Microsoft Purview compliance portal: Upcoming Update to Audit Records for Microsoft Purview Role Group Changes

🚨 The Signal: Microsoft Purview audit logs for role group changes will have clearer messages. This improves visibility into who changed what, enhancing security monitoring and incident response for Purview access.

The Impact

Security teams and automated systems are affected, with a low risk of audit data misinterpretation if parsing logic is not updated.

  • Security teams: Enhanced clarity in audit logs for Purview role changes.
  • Automation engineers: Risk of broken scripts if audit log parsing is not updated.
  • Compliance officers: Better audit trail for access control changes.
  • Incident responders: Faster analysis of Purview permission modifications.

The Action

  1. Identify all scripts and automation consuming Microsoft Purview audit logs (RecordType 87, operations GrantPermission, DeletePermission).
  2. Review the updated PreExecutionMessage and PostExecutionMessage fields once available in your environment.
  3. Update parsing logic in scripts and automation to correctly interpret the enhanced message content.
  4. Test updated parsing logic against new audit log formats to ensure data integrity.
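One way to carry out steps 3 and 4, as an added example that is not code from Microsoft or from this page: a triage pass that parses in-scope records and quarantines any whose message fields no longer match the expected pattern, so a format change fails loudly instead of being misread. The record layout, the `LEGACY_PATTERN` regex and all message text are constructed assumptions; only RecordType 87, the two operation names and the two field names come from the page.

```python
import re

# From the page: RecordType 87, these operations, these two message fields.
RECORD_TYPE = 87
OPERATIONS = {"GrantPermission", "DeletePermission"}
MESSAGE_FIELDS = ("PreExecutionMessage", "PostExecutionMessage")

# ASSUMPTION: stand-in for the pattern your current automation expects.
# The real message text is not given on the page; substitute your own.
LEGACY_PATTERN = re.compile(r"^Role group '(?P<group>[^']+)' members: (?P<members>.*)$")

# Constructed sample records (not real Purview output).
SAMPLE = [
    {"Id": "a1", "RecordType": 87, "Operation": "GrantPermission",
     "UserId": "admin@example.test",
     "PreExecutionMessage": "Role group 'Reviewers' members: alice",
     "PostExecutionMessage": "Role group 'Reviewers' members: alice, bob"},
    {"Id": "b2", "RecordType": 87, "Operation": "DeletePermission",
     "UserId": "admin@example.test",  # PreExecutionMessage missing on purpose
     "PostExecutionMessage": "bob was removed from Reviewers by admin"},
    {"Id": "c3", "RecordType": 15, "Operation": "UserLoggedIn"},  # out of scope
]

def triage(records):
    """Return (parsed, drifted) for in-scope role group change records."""
    parsed, drifted = [], []
    for rec in records:
        if rec.get("RecordType") != RECORD_TYPE or rec.get("Operation") not in OPERATIONS:
            continue  # not a Purview role group change
        row = {"Id": rec.get("Id"), "Operation": rec["Operation"], "UserId": rec.get("UserId")}
        unparsed = []
        for field in MESSAGE_FIELDS:
            value = rec.get(field)
            match = LEGACY_PATTERN.match(value) if isinstance(value, str) else None
            if match:
                row[field] = match.groupdict()
            else:
                unparsed.append(field)  # missing, non-string, or new wording
        if unparsed:
            # Keep the raw text for review; never emit a half-parsed row.
            drifted.append({"Id": row["Id"], "Operation": row["Operation"],
                            "Unparsed": unparsed, "Raw": {f: rec.get(f) for f in unparsed}})
        else:
            parsed.append(row)
    return parsed, drifted

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print(f"parsed={len(ok)} drifted={len(bad)}")
    for item in bad:
        print("REVIEW", item)
```

A non-empty drifted list on records collected after the change reaches your tenant is the cue to update the pattern before downstream alerting consumes the output.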

Domain: Purview · Impact: medium · Workload: Microsoft Purview · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898