Skip to content

Releases: microsoft/PAX

purview-v1.11.14

Choose a tag to compare

@Rance9 Rance9 released this 06 Jul 15:54

v1.11.14

Version 1.11.14 is a reliability release that fixes two remote-output delivery defects. Both fixes restore intended behavior — there are no new switches, no output-schema changes, and no change to how any run is invoked; runs that do not use the affected remote-output paths behave exactly as in v1.11.13. The first fix ensures the Microsoft Agent 365 catalog CSV is actually delivered to a SharePoint or Microsoft Fabric / OneLake destination (previously it could be generated but not uploaded). The second ensures a custom-named per-stream output file is delivered to its own per-stream destination rather than the primary output location.

Microsoft Agent 365 Catalog CSV Delivered to Remote Destinations

On a remote-output run (SharePoint or Microsoft Fabric / OneLake) that included the Microsoft Agent 365 catalog, the catalog CSV could be generated but not uploaded to the destination, even though the other artifacts (audit CSV, Entra Users, run log) uploaded normally. The catalog CSV is now registered with the end-of-run upload step in every remote-output mode, so it is delivered in the same final upload as every other artifact; a genuine upload failure now also preserves the local copy for retry. There are no new switches and no change to how the Agent 365 export is run.

Custom-Named Per-Stream Output Delivered to Its Own Destination

On a remote-output run that sent a per-stream output (for example the Agent 365 catalog or the Entra Users file) to a per-stream destination using a custom file name, the file could be delivered to the primary output location rather than the per-stream destination that was specified. Each file is now identified by the stream that produced it, so a custom-named per-stream file is delivered to its own destination; files with standard names resolve to exactly the same destination as before.

Looking Ahead

PAX is working toward support for the AI Solutions Intelligence Dashboard (AISID), a future capability that will enrich the Purview and Entra dataset with Microsoft Defender signals about how AI solutions are used across the organization. It is not available in this version: selecting -Dashboard AISID exits immediately with a notice and does nothing, and the related -OutputPathDefenderUsage / -AppendDefenderUsage options have no effect. Full AISID functionality is planned for an upcoming release. No action is needed today.

purview-v1.11.13

Choose a tag to compare

@Rance9 Rance9 released this 06 Jul 09:42

v1.11.13

Version 1.11.13 is a reliability release that fixes two field-reported defects. Both fixes restore intended behavior — there are no new switches, no output-schema changes, and no change to how any run is invoked; runs that do not use the affected paths behave exactly as in v1.11.12. The first fix restores Microsoft Agent 365 catalog enrichment under app-only authentication, which could previously produce an Agent 365 export with no rows. The second restores cross-run -AppendFile reconciliation of the rolled-up interactions file when the remote append target is named with a custom (non-standard) filename.

Microsoft Agent 365 Catalog Enrichment Restored (App-Only Runs)

Under app-only authentication, the Agent 365 catalog enrichment step could fail for every catalog entry, producing an export with no rows even when the catalog listed hundreds of packages. Enrichment now completes normally so catalog rows are written, with a defensive fallback that logs a clear warning and continues with blank date-created / created-by values rather than dropping rows if enrichment data is ever unavailable. There are no new switches and no change to how the Agent 365 export is run.

Cross-Run Append Restored for Custom-Named Remote Rollup Targets (-AppendFile)

When appending a rolled-up interactions run (-Rollup with -AppendFile) to a target on SharePoint or Microsoft Fabric / OneLake whose filename did not follow the standard rolled-up naming, the run could add zero new rows and mark every existing row as departed — even though fresh interactions were retrieved. The run now always processes its own fresh export (never the downloaded copy of the target) regardless of the target's filename, so the append reconciles correctly: overlapping rows de-duplicate, new rows are added, and existing rows are preserved. A note is now logged when a rollup append target uses a non-standard name. The existing append data-safety protections are unchanged.

purview-v1.11.12

Choose a tag to compare

@Rance9 Rance9 released this 03 Jul 13:23

v1.11.12

Version 1.11.12 fixes a cross-run -AppendFile reconciliation problem in the rolled-up interactions file, adds a supporting identity column to the AI-in-One (AIO) rolled-up interactions file, and improves the reliability of the Microsoft Agent 365 catalog export. Runs that do not append rolled-up interactions and do not use Agent 365 behave as in v1.11.11, with one additive exception: the AIO rolled-up interactions file now carries one extra identity column (described below). A one-time re-baseline applies to interaction append files created before v1.11.12.

Fan-Out-Safe Cross-Run Append & One-Time Re-Baseline (-AppendFile)

A single interaction (message) can produce several rolled-up rows — one per distinct combination of the analytical grain (for example, per accessed resource). v1.11.11 reconciled an appended rollup on the message identity alone, which treated all of a message's rows as one and could drop the extra rows when a later run re-emitted only some of them. v1.11.12 reconciles on the full grain together with the message identity, so every row is matched independently: overlapping rows de-duplicate, new rows are added, and existing-only rows are preserved — an exact union with nothing dropped or double-counted. To protect your data, PAX does not silently merge onto an append file that predates this change or that lacks any column the new reconciliation needs (for example an older AIO file created before the new identity column existed). Instead it leaves the old file untouched, writes this run's output to a new timestamped file, and prints re-baseline guidance. The practical effect is a one-time re-baseline — generate a fresh file once with v1.11.12 and append onto that from then on — with no data lost in the transition.

Stable User Identity on the AI-in-One Rolled-Up Interactions File

The AIO rolled-up interactions file now carries a stable, normalized user-identity column (User_Id_Normalized), matching the equivalent column the AI Business Value (AIBV) rollup already provides. It is additive — every existing column is unchanged — and it anchors the cross-run reconciliation above on a stable identity rather than a per-run surrogate. When -Deidentify is used, this column is anonymized with the same irreversible, format-preserving token as every other identity in the output, so it never exposes a raw user identity.

Microsoft Agent 365 Catalog — Reliability

The Microsoft Agent 365 catalog export is more resilient to Microsoft Graph throttling: catalog reads now retry automatically on rate-limit (HTTP 429) and transient server responses, honoring the service's Retry-After timing when provided. An internal variable-naming issue in the package-details path that could interfere with per-package processing is also corrected. There are no new switches and no change to how you run the Agent 365 export.

purview-v1.11.11

Choose a tag to compare

@Rance9 Rance9 released this 02 Jul 10:25
  • Reliable cross-run append + one-time re-baseline (-AppendFile). Rollup append now reconciles on each interaction's stable message identity — overlaps de-duplicate, new records are added, existing-only records are preserved (exact union, nothing dropped or double-counted). Append files created before v1.11.11 are not silently merged: the old file is left untouched, this run's output is written to a new timestamped file, and PAX prints re-baseline guidance. Older append files need a one-time re-baseline; no data is lost.
  • Rolled-up Users dimension uploads in every append combination. The Users dimension now uploads exactly once in all four combinations of interactions-append and Users destination (-OutputPathUserInfo / -AppendUserInfo, appending or not), closing a gap that previously left it un-uploaded in one specific rollup + append combination.
  • Bring your own user directory (-UserInfoFile). Supply the user/organization directory from a CSV you provide (local, SharePoint, or Microsoft Fabric / OneLake) instead of pulling it live from Entra. It drives enrichment, org / manager hierarchy, the rolled-up Users dimension, de-identification, and upload end to end. Only UserPrincipalName is required; header names are alias-aware and case-insensitive. Mutually exclusive with -GroupNames. License handling is a per-user hybrid — provided values are used as-is and blanks are resolved online by UPN, so a run is fully offline only when every row supplies a license value (a single blank triggers a tenant license lookup requiring User.Read.All + Organization.Read.All).
  • Microsoft Agent 365 catalog — app-only authentication (opt-in / pre-GA). The catalog export now works with app-only auth — AppRegistration (certificate), AppRegistration (client secret), or ManagedIdentity — in addition to interactive sign-in, reusing the run's own mode with no new switch and no separate prompt. Requires the service principal's application permissions CopilotPackages.Read.All + Application.Read.All (admin-consented), uses the Microsoft Graph beta catalog endpoint, and still requires a Microsoft Agent 365 license. Delegated behavior is unchanged.
  • Local run files kept when an upload fails (remote-output runs). In SharePoint or Microsoft Fabric / OneLake runs, if one or more files fail to upload, PAX now keeps the local run files instead of deleting them — the same protection that already applied when a run is interrupted with Ctrl+C or ends unexpectedly — and shows a clear message that the files were preserved because an upload didn't complete, and where to find them. Upload retry behavior and size thresholds are unchanged; only what happens to the local copy afterward is affected.
  • Correct processor version shown in logs. The rollup processor version PAX reports in its own run log and rollup banner now reads v4.2.0, matching the processor that actually runs; earlier builds displayed a stale v4.1.0 label in those messages. This is a display-only correction with no change to processing behavior or output.

purview-v1.11.10

Choose a tag to compare

@Rance9 Rance9 released this 29 Jun 09:46

PAX Purview Audit Log Processor v1.11.10

Version 1.11.10 re-enables the Microsoft Agent 365 export switches (-IncludeAgent365Info, -OnlyAgent365Info, -OutputPathAgent365Info, -AppendAgent365Info), which were temporarily disabled in v1.11.2 while a Microsoft admin center issue was resolved. It also adds an optional startup version check, clearer Agent 365 messaging, and a fix that prevents an append from ever shrinking the target file. Runs that use none of the affected switches are unchanged from v1.11.9.

What's new in v1.11.10

  • Microsoft Agent 365 export re-enabled — produce an Agent 365 catalog (Agent365_<timestamp>.csv) alongside a normal run (-IncludeAgent365Info) or on its own (-OnlyAgent365Info), to Local / SharePoint / Fabric, with rollup, -Deidentify, append, and resume. Requires an interactive AI Administrator / Global Administrator sign-in and a Microsoft Agent 365 license; not supported with managed identity.
  • Startup version check (-SkipVersionCheck) — a brief, informational check reports whether a newer version is available (no prompts, no auto-update; ~5s timeout; includes the GitHub link). Add -SkipVersionCheck to disable.

Fixed

  • Append no longer risks replacing the target with only the current run's rows. The rollup append matched on a column the published file doesn't carry, which could drop the entire seed; it now matches on the correct column, and every append refuses to overwrite a non-empty target with a smaller/empty result — no data loss.

See the release notes and documentation for full details.

purview-v1.11.9

Choose a tag to compare

@Rance9 Rance9 released this 25 Jun 15:29

PAX Purview Audit Log Processor v1.11.9

Version 1.11.9 is a resume-only reliability release that fixes a regression in which several run settings were silently not restored when an interrupted run was continued with -Resume. The affected settings were read back from the checkpoint with a presence check that does not work against the checkpoint's in-memory form, so on resume they reverted to their defaults. Most visibly, a -Resumed -AppendFile run stopped appending and wrote separate new output files instead of merging into the existing target; the same root cause also dropped -Deidentify (a resumed anonymized run could write raw, identifiable data), -FillerLabel / -FillerLabelText, and the per-stream -AppendUserInfo / -AppendAgent365Info and -OutputPathUserInfo / -OutputPathAgent365Info / -OutputPathLog destinations. It adds no parameters, changes no switch semantics, and makes no output-schema changes; any run that does not use -Resume — and any run that uses none of the affected switches — is byte-identical to v1.11.8.

Fixed in v1.11.9

  • -Resume now restores append, deidentify, filler-label, and per-stream destination settings. On -Resume, PAX loads the checkpoint as an in-memory hashtable, but the v1.11.8 restore logic tested for each of the newer settings with a presence check that, against that hashtable form, enumerates the type's own members instead of the stored keys — so the check was always false and the value silently reverted to its default. Each affected check now uses the dictionary-correct key test, so a resumed run reproduces the original run's settings exactly: it union-merges into the existing append target on all tiers (Local, SharePoint, Fabric), re-applies anonymization (-Deidentify) and the hierarchy level-filler (-FillerLabel / -FillerLabelText), and routes each stream to its original -OutputPathUserInfo / -OutputPathAgent365Info / -OutputPathLog destination. The standard (non-streaming) export path used for small datasets is additionally redirected to the restored -AppendFile seed. The change is resume-only — fresh (non-resume) runs are byte-for-byte unchanged — and checkpoints written by older versions resume exactly as before.
  • Resume console/log reporting now matches what the resumed run actually does. The post-interruption parameter snapshot now reports the restored -Deidentify / -FillerLabel / -FillerLabelText state (it previously printed the pre-restore defaults even though both were applied to the output), and the graceful-exit "To resume later" hint now reflects the credential kind the original App Registration run used — a certificate thumbprint or PFX path rather than always -ClientSecret, and nothing beyond -Resume for interactive and managed-identity runs. Both are display-only corrections and change no output data.

See the release notes and documentation for full details.

purview-v1.11.8

Choose a tag to compare

@Rance9 Rance9 released this 24 Jun 11:51

PAX Purview Audit Log Processor v1.11.8

Version 1.11.8 is a major capability release built around a new -Deidentify switch — an opt-in, one-way anonymization mode that replaces every personally- and company-identifying value across PAX's outputs with deterministic, format-preserving tokens, so anonymized data can be shared for reporting without exposing identities. Because the rollup (Python) and raw (PowerShell) engines share one salt and algorithm, the same person always resolves to the same token across every raw and rolled-up file, and anonymization preserves all relationships — the manager / org hierarchy, the user-to-activity joins, and distinct-resource counts — so anonymized data still drives the same dashboards and produces the same aggregate numbers as the identified data. -Deidentify is OFF by default; when it is not supplied, every output is byte-identical to v1.11.7.

Version 1.11.8 also adds a built-in org / manager hierarchy to the AI-in-One (AIO) and AI Business Value (AIBV) rollups, derived automatically from the Entra data PAX already collects and emitted as ready-to-model columns on the Users output, accompanied by a new optional -FillerLabel switch.

What's new in v1.11.8

  • Anonymous-style reporting with the new -Deidentify switch. Identifying values — UPNs and email addresses, display names, Entra and mailbox GUIDs, SIDs, resource URLs, file and document names, proxy addresses, IP addresses, and session / token identifiers — are replaced with deterministic salted hashes (HMAC-SHA256) rendered as format-preserving tokens (a UPN stays UPN-shaped, a GUID stays GUID-shaped). The mapping is irreversible — no decode map is ever written. Organizational and analytical attributes (job title, department, division, cost centre, country, company, license status, agent and application names) are intentionally kept so anonymized data remains analytically useful.
  • Relationships and manager hierarchy preserved under deidentification. Because the hash is deterministic and normalization-stable, the same identity always maps to the same token everywhere it appears — including manager-link columns — so the org hierarchy, the fact-to-Users UserKey join, cross-run append history, and distinct-resource counts all stay correct. An anonymized dataset yields the same dashboard structure and the same aggregate totals as the identified one.
  • Full-fidelity raw audit data under deidentification. The nested AuditData / CopilotEventData JSON is anonymized in place rather than redacted: only the personal leaves (decided by each field's JSON key path, not by guessing from the value) are replaced with the same tokens used everywhere else. Timestamps are preserved exactly, IP addresses are tokenized to valid-shaped addresses, and any blob that cannot be parsed is fully redacted as a safety net.
  • Safe-by-default integration with resume, append, and existing switches. The setting is shown in the run's parameter snapshot (terminal, log, and checkpoint), persisted in the checkpoint and restored on -Resume so an interrupted anonymized run stays anonymized, and a guard hard-stops any append (-AppendFile / -AppendUserInfo) that would mix anonymized and identified data into one file or re-hash already-anonymized rows.
  • Built-in org / manager hierarchy for the AIO and AIBV rollups. The Users output now includes each person's level, top-to-them management chain, manager, and team-size measures (direct reports and the total number of people beneath them) — exactly what a Power BI model needs to roll metrics up by team, department, or management chain and to build leader and drill-down views. It is produced on every AIO/AIBV rollup with no extra switch and adds only new columns (all existing rollup, fact, raw audit, and EntraUsers columns are unchanged; the M365 Usage dashboard is unaffected), and it is fully compatible with -Deidentify and with incremental -AppendUserInfo runs. A new optional -FillerLabel switch controls how the hierarchy's unused deeper levels are displayed (left blank by default).

The attached script is the v1.11.8 release build. See the documentation in the repository for full configuration details.

purview-v1.11.7

Choose a tag to compare

@Rance9 Rance9 released this 19 Jun 11:01

PAX Purview Audit Log Processor v1.11.7

Version 1.11.7 is a single-change follow-up to the v1.11.6 SharePoint upload work. It raises the simple-upload size cap from 100 MB to 250 MB — Microsoft Graph''s documented maximum for a single-request upload — so larger rollup CSVs take the same one-request path that already works in locked-down libraries instead of crossing over to the resumable upload-session API at 100 MB. It adds no parameters, changes no switch semantics, and makes no output-schema changes; behavior changes only for files between 100 MB and 250 MB.

What''s new in v1.11.7

  • Larger SharePoint uploads use Graph''s simple-upload ceiling. The SharePoint simple-upload size cap is raised from 100 MB to 250 MB, the documented maximum for a single-request PUT .../content. Files at or below 250 MB now use the single-request path that already works for small and moderate artifacts in locked-down destination libraries, rather than crossing to the resumable upload-session API at 100 MB. On tenants whose document library or egress proxy rejects the upload-session API, this resolves uploads of rollup CSVs between 100 MB and 250 MB that previously failed with createUploadSession … 400 (Bad Request). Files above 250 MB still require the chunked upload-session path (there is no single-request option above that size), which the destination library and network must permit.

The attached script is the v1.11.7 release build. See the documentation in the repository for full configuration details.

purview-v1.11.6

Choose a tag to compare

@Rance9 Rance9 released this 16 Jun 11:07

PAX Purview Audit Log Processor v1.11.6

Version 1.11.6 is a targeted reliability release that resolves four independent customer-reported issues in the remote-output and authentication paths. It adds no parameters, changes no switch semantics, and makes no output-schema changes — each fix is scoped to the Microsoft Fabric / OneLake destination handling, certificate logon, or SharePoint upload plumbing. Existing commands are unchanged.

What's new in v1.11.6

  • Microsoft Fabric OneLake GUID URL support. A Fabric / OneLake destination may now be addressed by GUID — https://onelake.dfs.fabric.microsoft.com/<workspaceId>/<itemId> with no .Lakehouse suffix, the form the Fabric portal exposes in the item URL — in addition to the existing name form (<workspace>/<item>.Lakehouse). Previously a pasted GUID URL was rejected at the command-line destination gate. Both forms now work end-to-end across upload, Delta-write, download, and resume, and regional OneLake aliases are accepted for both.

  • Delta tables from a Lakehouse root destination. Pointing -OutputPath (or a per-data-type -OutputPath*) at a Lakehouse root URL — name- or GUID-addressed — now writes the customer-visible tables as Delta tables under Tables/, with operational artifacts (run log, metrics, checkpoint) under Files/, matching the documented behavior. Previously a bare root URL uploaded the CSVs as plain files under Files/. An explicit /Files/... destination — even one whose trailing segment looks like a GUID — is correctly left as a file upload, and the automatic Files/-upload fallback on a Delta-write failure is retained.

  • Certificate logon searches both certificate stores. App-registration certificate logon (-Auth AppRegistration with -ClientCertificateThumbprint) now searches both the CurrentUser\My and LocalMachine\My certificate stores, so a certificate installed machine-wide on a server is found even on a run that defaults to CurrentUser. The supplied thumbprint is normalized, the resolved certificate is pinned for the run and reused on token refresh, and a clearer error is emitted when only the public certificate — without an accessible private key — is installed. -ClientCertificateStoreLocation now selects the preferred (first-searched) store.

  • Reliable SharePoint upload of larger files. Larger output files now upload more reliably to SharePoint, and any upload failure now reports the underlying Microsoft Graph error reason instead of an opaque BadRequest. Files up to a conservative size cap use Graph's single-request simple upload (the same path that already works for small artifacts), so moderate rollup CSVs no longer depend on the resumable upload-session API that some locked-down libraries or egress proxies reject; genuinely large files continue to use the chunked upload-session path.


The attached script is the v1.11.6 release build. See the documentation in the repository for full configuration details.

purview-v1.11.5

Choose a tag to compare

@Rance9 Rance9 released this 12 Jun 11:21

PAX Purview Audit Log Processor v1.11.5

Version 1.11.5 adds support for the new AI Business Value (AIBV) Power BI dashboard and fixes a large-tenant reliability problem in the Entra user directory export. The headline change lets a single CopilotInteraction rollup run target either the existing AI-in-One (AIO) dashboard or the new AIBV dashboard from the same audit + Entra/MAC licensing data, selected by a new -Dashboard parameter. Existing rollup commands are unchanged — the default is AIO and produces byte-identical output to v1.11.4. Everything else is a reliability fix and its supporting tweaks; no existing switch is removed.

What's new in v1.11.5

  • AI Business Value (AIBV) dashboard support. PAX now produces rollup input for two Copilot Power BI dashboards from the same CopilotInteraction run: the existing AI-in-One (AIO) dashboard and the new AI Business Value (AIBV) dashboard. A new -Dashboard <AIO|AIBV|M365> parameter (default AIO) chooses the target. AIO and AIBV both run the embedded CopilotInteraction processor — upgraded from v3.1.0 to v4.0.0 — with the appropriate output profile, while M365 continues to route to the existing M365 Usage Bundle processor. The data PAX collects is identical for AIO and AIBV; only the shape of the rolled-up output differs, so no other switch or collection behavior changes. Smart defaulting keeps the command line minimal: omitting -Dashboard reproduces today's behavior exactly (AIO for a CopilotInteraction rollup, M365 when -IncludeM365Usage is present), -Dashboard M365 auto-enables -IncludeM365Usage, and supplying -Dashboard without a rollup switch auto-enables -Rollup. Cross-run append (-AppendFile / -AppendUserInfo) is supported for both the AIO and AIBV paths, and the selected dashboard is persisted in the checkpoint so a resumed AIBV run stays AIBV.

  • Reliable Entra user directory export on very large tenants. A failure that silently dropped the EntraUsers / MAC licensing file on tenants with very large directories (hundreds of thousands of users) is fixed. Previously the directory fetch aborted partway through with an internal paging-safety stop, the error was swallowed as a warning, and the run still printed === Enterprise Export Complete === while no EntraUsers file was written — making total data loss look like a clean success. The directory fetch now scales to large tenants, reports a failed or partial fetch loudly (in the end-of-run summary and via a new non-zero exit code), and still emits whatever was collected when a fetch stops early. Manager / org-hierarchy columns are unaffected.


The attached script is the v1.11.5 release build. See the documentation in the repository for full configuration details.