View Power Platform administrative logs using auditing solutions in Microsoft Purview
Administration of Power Platform products and services can affect various capabilities such as environment settings and operations, data policies, and integration-related settings. It's important to audit such actions that help mitigate failures, help contain systems of security constraints, adhere to compliance requirements, and act on security threats.
In this article, you learn about activities that are performed on Power Platform environments by those having administrative access across user experiences and programmable interfaces using Microsoft Purview compliance portal. The activities fall within the following categories:
Important
- Administrative activities for Power Platform environments are enabled by default on all tenants. You can't disable activity collection.
- At least one user with an assigned Microsoft 365 E5 or greater license, as required by Microsoft Purview. More information: Auditing solutions in Microsoft Purview
The audit activities include actions made by global administrators, Power Platform administrators, Dynamics 365 administrators, members of the System Administrator role (for Power Platform environments with Dataverse), the environment creator or owner (for Power Platform environments without Dataverse), and impersonated users that map to any of these roles.
Each activity event consists of a common schema defined at Office 365 Management Activity API schema. The schema defines the payload of metadata that is unique for each activity.
Activity category: Environment lifecycle operations
Each activity event contains a payload of metadata that is specific to the individual event. The following environment lifecycle operation activities are delivered to Microsoft Purview.
| Event | Description |
|---|---|
| Provisioned environment | The environment was created. |
| Deleted environment | The environment was deleted. |
| Recovered environment | An environment that was deleted within seven days has been recovered. |
| Hard-deleted environment | The environment was hard deleted. |
| Moved environment | The environment was moved to a different tenant. |
| Copied environment | The environment, including specific attributes such as application data, users, customizations, and schemas, were copied. |
| Backed up environment | The environment that has been backed up. |
| Restored environment | The environment has been restored from a back up. |
| Converted environment type | The environment was converted to a different environment type, such as production or sandbox. |
| Reset environment | A sandbox environment has been reset. |
| Upgraded environment | A component of an environment has been upgraded to a new version. |
| CMK-Renewed environment | The customer-managed key (CMK) has been renewed on the environment. |
| CMK-Reverted environment | Environment was removed from enterprise policy and encryption was retured to Microsoft-managed key. |
Activity category: Environment property and setting change activities
Each activity event contains a payload of metadata that is specific to the individual event. The following environment property and setting activities are delivered to Microsoft Purview.
| Event | Description |
|---|---|
| Changed property on environment | Communicates when a property on an environment has changed. In general, properties are metadata (names) that is associated with an environment. Includes changes to:
|
Activity category: Business model and licensing
Each activity event contains a payload of metadata that is specific to the individual event. The following business model and licensing activities are delivered to Microsoft Purview.
| Category | Event | Description |
|---|---|---|
| Billing Policy | BillingPolicyCreate | Emitted when a new billing policy is created. |
| Billing Policy | BillingPolicyDelete | Emitted when a billing policy is deleted. |
| Billing Policy | BillingPolicyUpdate | Emitted when the environments linked to a billing policy change (added, removed). |
| ISV | IsvContractConsent | Emitted when a tenant admin consents to an ISV contract. |
| License Auto-claim | AssignLicenseAutoClaim | Emitted when a license is assigned to a user automatically via an auto-claim policy. |
| License Auto-claim | AssignLicenseAutoClaimPolicyCreate | Emitted when a new auto-claim policy is created. |
| Currency | CurrencyEnvironmentAllocate | Emitted when currency (add-on) is allocated or deallocated to an environment. |
| Trials | TrialConvertToProduction | Emitted when a trial plan is converted to a production plan. |
| Trials | TrialEnforce | Emitted when a customer attempts to provision environments beyond the trial limit. |
| Trials | TrialExtend | Emitted when a trial is extended past its original expiration date. |
| Trials | TrialProvision | Emitted when a new trial plan is provisioned. |
| Trials | TrialSignUpEligibilityCheck | Emitted prior to trial provisioning when a check occurs to determine trial eligibility. |
| Trials | TrialViralConsent | Emitted during trial provisioning. Includes a list of which trial plan types the customer has consented to. |
| Trials | AssignLicenseToUser | Emitted when a trial license is assigned to a user. |
| Licensing | DeveloperPlanConsent | Emitted when a tenant admin consents to usage of developer plans. |
| Environment Lifecycle | EnvironmentDisabledByMiser | Emitted when an environment is automatically disabled due to insufficient database capacity. |
Activity category: Admin actions
Each activity event contains a payload of metadata that is specific to the individual event. The following admin activities are delivered to Microsoft Purview.
| Event | Description |
|---|---|
| Apply Admin Role | Emitted when a tenant admin requested the System administrator role in Dataverse in the environment. |
View activities in Microsoft Purview
When audit log search is turned on in the Microsoft Purview compliance portal, admin activity from your organization is recorded in the Microsoft Purview audit log.
You can use several methods to search events in Microsoft Purview.
Use wild card search for contextual information in the Microsoft Purview user experience.
Narrow down search constructs that are specific to individual events.
As you search, individual activities are shown. A common schema is enforced to enable search constructs across activities. The value in the PropertyCollection field is specific to each activity type.
For more information about the Microsoft Purview audit log, data retention policies, and capabilities, see Auditing solutions in Microsoft Purview.
See also
- Auditing solutions in Microsoft Purview
- Office 365 Management Activity API schema
- Detailed properties in the audit log
- Power Apps activity logging
- Power Automate activity logging
- Power Platform connector activity logging (preview)
- Data loss prevention activity logging
- Manage Dataverse auditing
- Dataverse and model-driven apps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for