Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

Your subscription must support it

When the document tracking site is enabled, by default, it shows information such as the email addresses of the people who attempted to access the protected documents, when these people tried to access them, and their location


Azure Information Protection Premium P1

Azure Information Protection Premium P2

Document tracking and revocation


Check the PowerShell module version you must have at least version
of the AADRM module for PowerShell

Install the module

Install-Module -Name AADRM press yes

Get all the module commands




Or update the module

Update-Module -Name AADRM


(Get-Module aadrm –ListAvailable).Version


First you need to connect to the azure


The check if the tracking is enabled


You can enable it by



For event log monitoring

The client logs user activity to the local Windows event log Applications and Services Logs
> Azure Information Protection. The events include the following information:


Client version, policy ID


IP addresses of the signed in user


File name and location




Set Label: Information ID 101


Set Label (lower): Information ID 101


Set Label (higher): Information ID 101


Remove label: Information ID 104


Recommended tip: Information 105


Apply custom protection: Information ID 201


Remove custom protection: Information ID 202


Sign in (operational): Information ID 902


Download policy (operational): Information ID 901


The event id: 102

I think this is the most important event


Item Name: wordpressv1intro.docx

Item Directory: path

Process Name: WINWORD Action: Set Label Protection

Before Action: Protected

Protection After Action: Unprotected

Owner Before Action:

Label Before Action: Internal Label ID Before Action: labelidnaylabel

Label After Action: Public Label ID After Action: labelidnaylabel

User Justification: teta

Labeled Before Action: Automatically Action Source: Manual

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at

Up ↑

%d bloggers like this: