Microsoft Exchange Online is quietly stepping up its audit game—and for good reason. As threats grow more sophisticated and compliance requirements more demanding, clarity in audit logs is no longer a luxury. It’s a necessity.
Later this month, Microsoft will begin rolling out a new field—ActorInfoString—to Exchange Online audit logs. While it may sound like just another addition to the schema, this field addresses a long-standing gap in visibility and accuracy around user agents.
Let’s unpack what this means and how you can prepare to get the most value from it.
What is ActorInfoString?
ActorInfoString is a new audit log field designed to capture the true source of an action in Exchange Online. Whether it’s a device, application, client, or automated process—this field tells you exactly what initiated a logged event.
Think of it as a truth serum for audit trails.
While existing fields like ClientInfoString provide helpful context, they often blur when dealing with intermediary services or app identities. ActorInfoString sharpens the picture—giving security and compliance teams a clearer, more accurate lens into the environment.
Advantages of ActorInfoString
- Improved Incident Clarity: Security teams often struggle with vague or generalized client data. ActorInfoString closes that gap by surfacing the actual actor behind each action, aiding in forensic investigations.
- Faster Threat Detection: By accurately identifying the origin of a suspicious activity—whether it’s a rogue script, a misconfigured app, or an unfamiliar endpoint—you can respond faster and more decisively.
- Audit Readiness: For regulated industries, audit logs need to reflect not just what happened, but who or what did it. This field enhances your ability to meet compliance standards without retroactive guesswork.
- Seamless Integration: No schema-breaking changes. No migration headaches. ActorInfoString integrates smoothly into the existing audit pipeline. Your current log ingestion, retention, and visualization tools will continue to function as before.
How to Find the ActorInfoString in Exchange Online Audit Logs?
To find the ActorInfoString in Exchange Online:
- Visit the Microsoft Purview compliance portal: https://compliance.microsoft.com
- Go to Audit > Audit Search
- Apply filters to focus on Exchange Online activities.
- Specify parameters such as date ranges, users, or specific operations.
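Once search results are exported, the field can be triaged in bulk. The following is an added example, not Microsoft's code: it assumes ActorInfoString appears as a top-level property of each record's AuditData JSON next to ClientInfoString, and the sample records, `KNOWN_ACTORS`, `actor_of` and `triage` are constructed for illustration.

```python
import json
from collections import Counter

# Constructed AuditData payloads (not real tenant data). Assumption: the new
# field sits at the top level of the record, next to ClientInfoString.
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
                "ClientInfoString": "Client=REST;;",
                "ActorInfoString": "Client=REST;Outlook-Mobile-Sample/1.0"}),
    json.dumps({"Operation": "Send", "UserId": "alice@example.com",
                "ClientInfoString": "Client=REST;;",
                "ActorInfoString": "Client=REST;sample-sync-script/0.1"}),
    json.dumps({"Operation": "HardDelete", "UserId": "bob@example.com",
                "ClientInfoString": "Client=OWA;Action=ViaProxy"}),  # no new field
    "{not valid json",  # truncated export row
]

# Hypothetical allow-list of actor strings already reviewed for this tenant.
KNOWN_ACTORS = {"Client=REST;Outlook-Mobile-Sample/1.0"}

def actor_of(record):
    """Return (value, source_field); fall back while the rollout is incomplete."""
    actor = (record.get("ActorInfoString") or "").strip()
    if actor:
        return actor, "ActorInfoString"
    return (record.get("ClientInfoString") or "").strip(), "ClientInfoString"

def triage(raw_rows, known_actors):
    """Count events per actor and list events whose actor is not in the baseline."""
    counts, unknown, fallback, bad = Counter(), [], 0, 0
    for raw in raw_rows:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            bad += 1          # keep a count so dropped rows stay visible
            continue
        actor, source = actor_of(record)
        counts[actor] += 1
        if source != "ActorInfoString":
            fallback += 1     # record predates the field or it was not populated
        elif actor not in known_actors:
            unknown.append((record.get("UserId"), record.get("Operation"), actor))
    return {"counts": counts, "unknown": unknown,
            "fallback": fallback, "unparsed": bad}

if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT_DATA, KNOWN_ACTORS))
```

Records counted under `fallback` still carry only ClientInfoString, so treat their actor value as less precise until the rollout reaches your tenant.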
Audit logs are only as powerful as the insight they offer. With ActorInfoString, Microsoft Exchange Online takes a meaningful step toward more transparent, accurate, and actionable audit data.
If you’re managing cloud security, regulatory audits, or proactive threat detection—this small change could have a big impact on your day-to-day.