Review audit logs in Microsoft 365 Lighthouse

Microsoft 365 Lighthouse audit logs record actions that generate a change in Lighthouse or other Microsoft 365 services. Create, edit, delete, assign, and remote actions all create audit events that you can review. By default, auditing is enabled for all customers. It can't be disabled.

Before you begin

To view audit logs, you must have one of the following permissions:

  • Microsoft Entra role - Global Administrator of partner tenant

  • Microsoft Partner Center role - Admin Agent

Review audit logs

  1. In the left navigation pane in Lighthouse, select Audit logs.


    It might take up to 1 hour to see new logs. Go to the respective service to see the most recent changes.

  2. Filter the logs, as needed, by using the following options:

    • Date range - Previous month, week, or day.
    • Tenants - Tenant tags or customer tenant names.
    • Activity - Microsoft 365 activity type that corresponds to the action taken. For more information, see the Activities table.
    • Initiated by - Who initiated the action.
  3. Select a log from the list to see full details, including the Request body.

    To export log data to a comma-separated values (.csv) file, select Export.


The following table lists activities captured within Lighthouse audit logs. The list is subject to change as new actions are created. You can use the activity listed in the audit log to see which action was initiated.

Activity name Area in Lighthouse Action initiated Service impacted
apply or deploy Tenants Apply a deployment plan Microsoft Entra ID, Microsoft Intune
assignTag Tenants Apply a tag from a customer Lighthouse
changeDeploymentStatus or assign Tenants Update action plan status for deployment plan Lighthouse
offboardTenant Tenants Inactivate a customer Lighthouse
resetTenantOnboardingStatus Tenants Reactivate a customer Lighthouse
tenantTags Tenants Create or delete a tag Lighthouse
tenantCustomizedInformation Tenants Create, update, or delete a customer website or contact information Lighthouse
unassignTag Tenants Remove a tag from a customer Lighthouse
validate Tenants Test a deployment plan Microsoft Entra ID
blockUserSignin Users Block sign-in Microsoft Entra ID
confirmUsersCompromised Users Confirm a user is compromised Microsoft Entra ID
dismissUsersRisk Users Dismiss user risk Microsoft Entra ID
resetUserPassword Users Reset password Microsoft Entra ID
setCustomerSecurityDefaultsEnabledStatus Users Enable multifactor authentication (MFA) with security defaults Microsoft Entra ID
restartDevice Devices Restart Microsoft Intune
syncDevice Devices Sync Microsoft Intune
rebootNow Threat management Reboot Microsoft Intune
reprovision Windows 365 Retry provisioning Windows 365
windowsDefenderScanFull Threat management Full scan Microsoft Intune
windowsDefenderScan Threat management Quick scan Microsoft Intune
windowsDefenderUpdateSignatures Threat management Update antivirus Microsoft Intune

Next steps

Use Microsoft Graph API to access more audit events, if needed. For more information, see Overview for multi-tenant management using the Microsoft 365 Lighthouse API.

Overview of the Alerts page (article)
Microsoft 365 Lighthouse FAQ (article)
View your Microsoft Entra roles in Microsoft 365 Lighthouse (article)