Skip to main content
Version: 2.1.1-preview

MT.1172 - Unified audit log ingestion is enabled

Overview​

Ensure the Microsoft 365 unified audit log is enabled so tenant activity across Exchange, SharePoint, OneDrive, Teams, Entra ID, Microsoft 365 Copilot and other workloads is captured for Microsoft Purview.

The unified audit log is the foundation for Microsoft Purview Audit, eDiscovery, Insider Risk Management, Communication Compliance, and the DSPM for AI activity explorer. Copilot prompt/response activity is one of many signals that flow into it β€” along with mailbox access, file operations, admin actions, sign-ins and every other workload event.

When UnifiedAuditLogIngestionEnabled is False:

  • Tenant activity is not captured anywhere in Purview.
  • Purview audit search returns no results.
  • eDiscovery cannot find user or workload activity.
  • Insider Risk Management policies cannot generate alerts.
  • Communication Compliance policies will not match content.
  • DSPM for AI activity explorer will be empty and Copilot interactions cannot be reviewed.

The test passes if Get-AdminAuditLogConfig returns UnifiedAuditLogIngestionEnabled = True.

Remediation action:​

  1. Connect to Exchange Online PowerShell as a Compliance Administrator or higher: Connect-ExchangeOnline.
  2. Run: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true.
  3. Allow up to 60 minutes for ingestion to begin and confirm by searching the Microsoft Purview audit search.

Test Metadata​

FieldValue
Test IDMT.1172
SeverityHigh
SuiteMaester
CategoryPurview
PowerShell testTest-MtPurviewAuditLogIngestion
TagsMaester, MT.1172, Purview

Source​

  • Pester test: tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1
  • PowerShell source: powershell/public/maester/purview/Test-MtPurviewAuditLogIngestion.ps1