Audit Vault for M365

Long-term Microsoft 365 Audit Log Retention

A powerful and cost-effective solution to retain and surface your Microsoft 365 audit log records.

Audit Vault Highlights


Retain your Microsoft Teams Audit Log Records


Why Use Audit Vault for M365?

Understanding how Teams is used across the organization can help in optimizing performance and ensuring that resources are being used effectively.

Audit Vault for M365 retains all audit log records from Microsoft Teams so that you can gain insights into team productivity and collaboration patterns and make informed decisions to enhance workplace efficiency. Track Team creation and deletion events. See who attended specific meetings. Review changes to Channel settings.

Maintaining these Microsoft Teams Audit Logs ensures that an organization can meet its legal obligations, protect its assets, and improve its operational efficiency.

  • Audit Teams Creation/Deletion Events.
  • View Attendees of Microsoft Teams Meetings.
  • Oversee all changes to Channel settings.

What type of audit information is retained from Microsoft Teams?

Below is a listing of all the audit properties that Audit Vault for M365 preserves from Microsoft Teams. Run reports to track and review all Teams activity that has happened in your Microsoft 365 environment.

Audit Properties Retained from Microsoft Teams
Property Description
Creation Time: The date and time when the audit event or operation occurred in Microsoft Teams. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of the activity or event that occurred and generated the Microsoft Teams audit log. Examples:
  • AppDeletedFromCatalog
  • AppInstalled
  • AppUninstalled
  • AppUpgraded
  • AppPublishedToCatalog
  • AppUpdatedInCatalog
  • BotAddedToTeam
  • BotRemovedFromTeam
  • ChannelAdded
  • ChannelDeleted
  • ChannelOwnerResponded
  • ChannelSettingChanged
  • ChatCreated
  • ChatRetrieved
  • ChatUpdated
  • ConnectorAdded
  • ConnectorRemoved
  • ConnectorUpdated
  • DeletedAllOrganizationApps
  • FailedValidation
  • InviteeResponded
  • InviteSent
  • MeetingDetail
  • MeetingParticipantDetail
  • MemberAdded
  • MessageHostedContentRead
  • MessageRead
  • MemberRemoved
  • MemberRoleChanged
  • MessageCreatedHasLink
  • MessageCreatedNotification
  • MessageDeleted
  • MessageEditedHasLink
  • MessageHostedContentsListed
  • MessageSent
  • MessageUpdated
  • MessagesExported
  • MessageDeletedNotification
  • MessagesListed
  • MessageUpdatedNotification
  • PerformedCardAction
  • RecordingExported
  • SensitivityLabelApplied
  • SensitivityLabelChanged
  • SensitivityLabelRemoved
  • SharingRestored
  • SubscribedToMessages
  • TabAdded
  • TabRemoved
  • TabUpdated
  • TeamCreated
  • TeamDeleted
  • TeamsTenantSettingChanged
  • TeamsSessionStarted
  • TeamSettingChanged
  • TerminatedSharing
  • TranscriptsExported
User Id: The name of the user that performed the action that generated the Teams Audit Log.
Additional Properties: Stores any new properties from Microsoft Teams Audit Log that are not captured elsewhere.
Application: The application that triggers the account login event from Microsoft Teams, such as Office 15.
Application Id: The GUID that represents the application that is requesting the login. The display name can be looked up via the Microsoft Graph API.
Extra Properties: Any extra properties of the Microsoft Teams event.
Object Id: The ID of the user that triggered the Microsoft Teams audit log event.
Record Type: Stores the Id of the record type for the Teams Audit Log. Examples:
  • 25: Events from Microsoft Teams
  • 57: MicrosoftTeamsAdmin
  • 59: MicrosoftTeamsDevice
  • 60: MicrosoftTeamsAnalytics
  • 73: MicrosoftTeamsShifts
  • 230: TeamsUpdates
Result Status: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Success, Failed or Failure.
Scope: Indicates whether the Teams event was created by a hosted O365 service or an on-premises server.
User Id: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the Microsoft Teams audit record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included.
User Key: An alternative ID for the user identified in the UserId property.
User Type: The type of user that performed the operation that generated the SharePoint Audit Log. See the UserType table for details on the types of users.
  • 0 = Regular
  • 1 = Reserved
  • 2 = Admin
  • 3 = DcAdmin
  • 4 = System
  • 5 = Application
  • 6 = ServicePrincipal
  • 7 = CustomPolicy
  • 8 = SystemPolicy
Version: The version number of the Microsoft Management API that executed the request to retrieve the Microsoft Teams Audit Logs.
Client IP: The IP address of the device that was used when the Teams activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
AAD Group Id: A unique identifier of the group in Azure Active Directory that the message belongs to.
App Access Context: The application context for the user or service principal that performed the action that generated the Microsoft Teams Audit Log.
Action: Used for shared channel events. Stores the action taken by the invitee or the channel owner for a share with team invite.
Add On Guid: A unique identifier for the add-on that generated the Microsoft Teams event.
Add On Name: The name of the add-on that generated the Teams event.
Add On Type: The type of add-on that generated the Microsoft Teams event. Values include:
  1. Microsoft Teams bot
  2. A Microsoft Teams connector
  3. A Microsoft Teams tab
Admin Action Detail: Stores information about Admin actions that caused the generation of the Microsoft Teams Audit record.
App Distribution Mode:
App External Id:
Attendees: A list of names that attended the Microsoft Teams Meeting.
Azure AD App Id: A unique identifier for the Azure AD Application ID that generated the Teams Audit Log.
Channel Guid: A unique identifier for the Teams channel that generated the Teams Audit Log.
Channel Name: The name of the channel that generated the Audit Log.
Channel Type: The type of channel that created the Audit Record. Values include:
  • Standard
  • Private
Chat Name: The name of the chat the message belongs to.
Communication Sub Type: Contains the sub type of the audit log created. Examples include:
  • ScheduledMeeting
  • RecurringMeeting
  • AdHocMeeting
  • ChannelMeeting
Conference Uri: Contains the Conference URI of the Microsoft Teams Audit Log.
Device Id: Contains the ID of the device associated with the Microsoft Teams Audit Log.
Device Information: Contains information about the device associated with the Microsoft Teams Audit Log.
End Time: Stores the time that the Teams meeting ended.
Exchange Id:
Hosted Contents:
ICalUid: The iCalUId returned by the Calendar event resource type in Microsoft Graph is defined as a unique, read-only identifier that is shared by all instances of an event across different calendars.
Invitee: Used for shared channel events. Contains the UPN of the invitee team owner who accepts or declines the invite for a share with team invite.
Is Joined From Lobby: Boolean that indicates if the user has joined from the Teams lobby.
Item Name:
Join Time: Stores the time that the user has joined the Microsoft Teams meeting.
Leave Time: Stores the time that the user has left the Microsoft Teams meeting.
Meeting Detail Id:
Meeting URL: The URL of the meeting that generated the Microsoft Teams Audit Log.
Members: A list of users within a Team that generated the Audit Log.
Message Id: An identifier for a Microsoft Teams chat or channel message.
Message Reaction Type: Stores the type of reaction to a Teams Message. Examples include:
  • heart
  • like
  • laugh
  • surprised
  • wonder
  • fistbump
Message URLs: Present for any URL sent in Teams messages.
Message Version: The version of the message in the Teams Audit Log.
Messages: A collection of chat or channel messages that generated the Teams Audit Log.
Message Size In Bytes: The size of a chat or channel message in bytes with UTF-16 encoding.
Modalities: Stores the different modes used in the Teams meeting. Examples include:
  • Audio
  • Video
  • VideoAppSharing
Modified Properties: Contains the old values of the properties that were changed that caused the generation of the Microsoft Teams Audit log.
Name: Only used for settings events. Name of the setting that changed.
New Value: Only used for settings events. New value of the setting.
Old Value: Only used for settings events. Old value of the setting.
Operation Scope:
Organizer: JSON string that contains information about the Organizer of the Teams meeting. Organizer Id, Recipient Type, User Object Type and Role are all included.
Parent Message Id: The unique Id of the parent message.
Provider Types: Stores the provider type for the Microsoft Teams meeting. Examples include:
  • Teams
  • TeamsForLife
Resource Tenant Id: The unique Id of the tenant where the Teams Audit Log originated from.
Subscription Id: A unique identifier of a Microsoft Graph change notification subscription.
Tab Type: Only used for tab events. The type of tab that generated the Teams Audit Log.
Team Guid: A unique identifier for the Microsoft Team that generated the Audit Entry.
Team Name: The name of the Microsoft Team that caused the Audit Log to be generated.
User Claims: The value for User Claims. Example: AuthenticatedUser;GlobalAdmin
Additional Properties: Stores any Additional Properties not captured elsewhere for the Microsoft Teams Audit Log.


Note: Audit Vault for M365 will only store the values for the properties listed above if they are returned from Microsoft. Some information is present only if it is applicable.