AzureFeeds

How ActorInfoString Elevates Security and Transparency 

We’re excited to introduce ActorInfoString, a significant new feature in the Exchange Online (EXO) audit schema that enhances the depth and accuracy of your audit logs. While ClientInfoString provides valuable client application information, the addition of ActorInfoString offers even more detail by capturing the True UserAgent, supporting greater clarity when tracking the origin of actions within your Exchange Online environment. 

ActorInfoString solves this by recording the exact user agent responsible for each audited event. This improvement means that, once enabled, audit logs will present an unambiguous record of which client, device, or application performed a given operation. Security analysts and compliance teams can more easily identify access patterns, trace suspicious activity, and meet regulatory requirements with confidence. 

Currently, ActorInfoString exists in production but is not yet enabled by default. This phased approach allows for careful testing and integration with your log management tools. Once live, you’ll see ActorInfoString alongside existing fields such as ClientInfoString, helping you distinguish between generalized client data and the actual source acting in your tenants. 

Key Benefits: 

• Clarity: Reveals the true user agent behind every action. 

• Better Security: Makes it easier to investigate incidents and threats. 

• Compliance: Strengthens audit trials for regulatory standards. 

• Future-Readiness: Prepares your monitoring for evolving audit needs. 

Example (simplified log entry): 

• Date: 2025-04-24T14:25:59Z 

• User: john.doe@yourdomain.com 

• Operation: MailItemAccessed 

• ClientInfoString: “Client=Rest;Client=RESTSystem;; 

• ActorInfoString: “Client=REST;Client=RESTSystem;Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) Powershell/5.1.22621.3958 Invoke-MgGraphRequest[AppId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx 

What to expect  

Customers can expect to see the effects of ActorInfoString in their audit logs by the end of May 2025. There’s no action required to prepare—this update introduces a single, non-disruptive field addition, like how DeviceId was incorporated previously. Existing audit schema fields, records, and integrations remain untouched, ensuring a seamless transition as you gain richer insights without any service impact or data loss. 

As we prepare to enable ActorInfoString for all customers, now is the ideal time to review your log collection and analysis tools to ensure a smooth transition. Stay tuned for official documentation and release notes, and get ready for a more transparent, secure, and insightful Exchange Online experience.