check before: 2025-05-01
Product:
Exchange, Microsoft 365 admin center, Microsoft 365 Apps, Purview Communication Compliance
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, New feature, Updated message
Links:
Details:
Summary:
Microsoft Exchange Online is introducing a new audit log field, ActorInfoString, to improve audit log accuracy and visibility. Rolling out in late May 2025, this field records the true user agent responsible for each event, aiding security and compliance. No action is required before rollout; existing data remains unchanged.
Details:
Updated May 12, 2025: We have updated the content. Thank you for your patience.
Coming soon: ActorInfoString, a new audit log field in Microsoft Exchange Online (EXO) designed to improve the accuracy, clarity, and depth of your audit logs. ActorInfoString records the true user agent responsible for each audited event, giving security and compliance teams increased visibility into actions performed in your Exchange Online environment. This update builds on the existing audit schema by capturing more granular information about clients, devices, and applications involved in audited operations.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late May 2025 and expect to complete by late May 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-05-02
updated:
2025-05-17
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
Pictures
XXXXXXX ... free basic plan only
summary for non-techies**
Microsoft Exchange Online is introducing a feature called ActorInfoString to its audit logs in May 2025, enhancing the ability to identify the true identity of the "actor" behind each action, which aids in security investigations and compliance reporting without altering existing data.
Direct effects for Operations**
Audit Log Clarity
The introduction of ActorInfoString may lead to confusion if users are not prepared to interpret the new field, potentially resulting in misinterpretation of audit logs.
- roles: Compliance Officer, IT Security Analyst
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/introducing-actorinfostring-in-exchange-online-audit-logs/ba-p/123456
Security Incident Response
Without preparation, security teams may struggle to effectively utilize the new ActorInfoString for incident investigations, delaying response times to potential threats.
- roles: Security Operations Center Analyst, Incident Response Manager
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/introducing-actorinfostring-in-exchange-online-audit-logs/ba-p/123456
Configutation Options**
XXXXXXX ... paid membership only
Data Protection**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-05-17 | MC Last Updated | 05/12/2025 18:43:41 | 2025-05-16T19:13:04Z |
| 2025-05-17 | MC How Affect | Once enabled, ActorInfoString will appear as a new field in your Exchange Online audit logs, alongside existing fields such as ClientInfoString. This addition provides an unambiguous record of which client, device, or application performed a given operation, supporting better investigation of incidents, improved detection of suspicious activity, and strengthened compliance reporting. Existing audit schema fields, records, and integrations will remain unchanged, ensuring a seamless transition without service impact or data loss.
After this rollout, change administrators will see these key improvements: Clarity: Easily reveal the true user agent behind every action in your logs. Better security: Accelerate investigation and threat detection by tracing the actual source of actions. Compliance: Enhance your audit trails to more effectively meet regulatory standards. Future-readiness: Prepare your monitoring and log analysis for evolving audit needs. Use the following to find the new field: 1. Access the Audit Logs: Go to the Microsoft Purview compliance portal: https://compliance.microsoft.com Navigate to Audit > Audit Search 2. Search for Exchange Online Activities: Use filters to narrow down to Exchange Online activities. You can specify date ranges, users, or specific operations. Example of how ActorInfoString should appear for admins: ee33-4930-9efd-2b7f2c8183b7","RecordType" : 50, "Resultstatus" : "Succeeded","UserKey":"1c6b6 ActorInfoString" : "Client-REST ;Client-RESTSystem;UserAgent-[NoUserAgent] [Appld-1c6b689d-1 | Once enabled, ActorInfoString will appear as a new field in your Exchange Online audit logs, alongside existing fields such as ClientInfoString. This addition provides an unambiguous record of which client, device, or application performed a given operation, supporting better investigation of incidents, improved detection of suspicious activity, and strengthened compliance reporting. Existing audit schema fields, records, and integrations will remain unchanged, ensuring a seamless transition without service impact or data loss.
After this rollout, change administrators will see these key improvements: Clarity: Easily reveal the true user agent behind every action in your logs. Better security: Accelerate investigation and threat detection by tracing the actual source of actions. Compliance: Enhance your audit trails to more effectively meet regulatory standards. Future-readiness: Prepare your monitoring and log analysis for evolving audit needs. Use the following to find the new field: 1. Access the Audit Logs: Go to the Microsoft Purview compliance portal: https://compliance.microsoft.com Navigate to Audit > Audit Search 2. Search for Exchange Online Activities: Use filters to narrow down to Exchange Online activities. You can specify date ranges, users, or specific operations. Example of how ActorInfoString should appear for admins: ee33-4930-9efd-2b7f2c8183b7","RecordType" : 50, "Resultstatus" : "Succeeded","UserKey":"1c6b6 ActorInfoString" : "Client-REST ;Client-RESTSystem;UserAgent-[NoUserAgent] [Appld-1c6b689d-1] |
| 2025-05-13 | MC MessageTagNames | New feature, Admin impact | Updated message, New feature, Admin impact |
| 2025-05-13 | MC Summary | Microsoft Exchange Online is introducing the ActorInfoString field in audit logs to improve accuracy and visibility. Rolling out in late May 2025, this field records the true user agent for each audited event, enhancing security, compliance, and investigation capabilities. No action is required before rollout. Existing audit data remains unchanged. | Microsoft Exchange Online is introducing a new audit log field, ActorInfoString, to improve audit log accuracy and visibility. Rolling out in late May 2025, this field records the true user agent responsible for each event, aiding security and compliance. No action is required before rollout; existing data remains unchanged. |
| 2025-05-13 | MC Last Updated | 05/02/2025 00:29:48 | 2025-05-12T18:43:41Z |
| 2025-05-13 | MC Messages | Coming soon: ActorInfoString, a new audit log field in Microsoft Exchange Online (EXO) designed to improve the accuracy, clarity, and depth of your audit logs. ActorInfoString records the true user agent responsible for each audited event, giving security and compliance teams increased visibility into actions performed in your Exchange Online environment. This update builds on the existing audit schema by capturing more granular information about clients, devices, and applications involved in audited operations.
[When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late May 2025 and expect to complete by late May 2025. | Updated May 12, 2025: We have updated the content. Thank you for your patience.
Coming soon: ActorInfoString, a new audit log field in Microsoft Exchange Online (EXO) designed to improve the accuracy, clarity, and depth of your audit logs. ActorInfoString records the true user agent responsible for each audited event, giving security and compliance teams increased visibility into actions performed in your Exchange Online environment. This update builds on the existing audit schema by capturing more granular information about clients, devices, and applications involved in audited operations. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late May 2025 and expect to complete by late May 2025. |
| 2025-05-13 | MC Title | Microsoft Exchange Online: Introducing ActorInfoString in Exchange Online audit logs | (Updated) Microsoft Exchange Online: Introducing ActorInfoString in Exchange Online audit logs |
| 2025-05-13 | MC How Affect | Once enabled, ActorInfoString will appear as a new field in your Exchange Online audit logs, alongside existing fields such as ClientInfoString. This addition provides an unambiguous record of which client, device, or application performed a given operation, supporting better investigation of incidents, improved detection of suspicious activity, and strengthened compliance reporting. Existing audit schema fields, records, and integrations will remain unchanged, ensuring a seamless transition without service impact or data loss.
After this rollout, change administrators will see these key improvements: Clarity: Easily reveal the true user agent behind every action in your logs. Better security: Accelerate investigation and threat detection by tracing the actual source of actions. Compliance: Enhance your audit trails to more effectively meet regulatory standards. Future-readiness: Prepare your monitoring and log analysis for evolving audit needs. Use these instructions to find the new field: Log into the Exchange Online admin center. Go to the Security & Compliance section. Select Audit logs from the menu. In the Audit logs section, look for the ActorInfoString field under the detailed log entries. Example of how ActorInfoString should appear for admins: ee33-4930-9efd-2b7f2c8183b7","RecordType" : 50, "Resultstatus" : "Succeeded","UserKey":"1c6b6 ActorInfoString" : "Client-REST ;Client-RESTSystem;UserAgent-[NoUserAgent] [Appld-1c6b689d-1 | Once enabled, ActorInfoString will appear as a new field in your Exchange Online audit logs, alongside existing fields such as ClientInfoString. This addition provides an unambiguous record of which client, device, or application performed a given operation, supporting better investigation of incidents, improved detection of suspicious activity, and strengthened compliance reporting. Existing audit schema fields, records, and integrations will remain unchanged, ensuring a seamless transition without service impact or data loss.
After this rollout, change administrators will see these key improvements: Clarity: Easily reveal the true user agent behind every action in your logs. Better security: Accelerate investigation and threat detection by tracing the actual source of actions. Compliance: Enhance your audit trails to more effectively meet regulatory standards. Future-readiness: Prepare your monitoring and log analysis for evolving audit needs. Use the following to find the new field: 1. Access the Audit Logs: Go to the Microsoft Purview compliance portal: https://compliance.microsoft.com Navigate to Audit > Audit Search 2. Search for Exchange Online Activities: Use filters to narrow down to Exchange Online activities. You can specify date ranges, users, or specific operations. Example of how ActorInfoString should appear for admins: ee33-4930-9efd-2b7f2c8183b7","RecordType" : 50, "Resultstatus" : "Succeeded","UserKey":"1c6b6 ActorInfoString" : "Client-REST ;Client-RESTSystem;UserAgent-[NoUserAgent] [Appld-1c6b689d-1 |
Last updated 1 week ago
