Microsoft Purview is updating audit log messages for role group membership changes to improve clarity. This affects the GrantPermission and DeletePermission operations. The rollout will occur in August 2025. Organizations using these logs programmatically should review and update their scripts accordingly. For more details, visit the provided link.
To improve clarity and transparency, we’re updating the audit log messages for Microsoft Purview role group membership changes. This affects events under the SecurityComplianceRBAC workload (RecordType 87), specifically for the GrantPermission and DeletePermission operations. While the audit schema remains unchanged, the PreExecutionMessage and PostExecutionMessage fields will be refined to more accurately reflect the nature of the changes captured in the logs.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in early August 2025 and expect to complete by mid-August 2025.
How this will affect your organization:
If your organization consumes these audit log events programmatically (e.g., via scripts or automation tools), the updated message content may affect how these logs are parsed or interpreted. No changes are required if you do not rely on these specific fields.
What you need to do to prepare:
Review any scripts, automation, or monitoring tools that parse the PreExecutionMessage or PostExecutionMessage fields for the affected operations. Update your logic as needed once the refined messages are available in your environment.
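One way to keep role group change monitoring working across the wording change is sketched below as an added example (not Microsoft's code): select events on the unchanged schema fields, and route any message text the existing parser no longer matches to review instead of dropping the event. Assumptions: records are already-decoded audit JSON with the two message fields at the top level, `LEGACY_PATTERN` is a hypothetical stand-in for your current regex, and the sample records and their message wording are constructed.

```python
import json
import re

AFFECTED_OPS = {"GrantPermission", "DeletePermission"}
MESSAGE_FIELDS = ("PreExecutionMessage", "PostExecutionMessage")
# Hypothetical pattern standing in for what an existing script matches today.
LEGACY_PATTERN = re.compile(r"^Members: (?P<members>.*)$")

# Constructed records; the message wording is invented for the demo and is
# not Microsoft's old or new text. Top-level field placement is assumed.
SAMPLE = json.loads("""[
 {"Id": "a1", "RecordType": 87, "Workload": "SecurityComplianceRBAC",
  "Operation": "GrantPermission", "UserId": "admin@example.test",
  "PreExecutionMessage": "Members: alice", "PostExecutionMessage": "Members: alice,bob"},
 {"Id": "a2", "RecordType": 87, "Workload": "SecurityComplianceRBAC",
  "Operation": "DeletePermission", "UserId": "admin@example.test",
  "PreExecutionMessage": "Role group members before change: alice,bob",
  "PostExecutionMessage": "Role group members after change: alice"},
 {"Id": "a3", "RecordType": 1, "Workload": "Exchange", "Operation": "Set-Mailbox",
  "UserId": "admin@example.test"}
]""")

def is_affected(rec):
    """Select on the stable schema fields, never on message text."""
    return (str(rec.get("RecordType")) == "87"
            and rec.get("Workload") == "SecurityComplianceRBAC"
            and rec.get("Operation") in AFFECTED_OPS)

def triage(records, pattern=LEGACY_PATTERN):
    """Split affected events into parsed ones and ones whose text drifted."""
    parsed, drifted = [], []
    for rec in filter(is_affected, records):
        matches = {f: pattern.match(rec.get(f) or "") for f in MESSAGE_FIELDS}
        base = {"Id": rec.get("Id"), "Operation": rec["Operation"], "UserId": rec.get("UserId")}
        if all(matches.values()):
            base.update({f: m.group("members").split(",") for f, m in matches.items()})
            parsed.append(base)
        else:
            # Keep the event and its raw text so the change is still alerted on.
            base.update({f: rec.get(f) for f in MESSAGE_FIELDS})
            base["unparsed_fields"] = [f for f, m in matches.items() if m is None]
            drifted.append(base)
    return parsed, drifted

if __name__ == "__main__":
    ok, drift = triage(SAMPLE)
    print(f"parsed={len(ok)} drifted={len(drift)}")
    for event in drift:
        print("REVIEW PARSER:", json.dumps(event))
```

A non-empty drifted list after the rollout reaches your tenant is the signal to update the pattern; the events themselves are still captured with their raw text.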
For more information about audit logging in Microsoft Purview, visit: Search the audit log.
Compliance considerations: