Search the audit log in the compliance center

Need to find out whether a user viewed a specific document or purged an item from their mailbox? If so, you can use the Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. Why a unified audit log? Because you can search for the following types of user and admin activity in Microsoft 365:

  • User activity in SharePoint Online and OneDrive for Business

  • User activity in Exchange Online (Exchange mailbox audit logging)

  • Admin activity in SharePoint Online

  • Admin activity in Azure Active Directory (the directory service for Microsoft 365)

  • Admin activity in Exchange Online (Exchange admin audit logging)

  • eDiscovery activities in the security and compliance center

  • User and admin activity in Power BI

  • User and admin activity in Microsoft Teams

  • User and admin activity in Dynamics 365

  • User and admin activity in Yammer

  • User and admin activity in Microsoft Power Automate

  • User and admin activity in Microsoft Stream

  • Analyst and admin activity in Microsoft Workplace Analytics

  • User and admin activity in Microsoft Power Apps

  • User and admin activity in Microsoft Forms

  • User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams

Requirements to search the audit log

Be sure to read the following items before you start searching the audit log.

  • You (or another admin) must first turn on audit logging before you can start searching the audit log. To turn it on, click Turn on auditing on the Audit log search page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search a couple of hours after the preparation is complete. You only have to do this once. For more information, see Turn audit log search on or off.

    Note

    We're in the process of turning on auditing by default. Until then, you can turn it on as previously described.

  • You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Note that global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.

    Important

    If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

  • When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. The length of time that an audit record is retained (and searchable in the audit log) depends on your Office 365 or Microsoft 365 Enterprise subscription, and specifically on the type of license that is assigned to specific users.

    • For users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license), audit records for Azure Active Directory, Exchange, and SharePoint activity are retained for one year by default. Organizations can also create audit log retention policies to retain audit records for activities in other services for up to one year. For more information, see Manage audit log retention policies.

      Note

      If your organization participated in the private preview program for the one-year retention of audit records, the retention duration for audit records that were generated before the general availability rollout date will not be reset.

    • For users assigned any other (non-E5) Office 365 or Microsoft 365 license, audit records are retained for 90 days. For a list of Office 365 and Microsoft 365 subscriptions that support unified audit logging, see the security and compliance center service description.

      Note

      Even when mailbox auditing on by default is turned on, you might notice that mailbox audit events for some users aren't found in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see More information about mailbox audit logging.

  • If you want to turn off audit log search for your organization, you can run the following command in remote PowerShell connected to your Exchange Online organization:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
    

    To turn audit search on again, you can run the following command in Exchange Online PowerShell:

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    

    For more information, see Turn off audit log search.

  • As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, Search-UnifiedAuditLog. That means you can use this cmdlet to search the audit log instead of using the Audit log search page in the Security & Compliance Center. You have to run this cmdlet in remote PowerShell connected to your Exchange Online organization. For more information, see Search-UnifiedAuditLog.

    For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.
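    As an added example (not code from this page or from Microsoft), the following script pages through Search-UnifiedAuditLog using a session, de-duplicates the records, and writes them to a CSV with AuditData left as JSON, respecting the 90-day window and the 5,000-record page size. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs or View-Only Audit Logs role in Exchange Online, and that the output path, operation name and date window are placeholders to adjust.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the page: page through Search-UnifiedAuditLog and
# save the raw records (AuditData left as JSON) to a CSV file.
# Assumes the ExchangeOnlineManagement module is installed and that the signed-in
# account holds the Audit Logs or View-Only Audit Logs role in Exchange Online.

# Placeholders to adjust: output path, operation name and date window.
$OutFile   = 'C:\Temp\UnifiedAuditLog.csv'
$Operation = 'MailboxLogin'        # operation name, as in the Operation column of the export
$EndDate   = (Get-Date).ToUniversalTime()
$StartDate = $EndDate.AddDays(-7)

# The cmdlet accepts a window of at most 90 days; fail early with a clear message.
if (($EndDate - $StartDate).TotalDays -gt 90) {
    throw 'The date range for Search-UnifiedAuditLog cannot exceed 90 days.'
}

Connect-ExchangeOnline -ShowBanner:$false

# A SessionId plus -SessionCommand ReturnLargeSet makes each call return the next
# page (up to the -ResultSize of 5000) of the same result set until it is exhausted.
$sessionId = [guid]::NewGuid().ToString()
$records   = New-Object 'System.Collections.Generic.List[object]'

do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -Operations $Operation -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000
    $pageCount = if ($null -eq $page) { 0 } else { @($page).Count }
    foreach ($r in $page) { $records.Add($r) }
    Write-Host ("Retrieved {0} records so far" -f $records.Count)
} while ($pageCount -eq 5000)

# ReturnLargeSet can hand back the same record in two pages; Identity is unique
# per record, so de-duplicate on it.
$unique = $records | Sort-Object -Property Identity -Unique

# Each record carries ResultCount, the total the search matched. If it exceeds what
# was retrieved, split the window into smaller ranges and search again.
$matched = ($unique | Select-Object -First 1).ResultCount
if ($matched -gt $unique.Count) {
    Write-Warning ("Search matched {0} records but {1} were retrieved; use smaller date ranges." -f $matched, $unique.Count)
}

# The cmdlet names the operation property Operations; the portal export calls it Operation.
$unique | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Disconnect-ExchangeOnline -Confirm:$false
```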

  • If you want to programmatically download data from the audit log, we recommend that you use the Office 365 Management Activity API instead of a PowerShell script. The Office 365 Management Activity API is a REST web service that you can use to develop operations, security, and compliance monitoring solutions for your organization. For more information, see Office 365 Management Activity API reference.

  • It can take from 30 minutes up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Office 365.

    Microsoft 365 service or feature                  30 minutes   24 hours
    Defender for Office 365 and Threat Intelligence   ✓
    Azure Active Directory (user login events)                     ✓
    Azure Active Directory (admin events)                          ✓
    Data Loss Prevention                              ✓
    Dynamics 365 CRM                                  ✓
    eDiscovery                                        ✓
    Exchange Online                                   ✓
    Microsoft Power Automate                          ✓
    Microsoft Project                                 ✓
    Microsoft Stream                                  ✓
    Microsoft Teams                                   ✓
    Power Apps                                        ✓
    Power BI                                          ✓
    Security & Compliance Center                      ✓
    Sensitivity labels                                ✓
    SharePoint Online and OneDrive for Business       ✓
    Workplace Analytics                               ✓
    Yammer                                            ✓
    Microsoft Forms                                   ✓

  • Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.

  • Audit logging for Power BI isn't enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in Power BI admin portal.

Search the audit log

Note

There was an issue with Azure AD activities being unavailable in the audit log search tool from October 22, 2020 to November 6, 2020. These activities include Azure AD user administration activities, group administration activities, application administration activities, role administration activities, and directory administration activities. The missing events for the period of impact will be available over the next few days, and this is expected to be complete no later than November 20, 2020. In some cases, customers might notice duplicate event data for events generated between October 26, 2020 and November 05, 2020.

Here's the process for searching the audit log in Office 365.

Step 1: Run an audit log search

Step 2: View the search results

Step 3: Filter the search results

Step 4: Export the search results to a file

  1. Go to https://protection.office.com.

    Tip

    Use a private browsing session (not a regular session) to access the Security & Compliance Center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.

  2. Sign in using your work or school account.

  3. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.

    The Audit log search page is displayed.

    (Screenshot: Configure the criteria and then click Search to run the report)

    Note

    You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.

  4. Configure the following search criteria:

    1. Activities: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities displays results for all activities performed by the selected user or group of users.

      Over 100 user and admin activities are logged in the audit log. Click the Audited activities tab at the top of this article to see the descriptions of every activity in each of the different services.

    2. Start date and End date: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.

      Tip

      If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.

    3. Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.

    4. File, folder, or site: Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure to type the full URL path; if you type only a portion of the URL, don't include any special characters or spaces.

      Leave this box blank to return entries for all files and folders in your organization.

      Tip

      • If you're looking for all activities related to a site, add the wildcard symbol (*) after the URL to return all entries for that site; for example, "https://contoso-my.sharepoint.com/personal*".

      • If you're looking for all activities related to a file, add the wildcard symbol (*) before the file name to return all entries for that file; for example, "*Customer_Profitability_Sample.csv".

  5. Click Search to run the search using your search criteria.

    The search results are loaded, and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed. A maximum of 5,000 events will be displayed in the Results pane in increments of 150 events. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.

    (Screenshot: The number of results is displayed after the search is finished)

Tips for searching the audit log

  • You can select specific activities to search for by clicking the activity name. Or you can search for all activities in a group (such as File and folder activities) by clicking the group name. If an activity is selected, you can click it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.

    (Screenshot: Click an activity group name to select all activities in the group)

  • You have to select Show results for all activities in the Activities list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, Set-Mailbox) in the Activity column in the results. For more information, click the Audited activities tab in this topic and then click Exchange admin activities.

    Similarly, there are some auditing activities that don't have a corresponding item in the Activities list. If you know the name of the operation for these activities, you can search for all activities, and then filter the results by typing the name of the operation in the box for the Activity column. See Step 3: Filter the search results for more information about filtering the results.

  • Click Clear to clear the current search criteria. The date range returns to the default of the last seven days. You can also click Clear all to show results for all activities to cancel all selected activities.

  • If 5,000 results are found, you can probably assume that there are more than 5,000 events that met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export all of the search results by selecting Export results > Download all results.

Step 2: View the search results

The results of an audit log search are displayed under Results on the Audit log search page. As previously stated, a maximum of 5,000 (newest) events are displayed in increments of 150 events. To display more events, you can use the scroll bar in the Results pane or you can press Shift + End to display the next 150 events.

The results contain the following information about each event returned by the search:

  • Date: The date and time (in UTC format) when the event occurred.

  • IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.

    Note

    For some services, the value displayed in this field might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user, and not the IP address of the device used by the person who performed the activity. Also, for admin activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged and the value displayed in this field is null.

  • User: The user (or service account) who performed the action that triggered the event.

  • Activity: The activity performed by the user. This value corresponds to the activities that you selected in the Activities drop-down list. For an event from the Exchange admin audit log, the value in this column is an Exchange cmdlet.

  • Item: The object that was created or modified as a result of the corresponding activity. For example, the file that was viewed or modified or the user account that was updated. Not all activities have a value in this column.

  • Detail: Additional information about an activity. Again, not all activities have a value.

Tip

Click a column header under Results to sort the results. You can sort the results from A to Z or Z to A. Click the Date header to sort the results from oldest to newest or newest to oldest.

View the details for a specific event

You can view more details about an event by clicking the event record in the list of search results. A Details page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the service in which the event occurred. To display these details, click More information. For descriptions, see Detailed properties in the audit log.

(Screenshot: Click Details to view the detailed properties of the audit log event record)

Step 3: Filter the search results

In addition to sorting, you can also filter the results of an audit log search. This is a great feature that can help you quickly filter the results for a specific user or activity. You can initially create a wide search and then quickly filter the results to see specific events. Then you can narrow the search criteria and rerun the search to return a smaller, more concise set of results.

To filter the results:

  1. Run an audit log search.

  2. When the results are displayed, click Filter results.

    Keyword boxes are displayed under each column header.

  3. Click one of the boxes under a column header and type a word or phrase, depending on the column you're filtering on. The results will dynamically readjust to display the events that match your filter.

    (Screenshot: Type a word in the filter box to display the events that match the filter)

  4. To clear a filter, click the X in the filter box or click Hide filtering.

Tip

To display events from the Exchange admin audit log, type a - (dash) in the Activity filter box. This will display the cmdlet names that are shown in the Activity column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order.

Step 4: Export the search results to a file

You can export the results of an audit log search to a comma-separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multiple properties) into multiple columns.

  1. Run an audit log search, and then revise the search criteria until you have the desired results.

  2. Click Export results and select one of the following options:

    • Save loaded results: Choose this option to export only the entries that are displayed under Results on the Audit log search page. The CSV file that is downloaded contains the same columns (and data) displayed on the page (Date, User, Activity, Item, and Details). An extra column (named More) is included in the CSV file that contains more information from the audit log entry. Because you're exporting the same results that are loaded (and viewable) on the Audit log search page, a maximum of 5,000 entries are exported.

    • Download all results: Choose this option to export all entries from the audit log that meet the search criteria. For a large set of search results, choose this option to download all entries from the audit log in addition to the 5,000 audit records that can be displayed on the Audit log search page. This option downloads the raw data from the audit log to a CSV file, and contains additional information from the audit log entry in a column named AuditData. It may take longer to download the file if you choose this export option because the file may be much larger than the one that's downloaded if you choose the other option.

      Important

      You can download a maximum of 50,000 entries to a CSV file from a single audit log search. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria. To export more than this limit, try using a date range to reduce the number of audit log entries. You might have to run multiple searches with smaller date ranges to export more than 50,000 entries.

  3. After you select an export option, a message is displayed at the bottom of the window that prompts you to open the CSV file, save it to the Downloads folder, or save it to a specific folder.

More information about exporting and viewing audit log search results

  • If you download all search results, the CSV file contains a column named AuditData, which contains additional information about each event. The data in this column consists of a JSON object that contains multiple properties from the audit log record. Each property:value pair in the JSON object is separated by a comma. You can use the JSON transform tool in the Power Query Editor in Excel to split the AuditData column into multiple columns so that each property in the JSON object has its own column. This lets you sort and filter on one or more of these properties. For step-by-step instructions on using the Power Query Editor to transform the JSON object, see Export, configure, and view audit log records.

    After you split the AuditData column, you can filter on the Operations column to display the detailed properties for a specific type of activity.

  • The Download all results option downloads the raw data from the audit log to a CSV file. This file contains different column names (CreationDate, UserIds, Operation, AuditData) than the file that's downloaded if you select the Save loaded results option. The values in the two different CSV files for the same activity may also be different. For example, the activity in the Operation column in the CSV file may have a different value than the "user-friendly" name that's displayed in the Activity column on the Audit log search page; for example, MailboxLogin vs. User signed in to mailbox.

  • When you download all results from a search query that contains events from different services, the AuditData column in the CSV file contains different properties depending on which service the action was performed in. For example, entries from Exchange and Azure AD audit logs include a property named ResultStatus that indicates whether the action was successful. This property isn't included for events in SharePoint. Similarly, SharePoint events have a property that identifies the site URL for file and folder-related activities. To mitigate this behavior, consider using different searches to export the results for activities from a single service.

    For a description of many of the properties that are listed in the AuditData column in the CSV file when you download all results, and the service each one applies to, see Detailed properties in the audit log.
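    As an added example (not the page's own procedure, which uses Power Query), the following PowerShell expands the AuditData JSON of a Download all results CSV into one column per property, makes explicit the properties that a given service does not log (ResultStatus, SiteUrl and ClientIP are assumed property names), and then filters on Operation. The three CSV rows are constructed sample data, not real audit records.

```powershell
# Added example, not from the page: expand the AuditData JSON column of a
# "Download all results" CSV into one column per property, normalise the
# properties that only some services log, and filter on Operation.
# The CSV rows below are constructed sample data, not real audit records.

$sampleCsv = @'
CreationDate,UserIds,Operation,AuditData
2020-11-02T08:15:31Z,adele.vance@contoso.com,MailboxLogin,"{""Operation"":""MailboxLogin"",""ResultStatus"":""Succeeded"",""ClientIP"":""203.0.113.10"",""Workload"":""Exchange""}"
2020-11-02T08:20:02Z,adele.vance@contoso.com,FileAccessed,"{""Operation"":""FileAccessed"",""SiteUrl"":""https://contoso.sharepoint.com/sites/finance"",""ObjectId"":""https://contoso.sharepoint.com/sites/finance/Q3.xlsx"",""ClientIP"":""203.0.113.10"",""Workload"":""SharePoint""}"
2020-11-02T09:01:44Z,admin@contoso.com,Add member to role.,"{""Operation"":""Add member to role."",""ResultStatus"":""Success"",""ClientIP"":null,""Workload"":""AzureActiveDirectory""}"
'@

function Expand-AuditData {
    param([Parameter(Mandatory)][string]$CsvText)
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $detail = $row.AuditData | ConvertFrom-Json
        # One flat object per record: the CSV columns first, then every AuditData property.
        # CreationDate is kept as UTC so sorting is not skewed by the local time zone.
        $flat = [ordered]@{
            CreationDate = [datetime]::Parse($row.CreationDate, [cultureinfo]::InvariantCulture,
                               [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            UserIds      = $row.UserIds
            Operation    = $row.Operation
        }
        foreach ($p in $detail.PSObject.Properties) {
            if (-not $flat.Contains($p.Name)) { $flat[$p.Name] = $p.Value }
        }
        # A property a service does not log is simply absent (or null, as the IP address
        # is for Azure AD admin events); make that explicit so Excel filters behave
        # consistently across workloads. These property names are assumptions.
        foreach ($name in 'ResultStatus', 'SiteUrl', 'ClientIP') {
            if (-not $flat.Contains($name) -or $null -eq $flat[$name]) { $flat[$name] = '(not logged)' }
        }
        [pscustomobject]$flat
    }
}

$events = Expand-AuditData -CsvText $sampleCsv

# The same question the page answers with the Operation filter: show the
# MailboxLogin records together with the properties only Exchange logs.
$events | Where-Object Operation -eq 'MailboxLogin' |
    Select-Object CreationDate, UserIds, ClientIP, ResultStatus | Format-Table -AutoSize

# Export-Csv takes its header from the first object, so properties that appear only
# on later records (ObjectId here) would be dropped; select the union of all names.
$columns = $events | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$events | Select-Object -Property $columns |
    Export-Csv -Path (Join-Path $env:TEMP 'AuditData-expanded.csv') -NoTypeInformation
```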

Audited activities

The tables in this section describe the activities that are audited in Office 365. You can search for these events by searching the audit log in the security and compliance center.

These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the Activities drop-down list and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see Detailed properties in the audit log.

Click one of the following links to go to a specific table.

File and page activities

The following table describes the file and page activities in SharePoint Online and OneDrive for Business.

Friendly name | Operation | Description
Accessed file | FileAccessed | User or system account accesses a file.
(none) | FileAccessedExtended | This is related to the "Accessed file" (FileAccessed) activity. A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period (up to 3 hours). Logging FileAccessedExtended events reduces the number of FileAccessed events that are logged when a file is continually accessed, which cuts the noise of multiple FileAccessed records for what is essentially the same user activity and lets you focus on the initial (and more important) FileAccessed event.
Changed retention label for a file | ComplianceSettingChanged | A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
Changed record status to locked | LockRecord | The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Changed record status to unlocked | UnlockRecord | The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
Checked in file | FileCheckedIn | User checks in a document that they checked out from a document library.
Checked out file | FileCheckedOut | User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file | FileCopied | User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file | FileDeleted | User deletes a document from a site.
Deleted file from recycle bin | FileDeletedFirstStageRecycleBin | User deletes a file from the recycle bin of a site.
Deleted file from second-stage recycle bin | FileDeletedSecondStageRecycleBin | User deletes a file from the second-stage recycle bin of a site.
Deleted file marked as a record | RecordDelete | A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
Detected document sensitivity mismatch | DocumentSensitivityMismatchDetected | User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled Confidential is uploaded to a site labeled General. This event isn't triggered if the document has a lower priority sensitivity label than the sensitivity label applied to the site; for example, a document labeled General uploaded to a site labeled Confidential. For more information about sensitivity label priority, see Label priority (order matters).
Detected malware in file | FileMalwareDetected | SharePoint anti-virus engine detects malware in a file.
Discarded file checkout | FileCheckOutDiscarded | User discards (or undoes) a checked out file. That means any changes they made to the file while it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file | FileDownloaded | User downloads a document from a site.
Modified file | FileModified | User or system account modifies the content or the properties of a document on a site.
(none) | FileModifiedExtended | This is related to the "Modified file" (FileModified) activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period (up to 3 hours). Logging FileModifiedExtended events reduces the number of FileModified events that are logged when a file is continually modified, which cuts the noise of multiple FileModified records for what is essentially the same user activity and lets you focus on the initial (and more important) FileModified event.
Moved file | FileMoved | User moves a document from its current location on a site to a new location.
(none) | FilePreviewed | User previews files on a SharePoint or OneDrive for Business site. These events typically occur in high volumes based on a single activity, such as viewing an image gallery.
Performed search query | SearchQueryPerformed | User or system account performs a search in SharePoint or OneDrive for Business. Some common scenarios where a service account performs a search query include applying eDiscovery holds and retention policies to sites and OneDrive accounts, and auto-applying retention or sensitivity labels to site content.
Recycled all minor versions of file | FileVersionsAllMinorsRecycled | User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled all versions of file | FileVersionsAllRecycled | User deletes all versions from the version history of a file. The deleted versions are moved to the site's recycle bin.
Recycled version of file | FileVersionRecycled | User deletes a version from the version history of a file. The deleted version is moved to the site's recycle bin.
Renamed file | FileRenamed | User renames a document on a site.
Restored file | FileRestored | User restores a document from the recycle bin of a site.
Uploaded file | FileUploaded | User uploads a document to a folder on a site.
Viewed page | PageViewed | User views a page on a site. This doesn't include using a web browser to view files located in a document library.
(none) | PageViewedExtended | This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours). Logging PageViewedExtended events reduces the number of PageViewed events that are logged when a page is continually viewed, which cuts the noise of multiple PageViewed records for what is essentially the same user activity and lets you focus on the initial (and more important) PageViewed event.
View signaled by client | ClientViewSignaled | A user's client (such as a website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. NOTE: Because ClientViewSignaled events are signaled by the client rather than the server, the event may not be logged by the server and therefore may not appear in the audit log. Information in the audit record may also not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
(none) | PagePrefetched | A user's client (such as a website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. When the page content is rendered by the client (as per the user's request), a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.

Frequently asked questions about FileAccessed and FilePreviewed events

Could any non-user activities trigger FilePreviewed audit records that contain a user agent like "OneDriveMpc-Transform_Thumbnail"?

We aren't aware of scenarios where non-user actions generate events like these. User actions like opening a user profile card (by clicking their name or email address in a message in Outlook on the web) would generate similar events.

Are calls to OneDriveMpc-Transform_Thumbnail always intentionally triggered by the user?

No. Similar events can also be logged as a result of browser pre-fetch.

If we see a FilePreviewed event coming from a Microsoft-registered IP address, does that mean that the preview was displayed on the screen of the user's device?

No. The event might have been logged as a result of browser pre-fetch.

Are there scenarios where a user previewing a document generates FileAccessed events?

Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent.

The app@sharepoint user in audit records

In audit records for some file activities (and other SharePoint-related activities), you may notice that the user who performed the activity (identified in the User and UserId fields) is app@sharepoint. This indicates that the "user" who performed the activity was an application. In this case, the application was granted permissions in SharePoint to perform organization-wide actions (such as searching a SharePoint site or OneDrive account) on behalf of a user, admin, or service. This process of giving permissions to an application is called SharePoint App-Only access. It indicates that the authentication presented to SharePoint to perform an action was made by an application instead of a user, which is why the app@sharepoint user is identified in certain audit records. For more information, see Grant access using SharePoint App-Only.

For example, app@sharepoint is often identified as the user for "Performed search query" and "Accessed file" events. That's because an application with SharePoint App-Only access in your organization performs search queries and accesses files when applying retention policies to sites and OneDrive accounts.

Here are a few other scenarios where app@sharepoint may be identified in an audit record as the user who performed an activity:

  • Microsoft 365 Groups. When a user or admin creates a new group, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group. These tasks are performed by an application on behalf of the user who created the group.

  • Microsoft Teams. Similar to Microsoft 365 Groups, audit records are generated for creating a site collection, updating lists, and adding members to a SharePoint group when a team is created.

  • Compliance features. When an admin implements compliance features, such as retention policies, eDiscovery holds, and auto-applying sensitivity labels.

In these and other scenarios, you'll also notice that multiple audit records with app@sharepoint as the specified user were created within a short time frame, often within a few seconds of each other. This also indicates they were probably triggered by the same user-initiated task. Also, the ApplicationDisplayName and EventData fields in the audit record may help you identify the scenario or application that triggered the event.
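The burst pattern just described (many app@sharepoint records within seconds, probably from one user-initiated task) turned into triage logic: an added example, not code from the original page or from Microsoft, that groups app@sharepoint records into time-windowed bursts, labels the operation mix as scan-like or provisioning-like, and links a burst to the nearest preceding interactive record. The window sizes, the ApplicationDisplayName values and the sample records are constructed assumptions.

```python
"""Group app@sharepoint audit records into bursts so application-driven
activity (retention scans, group provisioning) can be told apart from
interactive user activity and, where possible, tied to the user whose
action triggered it."""
from datetime import datetime

APP_USER = "app@sharepoint"

# Operation mixes described for app@sharepoint: search/access during
# retention processing, and site/list/group work during group creation.
COMPLIANCE_SCAN_OPS = {"SearchQueryPerformed", "FileAccessed"}
PROVISIONING_OPS = {"SiteCollectionCreated", "ListUpdated", "AddedToGroup"}


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def classify(operations: set) -> str:
    """Heuristic label for a burst based on the operations it contains."""
    if operations & PROVISIONING_OPS:
        return "group-provisioning-like"
    if operations <= COMPLIANCE_SCAN_OPS:
        return "compliance-scan-like"
    return "other"


def _summarise(cluster: list, preceding, initiator_window: int) -> dict:
    start, end = _ts(cluster[0]), _ts(cluster[-1])
    operations = {r["Operation"] for r in cluster}
    initiator = None
    # Attribute the burst to a person only if their record came shortly before it;
    # a stale interactive record an hour earlier is not evidence of causation.
    if preceding is not None:
        lag = (start - _ts(preceding)).total_seconds()
        if 0 <= lag <= initiator_window:
            initiator = preceding["UserId"]
    return {
        "start": start.isoformat(),
        "end": end.isoformat(),
        "count": len(cluster),
        "operations": sorted(operations),
        "applications": sorted({r.get("ApplicationDisplayName", "") for r in cluster}),
        "pattern": classify(operations),
        "likely_initiator": initiator,
    }


def cluster_app_records(records: list, window_seconds: int = 10,
                        initiator_window: int = 120) -> list:
    """Consecutive app@sharepoint records closer than window_seconds form one
    burst; each burst remembers the last interactive record seen before it."""
    clusters, current = [], []
    preceding = None          # last non-app record seen so far
    cluster_preceding = None  # the non-app record that preceded the open burst
    for rec in sorted(records, key=_ts):
        if rec["UserId"].lower() != APP_USER:
            preceding = rec
            continue
        if current and (_ts(rec) - _ts(current[-1])).total_seconds() > window_seconds:
            clusters.append(_summarise(current, cluster_preceding, initiator_window))
            current = []
        if not current:
            cluster_preceding = preceding
        current.append(rec)
    if current:
        clusters.append(_summarise(current, cluster_preceding, initiator_window))
    return clusters


# Constructed sample records (not real audit data); the ApplicationDisplayName
# values are placeholders.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-15T09:00:00", "UserId": APP_USER, "Operation": "SearchQueryPerformed", "ApplicationDisplayName": "Retention Processor (placeholder)"},
    {"CreationTime": "2024-01-15T09:00:02", "UserId": APP_USER, "Operation": "FileAccessed", "ApplicationDisplayName": "Retention Processor (placeholder)"},
    {"CreationTime": "2024-01-15T09:00:05", "UserId": APP_USER, "Operation": "FileAccessed", "ApplicationDisplayName": "Retention Processor (placeholder)"},
    {"CreationTime": "2024-01-15T10:00:00", "UserId": "alice@contoso.example", "Operation": "Add group."},
    {"CreationTime": "2024-01-15T10:00:03", "UserId": APP_USER, "Operation": "SiteCollectionCreated", "ApplicationDisplayName": "Groups Provisioning (placeholder)"},
    {"CreationTime": "2024-01-15T10:00:04", "UserId": APP_USER, "Operation": "ListUpdated", "ApplicationDisplayName": "Groups Provisioning (placeholder)"},
    {"CreationTime": "2024-01-15T10:00:05", "UserId": APP_USER, "Operation": "AddedToGroup", "ApplicationDisplayName": "Groups Provisioning (placeholder)"},
    {"CreationTime": "2024-01-15T11:00:00", "UserId": APP_USER, "Operation": "FileModified", "ApplicationDisplayName": "Unknown (placeholder)"},
]

if __name__ == "__main__":
    for burst in cluster_app_records(SAMPLE_RECORDS):
        print(burst)
```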

Folder activities

The following table describes the folder activities in SharePoint Online and OneDrive for Business. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name | Operation | Description
Copied folder | FolderCopied | User copies a folder from a site to another location in SharePoint or OneDrive for Business.
Created folder | FolderCreated | User creates a folder on a site.
Deleted folder | FolderDeleted | User deletes a folder from a site.
Deleted folder from recycle bin | FolderDeletedFirstStageRecycleBin | User deletes a folder from the recycle bin on a site.
Deleted folder from second-stage recycle bin | FolderDeletedSecondStageRecycleBin | User deletes a folder from the second-stage recycle bin on a site.
Modified folder | FolderModified | User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.
Moved folder | FolderMoved | User moves a folder to a different location on a site.
Renamed folder | FolderRenamed | User renames a folder on a site.
Restored folder | FolderRestored | User restores a deleted folder from the recycle bin on a site.

SharePoint list activities

The following table describes activities related to users interacting with lists and list items in SharePoint Online. As previously explained, audit records for some SharePoint activities will indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

Friendly name | Operation | Description
Created list | ListCreated | A user created a SharePoint list.
Created list column | ListColumnCreated | A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists.
Created list content type | ListContentTypeCreated | A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists.
Created list item | ListItemCreated | A user created an item in an existing SharePoint list.
Created site column | SiteColumnCreated | A user created a SharePoint site column. A site column is a column that isn't attached to a list. A site column is also a metadata structure that can be used by any list in a given web.
Created site content type | SiteContentTypeCreated | A user created a site content type. A site content type is a content type that's attached to the parent site.
Deleted list | ListDeleted | A user deleted a SharePoint list.
Deleted list column | ListColumnDeleted | A user deleted a SharePoint list column.
Deleted list content type | ListContentTypeDeleted | A user deleted a list content type.
Deleted list item | ListItemDeleted | A user deleted a SharePoint list item.
Deleted site column | SiteColumnDeleted | A user deleted a SharePoint site column.
Deleted site content type | SiteContentTypeDeleted | A user deleted a site content type.
Recycled list item | ListItemRecycled | A user moved a SharePoint list item to the Recycle Bin.
Restored list | ListRestored | A user restored a SharePoint list from the Recycle Bin.
Restored list item | ListItemRestored | A user restored a SharePoint list item from the Recycle Bin.
Updated list | ListUpdated | A user updated a SharePoint list by modifying one or more properties.
Updated list column | ListColumnUpdated | A user updated a SharePoint list column by modifying one or more properties.
Updated list content type | ListContentTypeUpdated | A user updated a list content type by modifying one or more properties.
Updated list item | ListItemUpdated | A user updated a SharePoint list item by modifying one or more properties.
Updated site column | SiteColumnUpdated | A user updated a SharePoint site column by modifying one or more properties.
Updated site content type | SiteContentTypeUpdated | A user updated a site content type by modifying one or more properties.

Sharing and access request activities

The following table describes the user sharing and access request activities in SharePoint Online and OneDrive for Business. For sharing events, the Detail column under Results identifies the name of the user or group the item was shared with and whether that user or group is a member or guest in your organization. For more information, see Use sharing auditing in the audit log.

Note

Users can be either members or guests based on the UserType property of the user object. A member is usually an employee, and a guest is usually a collaborator outside of your organization. When a user accepts a sharing invitation (and isn't already part of your organization), a guest account is created for them in your organization's directory. Once the guest user has an account in your directory, resources may be shared directly with them (without requiring an invitation).

Friendly name | Operation | Description
Added permission level to site collection | PermissionLevelAdded | A permission level was added to a site collection.
Accepted access request | AccessRequestAccepted | An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation | SharingInvitationAccepted | User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Blocked sharing invitation | SharingInvitationBlocked | A sharing invitation sent by a user in your organization was blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because the target user's domain isn't included in the list of allowed domains, or because it is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business.
Created access request | AccessRequestCreated | User requests access to a site, folder, or document they don't have permissions to access.
Created a company shareable link | CompanyLinkCreated | User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can't be used by guests.
Created an anonymous link | AnonymousLinkCreated | User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
Created secure link | SecureLinkCreated | A secure sharing link was created to this item.
Created sharing invitation | SharingInvitationCreated | User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.
Deleted secure link | SecureLinkDeleted | A secure sharing link was deleted.
Denied access request | AccessRequestDenied | An access request to a site, folder, or document was denied.
Removed a company shareable link | CompanyLinkRemoved | User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link | AnonymousLinkRemoved | User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site | SharingSet | User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Updated access request | AccessRequestUpdated | An access request to an item was updated.
Updated an anonymous link | AnonymousLinkUpdated | User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
Updated sharing invitation | SharingInvitationUpdated | An external sharing invitation was updated.
Used an anonymous link | AnonymousLinkUsed | An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address.
Unshared file, folder, or site | SharingRevoked | User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Used a company shareable link | CompanyLinkUsed | User accessed a resource by using a company-wide link.
Used secure link | SecureLinkUsed | A user used a secure link.
User added to secure link | AddedToSecureLink | A user was added to the list of entities who can use a secure sharing link.
User removed from secure link | RemovedFromSecureLink | A user was removed from the list of entities who can use a secure sharing link.
Withdrew sharing invitation | SharingInvitationRevoked | User withdrew a sharing invitation to a resource.

Synchronization activities

The following table lists file synchronization activities in SharePoint Online and OneDrive for Business.

Friendly name | Operation | Description
Allowed computer to sync files | ManagedSyncClientAllowed | User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. For more information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Blocked computer from syncing files | UnmanagedSyncClientBlocked | User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
Downloaded files to computer | FileSyncDownloadedFull | User establishes a sync relationship and successfully downloads files for the first time to their computer from a document library.
Downloaded file changes to computer | FileSyncDownloadedPartial | User successfully downloads any changes to files from a document library. This activity indicates that any changes that were made to files in the document library were downloaded to the user's computer. Only changes were downloaded because the document library was previously downloaded by the user (as indicated by the Downloaded files to computer activity).
Uploaded files to document library | FileSyncUploadedFull | User establishes a sync relationship and successfully uploads files for the first time from their computer to a document library.
Uploaded file changes to document library | FileSyncUploadedPartial | User successfully uploads changes to files on a document library. This event indicates that any changes made to the local version of a file from a document library are successfully uploaded to the document library. Only changes are uploaded because those files were previously uploaded by the user (as indicated by the Uploaded files to document library activity).

Site permissions activities

The following table lists events related to assigning permissions in SharePoint and using groups to give (and revoke) access to sites. As previously explained, audit records for some SharePoint activities indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Added site collection admin | SiteCollectionAdminAdded | Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account (by editing the user profile in the SharePoint admin center or by using the Microsoft 365 admin center). |
| Added user or group to SharePoint group | AddedToGroup | User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event. |
| Broke permission level inheritance | PermissionLevelsInheritanceBroken | An item was changed so that it no longer inherits permission levels from its parent. |
| Broke sharing inheritance | SharingInheritanceBroken | An item was changed so that it no longer inherits sharing permissions from its parent. |
| Created group | GroupAdded | Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file. |
| Deleted group | GroupRemoved | User deletes a group from a site. |
| Modified access request setting | WebRequestAccessModified | The access request settings were modified on a site. |
| Modified 'Members Can Share' setting | WebMembersCanShareModified | The Members Can Share setting was modified on a site. |
| Modified permission level on a site collection | PermissionLevelModified | A permission level was changed on a site collection. |
| Modified site permissions | SitePermissionsModified | Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group. NOTE: This operation has been deprecated in SharePoint Online. To find related events, you can search for other permission-related activities such as Added site collection admin, Added user or group to SharePoint group, Allowed user to create groups, Created group, and Deleted group. |
| Removed permission level from site collection | PermissionLevelRemoved | A permission level was removed from a site collection. |
| Removed site collection admin | SiteCollectionAdminRemoved | Site collection administrator or owner removes a person as a site collection administrator for a site. This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account (by editing the user profile in the SharePoint admin center). To return this activity in the audit log search results, you have to search for all activities. |
| Removed user or group from SharePoint group | RemovedFromGroup | User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event. |
| Requested site admin permissions | SiteAdminChangeRequest | User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites. |
| Restored sharing inheritance | SharingInheritanceReset | A change was made so that an item inherits sharing permissions from its parent. |
| Updated group | GroupUpdated | Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled. |

Site administration activities

The following table lists events that result from site administration tasks in SharePoint Online. As previously explained, audit records for some SharePoint activities indicate that the app@sharepoint user performed the activity on behalf of the user or admin who initiated the action. For more information, see The app@sharepoint user in audit records.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Added allowed data location | AllowedDataLocationAdded | A SharePoint or global administrator added an allowed data location in a multi-geo environment. |
| Added exempt user agent | ExemptUserAgentSet | A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center. |
| Added geo location admin | GeoAdminAdded | A SharePoint or global administrator added a user as a geo admin of a location. |
| Allowed user to create groups | AllowGroupCreationSet | Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site. |
| Canceled site geo move | SiteGeoMoveCancelled | A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online. |
| Changed a sharing policy | SharingPolicyChanged | A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin portal, SharePoint admin portal, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization is logged. The policy that was changed is identified in the ModifiedProperties field in the detailed properties of the event record. |
| Changed device access policy | DeviceAccessPolicyChanged | A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see Control access from unmanaged devices. |
| Changed exempt user agents | CustomizeExemptUsers | A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means that when a user agent you've specified as exempt encounters an InfoPath form, the form is returned as an XML file instead of an entire web page. This makes indexing InfoPath forms faster. |
| Changed network access policy | NetworkAccessPolicyChanged | A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see Control access to SharePoint Online and OneDrive data based on network location. |
| Completed site geo move | SiteGeoMoveCompleted | A site geo move that was scheduled by a global administrator in your organization was successfully completed. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365. |
| Created Sent To connection | SendToConnectionAdded | A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location. |
| Created site collection | SiteCollectionCreated | A SharePoint or global administrator creates a site collection in your SharePoint Online organization, or a user provisions their OneDrive for Business site. |
| Deleted orphaned hub site | HubSiteOrphanHubDeleted | A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it. An orphaned hub is likely caused by the deletion of the original hub site. |
| Deleted Sent To connection | SendToConnectionRemoved | A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center. |
| Deleted site | SiteDeleted | Site administrator deletes a site. |
| Enabled document preview | PreviewModeEnabledSet | Site administrator enables document preview for a site. |
| Enabled legacy workflow | LegacyWorkflowEnabledSet | Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable workflows for the entire organization in the SharePoint admin center. |
| Enabled Office on Demand | OfficeOnDemandSet | Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires a Microsoft 365 subscription that includes full, installed Office applications. |
| Enabled result source for People Searches | PeopleResultsScopeSet | Site administrator creates the result source for People Searches for a site. |
| Enabled RSS feeds | NewsFeedEnabledSet | Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center. |
| Joined site to hub site | HubSiteJoined | A site owner associates their site with a hub site. |
| Registered hub site | HubSiteRegistered | A SharePoint or global administrator creates a hub site. The result is that the site is registered as a hub site. |
| Removed allowed data location | AllowedDataLocationDeleted | A SharePoint or global administrator removed an allowed data location in a multi-geo environment. |
| Removed geo location admin | GeoAdminDeleted | A SharePoint or global administrator removed a user as a geo admin of a location. |
| Renamed site | SiteRenamed | Site administrator or owner renames a site. |
| Scheduled site geo move | SiteGeoMoveScheduled | A SharePoint or global administrator successfully schedules a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365. |
| Set host site | HostSiteSet | A SharePoint or global administrator changes the designated site to host personal or OneDrive for Business sites. |
| Set storage quota for geo location | GeoQuotaAllocated | A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment. |
| Unjoined site from hub site | HubSiteUnjoined | A site owner disassociates their site from a hub site. |
| Unregistered hub site | HubSiteUnregistered | A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site. |

Exchange mailbox activities

The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 90 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see Manage mailbox auditing.

You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Accessed mailbox items | MailItemsAccessed | Messages were read or accessed in a mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages, or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating a compromised email account. For more information, see the "Access to crucial events for investigations" section in Advanced Audit. |
| Added delegate mailbox permissions | AddMailboxPermissions | An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) on another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. |
| Added or removed user with delegate access to calendar folder | UpdateCalendarDelegation | A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. |
| Added permissions to folder | AddFolderPermissions | A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Copied messages to another folder | Copy | A message was copied to another folder. |
| Created mailbox item | Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. |
| Created new inbox rule in Outlook web app | New-InboxRule | A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app. |
| Deleted messages from Deleted Items folder | SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects a message and presses Shift+Delete. |
| Labeled message as a record | ApplyRecordLabel | A message was classified as a record. This occurs when a retention label that classifies content as a record is manually or automatically applied to a message. |
| Moved messages to another folder | Move | A message was moved to another folder. |
| Moved messages to Deleted Items folder | MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. |
| Modified folder permission | UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder. |
| Modified inbox rule from Outlook web app | Set-InboxRule | A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app. |
| Purged messages from the mailbox | HardDelete | A message was purged from the Recoverable Items folder (permanently deleted from the mailbox). |
| Removed delegate mailbox permissions | Remove-MailboxPermission | An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it. |
| Removed permissions from folder | RemoveFolderPermissions | A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. |
| Sent message | Send | A message was sent, replied to, or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. For more information, see the "Access to crucial events for investigations" section in Advanced Audit. |
| Sent message using Send As permissions | SendAs | A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner. |
| Sent message using Send On Behalf permissions | SendOnBehalf | A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. |
| Updated inbox rules from Outlook client | UpdateInboxRules | A mailbox owner or other user with access to the mailbox modified an inbox rule in the Outlook client. |
| Updated message | Update | A message or its properties were changed. |
| User signed in to mailbox | MailboxLogin | The user signed in to their mailbox. |
| Label message as a record | | A user applied a retention label to an email message and that label is configured to mark the item as a record. |
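As an added example that is not part of the original page, the script below triages an export of audit records for the permission- and mailbox-related operations listed in the site permissions and Exchange mailbox tables above (operation names are taken from those tables; the one-JSON-object-per-line layout and the fields Parameters, SiteUrl and TargetUserOrGroupName are assumed to match an exported AuditData column). It escalates the two cases the tables call out: a FullAccess delegate grant, and a SiteCollectionAdminAdded record where an admin granted themselves access to another user's OneDrive.

```python
import json
from collections import Counter

# Operation names come from the tables on this page. The record layout (one JSON
# object per line carrying CreationTime, Workload, Operation, UserId, plus
# Parameters for Exchange cmdlets and SiteUrl / TargetUserOrGroupName for
# SharePoint) is assumed to match an exported AuditData column.
WATCHED = {
    "AddMailboxPermissions": "delegate mailbox permission added",
    "New-InboxRule": "inbox rule created in Outlook web app",
    "Set-InboxRule": "inbox rule modified in Outlook web app",
    "UpdateInboxRules": "inbox rules updated from Outlook client",
    "SiteCollectionAdminAdded": "site collection admin added",
    "HardDelete": "messages purged from Recoverable Items",
}

# Constructed sample export: five records, four of which are watched operations.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-03-01T08:12:04", "Workload": "Exchange",
     "Operation": "AddMailboxPermissions", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "alice@contoso.com"},
                    {"Name": "User", "Value": "bob@contoso.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2021-03-01T08:20:31", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2021-03-01T09:02:10", "Workload": "OneDrive",
     "Operation": "FileSyncDownloadedFull", "UserId": "carol@contoso.com",
     "SiteUrl": "https://contoso-my.sharepoint.com/personal/carol_contoso_com"},
    {"CreationTime": "2021-03-01T09:45:55", "Workload": "OneDrive",
     "Operation": "SiteCollectionAdminAdded", "UserId": "admin@contoso.com",
     "TargetUserOrGroupName": "admin@contoso.com",
     "SiteUrl": "https://contoso-my.sharepoint.com/personal/carol_contoso_com"},
    {"CreationTime": "2021-03-01T10:11:00", "Workload": "Exchange",
     "Operation": "HardDelete", "UserId": "dave@contoso.com"},
])

def load_records(export_text):
    """Parse one JSON AuditData object per non-empty line."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]

def cmdlet_parameters(record):
    """Flatten the Exchange cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def personal_site_token(upn):
    """OneDrive personal-site path segment for a UPN: alice@contoso.com -> alice_contoso_com."""
    return upn.lower().replace("@", "_").replace(".", "_")

def is_self_grant(record):
    """SiteCollectionAdminAdded where the actor made themselves admin of a
    personal (OneDrive) site that is not their own."""
    if record.get("Operation") != "SiteCollectionAdminAdded":
        return False
    actor = record.get("UserId", "")
    site = record.get("SiteUrl", "")
    if not actor or record.get("TargetUserOrGroupName", "").lower() != actor.lower():
        return False
    if "/personal/" not in site:
        return False
    return site.rstrip("/").rsplit("/", 1)[-1].lower() != personal_site_token(actor)

def triage(records):
    """Return one finding per watched record, escalating the two cases above."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in WATCHED:
            continue
        params = cmdlet_parameters(rec)
        detail, severity = WATCHED[op], "review"
        if op == "AddMailboxPermissions":
            detail = (f"{params.get('User')} granted {params.get('AccessRights')} "
                      f"on {params.get('Identity')}")
            if params.get("AccessRights") == "FullAccess":
                severity = "high"
        elif op in ("New-InboxRule", "Set-InboxRule"):
            detail = f"inbox rule '{params.get('Name')}' by {rec.get('UserId')}"
        elif is_self_grant(rec):
            detail = "admin granted themselves site collection admin on another user's OneDrive"
            severity = "high"
        findings.append({"time": rec.get("CreationTime"), "operation": op,
                         "actor": rec.get("UserId"), "severity": severity,
                         "detail": detail})
    return findings

def summarize(findings):
    """Count findings per operation; a useful first pass over a large export."""
    return Counter(f["operation"] for f in findings)

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_EXPORT)):
        print(f"{f['time']}  {f['severity']:<6} {f['operation']:<25} {f['actor']:<18} {f['detail']}")
```

Point `load_records` at a real export (one AuditData JSON object per line) to run the same triage over your own tenant's records.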

User administration activities

The following table lists user administration activities that are logged when an admin adds or changes a user account by using the Microsoft 365 admin center or the Azure management portal.

| Activity | Operation | Description |
| --- | --- | --- |
| Added user | Add user | A user account was created. |
| Changed user license | Change user license | The license assigned to a user was changed. To see which licenses were changed, see the corresponding Updated user activity. |
| Changed user password | Change user password | A user changes their password. Self-service password reset has to be enabled (for all or selected users) in your organization to allow users to reset their password. You can also track self-service password reset activity in Azure Active Directory. For more information, see Reporting options for Azure AD password management. |
| Deleted user | Delete user | A user account was deleted. |
| Reset user password | Reset user password | Administrator resets the password for a user. |
| Set property that forces user to change password | Set force change user password | Administrator set the property that forces a user to change their password the next time the user signs in to Office 365. |
| Set license properties | Set license properties | Administrator modifies the properties of a license assigned to a user. |
| Updated user | Update user | Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in Azure Active Directory Audit Report Events. |

Azure AD group administration activities

The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 group, or when an admin creates a security group by using the Microsoft 365 admin center or the Azure management portal. For more information about groups in Office 365, see View, create, and delete Groups in the Microsoft 365 admin center.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Added group | Add group | A group was created. |
| Added member to group | Add member to group | A member was added to a group. |
| Deleted group | Delete group | A group was deleted. |
| Removed member from group | Remove member from group | A member was removed from a group. |
| Updated group | Update group | A property of a group was changed. |

Application administration activities

The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Azure AD. Any application that relies on Azure AD for authentication must be registered in the directory.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Added delegation entry | Add delegation entry | An authentication permission was created/granted to an application in Azure AD. |
| Added service principal | Add service principal | An application was registered in Azure AD. An application is represented by a service principal in the directory. |
| Added credentials to a service principal | Add service principal credentials | Credentials were added to a service principal in Azure AD. A service principal represents an application in the directory. |
| Removed delegation entry | Remove delegation entry | An authentication permission was removed from an application in Azure AD. |
| Removed a service principal from the directory | Remove service principal | An application was deleted/unregistered from Azure AD. An application is represented by a service principal in the directory. |
| Removed credentials from a service principal | Remove service principal credentials | Credentials were removed from a service principal in Azure AD. A service principal represents an application in the directory. |
| Set delegation entry | Set delegation entry | An authentication permission was updated for an application in Azure AD. |

Role administration activities

The following table lists Azure AD role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Add member to Role | Add role member to role | Added a user to an admin role in Microsoft 365. |
| Removed a user from a directory role | Remove role member from role | Removed a user from an admin role in Microsoft 365. |
| Set company contact information | Set company contact information | Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services. |

Directory administration activities

The following table lists Azure AD directory and domain-related activities that are logged when an administrator manages their organization in the Microsoft 365 admin center or in the Azure management portal.

| Friendly name | Operation | Description |
| --- | --- | --- |
| Added domain to company | Add domain to company | Added a domain to your organization. |
| Added a partner to the directory | Add partner to company | Added a partner (delegated administrator) to your organization. |
| Removed domain from company | Remove domain from company | Removed a domain from your organization. |
| Removed a partner from the directory | Remove partner from company | Removed a partner (delegated administrator) from your organization. |
| Set company information | Set company information | Updated the company information for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services. |
| Set domain authentication | Set domain authentication | Changed the domain authentication setting for your organization. |
| Updated the federation settings for a domain | Set federation settings on domain | Changed the federation (external sharing) settings for your organization. |
| Set password policy | Set password policy | Changed the length and character constraints for user passwords in your organization. |
| Turned on Azure AD sync | Set DirSyncEnabled flag on company | Set the property that enables a directory for Azure AD Sync. |
| Updated domain | Update domain | Updated the settings of a domain in your organization. |
| Verified domain | Verify domain | Verified that your organization is the owner of a domain. |
| Verified email verified domain | Verify email verified domain | Used email verification to verify that your organization is the owner of a domain. |

eDiscovery activities

Content Search and eDiscovery-related activities that are performed in the security and compliance center, or by running the corresponding PowerShell cmdlets, are logged in the audit log. This includes the following activities:

  • Creating and managing eDiscovery cases

  • Creating, starting, and editing Content Searches

  • Performing Content Search actions, such as previewing, exporting, and deleting search results

  • Configuring permissions filtering for Content Search

  • Managing the eDiscovery Administrator role

For a list and detailed description of the eDiscovery activities that are logged, see Search for eDiscovery activities in the audit log.

Note

It takes up to 30 minutes for events that result from the activities listed under eDiscovery activities and Advanced eDiscovery activities in the Activities drop-down list to be displayed in the search results. Conversely, it takes up to 24 hours for the corresponding events from eDiscovery cmdlet activities to appear in the search results.

高级电子数据展示活动Advanced eDiscovery activities

你还可以在审核日志中搜索高级电子数据展示中的活动。有关这些活动的说明,请参阅在审核日志中搜索电子数据展示活动中的“高级电子数据展示活动”部分。You can also search the audit log for activities in Advanced eDiscovery. For a description of these activities, see the "Advanced eDiscovery activities" section in Search for eDiscovery activities in the audit log.

Power BI 活动Power BI activities

可以在审核日志中搜索 Power BI 内的活动。有关 Power BI 活动的信息,请参阅在组织内部使用审核中的“Power BI 审核的活动”部分。You can search the audit log for activities in Power BI. For information about Power BI activities, see the "Activities audited by Power BI" section in Using auditing within your organization.

默认情况下,未启用 Power BI 的审核日志记录。若要在审核日志中搜索 Power BI 活动,则必须在 Power BI 管理门户中启用审核。有关说明,请参阅 Power BI 管理门户中的“审核日志”部分。Audit logging for Power BI isn't enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in Power BI admin portal.

Microsoft 工作区分析活动Microsoft Workplace Analytics activities

工作区分析可让你深入了解整个组织内的组协作方式。下表列出了由在工作区分析中分配有管理员角色或分析员角色的用户执行的活动。分配有管理员角色的用户可以配置隐私设置和系统默认设置,并且可以在工作区分析中准备、上传和验证组织数据。有关详细信息,请参阅工作区分析Workplace Analytics provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Workplace Analytics. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Workplace Analytics. For more information, see Workplace Analytics.

| Friendly name | Operation | Description |
|---|---|---|
| Accessed OData link | AccessedOdataLink | Analyst accessed the OData link for a query. |
| Canceled query | CanceledQuery | Analyst canceled a running query. |
| Created meeting exclusion | MeetingExclusionCreated | Analyst created a meeting exclusion rule. |
| Deleted result | DeletedResult | Analyst deleted a query result. |
| Downloaded report | DownloadedReport | Analyst downloaded a query result file. |
| Executed query | ExecutedQuery | Analyst ran a query. |
| Updated data access setting | UpdatedDataAccessSetting | Admin updated data access settings. |
| Updated privacy setting | UpdatedPrivacySetting | Admin updated privacy settings; for example, minimum group size. |
| Uploaded organization data | UploadedOrgData | Admin uploaded an organizational data file. |
| Viewed Explore | ViewedExplore | Analyst viewed visualizations in one or more Explore page tabs. |

Microsoft Teams activities

You can search the audit log for user and admin activities in Microsoft Teams. Teams is a chat-centered workspace in Office 365. It brings a team's conversations, meetings, files, and notes together into a single place. For descriptions of the Teams activities that are audited, see Search the audit log for events in Microsoft Teams.

Microsoft Teams Healthcare activities

If your organization is using the Patients application in Microsoft Teams, you can search the audit log for activities related to using the Patients app. If your environment is configured to support the Patients app, an additional activity group for these activities is available in the Activities picker list.

(Screenshot: Microsoft Teams Healthcare activities in the Activities picker list)

For a description of the Patients app activities, see Audit logs for Patients app.

Microsoft Teams Shifts activities

If your organization is using the Shifts app in Microsoft Teams, you can search the audit log for activities related to using the Shifts app. If your environment is configured to support the Shifts app, an additional activity group for these activities is available in the Activities picker list.

For a description of Shifts app activities, see Search the audit log for events in Microsoft Teams.

Yammer activities

The following table lists the user and admin activities in Yammer that are logged in the audit log. To return Yammer-related activities from the audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results.

| Friendly name | Operation | Description |
|---|---|---|
| Changed data retention policy | SoftDeleteSettingsUpdated | Verified admin updates the setting for the network data retention policy to either Hard Delete or Soft Delete. Only verified admins can perform this operation. |
| Changed network configuration | NetworkConfigurationUpdated | Network or verified admin changes the Yammer network's configuration. This includes setting the interval for exporting data and enabling chat. |
| Changed network profile settings | ProcessProfileFields | Network or verified admin changes the information that appears on member profiles for network users. |
| Changed private content mode | SupervisorAdminToggled | Verified admin turns Private Content Mode on or off. This mode lets an admin view the posts in private groups and view private messages between individual users (or groups of users). Only verified admins can perform this operation. |
| Changed security configuration | NetworkSecurityConfigurationUpdated | Verified admin updates the Yammer network's security configuration. This includes setting password expiration policies and restrictions on IP addresses. Only verified admins can perform this operation. |
| Created file | FileCreated | User uploads a file. |
| Created group | GroupCreation | User creates a group. |
| Deleted group | GroupDeletion | A group is deleted from Yammer. |
| Deleted message | MessageDeleted | User deletes a message. |
| Downloaded file | FileDownloaded | User downloads a file. |
| Exported data | DataExport | Verified admin exports Yammer network data. Only verified admins can perform this operation. |
| Shared file | FileShared | User shares a file with another user. |
| Suspended network user | NetworkUserSuspended | Network or verified admin suspends (deactivates) a user from Yammer. |
| Suspended user | UserSuspension | User account is suspended (deactivated). |
| Updated file description | FileUpdateDescription | User changes the description of a file. |
| Updated file name | FileUpdateName | User changes the name of a file. |
| Viewed file | FileVisited | User views a file. |

Microsoft Power Automate activities

You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog Microsoft Flow audit events now available in Security & Compliance Center.

Microsoft Power Apps activities

You can search the audit log for app-related activities in Power Apps. These activities include creating, launching, and publishing an app. Assigning permissions to apps is also audited. For a description of all Power Apps activities, see Activity logging for Power Apps.

Microsoft Stream activities

You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in Audit Logs in Microsoft Stream.

Content explorer activities

The following table lists the activities in content explorer that are logged in the audit log. Content explorer is accessed from the Data classification tool in the Microsoft 365 compliance center. For more information, see Using data classification content explorer.

| Friendly name | Operation | Description |
|---|---|---|
| Accessed item | LabelContentExplorerAccessedItem | An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document. |

Quarantine activities

The following table lists the quarantine activities that you can search for in the audit log. For more information about quarantine, see Quarantine email messages in Office 365.

| Friendly name | Operation | Description |
|---|---|---|
| Deleted quarantine message | QuarantineDelete | A user deleted an email message that was deemed to be harmful. |
| Exported quarantine message | QuarantineExport | A user exported an email message that was deemed to be harmful. |
| Previewed quarantine message | QuarantinePreview | A user previewed an email message that was deemed to be harmful. |
| Released quarantine message | QuarantineRelease | A user released from quarantine an email message that was deemed to be harmful. |
| Viewed quarantine message's header | QuarantineViewHeader | A user viewed the header of an email message that was deemed to be harmful. |

Microsoft Forms activities

The following table lists the user and admin activities in Microsoft Forms that are logged in the audit log. Microsoft Forms is a forms/quiz/survey tool used to collect data for analysis.

Where noted below in the descriptions, some operations contain additional activity parameters.

Note

If a Forms activity is performed by a co-author or an anonymous responder, it will be logged slightly differently. For more information, see the Forms activities performed by coauthors and anonymous responders section.

| Friendly name | Operation | Description |
|---|---|---|
| Created comment | CreateComment | Form owner adds a comment or score to a quiz. |
| Created form | CreateForm | Form owner creates a new form. |
| Edited form | EditForm | Form owner edits a form, such as creating, removing, or editing a question. The property EditOperation:string indicates the edit operation name. The possible operations are: CreateQuestion, CreateQuestionChoice, DeleteQuestion, DeleteQuestionChoice, DeleteFormImage, DeleteQuestionImage, UpdateQuestion, UpdateQuestionChoice, UploadFormImage/Bing/Onedrive, UploadQuestionImage, ChangeTheme. FormImage includes any place within Forms where a user can upload an image, such as in a query or as a background theme. |
| Moved form | MoveForm | Form owner moves a form. Property DestinationUserId:string indicates the user ID of the person who moved the form. Property NewFormId:string is the new ID for the newly copied form. |
| Deleted form | DeleteForm | Form owner deletes a form. This includes SoftDelete (delete option used and form moved to recycle bin) and HardDelete (recycle bin is emptied). |
| Viewed form (design time) | ViewForm | Form owner opens an existing form for editing. |
| Previewed form | PreviewForm | Form owner previews a form using the Preview function. |
| Exported form | ExportForm | Form owner exports results to Excel. Property ExportFormat:string indicates whether the Excel file is Download or Online. |
| Allowed share form for copy | AllowShareFormForCopy | Form owner creates a template link to share the form with other users. This event is logged when the form owner clicks to generate the template URL. |
| Disallowed share form for copy | DisallowShareFormForCopy | Form owner deletes the template link. |
| Added form coauthor | AddFormCoauthor | A user uses a collaboration link to help design the form or view responses. This event is logged when a user uses a collaboration URL (not when the collaboration URL is first generated). |
| Removed form coauthor | RemoveFormCoauthor | Form owner deletes a collaboration link. |
| Viewed response page | ViewRuntimeForm | User has opened a response page to view. This event is logged regardless of whether the user submits a response. |
| Created response | CreateResponse | Similar to receiving a new response. A user has submitted a response to a form. Property ResponseId:string and property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Updated response | UpdateResponse | Form owner has updated a comment or score on a quiz. Property ResponseId:string and property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Deleted all responses | DeleteAllResponses | Form owner deletes all response data. |
| Deleted response | DeleteResponse | Form owner deletes one response. Property ResponseId:string indicates the response being deleted. |
| Viewed responses | ViewResponses | Form owner views the aggregated list of responses. Property ViewType:string indicates whether the form owner is viewing Detail or Aggregate data. |
| Viewed response | ViewResponse | Form owner views a particular response. Property ResponseId:string and property ResponderId:string indicate which result is being viewed. For an anonymous responder, the ResponderId property will be null. |
| Created summary link | GetSummaryLink | Form owner creates a summary results link to share results. |
| Deleted summary link | DeleteSummaryLink | Form owner deletes the summary results link. |
| Updated form phishing status | UpdatePhishingStatus | This event is logged whenever the detailed value for the internal security status changes, regardless of whether the final security state changed (for example, the form is now Closed or Opened). This means you may see duplicate events without a final security state change. The possible status values for this event are: Take Down, Take Down by Admin, Admin Unblocked, Auto Blocked, Auto Unblocked, Customer Reported, Reset Customer Reported. |
| Updated user phishing status | UpdateUserPhishingStatus | This event is logged whenever the value of the user security status changes. The value of the user status in the audit record is Confirmed as Phisher when the user created a phishing form that was taken down by the Microsoft Online Safety team. If an admin unblocks the user, the value of the user's status is set to Reset as Normal User. |
| Sent Forms Pro invitation | ProInvitation | User clicks to activate a Pro trial. |
| Updated form setting | UpdateFormSetting | Form owner updates a form setting. Property FormSettingName:string indicates the setting's name and new value. |
| Updated user setting | UpdateUserSetting | Form owner updates a user setting. Property UserSettingName:string indicates the setting's name and new value. |
| Listed forms | ListForms | Form owner is viewing a list of forms. Property ViewType:string indicates which view the form owner is looking at: All Forms, Shared with Me, or Group Forms. |
| Submitted response | SubmitResponse | A user submits a response to a form. Property IsInternalForm:boolean indicates whether the responder is within the same organization as the form owner. |

Forms activities performed by coauthors and anonymous responders

Forms supports collaboration when forms are designed and when analyzing responses. A form collaborator is known as a coauthor. Coauthors can do everything a form owner can do, except delete or move a form. Forms also allows you to create a form that can be responded to anonymously. This means the responder doesn't have to be signed in to your organization to respond to a form.

The following table describes the auditing activities and the information in the audit record for activities performed by coauthors and anonymous responders.

| Activity type | Internal or external user | User ID that's logged | Organization logged in to | Forms user type |
|---|---|---|---|---|
| Coauthoring activities | Internal | UPN | Form owner's org | Coauthor |
| Coauthoring activities | External | UPN | Coauthor's org | Coauthor |
| Coauthoring activities | External | urn:forms:coauthor#a0b1c2d3@forms.office.com (the second part of the ID is a hash, which differs for different users) | Form owner's org | Coauthor |
| Response activities | External | UPN | Responder's org | Responder |
| Response activities | External | urn:forms:external#a0b1c2d3@forms.office.com (the second part of the user ID is a hash, which differs for different users) | Form owner's org | Responder |
| Response activities | Anonymous | urn:forms:anonymous#a0b1c2d3@forms.office.com (the second part of the user ID is a hash, which differs for different users) | Form owner's org | Responder |
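The table above is easy to misread when triaging exported Forms records, so here is an added example (not part of the original article or of Microsoft's tooling) that maps a record's UserId and Operation to the table's row and counts distinct responders by using the per-user hash in urn:forms:* IDs. The set of tenant domains, the list of responder operations, and the sample records are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Operations from the Forms table that a responder (not the owner or a coauthor) performs.
# Assumption of this example: every other operation is design-time or analysis work.
RESPONSE_OPERATIONS = {"ViewRuntimeForm", "CreateResponse", "SubmitResponse"}

# urn:forms:<kind>#<hash>@forms.office.com, the three shapes listed in the table above.
URN_RE = re.compile(
    r"^urn:forms:(coauthor|external|anonymous)#([0-9a-z]+)@forms\.office\.com$", re.I
)
UPN_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass(frozen=True)
class FormsActor:
    forms_user_type: str   # "Coauthor" or "Responder"
    user_scope: str        # "Internal", "External" or "Anonymous"
    org: str               # organization the actor was signed in to, per the table
    actor_key: str         # stable per-user key: lower-cased UPN or the urn hash


def classify_forms_user(user_id: str, operation: str, tenant_domains: set[str]) -> FormsActor:
    """Map the UserId/Operation of one Forms audit record to a row of the table above.

    tenant_domains (the form owner's tenant) is supplied by the caller; the record itself
    does not say whether a UPN is internal or external.
    """
    m = URN_RE.match(user_id)
    if m:
        kind, digest = m.group(1).lower(), m.group(2).lower()
        # All three urn:forms:* forms are logged in the form owner's org.
        if kind == "coauthor":
            return FormsActor("Coauthor", "External", "Form owner's org", digest)
        if kind == "external":
            return FormsActor("Responder", "External", "Form owner's org", digest)
        return FormsActor("Responder", "Anonymous", "Form owner's org", digest)

    m = UPN_RE.match(user_id)
    if not m:
        raise ValueError(f"unrecognised Forms UserId: {user_id!r}")
    key = user_id.lower()
    internal = m.group(1).lower() in {d.lower() for d in tenant_domains}
    if operation in RESPONSE_OPERATIONS:
        # A signed-in responder is logged with a UPN in their own org. The table lists only
        # the external case; treating an internal UPN the same way is this example's assumption.
        return FormsActor("Responder", "Internal" if internal else "External",
                          "Form owner's org" if internal else "Responder's org", key)
    # Design-time or analysis operation by a signed-in account (the owner or a coauthor).
    if internal:
        return FormsActor("Coauthor", "Internal", "Form owner's org", key)
    return FormsActor("Coauthor", "External", "Coauthor's org", key)


def distinct_responders(records: Iterable[dict], tenant_domains: set[str]) -> Counter:
    """Count distinct responders per scope over response activities.

    The hash in a urn:forms:* ID differs per user, so it serves as a per-responder key even
    though an anonymous responder's identity is unknown.
    """
    seen: dict[str, set[str]] = {}
    for rec in records:
        if rec["Operation"] not in RESPONSE_OPERATIONS:
            continue
        actor = classify_forms_user(rec["UserId"], rec["Operation"], tenant_domains)
        seen.setdefault(actor.user_scope, set()).add(actor.actor_key)
    return Counter({scope: len(keys) for scope, keys in seen.items()})


# Constructed sample records (only the two fields used here; hashes are made up).
SAMPLE_RECORDS = [
    {"UserId": "owner@contoso.com", "Operation": "CreateForm"},
    {"UserId": "peer@fabrikam.com", "Operation": "AddFormCoauthor"},
    {"UserId": "urn:forms:coauthor#a0b1c2d3@forms.office.com", "Operation": "EditForm"},
    {"UserId": "guest@fabrikam.com", "Operation": "SubmitResponse"},
    {"UserId": "urn:forms:external#11aa22bb@forms.office.com", "Operation": "SubmitResponse"},
    {"UserId": "urn:forms:anonymous#deadbeef@forms.office.com", "Operation": "ViewRuntimeForm"},
    {"UserId": "urn:forms:anonymous#deadbeef@forms.office.com", "Operation": "SubmitResponse"},
    {"UserId": "urn:forms:anonymous#0badf00d@forms.office.com", "Operation": "SubmitResponse"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Operation"], "->", classify_forms_user(rec["UserId"], rec["Operation"], {"contoso.com"}))
    print(distinct_responders(SAMPLE_RECORDS, {"contoso.com"}))
```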

Sensitivity label activities

The following table lists events that result from labeling activities for SharePoint Online and Teams sites.

| Friendly name | Operation | Description |
|---|---|---|
| Applied sensitivity label to site | SensitivityLabelApplied | A sensitivity label was applied to a SharePoint or Teams site. |
| Removed sensitivity label from site | SensitivityLabelRemoved | A sensitivity label was removed from a SharePoint or Teams site. |
| Applied sensitivity label to file | FileSensitivityLabelApplied | A sensitivity label was applied to a document by using Office on the web or an auto-labeling policy. |
| Changed sensitivity label applied to file | FileSensitivityLabelChanged | A different sensitivity label was applied to a document by using Office on the web or an auto-labeling policy. |
| Removed sensitivity label from file | FileSensitivityLabelRemoved | A sensitivity label was removed from a document by using Office on the web, an auto-labeling policy, or the Unlock-SPOSensitivityLabelEncryptedFile cmdlet. |

Retention policy and retention label activities

| Friendly name | Operation | Description |
|---|---|---|
| Configured settings for a retention policy | NewRetentionComplianceRule | Administrator configured the retention settings for a new retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the New-RetentionComplianceRule cmdlet. |
| Created retention label | NewComplianceTag | Administrator created a new retention label. |
| Created retention policy | NewRetentionCompliancePolicy | Administrator created a new retention policy. |
| Deleted settings from a retention policy | RemoveRetentionComplianceRule | Administrator deleted the configuration settings of a retention policy. Most likely, this activity is logged when an administrator deletes a retention policy or runs the Remove-RetentionComplianceRule cmdlet. |
| Deleted retention label | RemoveComplianceTag | Administrator deleted a retention label. |
| Deleted retention policy | RemoveRetentionCompliancePolicy | Administrator deleted a retention policy. |
| Enabled regulatory record option for retention labels | SetRestrictiveRetentionUI | Administrator ran the Set-RegulatoryComplianceUI cmdlet so that an administrator can then select the UI configuration option for a retention label to mark content as a regulatory record. |
| Updated settings for a retention policy | SetRetentionComplianceRule | Administrator changed the retention settings for an existing retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the Set-RetentionComplianceRule cmdlet. |
| Updated retention label | SetComplianceTag | Administrator updated an existing retention label. |
| Updated retention policy | SetRetentionCompliancePolicy | Administrator updated an existing retention policy. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to. |

Exchange admin audit log

Exchange administrator audit logging (which is enabled by default in Office 365) logs an event in the audit log when an administrator (or a user who has been assigned administrative permissions) makes a change in your Exchange Online organization. Changes made by using the Exchange admin center or by running a cmdlet in Exchange Online PowerShell are logged in the Exchange admin audit log. Cmdlets that begin with the verbs Get-, Search-, or Test- are not logged in the audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.

Important

Some Exchange Online cmdlets aren't logged in the Exchange admin audit log (or in the audit log). Many of these cmdlets are related to maintaining the Exchange Online service and are run by Microsoft datacenter personnel or service accounts. These cmdlets aren't logged because they would result in a large number of "noisy" auditing events. If there's an Exchange Online cmdlet that isn't being audited, please submit a suggestion to the Security & Compliance User Voice forum and request that it is enabled for auditing. You can also submit a design change request (DCR) to Microsoft Support.

Here are some tips for searching for Exchange admin activities when searching the audit log:

  • To return entries from the Exchange admin audit log, you have to select Show results for all activities in the Activities list. Use the date range boxes and the Users list to narrow the search results to cmdlets run by a specific Exchange administrator within a specific date range.

  • To display events from the Exchange admin audit log, filter the search results and type a - (dash) in the Activity filter box. This displays cmdlet names, which are shown in the Activity column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order.

    (Screenshot: Type a dash in the Activity box to filter Exchange admin events)

  • To get information about what cmdlet was run, which parameters and parameter values were used, and what objects were affected, you can export the search results by selecting the Download all results option. For more information, see Export, configure, and view audit log records.

  • You can also use the Search-UnifiedAuditLog -RecordType ExchangeAdmin command in Exchange Online PowerShell to return only audit records from the Exchange admin audit log. It may take up to 30 minutes after an Exchange cmdlet is run for the corresponding audit log entry to be returned in the search results. For more information, see Search-UnifiedAuditLog. For information about exporting the search results returned by the Search-UnifiedAuditLog cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in Export, configure, and view audit log records.

  • You can also view events in the Exchange admin audit log by using the Exchange admin center or by running the Search-AdminAuditLog cmdlet in Exchange Online PowerShell. This is a good way to specifically search for activity performed by Exchange Online administrators. For instructions, see:

    Keep in mind that the same Exchange admin activities are logged in both the Exchange admin audit log and the audit log.
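The tips above (filter on the dash in the Activity column, then export with Download all results to see the cmdlet, its parameters and the affected object) can be applied offline to the exported CSV. The following is an added example, not code from the original article or from Microsoft; it assumes the export has an AuditData column holding each record as JSON, and that Exchange admin records carry Workload, Operation (the cmdlet name), a Parameters list of {Name, Value} pairs and ObjectId. The sample export is constructed.

```python
import csv
import io
import json
from collections import Counter
from dataclasses import dataclass, field

# Cmdlet verbs the article says are never written to the Exchange admin audit log.
UNLOGGED_VERBS = ("Get-", "Search-", "Test-")


@dataclass
class AdminCmdletEvent:
    when: str
    admin: str
    cmdlet: str
    parameters: dict = field(default_factory=dict)
    target: str = ""   # ObjectId: the object the cmdlet changed

    def command_line(self) -> str:
        """Render the event as the cmdlet invocation it records, for reading and diffing."""
        parts = [self.cmdlet]
        for name, value in self.parameters.items():
            text = str(value)
            parts.append(f"-{name} " + (f"'{text}'" if " " in text else text))
        return " ".join(parts)


def parse_exchange_admin_events(csv_text: str) -> list[AdminCmdletEvent]:
    """Keep only Exchange admin cmdlet events from a 'Download all results' CSV.

    Mailbox audit events (for example MailItemsAccessed) share the Exchange workload but
    have friendly-name operations without a dash; the dash is the same test the article's
    Activity-box tip relies on.
    """
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])          # assumption: record JSON lives in AuditData
        operation = data.get("Operation", "")
        if data.get("Workload") != "Exchange" or "-" not in operation:
            continue
        params = {p["Name"]: p["Value"] for p in data.get("Parameters", [])}
        events.append(AdminCmdletEvent(data["CreationTime"], data["UserId"],
                                       operation, params, data.get("ObjectId", "")))
    return events


def cmdlets_per_admin(events: list[AdminCmdletEvent]) -> Counter:
    """Count (admin, cmdlet) pairs: a quick view of who changed what in the date range."""
    return Counter((e.admin, e.cmdlet) for e in events)


def unexpected_verbs(events: list[AdminCmdletEvent]) -> list[str]:
    """Sanity check: Get-/Search-/Test- events should never appear in the admin audit log."""
    return [e.cmdlet for e in events if e.cmdlet.startswith(UNLOGGED_VERBS)]


def build_sample_export() -> str:
    """Constructed sample export (not real data) with the column layout assumed above."""
    records = [
        {"CreationTime": "2021-03-01T10:15:00", "UserId": "admin@contoso.com", "Workload": "Exchange",
         "Operation": "Set-Mailbox", "ObjectId": "alice@contoso.com",
         "Parameters": [{"Name": "Identity", "Value": "alice@contoso.com"},
                        {"Name": "AuditEnabled", "Value": "True"}]},
        {"CreationTime": "2021-03-01T10:20:00", "UserId": "admin@contoso.com", "Workload": "Exchange",
         "Operation": "Set-AdminAuditLogConfig", "ObjectId": "",
         "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "True"}]},
        # Mailbox audit event: Exchange workload but no dash in the operation name.
        {"CreationTime": "2021-03-01T10:25:00", "UserId": "alice@contoso.com", "Workload": "Exchange",
         "Operation": "MailItemsAccessed", "ObjectId": ""},
        # Different workload altogether.
        {"CreationTime": "2021-03-01T10:30:00", "UserId": "bob@contoso.com", "Workload": "SharePoint",
         "Operation": "FileAccessed", "ObjectId": "https://contoso.sharepoint.com/x.docx"},
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for rec in records:
        writer.writerow([rec["CreationTime"], rec["UserId"], rec["Operation"], json.dumps(rec)])
    return out.getvalue()


if __name__ == "__main__":
    evs = parse_exchange_admin_events(build_sample_export())
    for e in evs:
        print(e.when, e.admin, "->", e.command_line(), "on", e.target or "(org)")
    print(cmdlets_per_admin(evs))
```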

Frequently asked questions

Which Microsoft 365 services are currently audited?

The most used services, such as Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Dynamics 365, Defender for Office 365, and Power BI, are audited. See the beginning of this article for the list of audited services.

What activities are audited by the auditing service in Office 365?

See the Audited activities section in this article for a list and description of the activities that are audited.

How long does it take for an audit record to be available after an event has occurred?

Most auditing data is available within 30 minutes, but it may take up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. See the table in the Requirements to search the audit log section of this article, which shows the time it takes for events in the different services to become available.

How long are audit records retained?

As previously explained, audit records for activities performed by users assigned an Office 365 E5 or Microsoft 365 E5 license (or users with a Microsoft 365 E5 add-on license) are retained for one year. For all other subscriptions that support unified audit logging, audit records are retained for 90 days.

Can I access the auditing data programmatically?

Yes. The Office 365 Management Activity API is used to fetch the audit logs programmatically. To get started, see Get started with Office 365 Management APIs.
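As an added example that is not part of the original page, the script below walks the Office 365 Management Activity API end to end from PowerShell: obtain an app-only token, start a subscription for a content type, list the content blobs for a time window (following NextPageUri), and download the records from each blob. It assumes an Azure AD app registration that has been granted and admin-consented the Office 365 Management APIs application permission ActivityFeed.Read; the tenant and client IDs are placeholders, and the Audit.Exchange content type and 12-hour window are illustrative.

```powershell
# Added example, not code from the original page. Assumes an Azure AD app
# registration with the Office 365 Management APIs application permission
# ActivityFeed.Read (admin consented). $tenantId and $clientId are
# placeholders; the content type and time window are illustrative.

$tenantId     = '00000000-0000-0000-0000-000000000000'
$clientId     = '11111111-1111-1111-1111-111111111111'
$clientSecret = Read-Host -Prompt 'App client secret' -AsSecureString
$plainSecret  = [System.Net.NetworkCredential]::new('', $clientSecret).Password

# 1. Client-credentials token for the Management API resource.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $plainSecret
        scope         = 'https://manage.office.com/.default'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$base    = "https://manage.office.com/api/v1.0/$tenantId/activity/feed"

# 2. Start (or confirm) a subscription for the content type you want.
$contentType = 'Audit.Exchange'
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$base/subscriptions/start?contentType=$contentType" | Out-Null

# 3. List content blobs for a window (at most 24 hours per request),
#    following the NextPageUri response header until it is absent.
$fmt       = 'yyyy-MM-ddTHH:mm:ss'
$startTime = (Get-Date).ToUniversalTime().AddHours(-12).ToString($fmt)
$endTime   = (Get-Date).ToUniversalTime().ToString($fmt)
$uri   = "$base/subscriptions/content?contentType=$contentType" +
         "&startTime=$startTime&endTime=$endTime"
$blobs = @()
while ($uri) {
    $resp   = Invoke-WebRequest -Headers $headers -Uri $uri
    $blobs += $resp.Content | ConvertFrom-Json
    $uri    = [string]$resp.Headers['NextPageUri']   # empty when no more pages
}

# 4. Each contentUri returns an array of audit records. The service does
#    not de-duplicate, so de-duplicate on the record's Id field here.
$seen    = [System.Collections.Generic.HashSet[string]]::new()
$records = foreach ($b in $blobs) {
    foreach ($rec in (Invoke-RestMethod -Headers $headers -Uri $b.contentUri)) {
        if ($seen.Add($rec.Id)) { $rec }
    }
}
$records | Select-Object CreationTime, UserId, Operation, ResultStatus, ClientIP |
    Sort-Object CreationTime
```

In a production collector the NextPageUri loop and the per-blob downloads would be driven by a webhook or a scheduler rather than an ad hoc window, and the blob contentUri values expire, so they should be fetched promptly after they are listed.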

Are there other ways to get audit logs besides the security and compliance center or the Office 365 Management Activity API?

No. These are the only two ways to get data from the auditing service.

Do I need to individually enable auditing in each service that I want to capture audit logs for?

In most services, auditing is enabled by default after you initially turn on auditing for your organization (as described in the Requirements to search the audit log section in this article).

Does the auditing service support de-duplication of records?

No. The auditing service pipeline is near real time and therefore can't support de-duplication. Consumers of the data should expect occasional duplicate records and de-duplicate downstream, for example on the record's Id field.

Does auditing data flow across geographies?

No. We currently have auditing pipeline deployments in the NA (North America), EMEA (Europe, Middle East, and Africa), and APAC (Asia Pacific) regions. However, we may flow the data across these regions for load balancing, and only during live-site issues. When we do perform these activities, the data in transit is encrypted.

Is auditing data encrypted?

Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the unified auditing pipeline is deployed. Mailbox data at rest is not encrypted by Exchange. However, service-level encryption encrypts all mailbox data because the Exchange servers in Microsoft datacenters are encrypted with BitLocker. For more information, see Office 365 Encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online.

Mail data in transit is always encrypted.