Labeling Admin Audit Log
Right now you cannot search for administrative Event regarding Unified Labeling in Office 365 Admn portal Audit Log Search.
Brian H commented
While the data is in the O365 Admin Audit Log it is difficult to extract for MIP administrative activities (eg. set-label, set-labelpolicy). There are no such Activities that can be used as a search criteria. It would be desirable for a 'Sensitivity Label Administration' group and actions to be added to the current Audit Log functionality. In the interim, it seems the only solution appears to be to iteratively search the log for each user with a role that allows such administrative activities; it would be much easier if MIP Admin functions could be queried.
These should be available in Log Analytics/Sentinel just as the AIP client logs.
With Unified Labeling Powershell Cmdlets you can get LastModified/Createdby with Get-Label but you cannot see what explicitly changed and if someone deletes a label at all you cannot see anything about this in Powershell
I also think this is a crucial feature and I do not understand why it is not there from day one.
Similar to tracking
Still no possibilities here.... For Unified Labeling (Sensitivity labels) i would assume to find everything in Office 365 Security & Compliance "Audit log search": https://protection.office.com/unifiedauditlog
But there are no entries for admin changes on i.e. sensitivity labels:
Emma Williams commented
Currently Azure RMS Superuser logs are separate from everything else, and there is no simple way to retrieve them. This makes it really difficult for service owners to get reports on and audit activities with the accounts which have the keys to our encryption kingdom and are in use with AIP.
All actions taken by administrators are logged for auditing and reporting purposes