How to Review Copilot Activity in Microsoft Purview Audit

Microsoft Purview Audit logs record every action that Copilot takes in Microsoft 365 services. Without these logs, administrators cannot verify how Copilot accesses data or which files it processes. This article explains how to search and interpret Copilot activity events in Purview Audit. You will learn the exact search queries, the required permissions, and how to filter results to find specific user actions.

Key Takeaways: Searching Copilot Audit Logs in Purview

  • Microsoft Purview compliance portal > Audit > New Search: The starting point to query Copilot events across Exchange, SharePoint, Teams, and Word.
  • Workload filter set to “Copilot”: Narrows results to only Copilot-generated audit records and excludes all other Microsoft 365 operations.
  • Operation “CopilotInteraction”: The specific activity name that captures each Copilot query, response, and data source used.


What the Copilot Audit Log Captures

Every time a user sends a prompt to Copilot in a Microsoft 365 app, the system writes an audit record to the Microsoft 365 unified audit log. This record contains the user who initiated the action, the timestamp, the app where Copilot was used, and a list of data sources Copilot accessed to generate the response. The data sources include specific documents, emails, calendar items, and chat messages from Microsoft Graph.

The audit log does not store the prompt text or the response content. It records metadata only: which files were read, which mailboxes were queried, and which Teams channels contributed to the answer. This design protects user privacy while still allowing administrators to verify data access patterns.

Required Permissions

To view Copilot audit records, you need one of the following roles assigned in the Microsoft 365 admin center or the Purview compliance portal:

  • Audit Logs role (View-Only Audit Logs or Audit Logs)
  • Compliance Administrator
  • Global Administrator

These roles allow you to run searches in the Audit section of the Purview compliance portal and export results to CSV.

Steps to Search Copilot Activity in Purview Audit

  1. Open the Microsoft Purview compliance portal
    Sign in to compliance.microsoft.com with your administrator account. In the left navigation, select Audit under the Solutions section.
  2. Start a new audit search
    On the Audit page, click New Search. A search pane opens on the right side of the screen.
  3. Set the date range
    In the Start date and End date fields, choose the period you want to review. The default range is the last 7 days. You can go back up to 90 days or 180 days depending on your licensing.
  4. Filter by workload: Copilot
    Click the Workload dropdown and select Copilot. This filter ensures only Copilot-related events appear in the results.
  5. Filter by operation: CopilotInteraction
    Click the Operation dropdown and select CopilotInteraction. This is the specific activity name for all Copilot queries and responses.
  6. Add user filter if needed
    To see activity for a specific person, enter their email address in the User field. Leave this blank to see all users.
  7. Run the search
    Click Search at the bottom of the pane. The results appear in a table below. Each row shows the date, user, operation, and workload.
  8. View details of a single event
    Click any row in the results table. A details pane opens with the full audit record, including the AuditData field in JSON format. This JSON contains the list of data sources Copilot accessed.
  9. Export results to CSV
    In the search results toolbar, click Export and choose Export all results. The file downloads as a CSV that you can open in Excel for further analysis.


Common Issues When Searching Copilot Audit Logs

No CopilotInteraction Events Appear in Search Results

If your search returns zero results, confirm that audit logging is enabled in your tenant. Go to Audit > Audit log search and check the banner at the top. If it says “Audit log search is turned on,” logging is active. If not, click Turn on auditing. Also verify that users have a Copilot license assigned. Without a license, Copilot does not generate audit events.

The AuditData JSON Shows Only Empty Arrays in the DataSources Field

This happens when Copilot responds using general knowledge rather than your tenant data. For example, if a user asks Copilot a question about public web content, Copilot may not access any Microsoft Graph data sources. Only prompts that trigger grounded responses — those that read files, emails, or calendar items — populate the DataSources array with specific document IDs and mailbox identifiers.

Export Fails or CSV File Is Empty

The export function in Purview Audit has a limit of 50,000 records per search. If your search returns more than 50,000 events, narrow the date range or add user filters to reduce the result set. After exporting, open the CSV in a text editor first to confirm the file has headers and data rows. Excel may truncate long JSON strings in the AuditData column — use Power Query or a JSON viewer instead.
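
The following Python script is an added example, not code from the original article: it reads an exported audit CSV without going through Excel, parses each AuditData JSON value, and reports per user how many interactions were grounded, how many had an empty DataSources array, and which sources were read. The CSV column names, the shape of each DataSources entry, and the sample rows are assumptions constructed for illustration; the DataSources key follows this article's naming, so check it against a record from your own tenant.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample export. The column names and the shape of each
# DataSources entry are assumptions; adjust them to match your own CSV.
SAMPLE_CSV = '''CreationDate,UserId,Operation,AuditData
2024-05-01T09:00:00Z,alice@contoso.example,CopilotInteraction,"{""Workload"":""Copilot"",""Operation"":""CopilotInteraction"",""UserId"":""alice@contoso.example"",""DataSources"":[{""Id"":""doc-001""},{""Id"":""mbx-alice""}]}"
2024-05-01T09:05:00Z,alice@contoso.example,CopilotInteraction,"{""Workload"":""Copilot"",""Operation"":""CopilotInteraction"",""UserId"":""alice@contoso.example"",""DataSources"":[]}"
2024-05-01T10:00:00Z,bob@contoso.example,CopilotInteraction,"{""Workload"":""Copilot"",""Operation"":""CopilotInteraction"",""UserId"":""bob@contoso.example"",""DataSources"":[{""Id"":""doc-001""}]}"
2024-05-01T10:02:00Z,bob@contoso.example,CopilotInteraction,"{""Workload"":""Copilot"",""Operation"":""Copil"
2024-05-01T11:00:00Z,carol@contoso.example,FileAccessed,"{""Workload"":""SharePoint"",""Operation"":""FileAccessed"",""UserId"":""carol@contoso.example""}"
'''

def summarize_copilot_export(csv_text, audit_col="AuditData", sources_key="DataSources"):
    """Return (per-user summary, row numbers whose AuditData could not be parsed)."""
    summary = defaultdict(lambda: {"grounded": 0, "ungrounded": 0, "sources": set()})
    unparsed = []  # spreadsheet row numbers (header is row 1), e.g. truncated JSON
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            record = json.loads(row.get(audit_col) or "")
        except json.JSONDecodeError:
            unparsed.append(row_no)
            continue
        # Skip anything that is not a Copilot interaction record.
        if not isinstance(record, dict) or record.get("Operation") != "CopilotInteraction":
            continue
        user = summary[record.get("UserId", "unknown")]
        sources = record.get(sources_key) or []
        if not sources:
            # Empty array: the response was not grounded in tenant data.
            user["ungrounded"] += 1
            continue
        user["grounded"] += 1
        for src in sources:
            # Entries are treated as opaque; serialize them so they can be de-duplicated.
            user["sources"].add(json.dumps(src, sort_keys=True))
    return dict(summary), unparsed

if __name__ == "__main__":
    per_user, bad_rows = summarize_copilot_export(SAMPLE_CSV)
    for name, stats in sorted(per_user.items()):
        print(name, stats["grounded"], stats["ungrounded"], sorted(stats["sources"]))
    print("rows with unparseable AuditData:", bad_rows)
```

Rows reported as unparseable are worth re-exporting, since a cut-off AuditData value hides the data sources for that interaction.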

Copilot Audit Log vs Standard Microsoft 365 Audit Log: Key Differences

| Item | Copilot Audit Log | Standard Microsoft 365 Audit Log |
| --- | --- | --- |
| Workload name | Copilot | Exchange, SharePoint, Teams, OneDrive, etc. |
| Operation name | CopilotInteraction | FileAccessed, MessageSent, MailboxLogin, etc. |
| Prompt content stored | No | N/A |
| Response content stored | No | N/A |
| Data sources recorded | Yes — document IDs, mailbox IDs, site URLs | Only the target object (file, message) |
| Retention period | 90 days (E3), 180 days (E5), 1 year (add-on) | 90 days (E3), 1 year (E5) |

The Copilot audit log provides a unique view into which tenant data Copilot used to answer a prompt. Standard audit logs tell you that a file was opened but not why. The Copilot log connects the prompt to the specific documents and mailboxes that influenced the response.

You can now search Copilot activity in Microsoft Purview Audit using the Copilot workload filter and the CopilotInteraction operation. To investigate a specific user, add their email to the search and export the results to CSV. For deeper analysis, open the AuditData JSON to see the exact data sources Copilot accessed. Consider setting up a saved search in Purview to run this query weekly as a compliance check.
