Collect audit logs using an HTTP action

The audit log sync flows connect to the Office 365 Management Activity API to gather telemetry data, such as unique users and launches for apps. The flows use an HTTP action to access the API. In this article, you set up the app registration for the HTTP action and the environment variables needed to run the flows.

Note

The Center of Excellence (CoE) Starter Kit works without these flows, but the usage information, such as app launches and unique users, in the Power BI dashboard is blank.

Prerequisites

  1. Complete the Before setting up the CoE Starter Kit and Set up inventory components articles.
  2. Set up your environment.
  3. Sign in with the correct identity.

Tip

Set up the audit log flows only if you chose cloud flows as the mechanism for inventory and telemetry.

Before you set up the audit log flows

  1. Microsoft 365 audit log search must be turned on for the audit log connector to work. For more information, see Turn audit log search on or off.
  2. Your tenant must have a subscription that supports unified audit logging. For more information, see Security & Compliance Center availability for business and enterprise plans.
  3. A global admin is required to configure the Microsoft Entra app registration.

Note

The Office 365 Management APIs use Microsoft Entra ID to provide authentication services that you can use to grant rights for your application to access them.

Create a Microsoft Entra app registration for the Office 365 Management API

Using these steps, you can set up a Microsoft Entra app registration for an HTTP call in a Power Automate flow to connect to the audit log. For more information, see Get started with Office 365 Management APIs.

  1. Sign in to the Azure portal.

  2. Go to Microsoft Entra ID > App registrations.

  3. Select + New Registration.

  4. Enter a name, such as Microsoft 365 Management, but don't change any other setting, and then select Register.

  5. Select API Permissions > + Add a permission.

  6. Select Office 365 Management API and configure permissions as follows:

    1. Select Application permissions, and then select ActivityFeed.Read.

    2. Select Add permissions.

  7. Select Grant Admin Consent for (your organization). To set up admin consent, see Grant tenant-wide admin consent to an application.

    The API permissions now reflect the application permission ActivityFeed.Read with a status of Granted for (your organization).

  8. Select Certificates and secrets.

  9. Select + New client secret.

  10. Add a description and expiration in line with your organization's policies, and then select Add.

  11. Copy and paste the application (client) ID to a text document such as Notepad.

  12. Select Overview and copy and paste the application (client) ID and directory (tenant) ID values to the same text document. Be sure to make a note of which GUID is for which value. You need these values when you configure the custom connector.

Update environment variables

Environment variables are used to store the client ID and secret for the app registration. Variables are also used to store audience and authority service endpoints, depending on your cloud (commercial, GCC, GCC High, DoD) for the HTTP action. Update the environment variables before turning on the flows.

You can store the client secret in plain text in the Audit Logs - Client Secret environment variable, but this isn't recommended. Instead, we recommend that you create and store the client secret in Azure Key Vault and reference it in the Audit Logs - Client Azure Secret environment variable.

Note

The flow using this environment variable is configured with a condition to expect either the Audit Logs - Client Secret or the Audit Logs - Client Azure Secret environment variable. However, you don't need to edit the flow to work with Azure Key Vault.

| Name | Description | Values |
| --- | --- | --- |
| Audit Logs - Audience | The audience parameter for the HTTP calls | Commercial (Default): https://manage.office.com; GCC: https://manage-gcc.office.com; GCC High: https://manage.office365.us; DoD: https://manage.protection.apps.mil |
| Audit Logs - Authority | The authority field in the HTTP calls | Commercial (Default): https://login.windows.net; GCC: https://login.windows.net; GCC High: https://login.microsoftonline.us; DoD: https://login.microsoftonline.us |
| Audit Logs - ClientID | App registration Client ID | The application client ID is from the Create a Microsoft Entra app registration for the Office 365 Management API step. |
| Audit Logs - Client Secret | App registration client secret (not the secret ID but the actual value) in plain text | The application client secret is from the Create a Microsoft Entra app registration for the Office 365 Management API step. Leave empty if you're using Azure Key Vault to store your client ID and secret. |
| Audit Logs - Client Azure Secret | Azure Key Vault reference of the App registration client secret | The Azure Key Vault reference for the application client secret is from the Create a Microsoft Entra app registration for the Office 365 Management API step. Leave empty if you're storing your client ID in plain text in the Audit Logs - Client Secret environment variable. This variable expects the Azure Key Vault reference, not the secret. For more information, see Use Azure Key Vault secrets in environment variables. |
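
As an added example (not part of the CoE Starter Kit or the original article), the following Python check compares planned environment variable values against the table above before you enter them. The function name and the sample values are constructed for illustration, and the check makes no network calls.

```python
import re

# Audience and authority per cloud, copied from the table above.
CLOUDS = {
    "Commercial": ("https://manage.office.com", "https://login.windows.net"),
    "GCC": ("https://manage-gcc.office.com", "https://login.windows.net"),
    "GCC High": ("https://manage.office365.us", "https://login.microsoftonline.us"),
    "DoD": ("https://manage.protection.apps.mil", "https://login.microsoftonline.us"),
}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample with two mistakes: the commercial authority used in
# GCC High, and the secret ID (a GUID) pasted where the secret value belongs.
SAMPLE = {
    "Audit Logs - Audience": "https://manage.office365.us",
    "Audit Logs - Authority": "https://login.windows.net",
    "Audit Logs - ClientID": "00000000-0000-0000-0000-000000000001",
    "Audit Logs - Client Secret": "11111111-2222-3333-4444-555555555555",
    "Audit Logs - Client Azure Secret": "",
}


def check_audit_log_variables(cloud, values):
    """Return findings for the planned values (hypothetical helper, offline only)."""
    def get(name):
        return (values.get(name) or "").strip()
    findings = []
    audience, authority = CLOUDS[cloud]
    if get("Audit Logs - Audience") != audience:
        findings.append(f"ERROR: audience for {cloud} should be {audience}")
    if get("Audit Logs - Authority") != authority:
        findings.append(f"ERROR: authority for {cloud} should be {authority}")
    if not GUID.match(get("Audit Logs - ClientID")):
        findings.append("ERROR: ClientID is not a GUID")
    secret, vault_ref = get("Audit Logs - Client Secret"), get("Audit Logs - Client Azure Secret")
    if bool(secret) == bool(vault_ref):
        findings.append("ERROR: fill exactly one of Client Secret and Client Azure Secret")
    if GUID.match(secret):
        findings.append("ERROR: Client Secret looks like the secret ID, not the secret value")
    elif secret:
        findings.append("WARN: plain-text secret; a Key Vault reference is recommended")
    if GUID.match(vault_ref):
        findings.append("ERROR: Client Azure Secret expects a Key Vault reference")
    return findings


if __name__ == "__main__":
    for finding in check_audit_log_variables("GCC High", SAMPLE):
        print(finding)
```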

Start a subscription to audit log content

  1. Go to make.powerapps.com.
  2. Select Solutions.
  3. Open the Center of Excellence – Core Components solution.
  4. Turn on the Admin | Audit Logs | Office 365 Management API Subscription flow and run it, entering start as the operation to run.
  5. Open the flow and verify that the action to start the subscription passed.

Important

If you previously enabled the subscription, you see a (400) The subscription is already enabled message. This means the subscription was successfully enabled in the past. You can ignore this message and continue with the setup. If you don't see the above message or a (200) response, the request likely failed. There might be an error with your setup that's keeping the flow from working. Common issues to check are:

  • Are audit logs enabled, and do you have permission to view the audit logs? Test if the logs are enabled by searching in Microsoft Compliance Manager.
  • Did you enable the audit log recently? If so, try again in a few minutes, to give the audit log time to activate.
  • Validate that you correctly followed the steps in Microsoft Entra app registration.
  • Validate that you correctly updated the environment variables for these flows.

Turn on flows

  1. Go to make.powerapps.com.
  2. Select Solutions.
  3. Open the Center of Excellence – Core Components solution.
  4. Turn on the Admin | Audit Logs | Update Data (V2) flow. This flow updates the PowerApps table with last launch information and adds metadata to the audit log records.
  5. Turn on the Admin | Audit Logs | Sync Audit Logs (V2) flow. This flow runs on an hourly schedule and collects audit log events into the audit log table.

How to get older data

This solution collects app launches after being configured, but isn't set up to collect historic app launches. Depending on your Microsoft 365 license, historic data is available for up to one year using the audit log in Microsoft Purview.

You can load historic data into the CoE Starter Kit tables manually, using one of the flows in the solution.

Note

The user retrieving audit logs needs permission to access them. For more information, see Before you search the audit logs.

  1. Browse to the Audit Log search.

  2. Search for the Launched app activity in the date range available to you.

  3. Once the search runs, select Export to download the results.

  4. Browse to this flow in the core solution: Admin | Audit Logs | Load events from exported Audit Log CSV file.

  5. Turn on the flow and run it, selecting the downloaded file for the Audit Log CSV parameter.

    Note

    If you don't see the file loading after selecting Import, it might exceed the allowed content size for this trigger. Try breaking up the file into smaller files (50,000 rows per file) and run the flow once per file. The flow can be run simultaneously for multiple files.

  6. When complete, these logs are included in your telemetry. The last launched list for the apps is updated if more recent launches are found.
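
For the file-size note in step 5, this added Python example (not part of the CoE Starter Kit) splits an exported CSV into files of 50,000 data rows each and repeats the header row in every part. It assumes a UTF-8 export with a header row; the column names and rows in the sample are constructed.

```python
import csv
import os
import tempfile

ROWS_PER_FILE = 50_000  # rows per file suggested in the note above


def split_audit_csv(src_path, out_dir, rows_per_file=ROWS_PER_FILE):
    """Split an exported CSV into parts, repeating the header in each part.

    The csv module keeps quoted fields that contain commas or newlines whole.
    """
    os.makedirs(out_dir, exist_ok=True)
    stem = os.path.splitext(os.path.basename(src_path))[0]
    parts, out, writer, count = [], None, None, 0
    try:
        # utf-8-sig drops a byte order mark if the export starts with one.
        with open(src_path, newline="", encoding="utf-8-sig") as src:
            reader = csv.reader(src)
            header = next(reader, None)
            if header is None:
                return parts  # empty export: nothing to write
            for row in reader:
                if writer is None or count == rows_per_file:
                    if out:
                        out.close()
                    path = os.path.join(out_dir, f"{stem}_part{len(parts) + 1:03d}.csv")
                    out = open(path, "w", newline="", encoding="utf-8")
                    writer = csv.writer(out)
                    writer.writerow(header)
                    parts.append(path)
                    count = 0
                writer.writerow(row)
                count += 1
    finally:
        if out:
            out.close()
    return parts


if __name__ == "__main__":
    # Constructed export: three rows, one with a newline inside a quoted field.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "export.csv")
        with open(src, "w", newline="", encoding="utf-8") as f:
            csv.writer(f).writerows([["Operation", "AuditData"], ["Launched app", "{}"],
                                     ["Launched app", '{"a":\n1}'], ["Launched app", "{}"]])
        parts = split_audit_csv(src, os.path.join(tmp, "parts"), rows_per_file=2)
        print([os.path.basename(p) for p in parts])
```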

Troubleshooting

API permissions

Go to your app registration and validate that you have the correct API permissions. Your app registration requires application permissions, not delegated permissions. Validate that the status is Granted.

Secret environment variable - Azure secret

If you're using Azure Key Vault to store the app registration secret, validate that the Azure Key Vault permissions are correct. A user needs to be in the Key Vault Secrets User role to read and in the Key Vault Contributor role to update.

If you have other issues with Azure Key Vault regarding a firewall, static IPs for Dataverse Environment, or other such feature issues, contact product support to resolve them.

Secret Environment Variable - plain text

If you're using plain text to store the app registration secret, validate that you entered the secret value itself and not the secret ID. The secret value is a longer string with a larger character set than a GUID; for example, the string might have tilde characters.

I found a bug with the CoE Starter Kit. Where should I go?

To file a bug against the solution, go to aka.ms/coe-starter-kit-issues.