Agent 365 CLI logs command reference

Manage CLI diagnostic logs. Use the logs export subcommand to write redacted copies of CLI log files. The exported copies are safe to share with Microsoft support and to attach to a support ticket without leaking emails, GUIDs, or tokens.

Minimum role required: None. The command reads and rewrites local log files only.

Syntax

a365 logs [command] [options]

logs export

Export a redacted copy of a CLI diagnostic log file that's safe to share with Microsoft support. Redacts JWT tokens, email addresses, GUIDs, and OS-path usernames, and replaces identical values with consistent aliases so that log correlation is preserved.

a365 logs export [<command>] [options]

The CLI writes a diagnostic log file for each top-level command into your local logs directory (for example, %LOCALAPPDATA%\Microsoft.Agents.A365.DevTools.Cli\logs\ on Windows). logs export reads one or all of those files, removes sensitive content, and writes the redacted copies to your chosen output directory.

What gets redacted

| Pattern | Replacement |
|---|---|
| JWT bearer tokens (header.payload.signature) | <JWT-TOKEN> |
| Email addresses | <email-1>, <email-2>, ... (consistent aliases per email) |
| GUIDs (8-4-4-4-12); see What's preserved for exceptions | <id-1>, <id-2>, ... (consistent aliases per GUID) |
| OS-path usernames (C:\Users\<name>, /Users/<name>, /home/<name>) | <username-1>, <username-2>, ... |

Identical values keep the same alias across the file, so cross-references in the log remain useful for diagnosing issues. The redacted file includes a header that records the source path (with the same redactions applied) and counts of each pattern that was replaced.

What's preserved

The redactor intentionally keeps the following content verbatim so the redacted log is still useful for debugging and for Microsoft support escalation:

| Preserved | Why it's safe |
|---|---|
| Timestamps, log levels, scope names, error codes, file paths (with usernames substituted), HTTP status codes, JSON shapes | None of these identify a tenant or user. |
| TraceId: <guid> and CorrelationId: <guid> values | Session-local random identifiers generated by the CLI. They aren't sensitive and they're what pairs the log against server-side traces. |
| request-id and client-request-id values inside Microsoft Graph error bodies | Server-generated per call. Microsoft support uses these to look up the exact request in service logs when you escalate. |
| Public, well-known Microsoft and Agent 365 resource application IDs: Microsoft Graph (00000003-0000-0000-c000-000000000000); Agent 365 Messaging Bot API; Agent 365 Observability API; Power Platform API (Connectivity); Agent 365 Tools (MCP audience, production) | These are documented public constants; they reveal nothing about your tenant. Preserving them means a line like Validated permission AgentIdentityBlueprint.ReadWrite.All against 00000003-0000-0000-c000-000000000000 stays readable instead of becoming ... against <id-4>. |

Tenant-specific service principal object IDs and any other GUIDs that don't match the patterns above are still redacted through the consistent-alias mechanism.

Important

The redaction patterns are designed to remove the most common sensitive content. If your logs contain custom secrets (for example, secrets logged by code outside this CLI, or values pasted into stack traces) in formats this redactor doesn't recognize, remove them manually before sharing.

How to verify before sharing

Open the redacted file in a text editor and scan for anything that looks tenant-specific:

# Spot-check what was preserved vs aliased
Select-String -Path .\a365.setup.redacted.log -Pattern "CorrelationId|TraceId|request-id" | Select-Object -First 10
Select-String -Path .\a365.setup.redacted.log -Pattern "<id-|<email-|<JWT-TOKEN>|<username-" | Measure-Object

The exported file's header line summarises the counts. If you see a higher count of <id-N> aliases than you expect, the alias map is doing its job — each tenant-specific GUID gets exactly one alias.
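A fuller pre-share check than the two spot-check commands above, covering both the "What gets redacted" patterns and the "What's preserved" exceptions. This is an added example, not part of the CLI or the original page; the regexes, the secret-name heuristic, and the sample log lines are constructed assumptions, and only the Microsoft Graph application ID is taken from the page.

```python
import re

# Approximations of the four categories the page lists (assumption: the CLI's
# own regexes are not shown on the page).
JWT = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
GUID = re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b")
# A real name after a home-directory prefix; "<username-N>" aliases don't match.
OS_USER = re.compile(r"(?:[A-Za-z]:\\Users\\|/Users/|/home/)[^\\/\s<>]+")
# Heuristic for the "custom secrets" caveat: name=value pairs the CLI doesn't target.
SECRET_KV = re.compile(r"(?i)(?:password|secret|api[_-]?key)\w*[\"']?\s*[=:]\s*[\"']?[^\s<\"']")
# Labels after which the page says a GUID is intentionally kept verbatim.
KEPT_LABEL = re.compile(r"(?i)(?:TraceId|CorrelationId|request-id)\W{0,5}$")
# Only the Microsoft Graph app ID is spelled out on the page; extend as needed.
PUBLIC_APP_IDS = {"00000003-0000-0000-c000-000000000000"}

def scan(text):
    """Return (line_no, kind, column) for each value that still looks sensitive."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("jwt", JWT), ("email", EMAIL),
                         ("os-user", OS_USER), ("secret-kv", SECRET_KV)):
            hits += [(no, kind, m.start() + 1) for m in rx.finditer(line)]
        for m in GUID.finditer(line):
            kept = (m.group().lower() in PUBLIC_APP_IDS
                    or KEPT_LABEL.search(line[:m.start()]))
            if not kept:
                hits.append((no, "guid", m.start() + 1))
    return hits

# Constructed sample: lines 1-4 are what a clean export looks like, 5-6 are leaks.
SAMPLE = "\n".join([
    r"2025-01-01T10:00:00Z [INF] Config loaded from C:\Users\<username-1>\a365.config.json",
    "2025-01-01T10:00:01Z [INF] Signed in as <email-1>, tenant <id-1>, CorrelationId: 3f2b8c1e-4d5a-4e6f-8a7b-9c0d1e2f3a4b",
    "2025-01-01T10:00:02Z [INF] Validated permission AgentIdentityBlueprint.ReadWrite.All against 00000003-0000-0000-c000-000000000000",
    '2025-01-01T10:00:03Z [ERR] Graph error {"request-id": "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"}',
    "2025-01-01T10:00:04Z [ERR] at Plugin.Run() owner=dev@contoso.example sp=7c6d5e4f-3a2b-4c1d-9e0f-8a7b6c5d4e3f",
    "2025-01-01T10:00:05Z [DBG] custom step client_secret=Zx8Qv1 (logged by code outside the CLI)",
])

if __name__ == "__main__":
    for line_no, kind, col in scan(SAMPLE):
        print(f"line {line_no}, col {col}: unredacted {kind}")
```

Findings carry only the line, kind, and column, so the report itself never repeats a leaked value.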

export options

| Option | Description |
|---|---|
| <command> | Name of the command whose log you want to export (such as setup or cleanup). Omit this argument to export every available log file in one run. |
| -o, --output <output> | Directory to write the redacted log file or files to. Defaults to the current directory. |
| -?, -h, --help | Show help and usage information. |

Examples

Export the setup log to the current directory:

a365 logs export setup

Export every available log to a specific folder:

a365 logs export --output ./support-bundle

Export the cleanup log to a specific folder:

a365 logs export cleanup --output ./support-bundle

Output file naming

The exported file is written as a365.<command>.redacted.log. When you omit <command>, the CLI exports each available log into its own redacted file with the same naming pattern.

Important

Review the redacted file before sharing it. The redaction patterns cover JWT tokens, emails, GUIDs, and OS-path usernames, but they don't cover every possible secret. If your log contains custom secrets or sensitive identifiers in other formats, remove them manually before sharing.

Note

logs export doesn't delete or modify the original log files. The original logs remain in your local logs directory. The command writes only redacted copies to the output directory.