---
name: Admin Action and Audit Trail Review
description: Review privileged admin actions in the Microsoft Purview audit log to detect unauthorised role changes, policy edits, and agent activity.
---

# Admin Action and Audit Trail Review

> **TL;DR:** This skill reads privileged admin events from the Microsoft Purview audit log, flags role assignments, policy changes, and agent create or delete actions that look unauthorised or anomalous, and produces a ranked review table so you can confirm every sensitive change was approved.

## What the Microsoft Purview audit log records about admin activity

The Microsoft Purview audit log captures administrative operations across Microsoft 365, including Microsoft Entra role assignments, Conditional Access and DLP policy changes, and the creation or deletion of Microsoft 365 Copilot agents. Each event records the actor, target, timestamp, client IP, and workload, giving you a tamper-evident trail of who changed what. This skill inspects that trail to surface privileged change that may bypass your normal approval process.

## When should you run this skill?

- "Show me every Global Administrator or Privileged Role Administrator change in the last 30 days."
- "Did anyone alter a Conditional Access or DLP policy outside a change window?"
- "Who created or deleted a Copilot agent this week, and was it approved?"
- "Investigate suspicious admin activity from an unfamiliar IP address."
- "Prepare an audit pack of privileged changes for our monthly security review."
- "Check whether a recently offboarded admin made any last-minute changes."
- "Find role assignments that were granted and then quickly removed."

## How this skill works, step by step

1. Confirm you hold a read-only audit role (for example Audit Reader) so the review touches no configuration.
2. Define the review window and the privileged operations to inspect, such as role assignment, policy modification, and agent lifecycle events.
3. Query the Microsoft Purview audit log for those operations across Microsoft Entra, security, and Copilot workloads.
4. Normalise each event into actor, action, target, timestamp, client IP, and workload fields.
5. Cross-check each actor against your expected administrator roster and approved change records.
6. Analyse each event for anomaly signals: unusual IP, out-of-hours timing, rapid grant-then-revoke, or actor not on the approved list.
7. Derive a risk score by weighting sensitivity of the action, anomaly signals, and whether approval evidence exists.
8. Rank events from highest to lowest risk and group repeated patterns by actor.
9. Produce the review table and summary, noting events that need follow-up confirmation.
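
The scoring and ranking steps above (4 to 8), carried out as an added Python example that is not part of the skill file or of any Microsoft tooling. It assumes the events were exported as AuditData JSON from Search-UnifiedAuditLog; the sample records, the admin roster, the known egress IPs, the approved change records and the point weights are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed AuditData records in the shape of a Search-UnifiedAuditLog export (values invented).
SAMPLE_AUDITDATA = [
    '{"CreationTime":"2026-05-28T02:14:00","Operation":"Add member to role.","UserId":"admin.priya@contoso","ClientIP":"203.0.113.7","ObjectId":"Global Administrator"}',
    '{"CreationTime":"2026-05-28T02:21:00","Operation":"Remove member from role.","UserId":"admin.priya@contoso","ClientIP":"203.0.113.7","ObjectId":"Global Administrator"}',
    '{"CreationTime":"2026-05-29T10:41:00","Operation":"Modify DLP policy","UserId":"admin.sam@contoso","ClientIP":"198.51.100.22","ObjectId":"Finance-PII-Policy"}',
    '{"CreationTime":"2026-05-30T16:05:00","Operation":"Delete agent","UserId":"svc.copilot@contoso","ClientIP":"192.0.2.51","ObjectId":"HR-Onboarding-Agent"}',
]
# Hypothetical step 5 inputs: admin roster, known egress IPs, approved (actor, target) changes.
APPROVED_ADMINS = {"admin.priya@contoso", "admin.sam@contoso", "svc.copilot@contoso"}
KNOWN_IPS = {"198.51.100.22", "192.0.2.51"}
APPROVED_CHANGES = {("svc.copilot@contoso", "HR-Onboarding-Agent")}
WEIGHTS = {"role": 3, "policy": 2, "agent": 1}  # action sensitivity used in step 7

def normalise(raw):
    """Step 4: reduce one AuditData JSON string to the review fields."""
    d = json.loads(raw)
    return {"when": datetime.fromisoformat(d["CreationTime"]), "actor": d["UserId"],
            "action": d["Operation"].rstrip("."), "target": d["ObjectId"], "ip": d["ClientIP"]}

def revoked_quickly(ev, events, window=timedelta(hours=1)):
    """A role grant followed by a revoke of the same target by the same actor within the window."""
    return ev["action"].startswith("Add member to role") and any(
        o["actor"] == ev["actor"] and o["target"] == ev["target"]
        and o["action"].startswith("Remove member from role")
        and timedelta(0) < o["when"] - ev["when"] <= window for o in events)

def score(ev, events):
    """Steps 6-7: action sensitivity plus points for each anomaly signal that fires."""
    kind = next((k for k in WEIGHTS if k in ev["action"].lower()), "agent")
    signals = [
        (ev["actor"] not in APPROVED_ADMINS, 3),                   # actor not on the roster
        (ev["ip"] not in KNOWN_IPS, 2),                            # unfamiliar client IP
        (not 7 <= ev["when"].hour < 19, 1),                        # out-of-hours (UTC)
        ((ev["actor"], ev["target"]) not in APPROVED_CHANGES, 2),  # no approval evidence
        (revoked_quickly(ev, events), 2),                          # rapid grant-then-revoke
    ]
    return WEIGHTS[kind] + sum(points for hit, points in signals if hit)

def review(raw_records):
    """Step 8: score every event and rank highest risk first."""
    events = [normalise(r) for r in raw_records]
    for ev in events:
        ev["score"] = score(ev, events)
        ev["risk"] = "High" if ev["score"] >= 6 else "Medium" if ev["score"] >= 3 else "Low"
    return sorted(events, key=lambda e: e["score"], reverse=True)
```

`review(SAMPLE_AUDITDATA)` returns the rows of the ranked review table; with these inputs the 02:14 role grant scores highest because it combines an unfamiliar IP, out-of-hours timing, missing approval evidence and a revoke seven minutes later.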

## Output format

The output is a ranked table of privileged admin events followed by a short summary.

| Timestamp (UTC) | Actor | Action | Target | Client IP | Risk |
| --- | --- | --- | --- | --- | --- |
| 2026-05-28 02:14 | `admin.priya@contoso` | Add member to role | Global Administrator | 203.0.113.7 | High |
| 2026-05-29 10:41 | `admin.sam@contoso` | Modify DLP policy | Finance-PII-Policy | 198.51.100.22 | Medium |
| 2026-05-30 16:05 | `svc.copilot@contoso` | Delete agent | HR-Onboarding-Agent | 192.0.2.51 | Low |

Summary highlights:

- Total privileged events reviewed and the count flagged High or Medium risk.
- Actors involved and any not on the approved administrator roster.
- Events lacking matching approval evidence that require follow-up.

## Scope and safety

This skill is read-only by default and makes no changes to roles, policies, agents, or audit configuration. It only inspects existing audit log records.

This skill does NOT:

- Modify, revoke, or reassign any Microsoft Entra role or permission.
- Change Conditional Access, DLP, or any other policy.
- Create, delete, or alter Microsoft 365 Copilot agents.
- Edit, purge, or disable audit log retention or settings.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Purview standard audit log search | Microsoft 365 E3 (or Office 365 E3) |
| Long-term audit retention and high-value crucial events | Microsoft 365 E5 or the Microsoft Purview Audit (Premium) add-on |

### Least-privilege roles

- Audit Reader (read-only access to search the audit log in the Microsoft Purview portal)
- Global Reader (read-only visibility across the tenant) where broader context is needed

### Microsoft Graph permissions (read-only)

This skill is run through the Microsoft Purview portal audit search or PowerShell (Search-UnifiedAuditLog), not Microsoft Graph, so no Graph scopes are required. If you instead pull the same admin events programmatically through the directory audit logs, use:

- `AuditLog.Read.All` — reads Microsoft Entra directory audit events such as role assignments and policy changes

## Sources and compliance

- [Audit log activities](https://learn.microsoft.com/en-us/purview/audit-log-activities)
- [Microsoft Purview Audit solutions overview](https://learn.microsoft.com/en-us/purview/audit-solutions-overview)
- Supports Essential Eight mitigation strategies for restricting administrative privileges and monitoring privileged access, aligned with ISM controls for event logging and review of privileged operations.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
## How to use this skill

1. Get the file. Download or copy the SKILL.md from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host: paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0 by Educ4te.