Microsoft 365 administrators need to track which files Copilot accesses in their tenant to ensure data compliance and security. Copilot can read files from SharePoint, OneDrive, and Microsoft Graph when generating responses in Word, Excel, PowerPoint, and Teams. This article explains how to use the Microsoft 365 audit log to view a complete record of every file Copilot has read. You will learn to configure audit logging, run targeted searches, and interpret the results.
Key Takeaways: Auditing Copilot File Access
- Microsoft 365 Purview compliance portal > Audit > Search: Central location to query all Copilot file-read events.
- Workload filter set to “Copilot”: Isolates audit records generated by Copilot interactions only.
- Operation “FileAccessed”: The specific event name logged when Copilot reads a file from SharePoint or OneDrive.
How Copilot File Access Is Logged
When a user interacts with Copilot in a Microsoft 365 app, the service may read files from the user’s Microsoft Graph data. This includes documents stored in SharePoint Online, OneDrive for Business, and Microsoft Teams files. Every file read by Copilot generates an audit record in the Microsoft 365 audit log. The audit record captures the user who triggered the action, the exact file path, the timestamp, and the Copilot session ID.
By default, audit logging is enabled for all Microsoft 365 tenants with E5 or G5 subscriptions. Tenants with E3, Business Standard, or Business Premium can enable audit logging through the Purview compliance portal. Without audit logging enabled, no file-access records are created, and administrators cannot retroactively view Copilot activity.
What Triggers a File-Read Event
Copilot reads a file when a user asks a question that requires data from a specific document. For example, asking Copilot in Word to summarize a SharePoint document triggers a read event. Copilot in Teams reading a meeting transcript also generates a file-read audit record. The audit log does not record files that Copilot attempts to read but fails due to permissions or licensing restrictions.
Steps to Search the Audit Log for Copilot File Reads
Follow these steps to extract a list of every file Copilot has read in your tenant. You must have the Audit Log or View-Only Audit Log role assigned in the Purview compliance portal.
- Open the Microsoft 365 Purview compliance portal
Navigate to https://compliance.microsoft.com and sign in with an account that has the Audit Log role. In the left navigation, select Audit under the Solutions section. - Configure the search parameters
Set the Date range to the period you want to audit. For the first search, set Start to 90 days ago and End to today. Under Activities, select File and page activities then check File accessed. Do not select other activities like File downloaded or File modified. - Add a workload filter for Copilot
Click Add filter and choose Workload. In the dropdown, select Copilot. This filter ensures the results show only events generated by Copilot and not by a user manually opening a file. - Run the search
Click Search at the bottom of the pane. The portal displays a list of audit records. Each record shows the date, user, IP address, and activity. Click any record to open the details pane. - Review the file path in the details pane
In the details pane, scroll to Affected items. The file path appears as a SharePoint or OneDrive URL. Copy the URL to confirm the exact file location. The details pane also shows the Copilot session ID, which you can use to correlate multiple file reads within one conversation. - Export the results for analysis
Click Export at the top of the search results page. Choose CSV format. The exported file contains all columns including the file path, user, and timestamp. Open the CSV in Excel to filter, sort, and create reports.
If the Audit Log Returns No Copilot Events
A search that returns zero records does not necessarily mean Copilot has not read files. Three common reasons explain empty results.
Audit Logging Is Disabled
Tenants without E5 or G5 subscriptions may have audit logging turned off. In the Purview compliance portal, go to Audit > Audit retention. If it shows “Audit log search is turned off,” click Start recording user and admin activity. It can take up to 24 hours for audit records to begin appearing.
Incorrect Activity Selection
Selecting “File accessed” under the wrong category can exclude Copilot events. Ensure you select File and page activities > File accessed. Do not select the generic “Accessed file” under SharePoint activities, as that filter may not capture Copilot-specific records.
Users Lack a Copilot License
If no users in the tenant have a Copilot for Microsoft 365 license, Copilot cannot read any files. Verify licenses in the Microsoft 365 admin center under Billing > Licenses. Only users assigned a Copilot license generate file-read audit events.
Copilot File Access vs Manual File Access: Audit Differences
| Item | Copilot File Access | Manual File Access |
|---|---|---|
| Audit operation name | FileAccessed | FileAccessed |
| Workload filter | Copilot | SharePoint or OneDrive |
| User field | The person who asked Copilot the question | The person who opened the file |
| Session identifier | CopilotSessionId included in audit record | No session ID |
| Access reason | Copilot generating a response | User viewing or editing the file |
Limitations of the Copilot Audit Log
The audit log does not capture every file Copilot reads during a single interaction. If Copilot reads multiple files to answer one question, each file generates a separate audit record. However, the log does not show which parts of the file Copilot used or whether the response included direct quotes from the file.
Audit records are retained based on your tenant’s audit retention policy. The default retention is 90 days for E5 tenants and 180 days for E5 with add-on licenses. For longer retention, assign an Audit (Premium) license to the users being audited. Without Premium, records older than 90 days are not available for search.
The audit log does not record file access for Copilot in Microsoft Edge or the Copilot mobile app. Those environments use a different data access model that does not generate audit events in the Purview portal. To audit Copilot activity in Edge, you must rely on browser history and network logs, which are not covered in this article.
You can now run targeted audit searches to see exactly which files Copilot has read in your tenant. Start by verifying that audit logging is enabled, then use the workload filter set to Copilot to isolate file-read events. For ongoing monitoring, schedule a weekly CSV export and store it in a secure SharePoint library to maintain a historical record beyond the default retention period. If you need to track Copilot activity in real time, consider enabling Audit (Premium) alerts for the FileAccessed operation on sensitive document libraries.