MT.1172 - Unified audit log ingestion is enabled
Overviewβ
Ensure the Microsoft 365 unified audit log is enabled so tenant activity across Exchange, SharePoint, OneDrive, Teams, Entra ID, Microsoft 365 Copilot and other workloads is captured for Microsoft Purview.
The unified audit log is the foundation for Microsoft Purview Audit, eDiscovery, Insider Risk Management, Communication Compliance, and the DSPM for AI activity explorer. Copilot prompt/response activity is one of many signals that flow into it β along with mailbox access, file operations, admin actions, sign-ins and every other workload event.
When UnifiedAuditLogIngestionEnabled is False:
- Tenant activity is not captured anywhere in Purview.
- Purview audit search returns no results.
- eDiscovery cannot find user or workload activity.
- Insider Risk Management policies cannot generate alerts.
- Communication Compliance policies will not match content.
- DSPM for AI activity explorer will be empty and Copilot interactions cannot be reviewed.
The test passes if Get-AdminAuditLogConfig returns UnifiedAuditLogIngestionEnabled = True.
Remediation action:β
- Connect to Exchange Online PowerShell as a Compliance Administrator or higher:
Connect-ExchangeOnline. - Run:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. - Allow up to 60 minutes for ingestion to begin and confirm by searching the Microsoft Purview audit search.
Related linksβ
- Microsoft Learn β Turn auditing on or off
- Microsoft Learn β Search the audit log
- Microsoft Learn β Audit logs for Microsoft 365 Copilot interactions
- Microsoft Learn β Data Security Posture Management for AI
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1172 |
| Severity | High |
| Suite | Maester |
| Category | Purview |
| PowerShell test | Test-MtPurviewAuditLogIngestion |
| Tags | Maester, MT.1172, Purview |
Sourceβ
- Pester test:
tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1 - PowerShell source:
powershell/public/maester/purview/Test-MtPurviewAuditLogIngestion.ps1