Control 3.1: Copilot Interaction Audit Logging — Portal Walkthrough
Step-by-step portal configuration for enabling comprehensive audit logging of all Microsoft 365 Copilot interactions to support compliance with FSI regulatory requirements.
Prerequisites
- Role: Global Administrator or Compliance Administrator
- License: Microsoft 365 E5 or E5 Compliance add-on (or PAYG Audit billing configured)
- Access: Microsoft Purview portal
Steps
Step 1: Verify Unified Audit Log Is Enabled
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Audit
- Navigate to the Audit solution in the Purview portal.
- Confirm the banner reads "Audit is turned on" — if not, click Start recording user and admin activity.
- Note that changes may take up to 60 minutes to propagate across the tenant.
Step 2: Configure Copilot-Specific Audit Activities
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Audit > Search
- In the Activities - friendly names filter, expand Copilot activities to view all Copilot-specific events.
- Confirm that the following activities are available for search: `CopilotInteraction`, `CopilotFeedback`, `CopilotPluginRun`.
- Create a saved search for "All Copilot Activity" selecting all Copilot-related event types.
- To search for agent-specific events, use the Record type filter and select `AgentAdminActivity` or `AgentSettingsAdminActivity`.
Step 3: Search for New Audit Schema Fields
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Audit > Search > Export results
To surface the expanded audit schema fields (`AgentId`, `AgentName`, `XPIA`, `JailbreakDetected`, `SensitivityLabelId`):
- Run a `CopilotInteraction` search for your desired date range and export the results to CSV.
- Open the exported CSV and review the AuditData column (JSON format) for the new fields.
- When reviewing agent-assisted interactions, the `AgentId` and `AgentName` fields identify which Copilot agent was invoked; use these to map agent usage to FINRA Rule 3110 supervisory records.
- Filter the exported data for rows where `JailbreakDetected` is `true`; these events require security escalation per FFIEC incident response standards.
- Use `SensitivityLabelId` values to cross-reference against your label inventory and verify that Copilot respected label-based access boundaries.
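The three review passes above are easy to do by hand once, but for a recurring control you want them scripted against the export. The following is an added example, not code from the original page or from Microsoft: it decodes the AuditData JSON from a Purview CSV export and applies the jailbreak, agent-mapping and label checks. The export rows, users, agent IDs and label inventory are constructed sample data; only the field names come from the walkthrough. The `_is_true` helper and the output structure of `triage` are this example's own conventions.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample of a Purview audit search export. A real export carries
# more columns; AuditData is the JSON payload the walkthrough says to inspect.
# Field names follow the page; users, agents and label IDs are made up.
SAMPLE_EXPORT = (
    "RecordId,CreationDate,RecordType,Operation,UserId,AuditData\n"
    '1,2024-05-01T09:00:00Z,CopilotInteraction,CopilotInteraction,alice@contoso.example,'
    '"{""AgentId"":""agent-001"",""AgentName"":""Trade Desk Assistant"",'
    '""JailbreakDetected"":false,""SensitivityLabelId"":""label-confidential""}"\n'
    '2,2024-05-01T09:05:00Z,CopilotInteraction,CopilotInteraction,bob@contoso.example,'
    '"{""AgentId"":""agent-002"",""AgentName"":""HR Helper"",'
    '""JailbreakDetected"":true,""SensitivityLabelId"":""label-general""}"\n'
    '3,2024-05-01T09:07:00Z,CopilotInteraction,CopilotInteraction,alice@contoso.example,'
    '"{""JailbreakDetected"":false,""SensitivityLabelId"":""label-unknown""}"\n'
)

# Sensitivity label inventory maintained outside Purview (constructed).
LABEL_INVENTORY = {
    "label-confidential": "Confidential",
    "label-general": "General",
}


def _is_true(value):
    """Treat the JSON boolean and the string form 'true' as a hit; a missing field is not one."""
    return value is True or str(value).strip().lower() == "true"


def parse_export(csv_text):
    """Yield each export row as a dict with AuditData decoded into row['audit']."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["audit"] = json.loads(row.get("AuditData") or "{}")
        except json.JSONDecodeError:
            # Keep the row: an undecodable payload is itself something to look at.
            row["audit"] = {}
        yield row


def triage(csv_text, label_inventory):
    """Apply the three Step 3 checks to an export and return the findings."""
    rows = list(parse_export(csv_text))

    # 1. Jailbreak attempts to escalate.
    escalations = [r for r in rows if _is_true(r["audit"].get("JailbreakDetected"))]

    # 2. Agent usage per user, keyed on AgentId/AgentName for supervisory mapping.
    #    Rows without an AgentId are plain Copilot interactions and are skipped here.
    agent_usage = Counter(
        (r["UserId"], r["audit"]["AgentId"], r["audit"].get("AgentName", ""))
        for r in rows
        if r["audit"].get("AgentId")
    )

    # 3. Label IDs seen in the log that are not in the inventory: either the
    #    inventory is stale or Copilot touched content under an unexpected label.
    seen_labels = {r["audit"].get("SensitivityLabelId") for r in rows}
    unknown_labels = sorted(l for l in seen_labels if l and l not in label_inventory)

    return {
        "total": len(rows),
        "escalations": escalations,
        "agent_usage": agent_usage,
        "unknown_labels": unknown_labels,
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_EXPORT, LABEL_INVENTORY)
    print(f"{findings['total']} interactions, {len(findings['escalations'])} to escalate")
    for r in findings["escalations"]:
        print(f"  ESCALATE record {r['RecordId']} user {r['UserId']} at {r['CreationDate']}")
    for (user, agent_id, agent_name), n in sorted(findings["agent_usage"].items()):
        print(f"  {user} used {agent_id} ({agent_name}) {n}x")
    print("  label IDs not in inventory:", findings["unknown_labels"])
```

Point `triage` at the file you exported (`open(path).read()`) and keep the inventory in version control so that an unknown label ID is a reviewable diff rather than a surprise.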
Step 4: Enable Audit (Premium) for Extended Retention
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Audit > Audit retention policies
- Click New audit retention policy.
- Set Record type to `CopilotInteraction`.
- Set Duration to 10 years (FSI regulated recommendation; minimum 6 years per SEC Rule 17a-4(a)). Any duration longer than one year requires the 10-Year Audit Log Retention add-on license for the users whose records are to be retained.
- Set Priority so that this policy wins over any other custom policy covering the same record type (1 is the highest priority); custom audit retention policies already take precedence over the default retention policy.
- Click Save to apply.
- Create a second policy for agent record types:
  - Record types: Select `AgentAdminActivity` and `AgentSettingsAdminActivity`
  - Duration: 6 years (supports SOX 404 IT general controls, which expect multi-year change management evidence)
  - Priority: a different value from the Copilot interaction policy (each audit retention policy needs its own priority value)
Step 5: Configure Agent-Specific Record Type Navigation
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Audit > Search
To search for agent administrative events in the portal:
- In the Audit search interface, set the date range.
- In the Record type filter (advanced search options), select `AgentAdminActivity` to find agent configuration changes.
- Select `AgentSettingsAdminActivity` to find agent settings modifications.
- Combine with the User filter to scope searches to specific administrators who manage Copilot agents.
- Export results and use the `AgentId` field to trace which agents were created, modified, or deleted.
Step 6: Configure Audit Log Alert Policies
Portal: Microsoft Purview portal. Path: purview.microsoft.com > Policies > Alert policies
- Create a new alert policy for unusual Copilot interaction volume.
- Set the activity to `CopilotInteraction`, with a threshold of more than 500 occurrences in a 60-minute window by a single user.
- Create a second alert for `JailbreakDetected` events and set the threshold to 1 (any jailbreak attempt triggers an alert). `JailbreakDetected` is a property inside the AuditData payload rather than an activity name, so if the alert policy builder does not offer it as a condition, run the check against exported or streamed audit data (for example in your SIEM) and route hits to the same recipients.
- Assign alert recipients to the compliance monitoring team distribution group.
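The two alert rules above are simple enough that it is worth seeing exactly what they should fire on, especially if the jailbreak rule ends up implemented outside the portal. The following is an added example, not code from the original page or from Microsoft: it runs both rules over a constructed stream of Copilot interaction events (one user sending 501 interactions in about 42 minutes, another sending three with one jailbreak hit). The rolling-window and alert-once-per-burst behaviour is this example's own choice; the Purview alert policy UI expresses its condition in its own terms.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds from Step 6: more than 500 interactions per user per hour, and
# any JailbreakDetected event.
VOLUME_THRESHOLD = 500
WINDOW = timedelta(hours=1)


def detect(events, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Run both Step 6 rules over events ordered by time.

    Each event is a dict with 'time' (tz-aware datetime), 'user' and
    'jailbreak' (bool). Returns (volume_alerts, jailbreak_alerts).
    """
    recent = defaultdict(deque)   # per user: timestamps still inside the window
    over = set()                  # users currently above threshold (suppress repeats)
    volume_alerts, jailbreak_alerts = [], []
    for ev in events:
        user, t = ev["user"], ev["time"]
        q = recent[user]
        q.append(t)
        while t - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            if user not in over:    # one alert per burst, not one per event
                over.add(user)
                volume_alerts.append({"user": user, "time": t, "count": len(q)})
        else:
            over.discard(user)      # re-arm once the user drops back under threshold
        if ev.get("jailbreak"):     # threshold 1: every hit is an alert
            jailbreak_alerts.append({"user": user, "time": t})
    return volume_alerts, jailbreak_alerts


def _sample_events():
    """Constructed traffic: alice fires 501 interactions five seconds apart,
    bob three, the second of which carries JailbreakDetected."""
    start = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        {"user": "alice@contoso.example", "time": start + timedelta(seconds=5 * i), "jailbreak": False}
        for i in range(501)
    ]
    events += [
        {"user": "bob@contoso.example", "time": start + timedelta(minutes=m), "jailbreak": jb}
        for m, jb in ((1, False), (12, True), (30, False))
    ]
    return sorted(events, key=lambda e: e["time"])


SAMPLE_EVENTS = _sample_events()


if __name__ == "__main__":
    volume, jailbreak = detect(SAMPLE_EVENTS)
    for a in volume:
        print(f"VOLUME    {a['user']} reached {a['count']} interactions/hour at {a['time']:%H:%M:%S}")
    for a in jailbreak:
        print(f"JAILBREAK {a['user']} at {a['time']:%H:%M:%S}")
```

To feed it real data, build the event dicts from the parsed AuditData of an export (CreationDate, UserId, JailbreakDetected) and sort by time before calling `detect`; the window logic assumes chronological input.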
FSI Recommendations
| Setting | Baseline | Recommended | Regulated |
|---|---|---|---|
| Audit log status | Enabled | Enabled | Enabled |
| CopilotInteraction retention | 180 days | 1 year | 6-10 years |
| AgentAdminActivity retention | Not required | 1 year | 6 years |
| Copilot activity alerts | Optional | Recommended | Required |
| JailbreakDetected alert | Optional | Recommended | Required |
| Audit Premium or PAYG | Optional | Recommended | Required |
| Agent record type searches | Optional | Recommended | Required |
Regulatory Alignment
- SEC Rule 17a-4(a) — Six-year retention requirement drives the regulated-tier audit retention configuration
- FINRA Rule 4511 — Books-and-records obligations for AI-assisted communications and agent-configured workflows
- FINRA Rule 3110 — Supervisory mapping of agent activities; AgentId/AgentName fields are the primary evidence
- SOX Section 404 — IT general controls audit trail; AgentAdminActivity captures configuration change history
- FFIEC — Incident response requirements; JailbreakDetected events require documented escalation procedures
Next Steps
- Proceed to PowerShell Setup for automation of audit log configuration
- See Verification & Testing to validate audit logging is operational