M365 Changelog: (Updated) Microsoft Purview | Audit search: New filters will be available – Sep 5, 2024

Summary

Microsoft Purview's audit search is adding four new filters: Id, UserType, UserKey, and ClientIP. These will help organizations better investigate user activities. The update is part of Microsoft 365 Roadmap ID 384092, with a Public Preview in late May 2024 and full rollout by late June 2024. No admin action is required before the rollout.

MC789312 – Updated September 4, 2024: Microsoft has updated the rollout timeline below. Thank you for your patience.

In Microsoft Purview, audit search provides your organization with access to critical audit log event data, allowing you to gain insight and further investigate user activities. The Microsoft Purview Compliance portal's audit search UI currently includes several search fields (e.g., date range, activities, workloads, and users) to facilitate the retrieval of relevant logs. With a recent update, we have added four additional fields to the audit search UI.

These four fields are described below:

New filter field | Description
Id | Unique identifier of an audit record.
UserType | The type of user that performed the operation. See the UserType table for details on the types of users.
UserKey | Azure Active Directory Object ID in GUID format.
ClientIP | The IP address of the device that was used when the activity was logged.

This message is associated with Microsoft 365 Roadmap ID 384092.

When this will happen:

Public Preview: Microsoft will begin rolling out early November 2024 (previously mid-August) and expects to complete by mid-November 2024 (previously mid-September).

General Availability (Worldwide): Microsoft will begin rolling out mid-November 2024 (previously mid-September) and expects to complete by late November 2024 (previously mid-October).

How this will affect your organization:

Security admins in your organization who use audit in the Microsoft Purview compliance portal will be able to use these four additional fields to retrieve relevant audit logs.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation as appropriate.

Additional resources