{"id":11537,"date":"2025-05-13T02:00:57","date_gmt":"2025-05-12T17:00:57","guid":{"rendered":"https:\/\/m365jp.net\/?p=11537"},"modified":"2025-05-13T02:03:41","modified_gmt":"2025-05-12T17:03:41","slug":"mc1066337-updated-microsoft-exchange-online-introducing-actorinfostring-in-exchange-online-audit-logs","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-05-13-mc1066337-updated-microsoft-exchange-online-introducing-actorinfostring-in-exchange-online-audit-logs","title":{"rendered":"MC1066337 | (Updated) Microsoft Exchange Online: Introducing ActorInfoString in Exchange Online audit logs"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1066337 | (Updated) Microsoft Exchange Online: Introducing ActorInfoString in Exchange Online audit logs<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>05\/12\/2025 16:43:41<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>05\/01\/2025 22:29:42<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>08\/29\/2025 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p>Updated May 12, 2025: We have updated the content. Thank you for your patience.<\/p>\n<p>Coming soon: <code>ActorInfoString<\/code>, a new audit log field in Microsoft Exchange Online (EXO) designed to improve the accuracy, clarity, and depth of your audit logs.  <code>ActorInfoString<\/code> records the true user agent responsible for each audited event, giving security and compliance teams increased visibility into actions performed in your Exchange Online environment. This update builds on the existing audit schema   by capturing more granular information about clients, devices, and applications involved in audited operations.<\/p>\n<p>[When this will happen:]  <\/p>\n<p>General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late May 2025 and expect to complete by late May 2025.<\/p>\n<p>[How this will affect your organization:]<\/p>\n<p>Once enabled, <code>ActorInfoString<\/code> will appear as a new field in your Exchange Online audit logs, alongside existing fields such as  <code>ClientInfoString<\/code>. This addition provides an unambiguous record of which client, device, or application performed a given operation, supporting better investigation of incidents, improved detection of suspicious activity, and strengthened compliance   reporting. Existing audit schema fields, records, and integrations will remain unchanged, ensuring a seamless transition without service impact or data loss.<\/p>\n<p>After this rollout, change administrators will see these key improvements:<\/p>\n<p>  <\/p>\n<ul>\n<li>Clarity: Easily reveal the true user agent behind every action in your logs.  <\/li>\n<li>Better security: Accelerate investigation and threat detection by tracing the actual source of actions.  <\/li>\n<li>Compliance: Enhance your audit trails to more effectively meet regulatory standards.  <\/li>\n<li>Future-readiness: Prepare your monitoring and log analysis for evolving audit needs.<\/li>\n<\/ul>\n<p>Use the following to find the new field:<\/p>\n<p>1. Access the Audit Logs:  <\/p>\n<ul>\n<li>Go to the Microsoft Purview compliance portal: <a href=\"https:\/\/compliance.microsoft.com\">compliance.microsoft.com<\/a>  <\/li>\n<li>Navigate to Audit &gt; Audit Search  <\/li>\n<\/ul>\n<p>2. Search for Exchange Online Activities:  <\/p>\n<ul>\n<li>Use filters to narrow down to Exchange Online activities.  <\/li>\n<li>You can specify date ranges, users, or specific operations.<\/li>\n<\/ul>\n<p><img decoding=\"async\" style=\"width: 700px;\" src=\"https:\/\/cxcs.microsoft.net\/static\/public\/messagecenter\/neutral\/0e085366-1f93-4148-90c1-cbefbdc1161f\/126d1a97bf544f2c013e56443b04c487905f71db.png\">  <\/p>\n<p>Example of how <code>ActorInfoString<\/code> should appear for admins:<\/p>\n<p><code>ee33-4930-9efd-2b7f2c8183b7\",\"RecordType\" : 50, \u201cResultstatus\" : \"Succeeded\",\"UserKey\":\"1c6b6 ActorInfoString\" : \u201cClient-REST ;Client-RESTSystem;UserAgent-[NoUserAgent] [Appld-1c6b689d-1<\/code><\/p>\n<p>[What you need to do to prepare:]<\/p>\n<p>No action is required before rollout. However, we recommend reviewing your log collection and analysis tools to ensure they are ready to consume the new  <code>ActorInfoString<\/code> field. This update is non-disruptive and will not alter your existing audit data or integrations. We will update this message with official documentation and release notes that will provide additional details and best practices   for leveraging the new field.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1066337 | (Updated) Microsoft Exchange Online: Introducing ActorInfoString in Exchange Online audit logs Cla [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11537","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/11537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=11537"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/11537\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=11537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=11537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=11537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}