The audit logs page provides a set of filters to help you find specific events quickly, even across large volumes of log data. This article explains the available filter options and how to use them.
Filters
Six filters are available in the filter bar at the top of the logs page:
| Filter | Type | Options | Default |
|---|---|---|---|
| Context Type | Single-select dropdown | All Types, Policy, Connection, User, Sync User | All Types |
| Context Name | Text input | Depends on the selected Context Type (see below) | Disabled until a Context Type is selected |
| Actor | Text input | Any email address or partial match (e.g. admin@company.com) | Empty (all actors) |
| Event | Multi-select dropdown | Sync started, Sync completed, Sync failed, Policy created, Policy updated, Policy deleted, User invited, User created, Logged in, Logged out | All Events |
| Severity | Multi-select dropdown | Information, Warning, Error | All Severities |
| Date Range | Date pickers (from and to) | Custom start and end dates | Last 7 days |
Context Type and Context Name
The Context Type and Context Name filters work together to let you narrow logs to events related to a specific entity:
| Context Type | Context Name field | Example |
|---|---|---|
| Policy | Policy Name — enter the name of a sync policy | General Policy |
| Connection | Connection Name — enter the name of a connection | M365 Production |
| User | User — enter an admin user's email address | admin@company.com |
| Sync User | Sync User — enter a synced user's email address | j.cooper@acme.com |
The Context Name field is disabled until you select a Context Type. Once selected, the field label and placeholder update to reflect the chosen type.
Event selection can auto-set the Context Type
If you select events that all belong to a single context type (e.g. selecting only sync events), the Context Type is automatically set to match. If you select events that span multiple context types, the Context Type and Context Name filters are disabled.
Multi-select filters
The Event and Severity filters support multi-select. Click the dropdown to open a list of checkboxes, then select one or more values. The dropdown shows your selections as a summary — for example, "Sync started, Sync failed" or "Information +1" if more than two values are selected.
Applying filters
Filters are not applied immediately as you change them. After setting your filter values:
- Click the Apply Filters button to apply your selections
- The log table updates to show only matching events
- Active filters appear as removable chips below the filter bar
To remove a single filter, click the × on its chip. To reset all filters at once, click the Clear button.
How filters combine
- Same filter (multi-select) — values combine with OR logic (e.g. Severity: Information OR Error)
- Different filters — combine with AND logic (e.g. Severity: Error AND Event: Sync failed)
Filter examples
| What you want to see | Filters to set |
|---|---|
| All failed sync events | Event: Sync failed |
| All errors across the system | Severity: Error |
| All actions by a specific admin | Actor: admin@company.com |
| Policy changes in the last 24 hours | Event: Policy created, Policy updated, Policy deleted + Date Range: last 24 hours |
| All events for a specific synced user | Context Type: Sync User + Context Name: j.cooper@acme.com |
| Authentication activity | Event: Logged in, Logged out |
| Events related to a specific policy | Context Type: Policy + Context Name: General Policy |
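
The combination rules above can be reproduced outside the UI, for example when reviewing a copy of the log data. The following is an added example, not code from the product: the record field names, the sample events, the case-insensitive Actor match, and the exact-match Context Name comparison are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records. Field names are assumptions for this example,
# not the product's export schema.
EVENTS = [
    {"time": datetime(2024, 5, 1, 9, 0), "actor": "admin@company.com", "event": "Policy updated",
     "severity": "Information", "context_type": "Policy", "context_name": "General Policy"},
    {"time": datetime(2024, 5, 1, 10, 0), "actor": "ops@company.com", "event": "Sync failed",
     "severity": "Error", "context_type": "Sync User", "context_name": "j.cooper@acme.com"},
    {"time": datetime(2024, 5, 2, 8, 0), "actor": "admin@company.com", "event": "Logged in",
     "severity": "Information", "context_type": "User", "context_name": "admin@company.com"},
    {"time": datetime(2024, 5, 2, 11, 0), "actor": "ops@company.com", "event": "Sync started",
     "severity": "Information", "context_type": "Connection", "context_name": "M365 Production"},
    {"time": datetime(2024, 5, 3, 7, 30), "actor": "ops@company.com", "event": "Sync completed",
     "severity": "Warning", "context_type": "Sync User", "context_name": "j.cooper@acme.com"},
]


def matches(entry, *, events=(), severities=(), actor="", context_type=None,
            context_name="", date_from=None, date_to=None):
    """Return True when the entry passes every filter that is set."""
    return all([
        # Multi-select filters: the values inside one filter combine with OR.
        not events or entry["event"] in events,
        not severities or entry["severity"] in severities,
        # Actor accepts a partial match (case-insensitivity is an assumption).
        actor.lower() in entry["actor"].lower(),
        context_type is None or entry["context_type"] == context_type,
        # Context Name is ignored until a Context Type is selected
        # (exact-match comparison is an assumption).
        context_type is None or not context_name
        or entry["context_name"] == context_name,
        date_from is None or entry["time"] >= date_from,
        date_to is None or entry["time"] <= date_to,
    ])  # all(): different filters combine with AND


def apply_filters(entries, **filters):
    """Filter, then order newest first as the log table does."""
    hits = [e for e in entries if matches(e, **filters)]
    return sorted(hits, key=lambda e: e["time"], reverse=True)


if __name__ == "__main__":
    for e in apply_filters(EVENTS, events=("Sync failed",), severities=("Error",)):
        print(e["time"], e["actor"], e["event"], e["severity"])
```
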
Sorting
Audit logs are always displayed in reverse chronological order (newest first). This cannot be changed — the most recent events are always at the top.
Pagination
| Setting | Options |
|---|---|
| Results per page | 10, 25, 50, or 100 |
| Default | 10 results per page |
| Navigation | Page numbers shown at the bottom with Previous/Next controls |
The total number of results matching your current filters is displayed (e.g. "1–10 of 97 results").