KPI reference for the Content Pack for Microsoft 365

The following tables list the KPIs used to monitor the health of your servers in the Content Pack for Microsoft 365. All parent and child services report up to the overall M365 service at the highest level. All KPIs in this content pack have a 15-minute schedule and 15-minute lookback time.

M365_App Availability

This service contains the KPIs for the availability of Microsoft 365 Applications.


KPI	Description
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	This status displays when an issue affects the ability for users to access the service. The issue is significant and can be consistently reproduced.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_AzureActiveDirectory

This service contains services and KPIs for Azure Entra ID (formerly Azure Active Directory).

M365_AzureAD_Availability

This service contains KPIs for the availability of Azure Active Directory.


KPI	Description
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_AzureAD_Performance

This service includes services and KPIs for the performance of application, directory, group, login, role and user activity in Azure Active Directory.


Service	KPI	Description
M365_AzureAD_Application Administration Activities	Added credentials to a service principal	Credentials were added to a service principal in Azure Entra ID (formerly Azure AD). A service principle represents an application in the directory.
	Added delegation entry	An authentication permission was created/granted to an application in Azure Entra ID.
	Added service principal	An application was registered in Azure Entra ID. An application is represented by a service principal in the directory.
	Removed a service principal from the directory	An application was deleted/unregistered from Azure Entra ID. An application is represented by a service principal in the directory.
	Removed credentials from a service principal	Credentials were removed from a service principal in Azure Entra ID. A service principle represents an application in the directory.
	Removed delegation entry	An authentication permission was removed from an application in Azure Entra ID.
	Set delegation entry	An authentication permission was updated for an application in Azure Entra ID.
M365_AzureAD_Directory Administration Activities	Added a partner to the directory	Added a partner (delegated administrator) to your organization.
	Added domain to company	Added a domain to your organization.
	Removed a partner from the directory	Removed a partner (delegated administrator) from your organization.
	Removed domain from company	Removed a domain from your organization.
	Set company information	Updated the company information for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about Microsoft 365 services.
	Set domain authentication	Changed the domain authentication setting for your organization.
	Set password policy	Changed the length and character constraints for user passwords in your organization.
	Turned on Azure AD sync	Set the property that enables a directory for Azure AD Sync.
	Updated domain	Updated the settings of a domain in your organization.
	Updated the federation settings for a domain	Changed the federation (external sharing) settings for your organization.
	Verified domain	Verified that your organization is the owner of a domain.
	Verified email verified domain	Used email verification to verify that your organization is the owner of a domain.
M365_AzureAD_Group Administration Activities	Added group	A group was created.
	Added member to group	A member was added to a group.
	Deleted group	A group was deleted.
	Removed member from group	A member was removed from a group.
	Updated group	A property of a group was changed.
M365_AzureAD_Login Activity	Authentication Methods	Authentications methods used to login
	Distinct User Sign-ins	Count of distinct user logins.
	Logins by Region	Logins by Country.
	Logon Errors	Errors occurred when user attempted to login.
	Operation-UserLoggedIn	Shows count of successfully logged in users by IP address.
	Operation-UserLoginFailed	Shows count of users who failed to log in users by IP address.
	Risky Login Event Types	Risk detection types associated with the sign-in.
	Successful Logins from External Users	Successful logins from users outside organization.
	User Agents	User agents of users when logging in.
	User Types	Type of user.
M365_AzureAD_Role Administration Activities	Add member to Role	Added a user to an admin role in Microsoft 365.
	Removed a user from a directory role	Removed a user from an admin role in Microsoft 365.
	Set company contact information	Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.
M365_AzureAD_User Administration Activities	Added user	A user account was created.
	Changed user license	The license assigned to a user changed.
	Changed user password	A user changes their password.
	Deleted user	A user account was deleted.
	Reset user password	Administrator resets the password for a user.
	Set license properties	Administrator modifies the properties of a licensed assigned to a user.
	Set property that forces user to change password	Administrator set the property that forces a user to change their password the next time the user signs in to Office 365.
	Updated user	Administrator changes one or more properties of a user account.

M365_Exchange

This service contains services and KPIs for Microsoft 365 Exchange.


KPI	Description
M365_Exchange Online	Microsoft Exchange status.

M365_Exchange_Availability

This service contains KPIs for the availability of Microsoft 365 Exchange.


KPI	Description
_Advisory	KPI showing Advisory information related to O365 Exchange.
_Incident	KPI showing Incident related to O365 Exchange.
_Plan for Change	Informs users of changes to Microsoft 365 that may require them to avoid disruptions in Exchange service.
_Prevent or Fix Issues	Informs users of known issues affecting the organization, and may require them to take action to avoid disruptions in Exchange service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed	Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 Exchange Roadmap.
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Exchange_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Exchange.


KPI	Description
GT_Exchange_ActiveMailboxes	Count of currently active mailboxes.
GT_Exchange_MailboxLogins	Count of mailbox logins by users.
GT_Exchange_MailboxStorageUsage	Total Mailbox storage used (GB).
GT_Exchange_ReceivedEmailCount	Count of total emails received.
GT_Exchange_TotalMailboxes	Count of mailboxes.
GT_Exchange_TotalUniqueUsers	Total unique users for Exchange.

M365_Exchange_Performance

This service contains KPIs for the performance of Microsoft 365 Exchange.


KPI	Description
Archive Quota	KPI shows the Exchange Archive Quota, subscribers are often limited to 50GB
Archive Warning Quota	KPI shows the Exchange Archive Warning Quota, as you are approaching the limited archive space
Issue Warning Quota	This is the maximum storage limit before a warning is issued to the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning message to the user.
Operations	KPI which aggregates several critical indicators of performance.
Prohibit Send Quota	If the mailbox size reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and displays a descriptive error message.
Prohibit Send Receive Quota	If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and won't deliver any new messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a descriptive error message.
Public Folder Hierarchy Mailbox Count Quota	Count of total public folders in the hierarchy of the mailbox.
Recoverable Items Quota	This is the storage quota for the Recoverable Items folder, not the quota for the entire archive mailbox.
Recoverable Items Warning	For mailboxes that aren't placed on In-Place Hold or Litigation Hold, the Managed Folder Assistant automatically purges items from the Recoverable Items folder when the deleted item retention period expires. If the folder reaches the Recoverable Items warning quota, the assistant automatically purges items in first-in-first-out order.

M365_OneDrive

This service contains services and KPIs for Microsoft OneDrive.

M365_OneDrive_Availability

This service contains KPIs for the availability of Microsoft OneDrive.


KPI	Description
_Advisory	KPI showing Advisory information related to O365 OneDrive.
_Incident	KPI showing Incidents related to O365 OneDrive.
_Plan for Change	Informs users of changes to Microsoft 365 that may require them to avoid disruptions in OneDrive service.
_Prevent or Fix Issues	Informs users of known issues affecting the organization and may require them to take action to avoid disruptions in OneDrive service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed	Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 OneDrive Roadmap.
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state..
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_OneDrive_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft OneDrive.


KPI	Description
GT_OneDrive_ActiveFiles	Total active files from the OneDrive for the last 7 day reporting period.
GT_OneDrive_StorageAllocated	The total storage allocated for OneDrive sites.
GT_OneDrive_StorageUsed	The total storage used for OneDrive sites.
GT_OneDrive_TotalFiles	The latest reported total file count for OneDrive sites.
GT_OneDrive_TotalUniqueUsers	Total unique users for OneDrive.
GT_OneDrive_UsagePercent	Percent of storage usage from the total of storage allocated.

M365_OneDrive_Performance

This service contains KPIs for the performance of Microsoft OneDrive.


KPI	Description
Operations	KPI which aggregates several critical indicators of performance.

M365_PowerBI

This service contains services and KPIs for Microsoft PowerBI.

M365_PowerBI_Availability

This service contains KPIs for the availability of Microsoft PowerBI.


KPI	Description
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_PowerBI_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft PowerBI.


KPI	Description
GT_PowerBI_TotalDashboards	Total number of dashboards in PowerBI.
GT_PowerBI_TotalDatasets	Total of datasets in PowerBI
GT_PowerBI_TotalReports	Total of reports in PowerBI.
GT_PowerBI_TotalUniqueUsers	Total unique users for PowerBI.
GT_PowerBI_TotalWorkspaces	Total number of workspaces in PowerBI.

M365_PowerBI_Performance

This service contains KPIs for the performance of Microsoft PowerBI.


KPI	Description
All Activities	All user activities in PowerBI.
Created PowerBI dashboard	A user created a PowerBI dashboard.
Created PowerBI dataflow	A user created a PowerBI dataflow.
Created PowerBI dataset	A user created a PowerBI dataset.
Created PowerBI report	A user created a PowerBI report.
Deleted PowerBI comment	A user deleted a PowerBI comment.
Deleted PowerBI dashboard	A user deleted a PowerBI dashboard.
Deleted PowerBI dataset	A user deleted a PowerBI dataset.
Deleted PowerBI report	A user deleted a PowerBI report.
Downloaded PowerBI report	A user downloaded a PowerBI report.
Edited PowerBI dataset	A user edited a PowerBI dataset.
Edited PowerBI report	A user edited a PowerBI report.
Exported PowerBI dataflow	A user exported PowerBI report visual data.
Exported PowerBI report visual data	A user exported PowerBI report visual data.
Exported PowerBI tile data	A user exported PowerBI tile data.
Imported file to PowerBI	A user imported a file to PowerBI.
Installed PowerBI app	A user installed the PowerBI app.
Posted PowerBI comment	A user posted PowerBI comment.
Printed PowerBI dashboard	A user printed a PowerBI dashboard.
Printed PowerBI report page	A user printed a PowerBI report page.
Published PowerBI report to web	A user printed a PowerBI report to the web.
Requested PowerBI dataset refresh	A user requested a PowerBI dataset refresh.
Set dataflow storage location for a workspace	A user set a dataflow storage location for a workspace.
Set scheduled refresh on Power BI dataflow	A user set a scheduled refresh on a Power BI dataflow.
Set scheduled refresh on Power BI dataset	A user set a scheduled refresh on a Power BI dataset.
Shared Power BI dashboard	A user shared aPower BI dashboard.
Shared Power BI report	A user shared a Power BI report.
Updated Power BI app	A user updated a Power BI app.
Viewed Power BI dashboard	A user viewed a Power BI dashboard.
Viewed Power BI dataflow	A user viewed aPower BI dataflow.
Viewed Power BI report	A user viewed a Power BI report.

M365_Security

This service contains triggered security alerts from Security & Compliance Center and Cloud App Security.

M365_Cloud App Security

This service contains triggered security alerts from built-in policies in Cloud App Security.


Service	KPI	Description
M365_Cloud Discovery	Cloud Discovery anomaly detection	This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses and services.
M365_Cloud Discovery	Any popular app	Alert on newly discovered apps that are used by more than 1 users.
M365_Threat Detection	Activity from anonymous IP addresses	This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address, and may be used for malicious intent.
	Activity from infrequent country	This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization. Detecting anomalous locations necessitates an initial learning period of 7 days, during which it does not alert on any new locations.
	Activity from suspicious IP addresses	This policy profiles your environment and triggers alerts when activity is detected from an IP address that has been identified as risky by Microsoft Threat Intelligence. These IP are involved in malicious activities, such as botnets C&C, and may indicate a compromised account.
	Activity performed by terminated user	This policy profiles your environment and alerts when a terminated user performs an activity in a sanctioned corporate application.
	Data exfiltration to unsanctioned apps	This policy is automatically enabled to alert you when a user or IP address is using an app that is not sanctioned to perform an activity that might be an attempt to exfilitrate information from your organization.
	Impossible travel	This policy profiles your environment and triggers alerts when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials.
	Leaked credentials	When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market.
	Malicious OAuth app consent	This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized.
	Malware detection	This detection scans files in your cloud apps and runs suspicious files through Microsoft's threat intelligence engine to determine whether they are associated with known malware.
	Misleading OAuth app name	This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading name is detected. Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app.
	Misleading publisher name for an OAuth app	This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading publisher name is detected.
	Multiple delete VM activities	This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Multiple failed login attempts	This policy profiles your environment and triggers alerts when users perform multiple failed login activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Multiple storage deletion activities	This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Multiple VM creation activities	This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Preview: Investigation Priority Score Increased	Identify malicious insider or compromised user by identifying entities which deviates from their profile baseline.
	Preview: Multiple Power BI report sharing activities	This policy profiles your environment and triggers alerts when users perform multiple share report in Power BI activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Preview: Suspicious change of CloudTrail logging service	This policy profiles your environment and triggers alerts when a user performs suspicious changes to the CloudTrail logging service in a single session, which could indicate an attempted breach.
	Preview: Suspicious Power BI report sharing	This policy profiles your environment and triggers alerts when a user shared a Power BI report that may include sensitive information and may indicate a compromised account. The report was either shared with an external email address, published to the web, a snapshot was delivered to an externally subscribed email address.
	Ransomware activity	This policy profiles your environment and triggers alerts when an activity pattern is detected that is typical of a ransomware attack.
	Risky sign-in	Azure Active Directory (Azure AD) detects suspicious actions that are related to your user accounts.
	Suspicious email deletion activity (by user)	This policy profiles your environment and triggers alerts when a user performs suspicious email deletion activities in a single session, which could indicate an attempted breach.
	Suspicious inbox forwarding	This policy profiles your environment and triggers alerts when suspicious inbox forwarding rules are set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to exfiltrate information from your organization.
	Suspicious inbox manipulation rule	A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization.
	Suspicious OAuth app file download activities	This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user.
	Unusual addition of credentials to an OAuth app	This detection policy profiles your environment and triggers alerts when users perform unusual addition of credentials to an OAuth app activities, which could indicate an attempted breach.
	Unusual administrative activity (by user)	This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Unusual file deletion activity (by user)	This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Unusual file download (by user)	This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Unusual file share activity (by user)	This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach.
	Unusual impersonated activity (by user)	This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the baseline learned, which could indicate an attempted breach.

M365_Security and Compliance Alerts

This service contains triggered security alerts from Security & Compliance Center.


Service	KPI	Description
M365_Information governance	Unusual external user file activity	Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization.
	Unusual volume of external file sharing	Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization.
	Unusual volume of file deletion	Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame.
M365_Mail flow	Messages have been delayed	Generates an alert when Microsoft can't deliver email messages to your on-premises organization or a partner server by using a connector.
M365_Permissions	Elevation of Exchange admin privilege	Generates an alert when someone is assigned administrative permissions in your Exchange Online organization.
M365_Threat management	A potentially malicious URL click was detected	Generates an alert when a user protected by Safe Links in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy).
	Admin Submission Result Completed	Generates an alert when an Admin Submission completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission.
	Admin triggered manual investigation of email	Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer.
	Creation of forwarding/redirect rule	Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account.
	eDiscovery search started or exported	Generates an alert when someone uses the Content search tool in the Security and compliance center.
	Email messages containing malicious file removed after delivery	Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization.
	Email messages containing malicious URL removed after delivery	Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization.
	Email messages containing malware removed after delivery	Generates an alert when any messages containing malware are delivered to mailboxes in your organization.
	Email messages containing phish URLs removed after delivery	Generates an alert when any messages containing phish are delivered to mailboxes in your organization.
	Email reported by user as malware or phish	Generates an alert when users in your organization report messages as phishing email using the Report Message add-in.
	Email sending limit exceeded	Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy.
	Failed exact data match upload	Generates an alert when new sensitive information failed to upload.
	Form blocked due to potential phishing attempt	Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.
	Form flagged and confirmed as phishing	Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft.
	Malware campaign detected after delivery	Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization.
	Malware campaign detected and blocked	Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization.
	Malware campaign detected in SharePoint and OneDrive	Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.
	Malware not zapped because ZAP is disabled	Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.
	MIP AutoLabel simulation completed	Generates an alert when AutoLabel policy simulation has been completed.
	Phish delivered because a user's Junk Mail Folder is disabled	Generates an alert when Microsoft detects a user's Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox.
	Phish delivered due to an ETR override	Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox.
	Phish delivered due to an IP allow policy	Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox.
	Phish not zapped because ZAP is disabled	Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.
	Remediation action taken by admin on emails or URLs or sender	Generates an alert when an admin takes remediation action on the selected entity.
	Successful exact data match upload	Generates an alert when new sensitive information is uploaded and is ready to be protected.
	Suspicious Email Forwarding Activity	Generates an alert when someone in your organization has autoforwarded email to a suspicious external account.
	Suspicious email sending patterns detected	Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email.
	Tenant restricted from sending email	Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.
	Tenant restricted from sending unprovisioned email	Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.
	Unusual increase in email reported as phish	Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail.
	User restricted from sending email	Generates an alert when someone in your organization is restricted from sending outbound mail.
	User restricted from sharing forms and collecting responses	Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.

M365_SharePoint_Online

This service contains services and KPIs for Microsoft SharePoint Online.

M365_SharePoint_Online_Availability

This service contains KPIs for the availability of Microsoft SharePoint Online.


KPI	Description
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_SharePoint_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft SharePoint Online.


Service	KPI	Description
GT_SharePoint_ActiveFiles	Total active files from the SharePoint site for the last 7 day reporting period.
GT_SharePoint_StorageAllocation	The total storage allocated for share point sites.
GT_SharePoint_StorageUsed	The total storage used for share point sites.
GT_SharePoint_TotalFiles	The latest reported total file count for share point sites.
GT_SharePoint_TotalUniqueUsers	Total unique users for SharePoint.
GT_SharePoint_UsagePercent	Percent of storage usage from the total of storage allocated.

M365_SharePoint_Online_Performance

This service contains KPIs for the performance of Microsoft SharePoint Online.


Service	KPI	Description
M365_SharePoint_Online_File and Page Activities	Accessed file	User or system accessed a file.
	Changed record status to locked	The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
	Changed record status to unlocked	The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.
	Changed retention label for a file	A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message.
	Checked in file	User checked in a document that they checked out from a document library.
	Checked out file	User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them
	Copied file	User copied a document from a site. The copied file can be saved to another folder on the site.
	Deleted file	User deletes a document from a site.
	Deleted file from recycle bin	User deleted a file from the recycle bin of a site.
	Deleted file from second-stage recycle bin	User deleted a file from the second-stage recycle bin of a site.
	Deleted file marked as a record	A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.
	Deleted document sensitivity mismatch	User uploaded a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site.
	Detected malware in file	SharePoint anti-virus engine detected malware in a file.
	Discarded file checkout	User discarded (or undid) a checked out file. That means any changes they made to the file when it was checked out are discarded and not saved to the version of the document in the document library.
	Downloaded file	User downloaded a document from a site.
	Modified file	User or system account modified the content or the properties of a document on a site.
	Moved file	User moved a document from its current location on a site to a new location.
	Page View Count	Number of page views.
	Performed search query	User or system account performed a search in SharePoint.
	Recycled all minor versions of file	User deleted all minor versions from the version history of a file.
	Recycled all versions of file	User deleted all versions from the version history of a file.
	Recycled version of file	User deleted a version from the version history of a file.
	Renamed file	User renamed a document on a site.
	Restored file	User restored a document from the recycle bin of a site.
	Uploaded file	User uploaded a document to a folder on a site.
	Users that Accessed File Detected with Malware	Users that accessed file detected with malware.
	View signaled by client	A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user.
M365_SharePoint_Online_Site Administration Activities	Added allowed data location	A SharePoint or global administrator added an allowed data location in a multi-geo environment.
	Added exempt user agent	A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.
	Added geo location admin	A SharePoint or global administrator added a user as a geo admin of a location.
	Added user to create groups	Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
	Canceled site geo move	A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move.
	Changed a sharing policy	A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin portal, SharePoint admin portal, or SharePoint Online Management Shell.
	Changed device access policy	A SharePoint or global administrator changed the unmanaged devices policy for your organization.
	Changed exempt user agents	A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center.
	Changed network access policy	A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell
	Changed site geo move	A site geo move that was scheduled by a global administrator in your organization was successfully completed.
	Created Sent To connection	A SharePoint or global administrator creates a new Send To connection on the Records management page in the SharePoint admin center.
	Created site collection	A SharePoint or global administrator creates a site collection in your SharePoint Online organization or a user provisions their OneDrive for Business site.
	Deleted orphaned hub site	A SharePoint or global administrator deleted an orphan hub site, which is a hub site that doesn't have any sites associated with it.
	Deleted Sent To connection	A SharePoint or global administrator deleted a Sent To connection on the Records management page in the SharePoint admin center.
	Deleted site	Site administrator deleted a site.
	Enabled document preview	Site administrator enabled document preview for a site.
	Enabled legacy workflow	Site administrator or owner added the SharePoint 2013 Workflow Task content type to the site.
	Enabled Office on Demand	Site administrator enabled Office on Demand, which lets users access the latest version of Office desktop applications.
	Enabled result source for People Searches	Site administrator created the result source for People Searches for a site.
	Enabled RSS feeds	Site administrator or owner enabled RSS feeds for a site.
	Joined site to hub site	A site owner associated their site with a hub site.
	Registered hub site	A SharePoint or global administrator created a hub site.
	Removed allowed data location	A SharePoint or global administrator removed an allowed data location in a multi-geo environment.
	Removed geo location admin	A SharePoint or global administrator removed a user as a geo admin of a location.
	Renamed site	Site administrator or owner renamed a site.
	Scheduled site to geo move	A SharePoint or global administrator successfully scheduled a SharePoint site geo move.
	Set host site	A SharePoint or global administrator changed the designated site to host personal.
	Set storage quote for geo location	A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.
	Unjoined site from hub site	A site owner disassociated their site from a hub site.
	Unregistered hub site	A SharePoint or global administrator unregistered a site as a hub site.
M365_SharePoint_Online_Sharing and Request Activities	Accepted access request	An access request to a site, folder, or document was accepted and the requesting user has been granted access.
	Accepted sharing invitation	User (member or guest) accepted a sharing invitation and was granted access to a resource.
	Added permission level to site collection	A permission level was added to a site collection.
	Blocked sharing invitation	A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user
	Created a company shareable link	User created a company-wide link to a resource.
	Created access request	User requests access to a site, folder, or document they don't have permissions to access.
	Created an anonymous link	User created an anonymous link to a resource.
	Created secure link	A secure sharing link was created to this item.
	Created sharing invitation	User shared a resource in SharePoint Online with a user who isn't in your organization's directory.
	Deleted secure link	A secure sharing link was deleted.
	Denied access request	An access request to a site, folder, or document was denied.
	Removed a company shareable link	User removed a company-wide link to a resource. The link can no longer be used to access the resource.
	Removed an anonymous link	User removed an anonymous link to a resource. The link can no longer be used to access the resource.
	Shared file, folder, or site	User (member or guest) shared a file, folder, or site in SharePoint with a user in your organization's directory.
	Unshared file, folder, or site	User (member or guest) unshared a file, folder, or site that was previously shared with another user.
	Updated access request	An access request to an item was updated.
	Updated an anonymous link	User updated an anonymous link to a resource.
	Updated sharing invitation	An external sharing invitation was updated.
	Used a company shareable link	User accessed a resource by using a company-wide link.
	Used an anonymous link	An anonymous user accessed a resource by using an anonymous link.
	Used secure link	A user used a secure link.
	User added to secure link	A user was added to the list of entities who can use a secure sharing link.
	User removed from secure link	A user was removed from the list of entities who can use a secure sharing link.
	Withdrew sharing invitation	User withdrew a sharing invitation to a resource.
M365_SharePoint_Online_Site Permissions	Added site collection admin	Total number of files active in OneDrive.
	Added user or group to SharePoint group	User added a member or guest to a SharePoint group
	Broke permission level inheritance	An item was changed so that it no longer inherits permission levels from its parent.
	Broke sharing inheritance	An item was changed so that it no longer inherits sharing permissions from its parent.
	Created group	Site administrator or owner creates a group for a site, or performs a task that results in a group being created.
	Deleted group	User deletes a group from a site.
	Modified 'Members Can Share' setting	The Members Can Share setting was modified on a site.
	Modified access request setting	The access request settings were modified on a site.
	Modified permission level on a site collection	A permission level was changed on a site collection.
	Modified site permissions	Site administrator or owner (or system account) changes the permission level that is assigned to a group on a site.
	Removed permission level from site collection	A permission level was removed from a site collection.
	Removed site collection admin	Site collection administrator or owner removes a person as a site collection administrator for a site.
	Removed user or group from SharePoint group	User removed a member or guest from a SharePoint group.
	Requested site admin permissions	User requests to be added as a site collection administrator for a site collection.
	Restored sharing inheritance	A change was made so that an item inherits sharing permissions from its parent.
	Updated group	Site administrator or owner changes the settings of a group for a site.
M365_SharePoint_Usage Details	% Free Storage	% of free storage available.
	Active File Count	A file is considered active if it has been saved, synced, modified or share.
	Page View Count	Count of page views.
	Total File Count	Total number of files.

M365_Teams

This service contains services and KPIs for Microsoft Teams.

M365_Teams_Availability

This service contains KPIs for the availability of Microsoft Teams.


KPI	Description
_Advisory	KPI showing Advisory information related to O365 Teams.
_Incident	KPI showing Incident related to O365 Teams.
_Plan for Change	Informs users of changes to Microsoft 365 that may require them to avoid disruptions in Teams service.
_Prevent or Fix Issues	Informs users of known issues affecting the organization and may require them to take action to avoid disruptions in Teams service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed	Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 Teams Roadmap.
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Teams_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Teams.


KPI	Description
GT_Teams_SessionsStarted	Number of Teams sessions started.
GT_Teams_TeamsCreated	Count of new teams created.
GT_Teams_TeamsDeleted	Count of teams that were deleted.
GT_Teams_TotalUniqueUsers	Total count of unique users for Teams.
GT_Teams_UniqueTeams	Total count of unique teams.

M365_Teams_Performance

This service contains KPIs for the performance of Microsoft Teams.


KPI	Description
Operations	KPI which aggregates several critical indicators of performance.

M365_Yammer

This service contains services and KPIs for Microsoft Yammer.

M365_Yammer_Availability

This service contains KPIs for the availability of Microsoft Yammer.


KPI	Description
_Advisory	KPI showing Advisory information related to O365 Yammer.
_Incident	KPI showing Incidents related to O365 Yammer.
_Plan for Change	Informs users of changes to Microsoft 365 that may require them to avoid disruptions in Yammer service.
_Prevent or Fix Issues	Informs users of known issues affecting the organization and may require them to take action to avoid disruptions in Yammer service. Prevent or fix issues are different from Service health messages because they prompt users to be proactive to avoid issues.
_Stay Informed	Informs users about new or updated features which are turning on in the organization. The features are usually announced first in the Microsoft 365 Yammer Roadmap.
Extended recovery	This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if Microsoft has made a temporary fix to reduce impact while waiting to apply a permanent fix.
False positive	After a detailed investigation, Microsoft has confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service.
Investigating	Microsoft is aware of a potential issue and is gathering more information about what's going on and the scope of impact.
Investigation suspended	Microsoft's investigation of a potential issue has resulted in a request for additional information to allow for further investigation.
Normal service	Service is up and running.
Restoring service	Microsoft has identified the cause of the issue. Microsoft has identified appropriate corrective action and is in the process of bringing the service back to a healthy state.
Service degradation	Microsoft has determined that an issue affects the ability of users to access the service. The issue is significant and can be consistently reproduced.
Service interruption	You'll see this status Microsoft determines that an issue affects the ability for users to access the service. In this case, the issue is significant and can be reproduced consistently.
Service Restored	Microsoft has confirmed that corrective action has resolved the underlying problem, and the service has been restored to a healthy state.

M365_Yammer_GTKPIs

This service contains KPIs that are used in the glass table for Microsoft Yammer.


KPI	Description
GT_Yammer_ActiveGroups	The total active Yammer groups reported in the last 7 days.
GT_Yammer_PostedMessageCount	The total posted message count from the Yammer tenant in the last seven day reporting period.
GT_Yammer_TotalGroups	The latest reported total number Yammer groups.
GT_Yammer_TotalUniqueUsers	Total unique users for Yammer.

M365_Yammer_Performance

This service contains KPIs for the performance of Microsoft Yammer.


KPI	Description
Operations	KPI which aggregates several critical indicators of performance.

Documentation