Audit log

Every action, every approval, every version — captured against a named user, accessible in 30 seconds.

When a regulator, an auditor, or an internal inspector asks "who approved this document, in what role, against which version, on what date?" — the answer is either immediately available from the audit log or the product is failing at its job. docs365.ai takes the first position. Every document has an audit log attached to it, accessible directly from the document's context menu, tied to named Microsoft Entra identities, immutable by design, and comprehensive across every lifecycle event.

Stage 4 · Govern Business: Included Enterprise: Included Premium: Included Diamond: Included

✓

Illustration placeholder

At a glance

What you get

The audit log is the product's evidence engine. Four specific properties make it defensible under the regulatory frameworks that regulated customers actually face — not a feature list, but the qualities that turn the log into legitimate compliance evidence.

Every event captured

Creation, edit, approval, publication, archive, reminder, signature — no lifecycle event escapes the log.

Named-user attribution

Every entry names a specific Entra identity — no "system," no shared accounts, no unattributable activity.

Immutable append-only

Events cannot be edited or deleted by anyone, regardless of permission level — the log's integrity is structural.

Accessible from the document

Open the document, click the three-dot menu, select Audit. Filter by event type, user, date. No admin console required.

How it works

From event to audit evidence

Events are written to the log automatically, as a byproduct of normal lifecycle activity. Creation writes a creation event. Approval writes an approval event. Publication writes a publication event. The author never does anything to produce the evidence — the evidence is produced whether they want it or not.

Events fire automatically

Every significant action — creation, approval, publication, archive — writes an event to the log automatically.

Each entry names the actor

The event captures who (Entra identity), what (event type), when (timestamp), and the document state at that moment.

Log is append-only by design

No one — not admins, not users, not the product owner — can edit or delete entries. The log is structurally immutable.

Retrieval takes seconds

During an audit: open the document, click the menu, view the log. Filter, export, done. No reports to run.

Before / after

What changes when this is on

The failure modes that make document-control audits painful — missing evidence, shared-account attribution, editable logs, archaeology instead of retrieval — are all prevented by the audit log's design. Each before/after pair below is a pattern real customers described before they moved off their prior system.

Without it

With intranet.ai

✗ Audit asks about a document's approval history; answer takes a week of email archaeology

✓ Audit asks; the Quality Manager opens the log, filters by event type, answers in 30 seconds

✗ Activity attributed to "system," "admin," or a shared service account — not defensible under Part 11

✓ Every event attributed to a named Entra identity; attribution is structurally guaranteed

✗ Log is in a separate admin console that most users can't access

✓ Log is on the document's context menu; anyone with document access can view it

✗ Historical entries can be edited or deleted — the log's integrity depends on people behaving

✓ Log is append-only; integrity depends on architecture, not trust

Availability

Plan availability

The complete audit log is included on every DMS plan — it's the baseline evidence layer, not a premium add-on. **Enterprise** and above layer Power BI reporting on top for aggregate analytics; the underlying per-document audit is the same across all plans.

business

enterprise

premium

diamond

✓ Included

The complete audit log is the evidence baseline on every DMS plan. Enterprise and above add the Power BI reporting layer for aggregate analytics across the log.

Keep exploring

Related features

The audit log depends on versioning (which events refer to versions) and feeds Power BI reporting (which aggregates across documents). These three features together form the governance evidence layer.

Stage 4 · Govern

Versioning

Minor versions while drafting, major versions at publication — every state preserved, every version recoverable.

Stage 2 · Approve

Sequential approval

Named approvers, in defined order, with role-based routing — every step logged, every version tied to the approvals that produced it.

Stage 4 · Govern

Power BI reporting

The aggregate view — approvals, expirations, review cadence, and governance discipline in one dashboard.

Deep dive

Read the full narrative

For the buyer who wants the full detail — compliance context, edge cases, adjacent workflows.

Every action, every approval, every version — captured for audit, accessible on demand.

When a regulator, an auditor, or an internal inspector asks “who approved this document, in what role, against which version, on what date?” — the answer is either immediately available from the audit log or the product is failing at its job. docs365.ai takes the first position. Every document has an audit log attached to it, and the log is accessible directly from the document’s context menu.

What’s captured

For every document, the audit log records every significant event:

Creation — when the document was first instantiated, by whom, from which template.
Edit events — who made changes, when, to what. Co-authoring activity, @mentions, resolved comment threads.
Approval events — who approved or rejected, in which role, against which version, with what comments. Each step of a sequential approval flow is a separate event.
Publication events — when the document moved from the editing area to the public area, and the approved version number at that moment.
Archive events — when a document was retired, by whom, superseded by which new version.
Reminder events — when expiration emails were sent, to whom, and the document’s state at that moment.
Signature events (when DocuSign is used) — who signed, under what authentication, with what cryptographic binding.

Each event is tied to a named Microsoft Entra (Azure AD) identity — no “system” or “automated” actor substituting for a real person.

Accessible directly from the document

There’s no separate admin console, no report to run, no query to write. A user with permission opens the document in the library, clicks the three-dot menu, and selects Audit. The log renders. Filter by event type, by user, by date range. Export if needed.

This accessibility matters in practice. During a surveillance audit, the auditor asks about a specific document and the Quality Manager produces the log in thirty seconds — not after a week of archaeology.

What the log is used for

ISO 9001 surveillance. Clause 8.5 (Control of Documented Information) requires evidence that the document-control process has been followed. The audit log is that evidence.

21 CFR Part 11 (for pharma customers). Part 11 requires a “secure, computer-generated, time-stamped audit trail” that records operator entries and actions that create, modify, or delete electronic records. Our audit log provides the capability customers use in their Part 11 compliance program — with validation posture remaining with the customer’s QA team.

HIPAA audit controls (for healthcare). §164.312(b) requires mechanisms that record and examine activity in systems that contain PHI. For the document-management portion of that requirement, the audit log produces the evidence.

GDPR Article 5(2) accountability. Controllers must be able to demonstrate compliance. The audit log produces the demonstration, for the documented-information portion.

SOX Section 404 testing. External auditors reviewing internal-controls documentation use the audit log as evidence that documented controls operated as designed.

Internal audit and management review. Beyond regulatory contexts, the log is the dataset for any management question about document discipline — “how long are our approvals taking?”, “which documents are being modified most often?”, “are we getting the approval evidence we need?”

Immutable-by-design

The log is append-only. Events cannot be edited or deleted by users, regardless of their permission level. The integrity of the log is the integrity of the audit evidence.

Ties to named users, not generic accounts

Every event names a specific Entra (Azure AD) identity — not “admin,” not “system,” not a shared account. For regulatory contexts that require attribution to individuals (21 CFR Part 11, HIPAA, many audit frameworks), this is a prerequisite. Customers who operate with shared accounts for some workflows should be aware: shared-account activity weakens the audit-log’s attribution value.

Power BI reporting on the log

On Enterprise plans and above, a Power BI dashboard visualizes the audit log at aggregate scale — approvals per week, average approval time by document type, rejections as a share of approvals, activity trends. Useful for management reporting and for spotting drift before it becomes a finding.

Sequential approval — every approval event is written to the audit log.
Versioning — the version each event applied to is captured.
Power BI reporting — the aggregate view of audit-log data.
ISO 9001 compliance page — how the audit log supports clause 8.5.

Lifecycle stage: Govern →

Deep dive · Pillar guide

The active document lifecycle on SharePoint Online

Why passive document management fails — and what an explicit four-stage lifecycle looks like in practice inside a Microsoft 365 tenant.

22 min read · 5,200 words

Read the full guide

See this feature running on your documents

Thirty minutes. No cost. No obligation. We'll walk through how audit log fits into your current document-governance practice.

Book a free assessment or see all features