purview-v1.11.3

@Rance9 Rance9 released this 01 Jun 15:59

PAX Purview Audit Log Processor v1.11.3

Version 1.11.3 refreshes the -IncludeM365Usage rollup pipeline around the current Analytics-Hub M365 Usage Analytics dashboard, hardens resume and remote-destination reliability, and broadens managed-identity host support for cross-tenant App Registration runs. Existing v1.11.2 behavior is preserved for runs that do not use -IncludeM365Usage rollups, and no switch surface is added or removed.

What's new in v1.11.3

  • Refreshed M365 Usage bundle and rollup processor. The -IncludeM365Usage activity bundle is trimmed from ~100 operations to a curated 22-operation set (Exchange mail access, SharePoint/OneDrive file access, Teams chat/messaging, Teams meeting lifecycle, and Copilot/Connected-AI signals) matching what the Analytics-Hub M365 Usage Analytics dashboard consumes; removed operations remain available via -ActivityTypes. The embedded M365 Bundle Explosion processor is refreshed: the Rollup grows from 9 to 14 columns (ItemsAccessedCount plus AgentId, AgentName, ContextType, IsAgentInteraction), the UserStats sidecar widens from 27 to 66 columns (original 27 retained verbatim; 39 new per-app rolling-window raw counts and Copilot-Engaged-User ranks appended), and a new fourth output — the SessionStats sidecar — surfaces per-user/-date/-app-surface session, prompt, response, and agent-session counts derived from the underlying CopilotInteraction records. UserStats CECopilotPercentile columns are now derived from the SessionStats prompt-count signal, aligning with the AI in One report definition. -AppendFile additively merges the SessionStats sidecar across runs alongside the existing Rollup merge.

  • Intake-stage identity filtering and operation canonicalization. Both the M365 and Copilot (CopilotInteraction-only) rollup processors now drop non-human UserId rows at intake (application identities, service-principal GUIDs, compliance-bot signatures) so the Rollups and sidecars carry only human end-user activity. The M365 processor canonicalizes three workload-equivalent operation names in the Rollup (FileViewed → FileAccessed, MeetingParticipantJoined → MeetingParticipantDetail, ConnectedAIAppInteraction → AIAppInteraction) to avoid double-counting. The raw per-activity-type CSV is unchanged — filtering and canonicalization are local to the rollup and sidecars. The redundant DSPM-for-AI informational prompt is auto-suppressed on -IncludeM365Usage runs that do not explicitly request AIAppInteraction.

  • Resume, destination, and managed-identity hardening. Two -Resume data-loss conditions are fixed (a date-window off-by-one when resuming on hosts ahead of UTC, and a this-run partition shard that could be dropped from the streaming merge). The Fabric/OneLake destination path now accepts the lakehouse-root URL form and reliably creates nested upload folders. Purview query submission is made culture-invariant (resolving HTTP 500 failures from non-en-US hosts such as Danish and Finnish). SharePoint output no longer creates a duplicate percent-encoded folder when the destination name contains a space. The managed-identity host guard now also accepts -Auth AppRegistration with bound credentials, unblocking Azure-hosted runs that authenticate into a different tenant with explicit App Registration credentials.
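
The intake-stage identity filtering and operation canonicalization described in the second item above, sketched as an added PowerShell example; this is not code from PAX. The function names, the UPN-shape test for human accounts, and the sample rows are assumptions, and the sketch only maps names and counts rows without attempting any further de-duplication.

```powershell
# Added illustration, not PAX code. Sample rows and identity tests are constructed.
# Alias direction (left name mapped to right name) is assumed from the release note.
$CanonicalOperation = @{
    'FileViewed'                = 'FileAccessed'
    'MeetingParticipantJoined'  = 'MeetingParticipantDetail'
    'ConnectedAIAppInteraction' = 'AIAppInteraction'
}

function Test-HumanUserId {
    param([string]$UserId)
    if ([string]::IsNullOrWhiteSpace($UserId)) { return $false }
    $parsed = [guid]::Empty
    # A bare GUID in UserId is treated as a service principal.
    if ([guid]::TryParse($UserId, [ref]$parsed)) { return $false }
    # Assumption: human accounts are UPN-shaped (local@domain.tld).
    return $UserId -match '^[^@\s]+@[^@\s]+\.[^@\s]+$'
}

function Get-HumanRollup {
    param([object[]]$Records)
    $Records |
        Where-Object { Test-HumanUserId $_.UserId } |
        ForEach-Object {
            # Map workload-equivalent names onto one canonical name before grouping.
            $op = $_.Operation
            if ($CanonicalOperation.ContainsKey($op)) { $op = $CanonicalOperation[$op] }
            [pscustomobject]@{ UserId = $_.UserId.ToLowerInvariant(); Operation = $op }
        } |
        Group-Object -Property UserId, Operation |
        ForEach-Object {
            [pscustomobject]@{
                UserId    = $_.Group[0].UserId
                Operation = $_.Group[0].Operation
                Count     = $_.Count
            }
        }
}

# Constructed sample rows: two human users, one application identity, one bare GUID.
$sample = @(
    [pscustomobject]@{ UserId = 'alice@contoso.example'; Operation = 'FileViewed' }
    [pscustomobject]@{ UserId = 'bob@contoso.example';   Operation = 'FileAccessed' }
    [pscustomobject]@{ UserId = 'bob@contoso.example';   Operation = 'ConnectedAIAppInteraction' }
    [pscustomobject]@{ UserId = 'app@sharepoint';        Operation = 'FileAccessed' }
    [pscustomobject]@{ UserId = '00000000-0000-4000-8000-000000000001'; Operation = 'AIAppInteraction' }
)
Get-HumanRollup -Records $sample | Format-Table -AutoSize
```

Because the filter runs before grouping, the non-human rows never reach the rollup, while the input rows themselves are left untouched, matching the note that the raw per-activity-type CSV is unchanged.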


The attached script is the v1.11.3 release build. See the documentation in the repository for full configuration details.