Releases: microsoft/PAX

purview-v1.11.4

04 Jun 21:45

PAX Purview Audit Log Processor v1.11.4

Version 1.11.4 is a small, targeted update. It adds one new column — AgentPromptCount — to the M365 Usage rollup's SessionStats sidecar so dashboards can separate agent-driven prompts from direct Copilot prompts, and it fixes a SharePoint upload failure that prevented larger rollup CSVs (those over 4 MB) from being saved to a SharePoint destination. All other v1.11.3 behavior is preserved, and no switches are added or removed.

What's new in v1.11.4

  • New AgentPromptCount column in the M365 SessionStats sidecar. The M365 Usage SessionStats sidecar now includes an AgentPromptCount column alongside its existing prompt, response, and session counts, reporting how many of a user's prompts on a given day and app surface landed on agent-flagged conversations. This lets the Analytics-Hub M365 Usage Analytics dashboard show an agent-versus-direct prompt split without re-querying the underlying data. The column is placed immediately after PromptCount (widening the sidecar from seven to eight columns), so tools that reference columns by name are unaffected; it is produced automatically on every rollup run, carried through -AppendFile merge runs, and written across all three storage tiers (local CSV, SharePoint, Fabric/OneLake). This rolls the embedded M365 rollup processor from v2.6.0 to v2.6.1; the Copilot rollup processor is unchanged.

  • SharePoint upload fix for larger files. A bug that caused output files larger than 4 MB — most commonly the CopilotInteraction / M365 rollup CSV on real tenants — to fail their SharePoint upload with a 400 (Bad Request) error is fixed. Smaller artifacts in the same destination folder (such as the run log) were unaffected, which made the failure look like a per-file permission or folder problem when it was neither. Large CSVs now upload to SharePoint reliably.


The attached script is the v1.11.4 release build. See the documentation in the repository for full configuration details.

purview-v1.11.3

01 Jun 15:59

PAX Purview Audit Log Processor v1.11.3

Version 1.11.3 refreshes the -IncludeM365Usage rollup pipeline around the current Analytics-Hub M365 Usage Analytics dashboard, hardens resume and remote-destination reliability, and broadens managed-identity host support for cross-tenant App Registration runs. Existing v1.11.2 behavior is preserved for runs that do not use -IncludeM365Usage rollups, and no switch surface is added or removed.

What's new in v1.11.3

  • Refreshed M365 Usage bundle and rollup processor. The -IncludeM365Usage activity bundle is trimmed from ~100 operations to a curated 22-operation set (Exchange mail access, SharePoint/OneDrive file access, Teams chat/messaging, Teams meeting lifecycle, and Copilot/Connected-AI signals) matching what the Analytics-Hub M365 Usage Analytics dashboard consumes; removed operations remain available via -ActivityTypes. The embedded M365 Bundle Explosion processor is refreshed: the Rollup grows from 9 to 14 columns (ItemsAccessedCount plus AgentId, AgentName, ContextType, IsAgentInteraction), the UserStats sidecar widens from 27 to 66 columns (original 27 retained verbatim; 39 new per-app rolling-window raw counts and Copilot-Engaged-User ranks appended), and a new fourth output — the SessionStats sidecar — surfaces per-user/-date/-app-surface session, prompt, response, and agent-session counts derived from the underlying CopilotInteraction records. UserStats CECopilotPercentile columns are now derived from the SessionStats prompt-count signal, aligning with the AI in One report definition. -AppendFile additively merges the SessionStats sidecar across runs alongside the existing Rollup merge.

  • Intake-stage identity filtering and operation canonicalization. Both the M365 and Copilot (CopilotInteraction-only) rollup processors now drop non-human UserId rows at intake (application identities, service-principal GUIDs, compliance-bot signatures) so the Rollups and sidecars carry only human end-user activity. The M365 processor canonicalizes three workload-equivalent operation names in the Rollup (FileViewed → FileAccessed, MeetingParticipantJoined → MeetingParticipantDetail, ConnectedAIAppInteraction → AIAppInteraction) to avoid double-counting. The raw per-activity-type CSV is unchanged — filtering and canonicalization are local to the rollup and sidecars. The redundant DSPM-for-AI informational prompt is auto-suppressed on -IncludeM365Usage runs that do not explicitly request AIAppInteraction.

  • Resume, destination, and managed-identity hardening. Two -Resume data-loss conditions are fixed (a date-window off-by-one when resuming on hosts ahead of UTC, and a this-run partition shard that could be dropped from the streaming merge). The Fabric/OneLake destination path now accepts the lakehouse-root URL form and reliably creates nested upload folders. Purview query submission is made culture-invariant (resolving HTTP 500 failures from non-en-US hosts such as Danish and Finnish). SharePoint output no longer creates a duplicate percent-encoded folder when the destination name contains a space. The managed-identity host guard now also accepts -Auth AppRegistration with bound credentials, unblocking Azure-hosted runs that authenticate into a different tenant with explicit App Registration credentials.


The attached script is the v1.11.3 release build. See the documentation in the repository for full configuration details.

purview-v1.11.2

18 May 03:34

Release Notes: v1.11.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

v1.11.2

Version 1.11.2 redesigns the output destination model around symmetric per-data-type switch pairs, extends cross-run append/merge to every data stream PAX produces, and introduces Microsoft Fabric Lakehouse Delta-table output. Existing v1.11.1 behavior is preserved when none of the new switches are used.

Unified Per-Data-Type Destination Model

A symmetric -OutputPath* / -Append* switch pair is provided for each output stream — Purview audit (-OutputPath / -AppendFile), EntraUsers / MAC licensing (-OutputPathUserInfo / -AppendUserInfo), Microsoft Agent 365 catalog (-OutputPathAgent365Info / -AppendAgent365Info), and run log (-OutputPathLog). Storage tier is inferred from each path's form: drive-rooted absolute paths resolve to Local, https://...sharepoint.com/... URLs resolve to SharePoint, and https://...onelake.dfs.fabric.microsoft.com/...Lakehouse/... URLs resolve to Fabric. UNC paths are rejected on every destination switch, and every destination supplied to a single run must resolve to the same storage tier. The legacy -OutputPathSP and -OutputPathFabric switches are removed — express remote destinations via any -OutputPath* value whose form is a SharePoint or OneLake URL.
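
The tier-inference rules described above, sketched as an added PowerShell example (not code from the PAX script). The function names Resolve-StorageTier and Assert-SingleStorageTier, the matching patterns, and the contoso / fileserver sample values are assumptions made for illustration.

```powershell
# Added illustration; not taken from the PAX script. Function names and the
# matching rules below are assumptions derived from the release-note wording.
function Resolve-StorageTier {
    param([Parameter(Mandatory)][string]$Path)

    # UNC forms (\\server\share or //server/share) are rejected outright.
    if ($Path -match '^(\\\\|//)') {
        throw "UNC path rejected: $Path"
    }
    # Drive-rooted absolute path, e.g. D:\PAX\out
    if ($Path -match '^[A-Za-z]:[\\/]') {
        return 'Local'
    }
    # Remote forms: parse the URL and compare the host, rather than searching
    # the whole string, so a look-alike path segment cannot select a tier.
    $uri = $null
    if ([System.Uri]::TryCreate($Path, [System.UriKind]::Absolute, [ref]$uri) -and
        $uri.Scheme -eq 'https') {
        $uriHost = $uri.Host.ToLowerInvariant()
        if ($uriHost.EndsWith('.sharepoint.com')) { return 'SharePoint' }
        $isOneLake = ($uriHost -eq 'onelake.dfs.fabric.microsoft.com') -or
                     $uriHost.EndsWith('.onelake.dfs.fabric.microsoft.com')
        if ($isOneLake -and $uri.AbsolutePath -match 'Lakehouse(/|$)') { return 'Fabric' }
    }
    throw "Destination form not recognized: $Path"
}

function Assert-SingleStorageTier {
    # $Destinations maps a destination switch name to the value supplied for it.
    param([Parameter(Mandatory)][hashtable]$Destinations)

    $resolved = foreach ($name in $Destinations.Keys) {
        [pscustomobject]@{
            Parameter = $name
            Tier      = (Resolve-StorageTier -Path $Destinations[$name])
        }
    }
    $tiers = @($resolved | Select-Object -ExpandProperty Tier -Unique)
    if ($tiers.Count -gt 1) {
        $detail = ($resolved | ForEach-Object { "-$($_.Parameter) => $($_.Tier)" }) -join '; '
        throw "Destinations resolve to different storage tiers: $detail"
    }
    return $tiers[0]
}

# Constructed sample runs (contoso and fileserver are placeholder names).
$cases = [ordered]@{
    'all SharePoint' = @{
        OutputPath    = 'https://contoso.sharepoint.com/sites/audit/PAX'
        OutputPathLog = 'https://contoso.sharepoint.com/sites/audit/PAX/logs'
    }
    'mixed tiers' = @{
        OutputPath         = 'https://onelake.dfs.fabric.microsoft.com/Analytics/PAX.Lakehouse/Files/out'
        OutputPathUserInfo = 'D:\PAX\users'
    }
    'UNC log path' = @{
        OutputPath    = 'D:\PAX\out'
        OutputPathLog = '\\fileserver\logs\pax'
    }
}
foreach ($label in $cases.Keys) {
    try {
        $tier = Assert-SingleStorageTier -Destinations $cases[$label]
        Write-Output "$label : accepted, tier = $tier"
    } catch {
        Write-Output "$label : rejected, $($_.Exception.Message)"
    }
}
```

Only the first constructed run is accepted; the other two fail before any output is written, which is the pre-flight behavior the paragraph describes.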

Per-Dimension Append and Cross-Run Merge for All Outputs

-AppendFile now works across all rollup modes (-Rollup, -RollupPlusRaw) on all three storage tiers. Two new switches — -AppendUserInfo and -AppendAgent365Info — extend the same union-merge contract to the EntraUsers and Agent 365 catalog outputs respectively. Every append-mode run emits a standard Retained / New / Departed / Union merge tally for each merged stream; the merge is union-only — rows are never dropped from the target. Departed rows are kept in the merged file with In_Latest_Append=FALSE. Three provenance columns (Date_Added, Latest_Append_Date, In_Latest_Append) are appended to any merged file so analysts can see when each row first appeared and whether it was present in the most recent run. The CopilotInteraction rollup Fact CSV additionally gains two raw identity columns (Message_Id_Raw, ThreadId_Raw) so per-run integer surrogate keys remain stable across appends.

Microsoft Fabric Lakehouse Delta-Table Output

When any -OutputPath* value resolves to a Fabric OneLake URL, customer-visible outputs are written as Delta tables under the Lakehouse Tables/ namespace — queryable directly from the Fabric SQL endpoint and consumable by Direct Lake Power BI semantic models. Table names are evergreen (CSV basename with the _YYYYMMDD_HHMMSS run-timestamp stripped), so the same table is overwritten run after run while CSV filenames continue to carry the timestamp suffix. Schema evolution is automatic via schema_mode='merge' so dynamic -ExplodeDeep columns are absorbed as new nullable columns on subsequent appends; mode mismatches across runs into the same target table are rejected at pre-flight. The deltalake>=0.15 Python package is auto-installed on first use, mirroring the existing orjson install pattern. Resume artifacts are mirrored to durable OneLake storage at <Lakehouse>/Files/.pax_resume/<RunTimestamp>/ so resume survives ephemeral container restarts.

Operational Hardening for Noninteractive Hosts

A new noninteractive-host detector and a bootstrap-log infrastructure layer harden PAX for execution inside Azure Container Apps Jobs, Windows services, scheduled tasks, and CI runners. The bootstrap log opens at the first executable line of the script body so pre-flight failures leave a readable log file behind; at log finalization the bootstrap content migrates into the final resolved log path.

Fabric / ACA Deployment Helpers (fabric_resources/)

A new top-level fabric_resources/ folder ships two supported Fabric on-ramps and the shared prereqs script: a top-level overview / path decision guide, a Path A local-run README (laptop, on-prem server, or Azure VM with managed identity), a Path B Dockerfile and ACA Job deploy helper (with the mandatory Azure Files mount for the bootstrap-log volume), a shared scope-grant script, and a compatibility matrix.

Switch Surface Simplification

Alongside the new features above, v1.11.2 includes a focused streamlining pass that retires several optional features whose real-world adoption was narrow but whose code paths added a disproportionate amount of script complexity, test surface, and documentation overhead. Sharpening PAX around the workflows the majority of customers actually run leaves a smaller, more readable codebase and frees subsequent versions to land core improvements faster. Retired feature areas include the DSPM-for-AI activity-set helper, the in-script schema-explosion modes, native Excel workbook output, offline replay mode, the Microsoft Agent 365 catalog enrichment, and the separate remote-destination switches (now folded into a single tier-inferring -OutputPath). See Switch Surface Simplification (v1.11.2) for the per-feature replacement path and rationale. The legacy C:\Temp\ default on -OutputPath is also removed — -OutputPath is required for normal runs and may be omitted only when -OnlyUserInfo is used (in which case -OutputPathUserInfo carries the EntraUsers destination).

v1.11.1

Version 1.11.1 is a large functional release. It introduces three flagship capabilities — the -Rollup / -RollupPlusRaw post-processor, Microsoft Agent 365 catalog enrichment, and remote output destinations (SharePoint and Microsoft Fabric / OneLake) — alongside a new ManagedIdentity auth mode for Azure-hosted unattended runs and major reliability and authentication hardening. Existing Purview audit-log processing behavior is unchanged when none of the new switches are used.

Rollup Post-Processor (-Rollup / -RollupPlusRaw)

The new -Rollup and -RollupPlusRaw switches turn PAX into an end-to-end pipeline: as soon as the audit export succeeds, an embedded Python post-processor runs against the raw CSV(s) and emits rolled-up CSVs shaped specifically for the Microsoft Copilot Growth ROI Advisory Team's Power BI templates published at https://github.com/microsoft/Analytics-Hub. This collapses what was previously a multi-step, manual hand-off (run PAX → locate raw CSV → run a separate Python script → load into Power BI) into a single command line.

Highlights:

  • Two switches, one pipeline. -Rollup deletes the raw CSV(s) on processor success (only the rollup output remains); -RollupPlusRaw keeps the raw CSV(s) alongside the rollup output. Mutually exclusive.
  • Auto-selected processor based on the audit run's shape.
    • CopilotInteraction-only run → embedded Purview_CopilotInteraction_Processor v3.0.0. -IncludeUserInfo is auto-enabled because this processor consumes both the Purview CSV and the Entra users CSV. Target Analytics-Hub dashboards: AI-in-One and AI Business Value.
    • -IncludeM365Usage run → embedded Purview_M365_Usage_Bundle_Explosion_Processor v2.1.0. -CombineOutput is auto-enabled so a single combined Purview CSV is fed to the processor. Target Analytics-Hub dashboard: M365 Usage Analytics.
  • Single-file distribution preserved. Both Python sources are embedded byte-for-byte inside the .ps1. At runtime the selected source is materialized into .pax_incremental\PAX_<Label>_<RunTimestamp>.py, executed, and reaped by the function's finally block plus an end-of-run safety-net sweep. No external Python files to ship or maintain.
  • Zero-friction Python bootstrap. PAX auto-detects Python 3.10+ on PATH (python → py -3.13/-3.12/-3.11/-3.10 → python3). If none is found it attempts a per-user silent install of Python 3.13 via winget (Python.Python.3.13), falling back to the python.org offline installer. orjson is installed best-effort for ~5–10× faster JSON parsing; both processors fall back to stdlib json on import failure.
  • Best-effort, non-destructive failure semantics. A non-zero processor exit code logs an error and keeps the raw outputs (regardless of -Rollup vs -RollupPlusRaw); the raw CSV(s) already on disk remain the canonical successful artifact. The audit run is never marked failed because of a rollup failure.
  • Resume-safe. The checkpoint snapshot persists rollupMode (None / Rollup / RollupPlusRaw) and processorMode (None / CopilotInteraction / M365Bundle). On -Resume, the original rollup intent is restored automatically; if the resume command line passes a rollup switch explicitly, last-write-wins (override logged in yellow).
  • Agent 365 companion file is always retained. -Rollup is compatible with -IncludeAgent365Info and never deletes the Agent365_<timestamp>.csv — Analytics-Hub dashboards consume it as a companion input alongside the rollup output.

Scope reminder. The rollup outputs exist solely to feed the Microsoft Copilot Growth ROI Advisory Team's Power BI templates at <https://github.com/microsoft...


purview-v1.11.1

12 May 03:12

Release Notes: v1.11.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

v1.11.1

Version 1.11.1 is a large functional release. It introduces three flagship capabilities — the -Rollup / -RollupPlusRaw post-processor, Microsoft Agent 365 catalog enrichment, and remote output destinations (SharePoint and Microsoft Fabric / OneLake) — alongside a new ManagedIdentity auth mode for Azure-hosted unattended runs and major reliability and authentication hardening. Existing Purview audit-log processing behavior is unchanged when none of the new switches are used.

🚀 Rollup Post-Processor (-Rollup / -RollupPlusRaw)

The new -Rollup and -RollupPlusRaw switches turn PAX into an end-to-end pipeline: as soon as the audit export succeeds, an embedded Python post-processor runs against the raw CSV(s) and emits rolled-up CSVs shaped specifically for the Microsoft Copilot Growth ROI Advisory Team's Power BI templates published at https://github.com/microsoft/Analytics-Hub. This collapses what was previously a multi-step, manual hand-off (run PAX → locate raw CSV → run a separate Python script → load into Power BI) into a single command line.

Highlights:

  • Two switches, one pipeline. -Rollup deletes the raw CSV(s) on processor success (only the rollup output remains); -RollupPlusRaw keeps the raw CSV(s) alongside the rollup output. Mutually exclusive.
  • Auto-selected processor based on the audit run's shape.
    • CopilotInteraction-only run → embedded Purview_CopilotInteraction_Processor v3.0.0. -IncludeUserInfo is auto-enabled because this processor consumes both the Purview CSV and the Entra users CSV. Target Analytics-Hub dashboards: AI-in-One and AI Business Value.
    • -IncludeM365Usage run → embedded Purview_M365_Usage_Bundle_Explosion_Processor v2.1.0. -CombineOutput is auto-enabled so a single combined Purview CSV is fed to the processor. Target Analytics-Hub dashboard: M365 Usage Analytics.
  • Single-file distribution preserved. Both Python sources are embedded byte-for-byte inside the .ps1. At runtime the selected source is materialized into .pax_incremental\PAX_<Label>_<RunTimestamp>.py, executed, and reaped by the function's finally block plus an end-of-run safety-net sweep. No external Python files to ship or maintain.
  • Zero-friction Python bootstrap. PAX auto-detects Python 3.10+ on PATH (python → py -3.13/-3.12/-3.11/-3.10 → python3). If none is found it attempts a per-user silent install of Python 3.13 via winget (Python.Python.3.13), falling back to the python.org offline installer. orjson is installed best-effort for ~5–10× faster JSON parsing; both processors fall back to stdlib json on import failure.
  • Best-effort, non-destructive failure semantics. A non-zero processor exit code logs an error and keeps the raw outputs (regardless of -Rollup vs -RollupPlusRaw); the raw CSV(s) already on disk remain the canonical successful artifact. The audit run is never marked failed because of a rollup failure.
  • Resume-safe. The checkpoint snapshot persists rollupMode (None / Rollup / RollupPlusRaw) and processorMode (None / CopilotInteraction / M365Bundle). On -Resume, the original rollup intent is restored automatically; if the resume command line passes a rollup switch explicitly, last-write-wins (override logged in yellow).
  • Agent 365 companion file is always retained. -Rollup is compatible with -IncludeAgent365Info and never deletes the Agent365_<timestamp>.csv — Analytics-Hub dashboards consume it as a companion input alongside the rollup output.

⚠️ Scope reminder. The rollup outputs exist solely to feed the Microsoft Copilot Growth ROI Advisory Team's Power BI templates at https://github.com/microsoft/Analytics-Hub. Schema, column names, aggregation grain, and join keys are dictated by those data models. For generic analytics exports, run PAX without -Rollup / -RollupPlusRaw and consume the raw CSV directly.

See Rollup Post-Processor: -Rollup / -RollupPlusRaw (v1.11.1) below for the full feature matrix, blocked combinations, and examples.

🆕 Microsoft Agent 365 Catalog Enrichment (-IncludeAgent365Info / -OnlyAgent365Info)

A pair of new switches — -IncludeAgent365Info (audit run + Agent 365 enrichment) and -OnlyAgent365Info (Agent 365 enrichment only) — produce a dedicated Agent365_<timestamp>.csv (or Agents365 Excel tab) whose 28-column schema matches the manual Agent 365 dashboard export. Data is sourced from the Microsoft Graph Agent Package Management API (https://graph.microsoft.com/beta/copilot/admin/catalog/packages). Available to tenants enrolled in the Microsoft Agent 365 Frontier program; signed-in caller must hold AI Administrator (preferred) or Global Administrator.

☁️ Remote Output Destinations — SharePoint & Microsoft Fabric / OneLake (-OutputPathSP / -OutputPathFabric)

Two new mutually-exclusive parameters extend -OutputPath (local directory) with first-class remote destinations so PAX can publish directly into a SharePoint document library or a Microsoft Fabric Lakehouse without an intermediate local copy.

  • -OutputPathSP <SharePointFolderUrl> — Uploads every customer-visible artifact (CSV, XLSX, run log, metrics JSON) directly to a SharePoint Online document-library folder via Microsoft Graph (createUploadSession for files >4 MiB, PUT /content for small files). Folder hierarchy is created server-side if missing. Requires Sites.ReadWrite.All + Files.ReadWrite.All on the same identity used for the audit phase.
  • -OutputPathFabric <OneLakeUrl> — Uploads to a Fabric Lakehouse / Warehouse Files path via the OneLake DFS REST surface (ADLS Gen2 create → append → flush). Requires Azure RBAC Storage Blob Data Contributor on the workspace plus Fabric portal Contributor membership; for service-principal / managed-identity runs the tenant setting "Service principals can use Fabric APIs" must be enabled.
  • Pre-flight probe with classified diagnostics. Reachability and folder creation are validated immediately after authentication, before any audit query is issued. On failure, a single structured Cause / Action banner names the exact missing permission, role, workspace, or URL segment (401 vs 403 vs 404, delegated vs app-only, missing module vs IMDS unreachable for OneLake), and the run aborts cleanly with exit 1 — no partial artifacts, no stack trace.
  • Long-run token-refresh infrastructure for OneLake. A new Azure (storage-audience) access-token refresh layer mirrors the existing Graph token-refresh design so multi-hour Fabric runs survive the full audit window. Tokens are proactively refreshed every ~50 minutes (below the 60-minute issuance lifetime) with a transparent single-retry on the rare mid-flight 401.
  • Remote-aware path display. Every output file / directory / log-path string emitted to the console and run log resolves to the SharePoint URL or OneLake URL when a remote destination is in effect — the temporary local scratch folder ($env:TEMP\PAX_<RunTimestamp>\) PAX uses internally is never surfaced to the customer.
  • Checkpoint and resume are LOCAL. Checkpoint and partial-output files (.pax_checkpoint_<RunTimestamp>.json, *_PARTIAL.csv, .pax_incremental/*.jsonl) are always written to the local scratch folder and are never mirrored remotely. -Resume is a same-host operation — re-run from the same machine that produced the checkpoint. Only customer-visible final artifacts upload at end of run.

📚 Fabric setup, deployment, and unattended-execution details. For detailed guidance on configuring Microsoft Fabric for use with -OutputPathFabric, the Azure Container Apps Job runbook, managed-identity setup, and Fabric RBAC grants, see the fabric_resources folder distributed alongside the script.

🔐 Managed-Identity Authentication for Azure-Hosted Runs (-Auth ManagedIdentity)

New sixth value on the -Auth ValidateSet for Azure-hosted headless execution (Container Apps Jobs, Functions, App Service, VMs). Supports system-assigned and user-assigned identities (the latter via AZURE_CLIENT_ID) and binds both the Microsoft Graph and Azure (storage) contexts to the same identity, so a single managed identity drives both the audit pull and the Fabric upload. Failures (missing identity, missing consent, IMDS unreachable) exit cleanly with no interactive fallback. -IncludeAgent365Info and -OnlyAgent365Info are blocked under ManagedIdentity (no interactive sign-in surface for the Agent 365 delegated-only API).

🛡️ Reliability & Authentication Hardening

  • Audit-query poll ceiling extended from 5 minutes to 4 hours with heartbeat status messages and exponential backoff — eliminating premature timeouts on large-tenant queries (especially with -IncludeM365Usage or DSPM bundles).
  • AppRegistration authentication and certificate-handling fixes that resolve intermittent token-refresh failures (AADSTS70002, invalid handle) and remove silent ...

purview-v1.10.9

25 Apr 14:08

Release Notes: v1.10.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

⚠️ Required Action for v1.10.9 (Microsoft Graph Permissions Enforcement — April 2026): Microsoft introduced a new dedicated permission level for the Microsoft Graph audit query API (/security/auditLog/queries) and began enforcing it across all tenants in April, 2026. Going forward, the audit query endpoint requires the new AuditLogsQuery.Read.All permission (and the granular AuditLogsQuery-*.Read.All workload scopes for optional M365 usage per-service queries); the broader AuditLog.Read.All permission is no longer sufficient on its own. All app registrations and admin-consented delegated scopes used with PAX must be updated to grant AuditLogsQuery.Read.All before running v1.10.9 against the Graph API path. Without it, Microsoft's enforcement causes the endpoint to return 0 records for CopilotInteraction and other workload-agnostic record types. v1.10.9 aligns PAX with Microsoft's new permission model and also adopts least-privilege conditional scopes — see the Microsoft Graph API Permissions Enforcement & Least-Privilege Hardening (v1.10.9) section below for full details. EOM mode (-UseEOM) is unaffected.

Version 1.10.x introduces two major capabilities: the Microsoft 365 Usage Bundle and Checkpoint & Resume for long-running exports.

The Microsoft 365 Usage Bundle (-IncludeM365Usage) is a single-switch activation that captures productivity activity across Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Forms, Stream, Planner, and PowerApps alongside Copilot data. This enables organizations to correlate Copilot adoption with broader Microsoft 365 usage patterns for ROI analysis and productivity benchmarking.

Checkpoint & Resume (-Resume) enables recovery from interrupted exports—a critical capability for multi-hour queries spanning large date ranges. PAX automatically saves progress after each partition completes, allowing seamless resumption after token expiry, network interruptions, or system restarts. Combined with intelligent token refresh (silent refresh attempts before prompting, proactive refresh for AppRegistration), this ensures reliable completion of even the longest exports.

Additional enhancements include memory management (-MaxMemoryMB) to prevent out-of-memory crashes on large exports by streaming records through JSONL files instead of accumulating them in memory, parallel explosion processing (-ExplosionThreads) for faster post-retrieval performance on PS7+, automatic 1M record limit detection for Graph API queries (with BlockHours auto-subdivision), new CopilotInteraction control switches, an execution telemetry export option, improved automation support with the -Force parameter, and UX safeguards when many output files or tabs are expected.


What's New

Microsoft Graph API Permissions Enforcement & Least-Privilege Hardening (v1.10.9)

| Area | Details |
| --- | --- |
| What changed | Microsoft introduced a new dedicated permission level for the Microsoft Graph audit query API (/security/auditLog/queries) and began enforcing it across all tenants in April, 2026. The audit query endpoint now requires its own AuditLogsQuery.Read.All (umbrella) permission — plus the granular AuditLogsQuery-*.Read.All per-workload scopes for service-scoped queries — instead of the broader AuditLog.Read.All permission previously used by all tooling that called this endpoint. |
| Tenant impact | Calls to the audit query endpoint authenticated with only the legacy AuditLog.Read.All permission still receive a succeeded query status under Microsoft's enforcement, but the endpoint returns zero records for record types not covered by a granular AuditLogsQuery-*.Read.All workload scope (most notably CopilotInteraction). This is a Microsoft platform-level change and applies to every tenant; it is not specific to PAX. |
| New permission to grant | AuditLogsQuery-*.Read.All is the new umbrella permission set that authorizes the caller to retrieve all CopilotInteraction and M365 usage record types via the audit query endpoint. PAX v1.10.9 has been validated against an isolated app registration holding only this permission and successfully retrieves all expected record types under Microsoft's new enforcement. |
| Customer action required | Update existing PAX app registrations and admin-consented delegated scopes to add the AuditLogsQuery-*.Read.All permission family (Microsoft Graph, Application permission) and grant admin consent. After consent, no further changes are needed — the script will request the updated scope set automatically on next run. |
| Interim workaround | Runs can use -UseEOM to bypass the Graph API path while consent is in flight. EOM mode uses Exchange Online RBAC and is unaffected by Microsoft's Graph permission enforcement change. |

Least-Privilege Conditional Scope Request Set

| Scope | Conditional on |
| --- | --- |
| AuditLogsQuery.Read.All (umbrella) | -not $OnlyUserInfo |
| AuditLogsQuery-Exchange.Read.All | -IncludeM365Usage |
| AuditLogsQuery-OneDrive.Read.All | -IncludeM365Usage |
| AuditLogsQuery-SharePoint.Read.All | -IncludeM365Usage |
| User.Read.All | -IncludeUserInfo, -OnlyUserInfo, or -GroupNames |
| Organization.Read.All | -IncludeUserInfo or -OnlyUserInfo |
| GroupMember.Read.All | -GroupNames |

UX Updates

  • Connection banner filtering: The "Successfully connected to Microsoft Graph" banner now displays only scopes present in $RequiredScopes — extra scopes carried by the token from prior Connect-MgGraph sessions or other tooling are no longer printed.
  • Query Mode permissions banner: The startup QUERY MODE: Microsoft Graph Security API banner now renders each scope in Yellow when actively requested for the run and DarkGray when not, with a legend at the top. Sub-blocks for M365 usage, Entra directory enrichment, and group expansion show exactly which scopes a given invocation requires.
  • 403/Forbidden diagnostics: Recommends GroupMember.Read.All first, with Group.Read.All / Directory.Read.All listed as higher-privilege fallbacks. Authentication failure messages now reference AuditLogsQuery.Read.All throughout.
  • Diagnostic logging: A new Graph scopes requested: <list> log line is written on each connect for post-mortem traceability of exactly which scopes were sent.

Customer Impact Summary

  • Baseline -StartDate / -EndDate Graph runs now request only AuditLogsQuery.Read.All.
  • -OnlyUserInfo runs no longer request audit query scopes they never use.
  • -IncludeUserInfo / -OnlyUserInfo users no longer have a silent permission gap on /users (previously needed external consent for User.Read.All).
  • -GroupNames users no longer have a silent permission gap on /groups and now request least-privilege GroupMember.Read.All instead of Group.Read.All.
  • EOM mode (-UseEOM) is unaffected — uses Exchange Online RBAC, not Graph scopes.
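
The conditional scope table above, expressed as an added PowerShell example for reviewing an identity's consent against a planned run (this is not code from the PAX script). Get-RequiredGraphScopes and Compare-GraphScopes are hypothetical names, and the granted-scope list is a constructed sample.

```powershell
# Added illustration; not taken from the PAX script. The scope-to-switch
# mapping is copied from the release-note table; function names are hypothetical.
function Get-RequiredGraphScopes {
    param(
        [switch]$OnlyUserInfo,
        [switch]$IncludeUserInfo,
        [switch]$IncludeM365Usage,
        [string[]]$GroupNames = @()
    )
    $scopes = [System.Collections.Generic.List[string]]::new()
    $usesGroups = ($GroupNames.Count -gt 0)

    if (-not $OnlyUserInfo) { $scopes.Add('AuditLogsQuery.Read.All') }
    if ($IncludeM365Usage) {
        $scopes.Add('AuditLogsQuery-Exchange.Read.All')
        $scopes.Add('AuditLogsQuery-OneDrive.Read.All')
        $scopes.Add('AuditLogsQuery-SharePoint.Read.All')
    }
    if ($IncludeUserInfo -or $OnlyUserInfo -or $usesGroups) { $scopes.Add('User.Read.All') }
    if ($IncludeUserInfo -or $OnlyUserInfo) { $scopes.Add('Organization.Read.All') }
    if ($usesGroups) { $scopes.Add('GroupMember.Read.All') }
    return $scopes.ToArray()
}

function Compare-GraphScopes {
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Granted
    )
    # Missing: the run would fail or come back empty. Excess: consent that
    # this invocation never uses and that a least-privilege review should question.
    $missing = @($Required | Where-Object { $_ -notin $Granted })
    $excess  = @($Granted  | Where-Object { $_ -notin $Required })

    # The case the notes warn about: only the legacy audit permission is
    # present, so queries report "succeeded" but return zero records.
    $legacyOnly = ('AuditLog.Read.All' -in $Granted) -and
                  ('AuditLogsQuery.Read.All' -in $Required) -and
                  ('AuditLogsQuery.Read.All' -notin $Granted)

    [pscustomobject]@{
        Missing              = $missing
        Excess               = $excess
        LegacyOnlyAuditScope = $legacyOnly
    }
}

# Constructed sample: consent left over from an older setup. In a live
# delegated session the list could be read from (Get-MgContext).Scopes.
$granted  = 'AuditLog.Read.All', 'Group.Read.All', 'User.Read.All'
$required = @(Get-RequiredGraphScopes -IncludeUserInfo -GroupNames 'Sales')

$report = Compare-GraphScopes -Required $required -Granted $granted
$report | Format-List

if ($report.LegacyOnlyAuditScope) {
    Write-Warning 'Only AuditLog.Read.All is granted: audit queries may succeed with 0 records.'
}
```

For the constructed input, Missing lists AuditLogsQuery.Read.All, Organization.Read.All and GroupMember.Read.All, Excess lists AuditLog.Read.All and Group.Read.All, and the legacy-only warning fires.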

Microsoft 365 Usage Bundle: -IncludeM365Usage

| Area | Details |
| --- | --- |
| Purpose | Single-switch activation of a curated activity type bundle spanning core Microsoft 365 productivity apps, enabling Copilot ROI analysis alongside traditional collaboration signals. |
| Availability | Graph API mode (default). The switch is blocked in EOM mode (-UseEOM) and replay mode (-RAWInputCSV). |
| CLI usage | -IncludeM365Usage with optional -ExcludeCopilotInteraction to capture only non-AI collaboration data. |
| Output modes | Recommend -CombineOutput (single merged file) or -ExportWorkbook (Excel with tabs) when using this bundle to avoid generating many separate files. |

Activity Type Categories

The bundle includes activity types across these categories:

| Category | Activity Types |
| --- | --- |
| Outlook/Exchange | MailboxLogin, MailItemsAccessed, Send, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems, CopyToFolder |
| SharePoint/OneDrive (Files) | FileAccessed, FileDownloaded, FileUploaded, FileModified, FileDeleted, FileMoved, FileCheckedIn, FileCheckedOut, FileRecycled, FileRestored, FileVersionsAllDeleted |
| SharePoint/OneDrive (Sharing) | SharingSet, SharingInvitationCreated, SharingInvitationAccepted, SharedLinkCreated, SharingRevoked, AddedToSecureLink, RemovedFromSecureLink, SecureLinkUsed |
| Groups/Unified Groups | AddMemberToUnifiedGroup, RemoveMemberFromUnifiedGroup |
| Teams (Team/Channel) | TeamCreated, TeamDeleted, TeamArchived, TeamSettingChanged, TeamMemberAdded, TeamMemberRemoved, MemberAdded, MemberRemoved, MemberRoleChanged, ChannelAdded, ChannelDeleted, ChannelSettingChanged, ChannelOwnerResponded, ChannelMessageSent, ChannelMessageDeleted, BotAddedToTeam, BotRemovedFromTeam, TabAdded, TabRemoved, TabUpdated, ConnectorAdded, ConnectorRemoved, ConnectorUpdated |
| Teams (Chat/Messaging) | TeamsSessionStarted, ChatCreated, ChatRetrieved, ChatUpdated, MessageSent, MessageRead, MessageDeleted, MessageUpdated, Me... |

purview-v1.10.8

09 Mar 22:31

Release Notes: v1.10.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

Version 1.10.x introduces two major capabilities: the Microsoft 365 Usage Bundle and Checkpoint & Resume for long-running exports.

The Microsoft 365 Usage Bundle (-IncludeM365Usage) is a single-switch activation that captures productivity activity across Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Forms, Stream, Planner, and PowerApps alongside Copilot data. This enables organizations to correlate Copilot adoption with broader Microsoft 365 usage patterns for ROI analysis and productivity benchmarking.

Checkpoint & Resume (-Resume) enables recovery from interrupted exports—a critical capability for multi-hour queries spanning large date ranges. PAX automatically saves progress after each partition completes, allowing seamless resumption after token expiry, network interruptions, or system restarts. Combined with intelligent token refresh (silent refresh attempts before prompting, proactive refresh for AppRegistration), this ensures reliable completion of even the longest exports.

Additional enhancements include memory management (-MaxMemoryMB) to prevent out-of-memory crashes on large exports by streaming records through JSONL files instead of accumulating them in memory, parallel explosion processing (-ExplosionThreads) for faster post-retrieval performance on PS7+, automatic 1M record limit detection for Graph API queries (with BlockHours auto-subdivision), new CopilotInteraction control switches, an execution telemetry export option, improved automation support with the -Force parameter, and UX safeguards when many output files or tabs are expected.


What's New

Microsoft 365 Usage Bundle: -IncludeM365Usage

Area Details
Purpose Single-switch activation of a curated activity type bundle spanning core Microsoft 365 productivity apps, enabling Copilot ROI analysis alongside traditional collaboration signals.
Availability Graph API mode (default). The switch is blocked in EOM mode (-UseEOM) and replay mode (-RAWInputCSV).
CLI usage -IncludeM365Usage with optional -ExcludeCopilotInteraction to capture only non-AI collaboration data.
Output modes Recommend -CombineOutput (single merged file) or -ExportWorkbook (Excel with tabs) when using this bundle to avoid generating many separate files.

Activity Type Categories

The bundle includes activity types across these categories:

Category Activity Types
Outlook/Exchange MailboxLogin, MailItemsAccessed, Send, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems, CopyToFolder
SharePoint/OneDrive (Files) FileAccessed, FileDownloaded, FileUploaded, FileModified, FileDeleted, FileMoved, FileCheckedIn, FileCheckedOut, FileRecycled, FileRestored, FileVersionsAllDeleted
SharePoint/OneDrive (Sharing) SharingSet, SharingInvitationCreated, SharingInvitationAccepted, SharedLinkCreated, SharingRevoked, AddedToSecureLink, RemovedFromSecureLink, SecureLinkUsed
Groups/Unified Groups AddMemberToUnifiedGroup, RemoveMemberFromUnifiedGroup
Teams (Team/Channel) TeamCreated, TeamDeleted, TeamArchived, TeamSettingChanged, TeamMemberAdded, TeamMemberRemoved, MemberAdded, MemberRemoved, MemberRoleChanged, ChannelAdded, ChannelDeleted, ChannelSettingChanged, ChannelOwnerResponded, ChannelMessageSent, ChannelMessageDeleted, BotAddedToTeam, BotRemovedFromTeam, TabAdded, TabRemoved, TabUpdated, ConnectorAdded, ConnectorRemoved, ConnectorUpdated
Teams (Chat/Messaging) TeamsSessionStarted, ChatCreated, ChatRetrieved, ChatUpdated, MessageSent, MessageRead, MessageDeleted, MessageUpdated, MessagesListed, MessageCreation, MessageCreatedHasLink, MessageEditedHasLink, MessageHostedContentRead, MessageHostedContentsListed, SensitiveContentShared
Teams (Meetings) MeetingCreated, MeetingUpdated, MeetingDeleted, MeetingStarted, MeetingEnded, MeetingParticipantJoined, MeetingParticipantLeft, MeetingParticipantRoleChanged, MeetingRecordingStarted, MeetingRecordingEnded, MeetingDetail, MeetingParticipantDetail, LiveNotesUpdate, AINotesUpdate, RecordingExported, TranscriptsExported
Teams (Apps/Approvals) AppInstalled, AppUpgraded, AppUninstalled, CreatedApproval, ApprovedRequest, RejectedApprovalRequest, CanceledApprovalRequest
Office Apps (Word, Excel, PowerPoint, OneNote) Create, Edit, Open, Save, Print
Forms CreateForm, EditForm, DeleteForm, ViewForm, CreateResponse, SubmitResponse, ViewResponse, DeleteResponse
Stream StreamModified, StreamViewed, StreamDeleted, StreamDownloaded
Planner PlanCreated, PlanDeleted, PlanModified, TaskCreated, TaskDeleted, TaskModified, TaskAssigned, TaskCompleted
PowerApps LaunchedApp, CreatedApp, EditedApp, DeletedApp, PublishedApp
Copilot CopilotInteraction (removable via -ExcludeCopilotInteraction)

Why it matters

  • Copilot ROI Analysis: Compare user productivity patterns before and after Copilot deployment
  • Baseline Establishment: Use -IncludeM365Usage -ExcludeCopilotInteraction to capture pre-Copilot baselines
  • Single-pass efficiency: Consolidate Copilot and M365 usage data in one execution instead of multiple runs

Example

# Full M365 usage bundle with combined output
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -CombineOutput `
  -OutputPath "C:\Exports\"

# M365 usage WITHOUT Copilot (baseline capture)
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -ExcludeCopilotInteraction `
  -CombineOutput `
  -OutputPath "C:\Exports\"

CopilotInteraction Control Switches

Switch Purpose
-IncludeCopilotInteraction Explicitly add CopilotInteraction to custom activity type lists (useful when combining custom types with Copilot data)
-ExcludeCopilotInteraction Remove CopilotInteraction from any bundle that includes it (e.g., -IncludeM365Usage -ExcludeCopilotInteraction)

Conflict Resolution: If both switches are specified, the script prompts for resolution (or honors -Force to exclude).


Execution Telemetry Export: -IncludeTelemetry

Area Details
Purpose Export a per-partition telemetry CSV alongside audit data for performance analysis and troubleshooting.
Output Creates *_Telemetry_*.csv with partition timing, record counts, retry attempts, and status information.
Use case Diagnose slow queries, analyze partition distribution, optimize future exports.

Example

./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-02 `
  -IncludeTelemetry `
  -OutputPath "C:\Exports\"

Automation Support: -Force Parameter

Area Details
Purpose Suppress interactive prompts for unattended/scheduled execution.
Behavior Auto-accepts default choices for DSPM billing prompts, CopilotInteraction conflicts, and multi-output warnings.
Use case CI/CD pipelines, scheduled tasks, and automation scenarios where no operator is present.

Checkpoint & Resume: -Resume

PAX automatically saves progress during long-running operations for all authentication modes. This enables resumption after Ctrl+C, network failures, token expiry, or any interruption without losing completed work.

Enhanced Token Refresh

Token refresh behavior has been significantly improved:

Auth Mode Behavior
AppRegistration ✅ Proactive refresh at ~45-50 minutes (before expiry) + reactive on 401 as backup. Fully automatic and silent.
WebLogin/DeviceCode ✅ On 401 error, attempts silent refresh first (using SDK's cached refresh token). Only prompts user if silent refresh fails.
403 Forbidden ⚠️ Detected separately from 401 errors. Indicates a permissions issue—token refresh won't help. Script provides clear guidance to check AuditLog.Read.All consent and role assignments.

When Checkpoints Are Created

Authentication Mode Checkpoint Created Reason
WebLogin ✅ Yes Enables resume after any interruption
DeviceCode ✅ Yes Enables resume after any interruption
AppRegistration ✅ Yes Enables resume after any interruption

Checkpoint Lifecycle

  1. Creation: Checkpoint file created at start of Graph API query execution
  2. Updates: Saved after each partition completes successfully
  3. Location: <OutputPath>\.pax_checkpoint_<timestamp>.json
  4. Deletion: Automatically removed on successful run completion
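
The token-refresh rules and checkpoint lifecycle described above, sketched as an added example that is not code from PAX. The checkpoint schema (`CompletedPartitions`, `SavedUtc`), the function name and the stubbed query and refresh script blocks are assumptions, and every response is simulated offline.

```powershell
# Added illustration, not PAX source code. The checkpoint schema, the function name
# and the stubbed -Query / -Refresh script blocks are assumptions made for this sketch.
function Invoke-ResumableExport {
    param(
        [Parameter(Mandatory)][string[]]$Partitions,
        [Parameter(Mandatory)][string]$CheckpointPath,
        [Parameter(Mandatory)][scriptblock]$Query,    # returns an HTTP status code for one partition
        [Parameter(Mandatory)][scriptblock]$Refresh   # returns $true when a silent token refresh succeeds
    )

    # Resume: load the partitions that an earlier run already finished.
    $done = @()
    if (Test-Path -LiteralPath $CheckpointPath) {
        $saved = Get-Content -LiteralPath $CheckpointPath -Raw | ConvertFrom-Json
        $done  = @($saved.CompletedPartitions)
    }

    foreach ($p in $Partitions) {
        if ($done -contains $p) { continue }          # completed before the interruption

        $status = & $Query $p
        if ($status -eq 401) {
            # Expired token: attempt one silent refresh, then retry the same partition.
            if (-not (& $Refresh)) {
                return [pscustomobject]@{ Outcome = 'NeedsInteractiveLogin'; Completed = $done }
            }
            $status = & $Query $p
        }
        if ($status -eq 403) {
            # Authorization failure: a fresh token carries the same permissions, so do not
            # retry. Check AuditLog.Read.All consent and role assignments instead.
            return [pscustomobject]@{ Outcome = 'PermissionDenied'; Completed = $done }
        }
        if ($status -ne 200) {
            return [pscustomobject]@{ Outcome = "Failed:$status"; Completed = $done }
        }

        # Partition succeeded: persist progress before moving on. The file holds progress
        # only (no tokens) and is swapped in via a temp file so it is never half-written.
        $done += $p
        $tmp = "$CheckpointPath.tmp"
        @{ CompletedPartitions = [string[]]$done; SavedUtc = (Get-Date).ToUniversalTime().ToString('o') } |
            ConvertTo-Json | Set-Content -LiteralPath $tmp -Encoding UTF8
        Move-Item -LiteralPath $tmp -Destination $CheckpointPath -Force
    }

    # All partitions finished: the checkpoint is no longer needed.
    Remove-Item -LiteralPath $CheckpointPath -ErrorAction SilentlyContinue
    [pscustomobject]@{ Outcome = 'Completed'; Completed = $done }
}

# --- Constructed demo: three partitions, all responses simulated ---
$dir = Join-Path ([IO.Path]::GetTempPath()) ("pax_demo_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$checkpoint = Join-Path $dir '.pax_checkpoint_demo.json'   # page pattern: .pax_checkpoint_<timestamp>.json
$parts = 'P1', 'P2', 'P3'

# Run 1: the token expires at P3 and silent refresh fails; P1 and P2 stay in the checkpoint.
$run1 = Invoke-ResumableExport -Partitions $parts -CheckpointPath $checkpoint `
    -Query   { param($p) if ($p -eq 'P3') { 401 } else { 200 } } `
    -Refresh { $false }

# Run 2 (resume): P1 and P2 are skipped; P3 returns 401 once, refresh succeeds, retry returns 200.
$calls = @{ P3 = 0 }
$run2 = Invoke-ResumableExport -Partitions $parts -CheckpointPath $checkpoint `
    -Query   { param($p) $calls[$p]++; if ($calls[$p] -eq 1) { 401 } else { 200 } } `
    -Refresh { $true }

# Run 3: every call returns 403, so the run stops immediately without calling -Refresh.
$run3 = Invoke-ResumableExport -Partitions $parts -CheckpointPath $checkpoint `
    -Query { 403 } -Refresh { $true }

$run1, $run2, $run3 | ForEach-Object {
    '{0,-22} completed: {1}' -f $_.Outcome, ($_.Completed -join ',')
}
Remove-Item -LiteralPath $dir -Recurse -Force
```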

Incremental Data Saves

To prevent data loss during authentication failures, PAX saves completed partition data immediately to disk:

Item Details
**Loc...

copilotinteractions-v2.0.0

08 Apr 13:02

CopilotInteractions Content Audit Log Processor v2.0.0

purview-v1.10.7

05 Mar 15:51

Release Notes: v1.10.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

Version 1.10.x introduces two major capabilities: the Microsoft 365 Usage Bundle and Checkpoint & Resume for long-running exports.

The Microsoft 365 Usage Bundle (-IncludeM365Usage) is a single-switch activation that captures productivity activity across Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Forms, Stream, Planner, and PowerApps alongside Copilot data. This enables organizations to correlate Copilot adoption with broader Microsoft 365 usage patterns for ROI analysis and productivity benchmarking.

Checkpoint & Resume (-Resume) enables recovery from interrupted exports—a critical capability for multi-hour queries spanning large date ranges. PAX automatically saves progress after each partition completes, allowing seamless resumption after token expiry, network interruptions, or system restarts. Combined with intelligent token refresh (silent refresh attempts before prompting, proactive refresh for AppRegistration), this ensures reliable completion of even the longest exports.

Additional enhancements include memory management (-MaxMemoryMB) to prevent out-of-memory crashes on large exports by streaming records through JSONL files instead of accumulating them in memory, parallel explosion processing (-ExplosionThreads) for faster post-retrieval performance on PS7+, automatic 1M record limit detection for Graph API queries (with BlockHours auto-subdivision), new CopilotInteraction control switches, an execution telemetry export option, improved automation support with the -Force parameter, and UX safeguards when many output files or tabs are expected.


What's New

Microsoft 365 Usage Bundle: -IncludeM365Usage

Area Details
Purpose Single-switch activation of a curated activity type bundle spanning core Microsoft 365 productivity apps, enabling Copilot ROI analysis alongside traditional collaboration signals.
Availability Graph API mode (default). The switch is blocked in EOM mode (-UseEOM) and replay mode (-RAWInputCSV).
CLI usage -IncludeM365Usage with optional -ExcludeCopilotInteraction to capture only non-AI collaboration data.
Output modes Recommend -CombineOutput (single merged file) or -ExportWorkbook (Excel with tabs) when using this bundle to avoid generating many separate files.

Activity Type Categories

The bundle includes activity types across these categories:

Category Activity Types
Outlook/Exchange MailboxLogin, MailItemsAccessed, Send, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems, CopyToFolder
SharePoint/OneDrive (Files) FileAccessed, FileDownloaded, FileUploaded, FileModified, FileDeleted, FileMoved, FileCheckedIn, FileCheckedOut, FileRecycled, FileRestored, FileVersionsAllDeleted
SharePoint/OneDrive (Sharing) SharingSet, SharingInvitationCreated, SharingInvitationAccepted, SharedLinkCreated, SharingRevoked, AddedToSecureLink, RemovedFromSecureLink, SecureLinkUsed
Groups/Unified Groups AddMemberToUnifiedGroup, RemoveMemberFromUnifiedGroup
Teams (Team/Channel) TeamCreated, TeamDeleted, TeamArchived, TeamSettingChanged, TeamMemberAdded, TeamMemberRemoved, MemberAdded, MemberRemoved, MemberRoleChanged, ChannelAdded, ChannelDeleted, ChannelSettingChanged, ChannelOwnerResponded, ChannelMessageSent, ChannelMessageDeleted, BotAddedToTeam, BotRemovedFromTeam, TabAdded, TabRemoved, TabUpdated, ConnectorAdded, ConnectorRemoved, ConnectorUpdated
Teams (Chat/Messaging) TeamsSessionStarted, ChatCreated, ChatRetrieved, ChatUpdated, MessageSent, MessageRead, MessageDeleted, MessageUpdated, MessagesListed, MessageCreation, MessageCreatedHasLink, MessageEditedHasLink, MessageHostedContentRead, MessageHostedContentsListed, SensitiveContentShared
Teams (Meetings) MeetingCreated, MeetingUpdated, MeetingDeleted, MeetingStarted, MeetingEnded, MeetingParticipantJoined, MeetingParticipantLeft, MeetingParticipantRoleChanged, MeetingRecordingStarted, MeetingRecordingEnded, MeetingDetail, MeetingParticipantDetail, LiveNotesUpdate, AINotesUpdate, RecordingExported, TranscriptsExported
Teams (Apps/Approvals) AppInstalled, AppUpgraded, AppUninstalled, CreatedApproval, ApprovedRequest, RejectedApprovalRequest, CanceledApprovalRequest
Office Apps (Word, Excel, PowerPoint, OneNote) Create, Edit, Open, Save, Print
Forms CreateForm, EditForm, DeleteForm, ViewForm, CreateResponse, SubmitResponse, ViewResponse, DeleteResponse
Stream StreamModified, StreamViewed, StreamDeleted, StreamDownloaded
Planner PlanCreated, PlanDeleted, PlanModified, TaskCreated, TaskDeleted, TaskModified, TaskAssigned, TaskCompleted
PowerApps LaunchedApp, CreatedApp, EditedApp, DeletedApp, PublishedApp
Copilot CopilotInteraction (removable via -ExcludeCopilotInteraction)

Why it matters

  • Copilot ROI Analysis: Compare user productivity patterns before and after Copilot deployment
  • Baseline Establishment: Use -IncludeM365Usage -ExcludeCopilotInteraction to capture pre-Copilot baselines
  • Single-pass efficiency: Consolidate Copilot and M365 usage data in one execution instead of multiple runs

Example

# Full M365 usage bundle with combined output
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -CombineOutput `
  -OutputPath "C:\Exports\"

# M365 usage WITHOUT Copilot (baseline capture)
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -ExcludeCopilotInteraction `
  -CombineOutput `
  -OutputPath "C:\Exports\"

CopilotInteraction Control Switches

Switch Purpose
-IncludeCopilotInteraction Explicitly add CopilotInteraction to custom activity type lists (useful when combining custom types with Copilot data)
-ExcludeCopilotInteraction Remove CopilotInteraction from any bundle that includes it (e.g., -IncludeM365Usage -ExcludeCopilotInteraction)

Conflict Resolution: If both switches are specified, the script prompts for resolution (or honors -Force to exclude).


Execution Telemetry Export: -IncludeTelemetry

Area Details
Purpose Export a per-partition telemetry CSV alongside audit data for performance analysis and troubleshooting.
Output Creates *_Telemetry_*.csv with partition timing, record counts, retry attempts, and status information.
Use case Diagnose slow queries, analyze partition distribution, optimize future exports.

Example

./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-02 `
  -IncludeTelemetry `
  -OutputPath "C:\Exports\"

Automation Support: -Force Parameter

Area Details
Purpose Suppress interactive prompts for unattended/scheduled execution.
Behavior Auto-accepts default choices for DSPM billing prompts, CopilotInteraction conflicts, and multi-output warnings.
Use case CI/CD pipelines, scheduled tasks, and automation scenarios where no operator is present.

Checkpoint & Resume: -Resume

PAX automatically saves progress during long-running operations for all authentication modes. This enables resumption after Ctrl+C, network failures, token expiry, or any interruption without losing completed work.

Enhanced Token Refresh

Token refresh behavior has been significantly improved:

Auth Mode Behavior
AppRegistration ✅ Proactive refresh at ~45-50 minutes (before expiry) + reactive on 401 as backup. Fully automatic and silent.
WebLogin/DeviceCode ✅ On 401 error, attempts silent refresh first (using SDK's cached refresh token). Only prompts user if silent refresh fails.
403 Forbidden ⚠️ Detected separately from 401 errors. Indicates a permissions issue—token refresh won't help. Script provides clear guidance to check AuditLog.Read.All consent and role assignments.

When Checkpoints Are Created

Authentication Mode Checkpoint Created Reason
WebLogin ✅ Yes Enables resume after any interruption
DeviceCode ✅ Yes Enables resume after any interruption
AppRegistration ✅ Yes Enables resume after any interruption

Checkpoint Lifecycle

  1. Creation: Checkpoint file created at start of Graph API query execution
  2. Updates: Saved after each partition completes successfully
  3. Location: <OutputPath>\.pax_checkpoint_<timestamp>.json
  4. Deletion: Automatically removed on successful run completion

Incremental Data Saves

To prevent data loss during authentication failures, PAX saves completed partition data immediately to disk:

Item Details
**Loc...

purview-v1.10.6

10 Feb 16:58

Release Notes: v1.10.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

Version 1.10.x introduces two major capabilities: the Microsoft 365 Usage Bundle and Checkpoint & Resume for long-running exports.

The Microsoft 365 Usage Bundle (-IncludeM365Usage) is a single-switch activation that captures productivity activity across Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Forms, Stream, Planner, and PowerApps alongside Copilot data. This enables organizations to correlate Copilot adoption with broader Microsoft 365 usage patterns for ROI analysis and productivity benchmarking.

Checkpoint & Resume (-Resume) enables recovery from interrupted exports—a critical capability for multi-hour queries spanning large date ranges. PAX automatically saves progress after each partition completes, allowing seamless resumption after token expiry, network interruptions, or system restarts. Combined with intelligent token refresh (silent refresh attempts before prompting, proactive refresh for AppRegistration), this ensures reliable completion of even the longest exports.

Additional enhancements include memory management (-MaxMemoryMB) to prevent out-of-memory crashes on large exports by streaming records through JSONL files instead of accumulating them in memory, parallel explosion processing (-ExplosionThreads) for faster post-retrieval performance on PS7+, automatic 1M record limit detection for Graph API queries (with BlockHours auto-subdivision), new CopilotInteraction control switches, an execution telemetry export option, improved automation support with the -Force parameter, and UX safeguards when many output files or tabs are expected.


What's New

Microsoft 365 Usage Bundle: -IncludeM365Usage

Area Details
Purpose Single-switch activation of a curated activity type bundle spanning core Microsoft 365 productivity apps, enabling Copilot ROI analysis alongside traditional collaboration signals.
Availability Graph API mode (default). The switch is blocked in EOM mode (-UseEOM) and replay mode (-RAWInputCSV).
CLI usage -IncludeM365Usage with optional -ExcludeCopilotInteraction to capture only non-AI collaboration data.
Output modes Recommend -CombineOutput (single merged file) or -ExportWorkbook (Excel with tabs) when using this bundle to avoid generating many separate files.

Activity Type Categories

The bundle includes activity types across these categories:

Category Activity Types
Authentication UserLoggedIn
Outlook/Exchange MailboxLogin, MailItemsAccessed, Send, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems, CopyToFolder
SharePoint/OneDrive (Files) FileAccessed, FileDownloaded, FileUploaded, FileModified, FileDeleted, FileMoved, FileCheckedIn, FileCheckedOut, FileRecycled, FileRestored, FileVersionsAllDeleted
SharePoint/OneDrive (Sharing) SharingSet, SharingInvitationCreated, SharingInvitationAccepted, SharedLinkCreated, SharingRevoked, AddedToSecureLink, RemovedFromSecureLink, SecureLinkUsed
Groups/Unified Groups AddMemberToUnifiedGroup, RemoveMemberFromUnifiedGroup
Teams (Team/Channel) TeamCreated, TeamDeleted, TeamArchived, TeamSettingChanged, TeamMemberAdded, TeamMemberRemoved, MemberAdded, MemberRemoved, MemberRoleChanged, ChannelAdded, ChannelDeleted, ChannelSettingChanged, ChannelOwnerResponded, ChannelMessageSent, ChannelMessageDeleted, BotAddedToTeam, BotRemovedFromTeam, TabAdded, TabRemoved, TabUpdated, ConnectorAdded, ConnectorRemoved, ConnectorUpdated
Teams (Chat/Messaging) TeamsSessionStarted, ChatCreated, ChatRetrieved, ChatUpdated, MessageSent, MessageRead, MessageDeleted, MessageUpdated, MessagesListed, MessageCreation, MessageCreatedHasLink, MessageEditedHasLink, MessageHostedContentRead, MessageHostedContentsListed, SensitiveContentShared
Teams (Meetings) MeetingCreated, MeetingUpdated, MeetingDeleted, MeetingStarted, MeetingEnded, MeetingParticipantJoined, MeetingParticipantLeft, MeetingParticipantRoleChanged, MeetingRecordingStarted, MeetingRecordingEnded, MeetingDetail, MeetingParticipantDetail, LiveNotesUpdate, AINotesUpdate, RecordingExported, TranscriptsExported
Teams (Apps/Approvals) AppInstalled, AppUpgraded, AppUninstalled, CreatedApproval, ApprovedRequest, RejectedApprovalRequest, CanceledApprovalRequest
Office Apps (Word, Excel, PowerPoint, OneNote) Create, Edit, Open, Save, Print
Forms CreateForm, EditForm, DeleteForm, ViewForm, CreateResponse, SubmitResponse, ViewResponse, DeleteResponse
Stream StreamModified, StreamViewed, StreamDeleted, StreamDownloaded
Planner PlanCreated, PlanDeleted, PlanModified, TaskCreated, TaskDeleted, TaskModified, TaskAssigned, TaskCompleted
PowerApps LaunchedApp, CreatedApp, EditedApp, DeletedApp, PublishedApp
Copilot CopilotInteraction (removable via -ExcludeCopilotInteraction)

Why it matters

  • Copilot ROI Analysis: Compare user productivity patterns before and after Copilot deployment
  • Baseline Establishment: Use -IncludeM365Usage -ExcludeCopilotInteraction to capture pre-Copilot baselines
  • Single-pass efficiency: Consolidate Copilot and M365 usage data in one execution instead of multiple runs

Example

# Full M365 usage bundle with combined output
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -CombineOutput `
  -OutputPath "C:\Exports\"

# M365 usage WITHOUT Copilot (baseline capture)
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -ExcludeCopilotInteraction `
  -CombineOutput `
  -OutputPath "C:\Exports\"

CopilotInteraction Control Switches

Switch Purpose
-IncludeCopilotInteraction Explicitly add CopilotInteraction to custom activity type lists (useful when combining custom types with Copilot data)
-ExcludeCopilotInteraction Remove CopilotInteraction from any bundle that includes it (e.g., -IncludeM365Usage -ExcludeCopilotInteraction)

Conflict Resolution: If both switches are specified, the script prompts for resolution (or honors -Force to exclude).


Execution Telemetry Export: -IncludeTelemetry

Area Details
Purpose Export a per-partition telemetry CSV alongside audit data for performance analysis and troubleshooting.
Output Creates *_Telemetry_*.csv with partition timing, record counts, retry attempts, and status information.
Use case Diagnose slow queries, analyze partition distribution, optimize future exports.

Example

./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-02 `
  -IncludeTelemetry `
  -OutputPath "C:\Exports\"

Automation Support: -Force Parameter

Area Details
Purpose Suppress interactive prompts for unattended/scheduled execution.
Behavior Auto-accepts default choices for DSPM billing prompts, CopilotInteraction conflicts, and multi-output warnings.
Use case CI/CD pipelines, scheduled tasks, and automation scenarios where no operator is present.

Checkpoint & Resume: -Resume

PAX automatically saves progress during long-running operations for all authentication modes. This enables resumption after Ctrl+C, network failures, token expiry, or any interruption without losing completed work.

Enhanced Token Refresh

Token refresh behavior has been significantly improved:

Auth Mode Behavior
AppRegistration ✅ Proactive refresh at ~45-50 minutes (before expiry) + reactive on 401 as backup. Fully automatic and silent.
WebLogin/DeviceCode ✅ On 401 error, attempts silent refresh first (using SDK's cached refresh token). Only prompts user if silent refresh fails.
403 Forbidden ⚠️ Detected separately from 401 errors. Indicates a permissions issue—token refresh won't help. Script provides clear guidance to check AuditLog.Read.All consent and role assignments.

When Checkpoints Are Created

Authentication Mode Checkpoint Created Reason
WebLogin ✅ Yes Enables resume after any interruption
DeviceCode ✅ Yes Enables resume after any interruption
AppRegistration ✅ Yes Enables resume after any interruption

Checkpoint Lifecycle

  1. Creation: Checkpoint file created at start of Graph API query execution
  2. Updates: Saved after each partition completes successfully
  3. Location: <OutputPath>\.pax_checkpoint_<timestamp>.json
  4. Deletion: Automatically removed on successful run completion

Incremental Data Saves

To prevent data loss during authentication failures, PAX saves completed partition data immediately to disk:

| Item ...

Purview Audit Log Processor v1.10.5

30 Jan 16:04

Release Notes: v1.10.x

Release Information


Script Download & Support

Download the script below. For questions or issues, refer to the documentation.


Overview

Version 1.10.x introduces two major capabilities: the Microsoft 365 Usage Bundle and Checkpoint & Resume for long-running exports.

The Microsoft 365 Usage Bundle (-IncludeM365Usage) is a single-switch activation that captures productivity activity across Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Forms, Stream, Planner, and PowerApps alongside Copilot data. This enables organizations to correlate Copilot adoption with broader Microsoft 365 usage patterns for ROI analysis and productivity benchmarking.

Checkpoint & Resume (-Resume) enables recovery from interrupted exports—a critical capability for multi-hour queries spanning large date ranges. PAX automatically saves progress after each partition completes, allowing seamless resumption after token expiry, network interruptions, or system restarts. Combined with intelligent token refresh (silent refresh attempts before prompting, proactive refresh for AppRegistration), this ensures reliable completion of even the longest exports.

Additional enhancements include parallel explosion processing (-ExplosionThreads) for faster post-retrieval performance on PS7+, automatic 1M record limit detection for Graph API queries (with BlockHours auto-subdivision), new CopilotInteraction control switches, an execution telemetry export option, improved automation support with the -Force parameter, and UX safeguards when many output files or tabs are expected.


What's New

Microsoft 365 Usage Bundle: -IncludeM365Usage

Area Details
Purpose Single-switch activation of a curated activity type bundle spanning core Microsoft 365 productivity apps, enabling Copilot ROI analysis alongside traditional collaboration signals.
Availability Graph API mode (default). The switch is blocked in EOM mode (-UseEOM) and replay mode (-RAWInputCSV).
CLI usage -IncludeM365Usage with optional -ExcludeCopilotInteraction to capture only non-AI collaboration data.
Output modes Recommend -CombineOutput (single merged file) or -ExportWorkbook (Excel with tabs) when using this bundle to avoid generating many separate files.

Activity Type Categories

The bundle includes activity types across these categories:

Category Activity Types
Authentication UserLoggedIn
Outlook/Exchange MailboxLogin, MailItemsAccessed, Send, SendOnBehalf, SoftDelete, HardDelete, MoveToDeletedItems, CopyToFolder
SharePoint/OneDrive (Files) FileAccessed, FileDownloaded, FileUploaded, FileModified, FileDeleted, FileMoved, FileCheckedIn, FileCheckedOut, FileRecycled, FileRestored, FileVersionsAllDeleted
SharePoint/OneDrive (Sharing) SharingSet, SharingInvitationCreated, SharingInvitationAccepted, SharedLinkCreated, SharingRevoked, AddedToSecureLink, RemovedFromSecureLink, SecureLinkUsed
Groups/Unified Groups AddMemberToUnifiedGroup, RemoveMemberFromUnifiedGroup
Teams (Team/Channel) TeamCreated, TeamDeleted, TeamArchived, TeamSettingChanged, TeamMemberAdded, TeamMemberRemoved, MemberAdded, MemberRemoved, MemberRoleChanged, ChannelAdded, ChannelDeleted, ChannelSettingChanged, ChannelOwnerResponded, ChannelMessageSent, ChannelMessageDeleted, BotAddedToTeam, BotRemovedFromTeam, TabAdded, TabRemoved, TabUpdated, ConnectorAdded, ConnectorRemoved, ConnectorUpdated
Teams (Chat/Messaging) TeamsSessionStarted, ChatCreated, ChatRetrieved, ChatUpdated, MessageSent, MessageRead, MessageDeleted, MessageUpdated, MessagesListed, MessageCreation, MessageCreatedHasLink, MessageEditedHasLink, MessageHostedContentRead, MessageHostedContentsListed, SensitiveContentShared
Teams (Meetings) MeetingCreated, MeetingUpdated, MeetingDeleted, MeetingStarted, MeetingEnded, MeetingParticipantJoined, MeetingParticipantLeft, MeetingParticipantRoleChanged, MeetingRecordingStarted, MeetingRecordingEnded, MeetingDetail, MeetingParticipantDetail, LiveNotesUpdate, AINotesUpdate, RecordingExported, TranscriptsExported
Teams (Apps/Approvals) AppInstalled, AppUpgraded, AppUninstalled, CreatedApproval, ApprovedRequest, RejectedApprovalRequest, CanceledApprovalRequest
Office Apps (Word, Excel, PowerPoint, OneNote) Create, Edit, Open, Save, Print
Forms CreateForm, EditForm, DeleteForm, ViewForm, CreateResponse, SubmitResponse, ViewResponse, DeleteResponse
Stream StreamModified, StreamViewed, StreamDeleted, StreamDownloaded
Planner PlanCreated, PlanDeleted, PlanModified, TaskCreated, TaskDeleted, TaskModified, TaskAssigned, TaskCompleted
PowerApps LaunchedApp, CreatedApp, EditedApp, DeletedApp, PublishedApp
Copilot CopilotInteraction (removable via -ExcludeCopilotInteraction)

Why it matters

  • Copilot ROI Analysis: Compare user productivity patterns before and after Copilot deployment
  • Baseline Establishment: Use -IncludeM365Usage -ExcludeCopilotInteraction to capture pre-Copilot baselines
  • Single-pass efficiency: Consolidate Copilot and M365 usage data in one execution instead of multiple runs

Example

# Full M365 usage bundle with combined output
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -CombineOutput `
  -OutputPath "C:\Exports\"

# M365 usage WITHOUT Copilot (baseline capture)
./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-08 `
  -IncludeM365Usage `
  -ExcludeCopilotInteraction `
  -CombineOutput `
  -OutputPath "C:\Exports\"

CopilotInteraction Control Switches

Switch Purpose
-IncludeCopilotInteraction Explicitly add CopilotInteraction to custom activity type lists (useful when combining custom types with Copilot data)
-ExcludeCopilotInteraction Remove CopilotInteraction from any bundle that includes it (e.g., -IncludeM365Usage -ExcludeCopilotInteraction)

Conflict Resolution: If both switches are specified, the script prompts for resolution (or honors -Force to exclude).


Execution Telemetry Export: -IncludeTelemetry

| Area | Details |
|---|---|
| Purpose | Export a per-partition telemetry CSV alongside audit data for performance analysis and troubleshooting. |
| Output | Creates *_Telemetry_*.csv with partition timing, record counts, retry attempts, and status information. |
| Use case | Diagnose slow queries, analyze partition distribution, optimize future exports. |

Example

./PAX_Purview_Audit_Log_Processor.ps1 `
  -StartDate 2026-01-01 `
  -EndDate 2026-01-02 `
  -IncludeTelemetry `
  -OutputPath "C:\Exports\"

Automation Support: -Force Parameter

| Area | Details |
|---|---|
| Purpose | Suppress interactive prompts for unattended/scheduled execution. |
| Behavior | Auto-accepts default choices for DSPM billing prompts, CopilotInteraction conflicts, and multi-output warnings. |
| Use case | CI/CD pipelines, scheduled tasks, and automation scenarios where no operator is present. |

Checkpoint & Resume: -Resume

PAX automatically saves progress during long-running operations for all authentication modes. This enables resumption after Ctrl+C, network failures, token expiry, or any interruption without losing completed work.

Enhanced Token Refresh

Token refresh behavior has been significantly improved:

| Auth Mode | Behavior |
|---|---|
| AppRegistration | ✅ Proactive refresh at ~45-50 minutes (before expiry) + reactive on 401 as backup. Fully automatic and silent. |
| WebLogin/DeviceCode | ✅ On 401 error, attempts silent refresh first (using SDK's cached refresh token). Only prompts user if silent refresh fails. |
| 403 Forbidden | ⚠️ Detected separately from 401 errors. Indicates a permissions issue—token refresh won't help. Script provides clear guidance to check AuditLog.Read.All consent and role assignments. |

When Checkpoints Are Created

| Authentication Mode | Checkpoint Created | Reason |
|---|---|---|
| WebLogin | ✅ Yes | Enables resume after any interruption |
| DeviceCode | ✅ Yes | Enables resume after any interruption |
| AppRegistration | ✅ Yes | Enables resume after any interruption |

Checkpoint Lifecycle

  1. Creation: Checkpoint file created at start of Graph API query execution
  2. Updates: Saved after each partition completes successfully
  3. Location: <OutputPath>\.pax_checkpoint_<timestamp>.json
  4. Deletion: Automatically removed on successful run completion
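
Because the checkpoint file is removed only on successful completion, its presence is a usable completion signal for scheduled runs. The wrapper below is an added example, not part of PAX; the helper name Get-PaxCheckpoint, the script location, the combination of switches, and the exit codes are assumptions.

```powershell
# Added example (not PAX code): pre/post checkpoint check around an unattended run.
$ScriptPath = './PAX_Purview_Audit_Log_Processor.ps1'   # assumed script location
$OutputPath = 'C:\Exports\'                             # same folder as the examples above

function Get-PaxCheckpoint {
    # Hypothetical helper: lists files matching the documented pattern
    # <OutputPath>\.pax_checkpoint_<timestamp>.json, oldest first.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    # -Force so the files are listed even if they carry the Hidden attribute.
    Get-ChildItem -LiteralPath $Path -Filter '.pax_checkpoint_*.json' -File -Force |
        Sort-Object LastWriteTime
}

# 1. Before the run: a leftover checkpoint means an earlier run never finished.
$before = @(Get-PaxCheckpoint -Path $OutputPath)
if ($before.Count -gt 0) {
    Write-Warning "Found $($before.Count) checkpoint file(s) from an unfinished run:"
    $before | ForEach-Object {
        Write-Warning "  $($_.Name) (last updated $($_.LastWriteTime))"
    }
    # Stop here so an operator decides whether to resume instead of starting over.
    exit 2
}

# 2. Unattended run: -Force suppresses the interactive prompts.
& $ScriptPath -StartDate 2026-01-01 -EndDate 2026-01-08 `
    -IncludeM365Usage -CombineOutput -IncludeTelemetry `
    -OutputPath $OutputPath -Force

# 3. After the run: any checkpoint still on disk marks this run as incomplete.
$after = @(Get-PaxCheckpoint -Path $OutputPath)
if ($after.Count -gt 0) {
    Write-Warning "Run incomplete; checkpoint retained: $($after[-1].FullName)"
    exit 1
}
Write-Output 'Run completed; no checkpoint files remain.'
exit 0
```

A scheduler can alert on exit code 1 or 2 without parsing the run log.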

Incremental Data Saves

To prevent data loss during authentication failures, PAX saves completed partition data immediately to disk:

Item Details
Location <OutputPath>\.pax_incremental\ (hidden folder)
Format JSON Lines (JSONL) files named `Part<c...