Security and compliance teams need visibility into how Copilot is being used across their organization. The Activity Explorer in Microsoft Purview provides a centralized log of Copilot interactions, including prompts, responses, and data sources accessed. Without this tool, administrators cannot track usage patterns, identify risky behavior, or prove compliance with data governance policies. This article explains how to access the Activity Explorer, interpret the daily use patterns it reveals, and set up alerts for unusual activity.
Key Takeaways: Copilot Activity Explorer Daily Monitoring
- Microsoft Purview > Solutions > Audit > Activity Explorer: Shows every Copilot interaction with detailed metadata including timestamp, user, action, and data source.
- Custom date range filter: Lets you view usage patterns for any period from hours to 90 days for trend analysis.
- Alert policies in Purview > Solutions > Data Loss Prevention: Automatically notify you when Copilot accesses sensitive data or exceeds defined thresholds.
What the Activity Explorer Shows for Copilot
The Activity Explorer in Microsoft Purview is the primary interface for reviewing audit logs generated by Copilot interactions. Every time a user sends a prompt to Copilot in Microsoft 365 apps such as Word, Excel, PowerPoint, Teams, or Outlook, the system logs the following details:
- User identity – The account that initiated the Copilot session.
- Timestamp – Exact date and time of the interaction.
- Action – The Copilot operation performed, such as CopilotInteraction or CopilotResponse.
- Application – The Microsoft 365 app where the prompt was sent.
- Data sources accessed – Files, emails, calendar items, or Teams messages that Copilot used to generate the response.
- Prompt text – The exact text the user typed.
- Response summary – A non-sensitive summary of the response generated by Copilot.
The Activity Explorer does not store the full response content. This design protects sensitive information while still providing enough detail for compliance review. Data is retained based on your organization’s audit retention policy, which can be set from 90 days to 10 years for users with appropriate licenses.
How Activity Explorer Differs from Basic Audit Log Search
Basic audit log search in the Microsoft 365 admin center shows raw log entries without aggregation or filtering. The Activity Explorer adds a dashboard layer with charts, filters, and the ability to drill into specific records. You can view usage trends over time, identify the most active users, and see which data sources Copilot accesses most frequently. This makes it suitable for daily monitoring rather than one-off investigations.
Steps to Access and Use the Activity Explorer for Copilot
Before you can view Copilot activity, ensure your organization has the required license. You need Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit. Users must also have a Copilot for Microsoft 365 license assigned.
- Open the Microsoft Purview portal
Go to https://compliance.microsoft.com and sign in with an account that has the Compliance Administrator, Security Administrator, or Audit Logs role. - Navigate to the Activity Explorer
In the left navigation, select Solutions then Audit. On the Audit page, click the Activity Explorer tab. This opens the dashboard with a date range selector and activity chart. - Set the date range to view daily patterns
Click the date range picker and choose Last 24 hours or Custom range to specify a specific day. For daily patterns, selecting Last 7 days often provides better trend visibility. - Filter to Copilot activities only
Click the Activities filter. In the search box, type Copilot. Select the checkboxes for CopilotInteraction and CopilotResponse. Click Apply. - Review the activity chart
The bar chart shows the number of Copilot interactions per hour or per day. Hover over any bar to see the exact count. This reveals peak usage times and low-activity periods. - Drill into specific records
Below the chart, the list view displays individual log entries. Click any row to open the details pane. Here you can see the user, application, data sources, and prompt text. Use the Export button to download the visible records as a CSV file. - Create a saved search for daily monitoring
After setting your filters, click Save at the top of the Activity Explorer. Name the search Daily Copilot Usage. You can reload this saved search each day without reconfiguring filters.
Common Issues When Interpreting Daily Use Patterns
Activity Explorer Shows Zero Copilot Interactions
If the Activity Explorer displays no data even though users report using Copilot, check the following:
- Confirm that audit logging is enabled in the Microsoft 365 admin center. Go to Settings > Org Settings > Security & Privacy > Audit log and turn on Audit log recording for Microsoft 365.
- Verify that users have a Copilot for Microsoft 365 license assigned. Without the license, interactions are not logged in the Activity Explorer.
- Check the date range. If you set a range older than the audit retention period, no records appear.
Data Sources Column Is Empty for Some Records
When Copilot does not access any organizational data to generate a response, the data sources field remains blank. This happens for general knowledge questions or when Copilot uses only the public web model. It does not indicate a logging failure. If you suspect missing data sources for queries that should reference internal files, ask the user to verify that the file is stored in OneDrive or SharePoint and that the user has permission to access it.
Prompt Text Shows as Redacted
In some records, the prompt text field displays [Redacted] instead of the user’s original text. This occurs when the prompt contains sensitive information such as credit card numbers, social security numbers, or other data types covered by your organization’s data loss prevention policies. To see the full prompt, you must have the View Redacted Data permission, which is part of the Compliance Administrator role.
Copilot Activity Explorer vs Basic Audit Log Search: Key Differences
| Item | Activity Explorer | Basic Audit Log Search |
|---|---|---|
| Purpose | Daily monitoring and trend analysis | One-time investigation of specific events |
| Data visualization | Bar charts, line graphs, and aggregated counts | Flat list of log entries only |
| Filtering options | Activity, user, date, application, data source | Date range and user only |
| Saved searches | Yes, with custom names | No |
| Export format | CSV with current view | CSV with all results |
| Retention dependency | Respects audit retention policy | Respects audit retention policy |
For daily use pattern analysis, the Activity Explorer is the recommended tool. Basic audit log search remains useful for exporting large datasets for external analysis or for reviewing events older than 90 days if your retention policy supports it.
The Activity Explorer in Microsoft Purview gives you a practical way to monitor Copilot usage across your organization on a daily basis. By filtering to Copilot interactions, setting a saved search, and reviewing the chart for peak usage times, you can identify adoption trends and spot unusual behavior early. For deeper protection, combine the Activity Explorer with alert policies in Data Loss Prevention to receive notifications when Copilot accesses sensitive data. Start by loading your saved Daily Copilot Usage search each morning to build a routine review process.