilot
Click the Activities dropdown, then scroll down and select Copilot interactions. This filter limits the search to events where Copilot was triggered. Alternatively, you can type “Copilot” in the search box above the activity list. - Run the search
Click the Search button. The results page displays all Copilot audit events within the selected date range. Each row shows the date, user, activity type, and item name. - Inspect individual audit records
Click any row to open the details pane. In the details pane, scroll to the AuditData section. This JSON block contains the full event data. Look for these properties:
– CopilotInteractionType: Values include “Word”, “Excel”, “PowerPoint”, “Outlook”, “Teams”, “CopilotPane”.
– CopilotResponse: Contains the response text that Copilot generated.
– UserAgent: Shows the app version and platform.
– ClientIP: The IP address of the user’s device. - Export results to CSV
In the search results page, click the Export button and select Export all results. A CSV file downloads to your computer. Open the CSV in Excel to filter, sort, and analyze the data.
If the Audit Log Shows No Copilot Events
Copilot license not assigned to users
Copilot usage is only logged when the user has an active Copilot for Microsoft 365 license assigned. To verify, go to the Microsoft 365 admin center, select Users > Active users, click a user, and check the Licenses and apps tab. If the Copilot license is not listed, assign it from the admin center or via group-based licensing in Azure AD.
Audit logging is disabled for the tenant
In some tenants, the unified audit log is turned off by default. To enable it, go to the Microsoft Purview compliance portal, select Audit, and click Start recording user and admin activity. After you enable it, it can take up to 24 hours before new events appear.
Search filters are too restrictive
If you applied additional filters such as specific users or IP addresses, clear those filters and run a broad search with only the Copilot interactions activity filter and a wide date range. This ensures you are not missing events because of overly narrow criteria.
Copilot Audit Logs vs Copilot Dashboard: What Each Shows
| Item | Audit Log in Purview | Copilot Dashboard in Admin Center |
|---|---|---|
| Data source | Unified audit log from Microsoft 365 services | Telemetry stream from Copilot itself |
| Prompt content | Yes, in the AuditData JSON | No, only aggregated counts |
| Response content | Yes, in the CopilotResponse property | No |
| Per-user breakdown | Yes, each event shows the user UPN | Yes, by user in the Usage tab |
| Retention period | 90 days to 10 years based on license | 28 days |
| Export format | CSV or JSON | CSV only |
Use the audit log when you need detailed forensic data such as the exact prompt text or the Copilot response. Use the Copilot dashboard in the Microsoft 365 admin center under Reports > Usage > Copilot when you only need aggregate usage counts and adoption trends without the content of interactions.
Conclusion
You can now audit Copilot usage across your Microsoft 365 tenant by searching the unified audit log in the Microsoft Purview compliance portal. Filter by the Copilot interactions activity to isolate all Copilot events, then inspect the AuditData JSON for the prompt and response content. Export the results to CSV for offline analysis. For a broader view of adoption without content details, use the Copilot dashboard in the admin center. As a next step, set up a scheduled export of audit logs to Azure Log Analytics for long-term retention and custom alerting on Copilot activity.