Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Use this information to help you understand how you can use usage logging for the encryption service, Azure Rights Management from Microsoft Purview Information Protection. This encryption service provides additional data protection for your organization's items such as documents and emails, and it can log every request. These requests include:
- When users encrypt items to protect them, and decrypt to read them or remove encryption.
- Actions performed by your administrators to manage the Azure Rights Management service, and actions performed by Microsoft operators to support the service.
You can then use these usage logs to support the following business scenarios:
Analyze for business insights
The logs generated by Azure Rights Management can be imported into a repository of your choice (such as a database, an online analytical processing (OLAP) system, or a map-reduce system) to analyze the information and produce reports. As an example, you could identify who is accessing your encrypted data. You can determine what encrypted data people are accessing, and from what devices and from where. You can find out whether people can successfully read encrypted content. You can also identify which people have read an important document that was encrypted.
Monitor for abuse
Logging information about how the Azure Rights Management service is used is available to you in near-real time, so that you can continuously monitor your company’s use of the service. 99.9% of logs are available within 15 minutes of an initiated action to the service.
For example, you might want to be alerted if there's a sudden increase of people reading encrypted data outside standard working hours, which could indicate that a malicious user is collecting information to sell to competitors. Or, if the same user apparently accesses data from two different IP addresses within a short time frame, which could indicate that a user account has been compromised.
Perform forensic analysis
If you have an information leak, you're likely to be asked who recently accessed specific documents and what information did a suspected person access recently. You can answer these types of questions when you use Azure Rights Management usage logging because people who use encrypted content must always get a Rights Management use license to open items that are encrypted by Azure Rights Management, even if these items are moved by email or copied to USB drives or other storage devices. This means that you can use these logs as a definitive source of information for forensic analysis when you protect your data by using the Azure Rights Management service.
Additional logging options for the Azure Rights Management service:
Logging option | Description |
---|---|
Admin log | Logs administrative tasks for the Azure Rights Management service. For example, if the service is deactivated, when the super user feature is enabled, and when users are delegated admin permissions to the service. For more information, see the PowerShell cmdlet, Get-AipServiceAdminLog. |
Document tracking | Lets users track and revoke their documents that they have encrypted with the Microsoft Purview Information Protection client. Global administrators can also track these documents on behalf of users. For more information, see Track and revoke document access. |
Use the following sections for more information about the usage logging for the Azure Rights Management service.
How to access and use your Azure Rights Management usage logs
Azure Rights Management usage logging is enabled by default for all customers. There's no extra cost for the log storage or for the logging feature functionality.
The Azure Rights Management service writes logs as a series of blobs to an Azure storage account that it automatically creates for your tenant. Each blob contains one or more log records, in W3C extended log format. The blob names are numbers, in the order in which they were created. The How to interpret your Azure Rights Management usage logs section later in this document contains more information about the log contents and their creation.
It can take a while for logs to appear in your storage account after an Azure Rights Management action. Most logs appear within 15 minutes. Usage logs are only available when the "date" field name contains a value of a previous date (in UTC time). Usage logs from the current date aren't available. We recommend that you download the logs to local storage, such as a local folder, a database, or a map-reduce repository.
To download your usage logs, you use the AIPService PowerShell module for Microsoft Purview Information Protection. For installation instructions, see Install the AIPService PowerShell module for the Azure Right Management service.
To download your usage logs by using PowerShell
Start Windows PowerShell with the Run as administrator option and use the Connect-AipService cmdlet to connect to the Azure Rights Management service:
Connect-AipService
Run the following command to download the logs for a specific date:
Get-AipServiceUserLog -Path <location> -fordate <date>
For example, after creating a folder called Logs on your E: drive:
To download logs for a specific date (such as 2/1/2025), run the following command:
Get-AipServiceUserLog -Path E:\Logs -fordate 2/1/2025
To download logs for a date range (such as from 2/1/2025 through 2/14/2025), run the following command:
Get-AipServiceUserLog -Path E:\Logs -fromdate 2/1/2025 –todate 2/14/2025
When you specify the day only, as in our examples, the time is assumed to be 00:00:00 in your local time, and then converted to UTC. When you specify a time with your -fromdate or -todate parameters (for example, -fordate "2/1/2025 15:00:00"), that date and time is converted to UTC. The Get-AipServiceUserLog command then gets the logs for that UTC time period.
You can't specify less than a whole day to download.
By default, this cmdlet uses three threads to download the logs. If you have sufficient network bandwidth and want to decrease the time required to download the logs, use the -NumberOfThreads parameter, which supports a value from 1 through 32. For example, if you run the following command, the cmdlet spawns 10 threads to download the logs: Get-AipServiceUserLog -Path E:\Logs -fromdate 2/1/2025 –todate 2/14/2025 -numberofthreads 10
Tip
You can aggregate all your downloaded log files into a CSV format by using Microsoft’s Log Parser, which is a tool to convert between various well-known log formats. You can also use this tool to convert data to SYSLOG format, or import it into a database. After you have installed the tool, run LogParser.exe /?
for help and information to use this tool.
For example, you might run the following command to import all information into a .log file format: logparser –i:w3c –o:csv "SELECT * INTO AllLogs.csv FROM *.log"
How to interpret your usage logs
Use the following information to help you interpret the Azure Rights Management usage logs.
The log sequence
The Azure Rights Management service writes the logs as a series of blobs.
Each entry in the log has a UTC timestamp. Because the service runs on multiple servers across multiple data centers, sometimes the logs might seem to be out of sequence, even when they're sorted by their timestamp. However, the difference is small and usually within a minute. In most cases, this isn't an issue that would be a problem for log analysis.
The blob format
Each blob is in W3C extended log format. It starts with the following two lines:
#Software: RMS
#Version: 1.1
The first line identifies that these are usage logs from Azure Rights Management. The second line identifies that the rest of the blob follows the version 1.1 specification. We recommend that any applications that parse these logs verify these two lines before continuing to parse the rest of the blob.
The third line enumerates a list of field names that are separated by tabs:
#Fields: date time row-id request-type user-id result correlation-id content-id owner-email issuer template-id file-name date-published c-info c-ip admin-action acting-as-user
Each of the subsequent lines is a log record. The values of the fields are in the same order as the preceding line, and are separated by tabs. Use the following table to interpret the fields.
Field name | W3C data type | Description | Example value |
---|---|---|---|
date | Date | UTC date when the request was served. The source is the local clock on the server that served the request. |
2013-06-25 |
time | Time | UTC time in 24-hour format when the request was served. The source is the local clock on the server that served the request. |
21:59:28 |
row-id | Text | Unique GUID for this log record. If a value isn't present, use the correlation-id value to identify the entry. This value is useful when you aggregate logs or copy logs into another format. |
1c3fe7a9-d9e0-4654-97b7-14fafa72ea63 |
request-type | Name | Name of the RMS API that was requested. | AcquireLicense |
user-id | String | The user who made the request. The value is enclosed in single quotation marks. Calls from an Azure Rights Management tenant key that is managed by you (BYOK) have a value of ", which also applies when the request types are anonymous. |
‘joe@contoso.com’ |
result | String | 'Success' if the request was served successful. The error type in single quotation marks if the request failed. |
'Success' |
correlation-id | Text | GUID that is common between the corresponding client log and server log for a given request. This value can be useful to help troubleshoot client issues. |
cab52088-8925-4371-be34-4b71a3112356 |
content-id | Text | GUID, enclosed in curly braces that identifies the encrypted content (for example, a document). This field has a value only if request-type is AcquireLicense and is blank for all other request types. |
{bb4af47b-cfed-4719-831d-71b98191a4f2} |
owner-email | String | Email address of the owner of the document. This field is blank if the request type is RevokeAccess. |
alice@contoso.com |
issuer | String | Email address of the document issuer. This field is blank if the request type is RevokeAccess. |
alice@contoso.com (or) FederatedEmail.4c1f4d-93bf-00a95fa1e042@contoso.onmicrosoft.com' |
template-id | String | ID of the rights management template used to encrypt the document. This field is blank if the request type is RevokeAccess. |
{6d9371a6-4e2d-4e97-9a38-202233fed26e} |
file-name | String | File name of an encrypted document that is tracked by using the Microsoft Purview Information Protection client. Currently, some files (such as Office documents) display as GUIDs rather than the actual file name. This field is blank if the request type is RevokeAccess. |
TopSecretDocument.docx |
date-published | Date | Date when the document was encrypted. This field is blank if the request type is RevokeAccess. |
2015-10-15T21:37:00 |
c-info | String | Information about the client platform that is making the request. The specific string varies, depending on the application (for example, the operating system or the browser). |
'MSIPC;version=1.0.623.47;AppName=WINWORD.EXE;AppVersion=15.0.4753.1000;AppArch=x86;OSName=Windows;OSVersion=6.1.7601;OSArch=amd64' |
c-ip | Address | IP address of the client that makes the request. | 64.51.202.144 |
admin-action | Bool | Whether an administrator has accessed the document tracking site in Administrator mode. | True |
acting-as-user | String | The email address of the user for whom an administrator is accessing the document tracking site. | 'joe@contoso.com' |
Exceptions for the user-id field
Although the user-id field usually indicates the user who made the request, there are two exceptions where the value doesn't map to a real user:
The value 'microsoftrmsonline@<YourTenantID>.rms.<region>.aadrm.com'.
This indicates a Microsoft 365 service, such as Exchange or SharePoint, is making the request. In the string, <YourTenantID> is the GUID for your tenant and <region> is the region where your tenant is registered. For example, na represents North America, eu represents Europe, and ap represents Asia.
If you're using the Rights Management connector.
Requests from this connector are logged with the service principal name of Aadrm_S-1-7-0, which is automatically generated when you install the Rights Management connector.
Typical request types
There are many request types for the Azure Rights Management service but the following table identifies some of the most typically used request types.
Request type | Description |
---|---|
AcquireLicense | A client from a Windows-based computer is requesting a use license for encrypted content. |
AcquirePreLicense | A client, on behalf of the user, is requesting a use license for encrypted content. |
AcquireTemplates | A call was made to acquire rights management templates based on template IDs |
AcquireTemplateInformation | A call was made to get the IDs of the rights management template from the service. |
AddTemplate | A call is made from an admin portal to add a rights management template. |
AllDocsCsv | A call is made from the document tracking site to download the CSV file from the All Documents page. |
BECreateEndUserLicenseV1 | A call is made from a mobile device to create an end-user license. |
BEGetAllTemplatesV1 | A call is made from a mobile device (back-end) to get all the rights management templates. |
Certify | The client is certifying the user for the consumption and creation of encrypted content. |
FECreateEndUserLicenseV1 | Similar to the AcquireLicense request but from mobile devices. |
FECreatePublishingLicenseV1 | The same as Certify and GetClientLicensorCert combined, from mobile clients. |
FEGetAllTemplates | A call is made, from a mobile device (front-end) to get the rights management templates. |
FindServiceLocationsForUser | A call is made to query for URLs, which is used to call Certify or AcquireLicense. |
GetClientLicensorCert | The client is requesting a publishing certificate (that is later used to encrypt content) from a Windows-based computer. |
GetConfiguration | A PowerShell cmdlet is called to get the configuration of the tenant for the Azure Rights Management service. |
GetConnectorAuthorizations | A call is made from the Rights Management connectors to get their configuration from the cloud. |
GetRecipients | A call is made from the document tracking site to navigate to the list view for a single document. |
GetTenantFunctionalState | An admin portal is checking whether the Azure Rights Management service is activated. |
KeyVaultDecryptRequest | The client is attempting to decrypt the Rights Management encrypted content. Applicable only for a customer-managed tenant key (BYOK) in Azure Key Vault. |
KeyVaultGetKeyInfoRequest | A call is made to verify that the key specified to be used in Azure Key Vault for the Azure Rights Management tenant key is accessible and not already used. |
KeyVaultSignDigest | A call is made when a customer-managed key (BYOK) in Azure Key Vault is used for signing purposes. This is called typically once per AcquireLicence (or FECreateEndUserLicenseV1), Certify, and GetClientLicensorCert (or FECreatePublishingLicenseV1). |
KMSPDecrypt | The client is attempting to decrypt the Rights Management encrypted content. Applicable only for a legacy customer-managed tenant key (BYOK). |
KMSPSignDigest | A call is made when a legacy customer-managed key (BYOK) is used for signing purposes. This is called typically once per AcquireLicence (or FECreateEndUserLicenseV1), Certify, and GetClientLicensorCert (or FECreatePublishingLicenseV1). |
ServerCertify | A call is made from a Rights Management-enabled client (such as SharePoint) to certify the server. |
SetUsageLogFeatureState | A call is made to enable usage logging. |
SetUsageLogStorageAccount | A call is made to specify the location of the Azure Rights Management service logs. |
UpdateTemplate | A call is made from an admin portal to update an existing rights management template. |
Azure Rights Management usage logs and Microsoft Purview auditing
File access and denied events don't include the file name and aren't accessible in the Microsoft Purview unified audit log.
PowerShell reference
After you connect to the Azure Rights Management service, the only PowerShell cmdlet that you need to access your Azure Rights Management usage logging is Get-AipServiceUserLog.
For more information about using PowerShell for the Azure Rights Management service, see Administering the Azure Rights Management service by using PowerShell.