View Power Platform administrative logs using auditing solutions in Microsoft Purview

Administration of Power Platform products and services can affect various capabilities such as environment settings and operations, data policies, and integration-related settings. It's important to audit these actions to help mitigate failures, keep systems within security constraints, adhere to compliance requirements, and act on security threats.

In this article, you learn how to use the Microsoft Purview compliance portal to review activities performed on Power Platform environments by those with administrative access, across user experiences and programmable interfaces. The activities fall within the following categories:

Important

  • Administrative activities for Power Platform environments are enabled by default on all tenants. You can't disable activity collection.
  • At least one user must be assigned a Microsoft 365 E5 or greater license, as required by Microsoft Purview. More information: Auditing solutions in Microsoft Purview

The audit activities include actions made by Power Platform administrators, Dynamics 365 administrators, members of the System Administrator role (for Power Platform environments with Dataverse), the environment creator or owner (for Power Platform environments without Dataverse), and impersonated users that map to any of these roles.

Each activity event follows a common schema defined in the Office 365 Management Activity API schema. The schema defines the payload of metadata that is unique for each activity.

Activity category: Environment lifecycle operations

Each activity event contains a payload of metadata that is specific to the individual event. The following environment lifecycle operation activities are delivered to Microsoft Purview.

Event | Description
Provisioned environment | The environment was created.
Deleted environment | The environment was deleted.
Recovered environment | An environment that was deleted within seven days has been recovered.
Hard-deleted environment | The environment was hard deleted.
Moved environment | The environment was moved to a different tenant.
Copied environment | The environment, including specific attributes such as application data, users, customizations, and schemas, was copied.
Backed up environment | The environment has been backed up.
Restored environment | The environment has been restored from a backup.
Converted environment type | The environment was converted to a different environment type, such as production or sandbox.
Reset environment | A sandbox environment has been reset.
Upgraded environment | A component of an environment has been upgraded to a new version.
CMK-Renewed environment | The customer-managed key (CMK) has been renewed on the environment.
CMK-Reverted environment | The environment was removed from the enterprise policy and encryption was returned to a Microsoft-managed key.

Activity category: Environment property and setting change activities

Each activity event contains a payload of metadata that is specific to the individual event. The following environment property and setting activities are delivered to Microsoft Purview.

Event | Description
Changed property on environment | Communicates when a property on an environment has changed. In general, properties are metadata (names) that is associated with an environment. Includes changes to:
  • Display name
  • Domain name
  • Security group ID
  • Admin mode
  • Background operations state

Activity category: Business model and licensing

Each activity event contains a payload of metadata that is specific to the individual event. The following business model and licensing activities are delivered to Microsoft Purview.

Category | Event | Description
Billing Policy | BillingPolicyCreate | Emitted when a new billing policy is created.
Billing Policy | BillingPolicyDelete | Emitted when a billing policy is deleted.
Billing Policy | BillingPolicyUpdate | Emitted when the environments linked to a billing policy change (added, removed).
ISV | IsvContractConsent | Emitted when a tenant admin consents to an ISV contract.
License Auto-claim | AssignLicenseAutoClaim | Emitted when a license is assigned to a user automatically via an auto-claim policy.
License Auto-claim | AssignLicenseAutoClaimPolicyCreate | Emitted when a new auto-claim policy is created.
Currency | CurrencyEnvironmentAllocate | Emitted when currency (add-on) is allocated or deallocated to an environment.
Trials | TrialConvertToProduction | Emitted when a trial plan is converted to a production plan.
Trials | TrialEnforce | Emitted when a customer attempts to provision environments beyond the trial limit.
Trials | TrialProvision | Emitted when a new trial plan is provisioned.
Trials | TrialSignUpEligibilityCheck | Emitted prior to trial provisioning when a check occurs to determine trial eligibility.
Trials | TrialViralConsent | Emitted when a tenant changes their consented plan types, and reflects the new state.
Trials | AssignLicenseToUser | Emitted when a trial license is assigned to a user.
Environment Lifecycle | EnvironmentDisabledByMiser | Emitted when an environment is automatically disabled due to insufficient database capacity.

Activity category: Admin actions

Each activity event contains a payload of metadata that is specific to the individual event. The following admin activities are delivered to Microsoft Purview.

Event | Description
Apply Admin Role | Emitted when a tenant admin requested the System administrator role in Dataverse in the environment.

Activity category: Lockbox operations

All the lockbox activities are under the activity LockboxRequestOperation. Each activity event contains a payload of metadata with the following properties when the lockbox request is created or updated:

  • Lockbox request ID
  • Lockbox request state
  • Lockbox support ticket ID
  • Lockbox request expiration time
  • Lockbox data access duration
  • Environment ID
  • User who performed the operation (when the lockbox request is created)

The following events are delivered to Microsoft Purview.

Category | Event | Description
Create lockbox request | LockboxRequestOperation | Emitted when a new lockbox request is created.
Update lockbox request | LockboxRequestOperation | Emitted when a lockbox request is approved or denied.
Lockbox request access ended | LockboxRequestOperation | Emitted when a lockbox request expired or access ended.

Here's an example of the payload of metadata that can be expected from one of the events listed in the table.

[
    {
        "Name": "powerplatform.analytics.resource.tenant.lockbox.data_access.duration",
        "Value": "8"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.lockbox.support_ticket.id",
        "Value": "MSFT initiated"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.lockbox.request.state",
        "Value": "Created"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.lockbox.request.expiration_time",
        "Value": "6/1/2024 11:59:15 PM +00:00"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.lockbox.request.id",
        "Value": "dfdead68-3263-4c05-9e8a-5b61ddb5878c"
    },
    {
        "Name": "version",
        "Value": "1.0"
    },
    {
        "Name": "type",
        "Value": "PowerPlatformAdministratorActivityRecord"
    },
    {
        "Name": "powerplatform.analytics.activity.name",
        "Value": "LockboxRequestOperation"
    },
    {
        "Name": "powerplatform.analytics.activity.id",
        "Value": "cb18351c-fa1c-4f34-a6d9-f8cb91636009"
    },
    {
        "Name": "powerplatform.analytics.resource.environment.id",
        "Value": "ed92c80e-89ef-e0c8-a9eb-98559ca07809"
    },
    {
        "Name": "enduser.id",
        "Value": ""
    },
    {
        "Name": "enduser.principal_name",
        "Value": "Test user"
    },
    {
        "Name": "enduser.role",
        "Value": "Admin"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.id",
        "Value": "3a568f62-11ff-4e89-bee8-4d47041b0003"
    }
]

Activity category: Data policy events

Note

Activity logging for data policies is not currently available in sovereign clouds.

Note

Currently users with an E5 license can view these audit events.

All the data policy events show up under GovernanceApiPolicyOperation activity. Each activity event contains a property collection, which emits the following properties:

  • Operation Name
  • Policy ID
  • Policy display name
  • Additional Resources (if applicable)

The following data policy events are delivered to Microsoft Purview.

Category | Description
Create DLP Policy | Emitted when a new data policy is created.
Update DLP Policy | Emitted when a data policy is updated.
Delete DLP Policy | Emitted when a data policy is deleted.
Create Custom Connector Patterns | Emitted when a new custom connector URL pattern is created.
Update Custom Connector Patterns | Emitted when a custom connector URL pattern is updated.
Delete Custom Connector Patterns | Emitted when a custom connector URL pattern is deleted.
Create Connector Configurations | Emitted when a connector configuration is created for the data policy.
Update Connector Configurations | Emitted when a connector configuration is updated for the data policy.
Delete Connector Configurations | Emitted when a connector configuration is deleted for the data policy.
Create Policy Scope | Emitted when a new policy scope is created.
Update Policy Scope | Emitted when a policy scope is updated.
Delete Policy Scope | Emitted when a policy scope is deleted.
Create Exempt Resources | Emitted when an exempt resources list is created for the data policy.
Update Exempt Resources | Emitted when an exempt resources list is updated for the data policy.
Delete Exempt Resources | Emitted when an exempt resources list is deleted for the data policy.
Create connector blocking policy | Emitted when a new connector blocking policy is created.
Update connector blocking policy | Emitted when a connector blocking policy is updated.
Delete connector blocking policy | Emitted when a connector blocking policy is deleted.

Here's an example payload of metadata that can be expected from one of the events in the table.

[
    {
        "Name": "powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources",
        "Value": "<<json>>"
    },
    {
        "Name": "powerplatform.analytics.resource.display_name",
        "Value": "ConnectorBlockingPolicy"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.governance.api_policy.operation_result",
        "Value": "True"
    },
    {
        "Name": "powerplatform.analytics.resource.id",
        "Value": "ConnectorBlockingPolicy"
    },
    {
        "Name": "powerplatform.analytics.resource.type",
        "Value": "ApiPolicy"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.governance.api_policy.operation_name",
        "Value": "DeleteDlpPolicy"
    },
    {
        "Name": "version",
        "Value": "1.0"
    },
    {
        "Name": "type",
        "Value": "PowerPlatformAdministratorActivityRecord"
    },
    {
        "Name": "powerplatform.analytics.activity.name",
        "Value": "GovernanceApiPolicyOperation"
    },
    {
        "Name": "powerplatform.analytics.activity.id",
        "Value": "99ac5d50-a0f4-4878-8ff4-e02b7da3a510"
    },
    {
        "Name": "enduser.id",
        "Value": "888c1bf5-3127-4c8c-84ee-b6a9c684e315"
    },
    {
        "Name": "enduser.principal_name",
        "Value": "admin@contosotest.onmicrosoft.com"
    },
    {
        "Name": "enduser.role",
        "Value": "Admin"
    },
    {
        "Name": "powerplatform.analytics.resource.tenant.id",
        "Value": "ce65293a-e07d-4638-9dfa-79483fcd5136"
    }
]

View activities in Microsoft Purview

When audit log search is turned on in the Microsoft Purview compliance portal, admin activity from your organization is recorded in the Microsoft Purview audit log.

You can use several methods to search events in Microsoft Purview.

Microsoft Purview search audit page

Use wildcard search for contextual information in the Microsoft Purview user experience.

Narrow down search constructs that are specific to individual events.

Filter record types in Microsoft Purview audit search

As you search, individual activities are shown. A common schema is enforced to enable search constructs across activities. The value in the PropertyCollection field is specific to each activity type.
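Because the PropertyCollection value differs per activity type, exported records are easier to review once the Name/Value list is flattened and checked per activity. The following Python is an added example, not code from this article or from Microsoft: the severity labels and the "Delete" prefix rule are assumptions, and the sample data is constructed from the two payloads shown earlier.

```python
PP = "powerplatform.analytics."
GOV = PP + "resource.tenant.governance.api_policy."
LOCKBOX = PP + "resource.tenant.lockbox."

def flatten(collection):
    """Collapse the Name/Value list into a dict, keeping the first value per name."""
    props = {}
    for item in collection:
        name = item.get("Name")
        if name and name not in props:
            props[name] = item.get("Value") or ""
    return props

def triage(collection):
    """Return (severity, summary) for one activity's property collection."""
    p = flatten(collection)
    activity = p.get(PP + "activity.name", "")
    # enduser.id can be empty (see the lockbox payload), so fall back in order.
    actor = p.get("enduser.principal_name") or p.get("enduser.id") or "unknown"
    if activity == "GovernanceApiPolicyOperation":
        op = p.get(GOV + "operation_name", "")
        result = p.get(GOV + "operation_result", "")
        target = p.get(PP + "resource.display_name", "unknown")
        # Assumption: removals share the "Delete" prefix seen in DeleteDlpPolicy.
        if op.startswith("Delete") and result.lower() == "true":
            return "high", f"{actor} completed {op} on {target}"
        return "info", f"{actor} ran {op or 'unnamed operation'} on {target} (result: {result or 'unknown'})"
    if activity == "LockboxRequestOperation":
        state = p.get(LOCKBOX + "request.state", "unknown")
        req = p.get(LOCKBOX + "request.id", "unknown")
        ticket = p.get(LOCKBOX + "support_ticket.id", "none")
        return "review", f"lockbox request {req} is {state} (ticket: {ticket}, actor: {actor})"
    return "info", f"{actor} performed {activity or 'an unrecognized activity'}"

# Constructed samples: trimmed copies of the two payloads shown in this article.
SAMPLE_DLP = [
    {"Name": PP + "activity.name", "Value": "GovernanceApiPolicyOperation"},
    {"Name": GOV + "operation_name", "Value": "DeleteDlpPolicy"},
    {"Name": GOV + "operation_result", "Value": "True"},
    {"Name": PP + "resource.display_name", "Value": "ConnectorBlockingPolicy"},
    {"Name": "enduser.principal_name", "Value": "admin@contosotest.onmicrosoft.com"}]
SAMPLE_LOCKBOX = [
    {"Name": PP + "activity.name", "Value": "LockboxRequestOperation"},
    {"Name": LOCKBOX + "request.state", "Value": "Created"},
    {"Name": LOCKBOX + "request.id", "Value": "dfdead68-3263-4c05-9e8a-5b61ddb5878c"},
    {"Name": LOCKBOX + "support_ticket.id", "Value": "MSFT initiated"},
    {"Name": "enduser.id", "Value": ""}, {"Name": "enduser.principal_name", "Value": "Test user"}]
if __name__ == "__main__":
    print(triage(SAMPLE_DLP), triage(SAMPLE_LOCKBOX))
```

A delete that reports an operation_result other than "True" is returned as "info" rather than "high", so failed attempts stay visible without being counted as completed removals.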

For more information about the Microsoft Purview audit log, data retention policies, and capabilities, see Auditing solutions in Microsoft Purview.
