Auditing in Purview

Note

Purview auditing solutions for Business Central is in Preview. Please register any feedback and requests for additional events to be auditable on [aka.ms/bcideas](https://aka.ms/bcideas).

Your Business Central environments automatically emit auditable events to Microsoft Purview auditing solutions. Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. For Business Central, this means that Create, Update, and Delete events that require administrator privileges are emitted to Purview's unified audit log, aiding security, legal, and compliance investigation across all Microsoft services used in your organization.

Tip

Before Business Central online logs authorization attempts to telemetry, a successful authentication (login) must happen against Microsoft Entra ID (formerly Azure Active Directory). With the information in the Microsoft Entra sign-in log, you can figure out what happened if a user sign-in failed. For more information, see Analyze sign-ins with the Microsoft Entra sign-in log.

If you want to track, monitor, or alert on successful and failed login attempts against Microsoft Entra ID, configure integration to Azure Monitor on Microsoft Entra and analyze further with KQL. For more information, see Integrate Microsoft Entra logs with Azure Monitor.

Business Central environments automatically emit all events listed below to Microsoft Purview auditing solutions, and Purview is enabled by default on every tenant. Learn more about enabling or disabling Purview auditing solutions on your tenant here.

Schema

Every event emitted to Purview auditing solutions uses the common schema. Events related to your Business Central environments can be found under the Dynamics365BusinessCentralLog AuditLogRecordType. For events with this AuditLogRecordType, the following fields are added to the common schema to contain details specific to your Business Central environments.

| Name | Description | Mandatory | Type |
|---|---|---|---|
| BcEnvironmentName | The name of the Business Central environment | False | Edm.String |
| BcEnvironmentType | The type of the Business Central environment (that is, Production or Sandbox) | False | Edm.String |
| BcCompanyName | The name of the company in your Business Central environment | False | Edm.String |
| BcCustomDimensions | Contains dynamic values based on the emitted event, see details for each event below | False | Edm.ComplexType |
| BcOperationName | The name of the operation for which the log was emitted | True | Edm.String |

Business Central events emitted to Purview are categorized as events and activities; events are high-level and are parents to the more specific activities.

| Event name | Description |
|---|---|
| Administered environment | Activities that create, update, or delete environments |
| Configured extension | Activities that configure extensions |
| Administered user | Activities that create, update, or delete users |
| Administered company | Activities that create, update, or delete companies |
| Configured integration | Activities that configure integrations |
| Configured Copilot | Activities that configure Copilot |
| Configured cloud migration | Activities that configure cloud migration |
| Administered report | Activities that create, update, or delete reports |
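
Added example (not Microsoft's code): a triage pass over exported unified audit log records that uses the Bc* schema fields above and activity names taken from the tables further down this page. The record layout (RecordType exported by name, Operation holding the event name, BcCustomDimensions as a flat object), the watchlist, and the severity rule are assumptions made for illustration.

```python
import json

BC_RECORD_TYPE = "Dynamics365BusinessCentralLog"

# Example watchlist (an editorial choice, not a Microsoft ranking): activity
# names from this page's tables mapped to the custom dimensions to surface.
WATCHLIST = {
    "Set Security Group Access": ["Value"],
    "Removed Security Group Access": [],
    "Requested Environment Transfer": ["DestinationEntraTenantId"],
    "Set Authorized Microsoft Entra App to Admin Center API": ["appId"],
    "Set Customer Tenant Access to Application Family": ["varTenantId", "access"],
}

# Constructed sample export (not real tenant data). Assumed layout: RecordType
# exported by name, Operation = event name, BcOperationName = activity name,
# BcCustomDimensions = flat JSON object.
COMMON = {"UserId": "admin@cronus.com", "RecordType": BC_RECORD_TYPE}
SAMPLE_EXPORT = [json.dumps({**COMMON, **r}) for r in (
    {"Id": "r1", "CreationTime": "2024-05-02T09:14:00", "Operation": "Administered environment",
     "BcOperationName": "Removed Security Group Access",
     "BcEnvironmentName": "Prod-US", "BcEnvironmentType": "Production"},
    {"Id": "r2", "CreationTime": "2024-05-02T09:20:00", "Operation": "Administered environment",
     "BcOperationName": "Requested Environment Transfer",
     "BcEnvironmentName": "Test-US", "BcEnvironmentType": "Sandbox",
     "BcCustomDimensions": {"DestinationEntraTenantId": "11111111-1111-1111-1111-111111111111"}},
    {"Id": "r3", "CreationTime": "2024-05-02T08:01:00", "Operation": "Configured integration",
     "BcOperationName": "Set Authorized Microsoft Entra App to Admin Center API",
     "BcCustomDimensions": {"appId": "22222222-2222-2222-2222-222222222222"}},
    {"Id": "r4", "CreationTime": "2024-05-02T10:00:00", "Operation": "Administered environment",
     "BcOperationName": "Restarted Environment", "BcEnvironmentType": "Sandbox"},
    {"Id": "r5", "Operation": "Administered user"},
    {"Id": "r6", "Operation": "Set-Mailbox", "RecordType": "ExchangeAdmin"},
)]

def triage(lines):
    """Return (findings, malformed_ids) for Business Central audit records."""
    findings, malformed = [], []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("RecordType") != BC_RECORD_TYPE:
            continue  # other workloads share the unified audit log
        activity = rec.get("BcOperationName")
        if not activity:  # the one mandatory Bc* field: report it, don't drop it
            malformed.append(rec.get("Id"))
            continue
        if activity not in WATCHLIST:
            continue
        dims = rec.get("BcCustomDimensions") or {}
        findings.append({
            "id": rec.get("Id"), "time": rec.get("CreationTime"), "actor": rec.get("UserId"),
            "event": rec.get("Operation"), "activity": activity,
            "environment": rec.get("BcEnvironmentName") or "(not set)",
            # Only an explicit Sandbox is downgraded; a missing type stays high.
            "severity": "medium" if rec.get("BcEnvironmentType") == "Sandbox" else "high",
            "details": {k: dims.get(k) for k in WATCHLIST[activity]},
        })
    findings.sort(key=lambda f: (f["severity"], f["time"]))  # "high" sorts first
    return findings, malformed
```

Calling `triage(SAMPLE_EXPORT)` returns the watchlisted records ordered by severity and time, plus the Id of any Business Central record that arrived without BcOperationName.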

Administered environment activities

Activities listed in the table below can be audited by filtering to the Administered environment event.

| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created environment | ApplicationVersion | 24.0.0.0 |
| | CountryCode | US |
| Removed environment | | |
| Renamed environment | NewEnvironmentName | EnvironmentName |
| Copied environment | targetEnvironmentType | Production |
| | targetEnvironmentName | EnvironmentName |
| Restored environment | EnvironmentName | RestoredEnvironment |
| | EnvironmentType | Production |
| | PointInTime | 0001-01-01T00:00:00 |
| | SkipInstallingPTEs | false |
| | SkipInstallingThirdPartyGlobalApps | false |
| | SkipEnvironmentCleanup | false |
| Recovered environment | | |
| Scheduled update | IgnoreUpdateWindow | false |
| | RunOn | 0001-01-01T00:00:00 |
| Set Security Group Access | Value | 00000000-0000-0000-0000-000000000000 |
| Removed Security Group Access | | |
| Set Application Insights Connection String | | |
| Set Access with Microsoft 365 Licenses | Value | true |
| Set AppSource Apps Update Cadence | Value | DuringMajorMinorUpgrade |
| Reported Service Outage | AppVersion | 24.0.0.0 |
| | Email | email@cronus.com |
| | FirstName | John |
| | LastName | Doe |
| | OutageQuestionAnswers | 1: Yes. 2: All users |
| | OutageType | Logon |
| | Phone | +1 0000000000 |
| | PlatformVersion | 24.0.0.0 |
| Set Update Window | PreferredEndTime | 06:00 |
| | PreferredEndTimeUtc | 0001-01-01T06:00:00 |
| | PreferredStartTime | 00:00 |
| | PreferredStartTimeUtc | 0001-01-01T00:00:00 |
| | TimeZoneId | Coordinated Universal Time |
| Exported Environment | | |
| Restarted Environment | | |
| Cancelled Session | sessionId | 12345 |
| Requested Environment Transfer | DestinationEntraTenantId | 00000000-0000-0000-0000-000000000000 |
| | RunAt | 0001-01-01T00:00:00 |
| Accepted Environment Transfer Request | ApplicationFamily | BusinessCentral |
| | DestinationEnvironmentName | EnvironmentName |
| | SourceEntraTenantId | 00000000-0000-0000-0000-000000000000 |
| | SourceEnvironmentName | EnvironmentName |
| Cancelled Environment Transfer Request | | |
| Link Environment to Power Platform Environment | powerPlatformEnvironmentId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | environmentName | EnvironmentName |
| Unlink Environment to Power Platform Environment | powerPlatformEnvironmentId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | environmentName | EnvironmentName |
| Set Support Contact Information | Email | support@cronus.com |
| | Name | SupportContact |
| | Url | https://cronus.com/support |
| Changed tenant permission system table | | |
| Changed tenant permission set system table | | |
| Changed tenant permission set relation system table | | |
| Changed tenant feature key system table | | |
| Changed tenant profile setting system table | | |
| Changed tenant profile extension system table | | |
| Changed data sensitivity system table | | |

Configured extension activities

Activities listed in the table below can be audited by filtering to the Configured extension event.

| Activity | Custom dimensions | Sample value |
|---|---|---|
| Installed Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | AllowPreviewVersion | true |
| | InstallOrUpdateNeededDependencies | true |
| | TargetVersion | 24.0.0.0 |
| | UseEnvironmentUpdateWindow | true |
| Updated Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | AllowPreviewVersion | true |
| | InstallOrUpdateNeededDependencies | true |
| | TargetVersion | 24.0.0.0 |
| | UseEnvironmentUpdateWindow | true |
| Uninstalled Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | DeleteData | true |
| | UninstallDependents | true |
| | UseEnvironmentUpdateWindow | true |
| Cancelled Global App Update | appId | 00000000-0000-0000-0000-000000000000 |
| | ScheduledOperationId | 00000000-0000-0000-0000-000000000000 |
| Published app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Installed app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Upgraded app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Uninstalled app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Unpublished app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Uploaded app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Deployed app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Changed permission set by extension | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | permissionSetExtensionObjectId | 00000000-0000-0000-0000-000000000000 |
| | permissionSetExtensionObjectName | Test Permission Set Extension |
| | permissionSetId | 00000000-0000-0000-0000-000000000000 |
| | permissionSetName | Test Permission Set Name |
| | changeSummary | Test change summary |
| | isNewPermissionSet | True |

Administered user activities

You can audit the activities in the table below by filtering to the Administered user event.

| Activity | Message parameters | Sample value |
|---|---|---|
| The tenant [TenantPermission] permission for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] has been updated with the value: "[Value]", by the UserSecurityId [UserSecurityId] | TenantPermission | READ |
| | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Value | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The Read permission for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been granted by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The tenant permissions for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been inserted with the following values - Read "[Read]", Insert "[Insert]", Modify "[Modify]", Delete "[Delete]" and Execute "[Execute]" by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Read | True |
| | Insert | True |
| | Modify | True |
| | Delete | True |
| | Execute | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The tenant permissions for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been updated with the following values - Read "[Read]", Insert "[Insert]", Modify "[Modify]", Delete "[Delete]" and Execute "[Execute]" by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Read | True |
| | Insert | True |
| | Modify | True |
| | Delete | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The permission set [PermissionSet] has been added to the security group [SecurityGroupName] by UserSecurityId [UserSecurityId] | PermissionSet | D365 READ |
| | SecurityGroupName | My security group |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been created by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been modified by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been deleted by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The plan configuration [PlanConfiguration] has been customized by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The Update users from Microsoft 365 wizard has been run by the UserSecurityID [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The user with UserSecurityId [UserSecurityId1] has been disabled by user with UserSecurityID [UserSecurityId2] | UserSecurityId1 | 00000000-0000-0000-0000-000000000000 |
| | UserSecurityId2 | 00000000-0000-0000-0000-000000000000 |
| The permission set [PermissionSet] has been copied by UserSecurityId [UserSecurityId] | PermissionSet | D365 READ |
| | UserSecurityID | 00000000-0000-0000-0000-000000000000 |
| The Effective Permissions page has been opened by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The user settings (UserSecurityId [UserSecurityId1]) has been updated with the values: Language ID [LanguageId], Locale ID [LocaleId], Company [Company], Time Zone [TimeZone], Profile ID [ProfileId] by UserSecurityId [UserSecurityId2] | UserSecurityID1 | 00000000-0000-0000-0000-000000000000 |
| | LanguageId | 1033 |
| | LocaleId | 1033 |
| | Company | CRONUS USA, Inc. |
| | TimeZone | W. Europe Standard Time |
| | ProfileId | BUSINESS MANAGER EVALUATION |
| | UserSecurityId2 | 00000000-0000-0000-0000-000000000000 |
| Changed access control system table | | |
| Changed user system table | | |

Administered company activities

You can audit the activities in the table below by filtering to the Administered company event.

Events in the table below are emitted with custom dimensions.

| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created new company | CompanyName | CRONUS USA, Inc. |
| Copied company | fromCompanyName | CRONUS USA, Inc. |
| | toCompanyName | CRONUS USA, Inc. |
| Deleted company | CompanyName | CRONUS USA, Inc. |
| Changed company system table | | |

Events in the table below are emitted with message parameters.

| Activity | Message parameters | Sample value |
|---|---|---|
| The Monitor Field feature has been set up by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been set for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been modified for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been deleted for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The data sensitivity value [DataSensitivityValue] has been set for Company Name [CompanyName], Table No. [TableId], Field No. [FieldId] by UserSecurityId [UserSecurityId] | DataSensitivityValue | Sensitive |
| | CompanyName | CRONUS USA, Inc. |
| | TableId | 18 |
| | FieldId | 1 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The new retention policy record with Table ID [TableId] is created by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The retention policy defined for table [TableId], [TableName] was applied by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | TableName | Customer |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| UserSecurityId [UserSecurityId] set the status of the job queue entry [JobQueueEntryId] to Ready | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| | JobQueueEntryId | 1 |
| The status of the feature key [FeatureKey] has been set to [FeatureStatus] by UserSecurityId [UserSecurityId] | FeatureKey | ConcurrentWarehousingPosting |
| | FeatureStatus | Enabled |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |

Configured integration activities

You can audit the activities in the table below by filtering to the Configured integration event.

Events in the table below are emitted with custom dimensions.

| Activity | Custom dimensions | Sample value |
|---|---|---|
| Set Authorized Microsoft Entra App to Admin Center API | appId | 00000000-0000-0000-0000-000000000000 |
| Deleted Authorized Microsoft Entra App from Admin Center API | appId | 00000000-0000-0000-0000-000000000000 |
| Set Customer Tenant Access to Application Family | varTenantId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | country | US |
| | access | read |
| Set Notification Recipient | Id | 00000000-0000-0000-0000-000000000000 |
| | Email | recipient@cronus.com |
| | Name | John Doe |
| Removed Notification Recipient | Id | 00000000-0000-0000-0000-000000000000 |

Events in the table below are emitted with message parameters.

| Activity | Message parameters | Sample value |
|---|---|---|
| Privacy Notice Approval ID [PrivacyApprovalName] provided by UserSecurityId [UserSecurityId] | PrivacyApprovalName | Azure OpenAI |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Privacy Notice Approval ID [PrivacyApprovalName] has been reset by UserSecurityId [UserSecurityId] | PrivacyApprovalName | Azure OpenAI |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The web service record with Object Type [ObjectType], Service Name [ServiceName] has been created by UserSecurityId [UserSecurityId] | ObjectType | Page |
| | ServiceName | ItemLedgerEntries |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The new API Setup record Table ID [TableId], Template Code [TemplateCode], Page ID [PageId] is created by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | TemplateCode | RESO000001 |
| | PageId | 32 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| User [UserSecurityId] enabled integration to Dataverse | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| User [UserSecurityId] enabled integration to Dynamics 365 Sales | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Email Logging has been set up by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| CDS Connection Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Sales and Inventory Forecast application - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Online Map Setup enabled by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Late Payment Prediction - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Cash Flow Forecast feature, Azure AI - consent provided | | |
| Image Analyzer - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| MS PayPal - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| MS Yodlee Bank Service - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| AMC Banking Fundamentals - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| VAT Registration Service enabled by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Curr. Exch. Rate Update Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Document Exchange Service Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| CFDI - consent provided | | |
| NO Elect. VAT Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| SII Setup - consent provided | | |
| The UK Making Tax Digital consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |

Configured Copilot activities

You can audit the activities in the table below by filtering to the Configured Copilot event.

| Activity | Message parameters | Sample value |
|---|---|---|
| The copilot/AI capability [CopilotCapability], App Id [AppId] has been activated by the UserSecurityId [UserSecurityId] | CopilotCapability | Sales Line Suggestions |
| | AppId | 00000000-0000-0000-0000-000000000000 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |

Configured cloud migration activities

Coming soon.

Administered report activities

You can audit the activities in the table below by filtering to the Administered report event.

| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created report layout | ReportId | 1 |
| | LayoutName | TestReport |
| | LayoutDescription | Test Layout Description |
| | LayoutFormat | Layout Format |
| | Action | New |
| Deleted report layout | ReportId | 1 |
| | LayoutName | TestReport |
| | Action | Delete |
| Modified report layout | ReportId | 1 |
| | OldLayoutName | OldTestReport |
| | OldLayoutDescription | Old Layout Description |
| | NewLayoutName | NewTestReport |
| | NewLayoutDescription | New Layout Description |
| | Action | Edit |
