Collect audit logs using a custom connector (deprecated)
Using the dedicated Center of Excellence - Audit Log solution and the Office 365 Management custom connector to collect audit log events are deprecated. The solution and custom connector will be removed from the CoE Starter Kit in August 2023.
We have a new flow that collects audit log events, which is part of the Center of Excellence - Core Components solution. This new flow uses an HTTP connector. Learn more: Collect audit logs using an HTTP action
The Audit Log Sync flow connects to the Microsoft 365 audit log to gather telemetry data (unique users, launches) for apps. The flow uses a custom connector to connect to the Audit Log. In the following instructions, you set up the custom connector and configure the flow.
The Center of Excellence (CoE) Starter Kit works without this flow, but the usage information (app launches, unique users) in the Power BI dashboard will be blank.
Complete the instructions in Before setting up the CoE Starter Kit and Set up inventory components before continuing with the setup in this article. This article assumes you have your environment set up and are signed in with the correct identity.
Only set up the Audit Log solution if you've chosen cloud flows as the mechanism for inventory and telemetry.
Watch a walk-through on how to set up the audit log connector.
Before you use the audit log connector
Microsoft 365 audit log search must be turned on for the audit log connector to work. More information: Turn audit log search on or off
The user identity running the flow must have permission to the audit logs. Minimum permissions for this are described here: Before you search the audit logs
Your tenant must have a subscription that supports unified audit logging. More information: Security & Compliance Center availability for business and enterprise plans
A Global Admin is required to configure the Azure Active Directory (Azure AD) app registration.
The Office 365 Management APIs use Azure AD to provide authentication services that you can use to grant rights for your application to access them.
Create an Azure AD app registration for the Office 365 Management API
Using these steps, you set up an Azure AD app registration that is used in a custom connector and Power Automate flow to connect to the audit log. More information: Get started with Office 365 Management APIs
Sign in to portal.azure.com.
Go to Azure Active Directory > App registrations.
Select + New Registration.
Enter a name (for example, Microsoft 365 Management), don't change any other setting, and then select Register.
Select API permissions > + Add a permission.
Select Office 365 Management API, and configure permissions as follows:
Select Delegated permissions, and then select ActivityFeed.Read.
Select Add permissions.
Select Grant Admin Consent for (your organization). Prerequisites: Grant tenant-wide admin consent to an application
The API permissions now reflect delegated ActivityFeed.Read with a status of Granted for (your organization).
Select Certificates and secrets.
Select + New client secret.
Add a description and expiration (in line with your organization's policies), and then select Add.
Copy and paste the Secret to a text document in Notepad for the time being.
Select Overview, and copy and paste the application (client) ID and directory (tenant) ID values to the same text document; be sure to make a note of which GUID is for which value. You'll need these values in the next step as you configure the custom connector.
Leave the Azure portal open, because you'll need to make some configuration updates after you set up the custom connector.
Set up the custom connector
Now you'll configure and set up a custom connector that uses the Office 365 Management APIs.
Go to Power Apps > Dataverse > Custom Connectors. The Office 365 Management API custom connector is listed here; it has been imported with the core components solution.
If your tenant is a commercial tenant, leave the General page as is.
- If your tenant is a GCC tenant, change the host to manage-gcc.office.com.
- If your tenant is a GCC High tenant, change the host to manage.office365.us.
- If your tenant is a DoD tenant, change the host to manage.protection.apps.mil.
More information: Activity API operations
Select Edit at the bottom of the OAuth 2.0 area to edit the authentication parameters.
Change the Identity Provider to Azure Active Directory.
Paste the application (client) ID you copied from the app registration into Client Id.
Paste the client secret you copied from the app registration into Client secret.
Don't change the Tenant ID.
Leave the Login URL as is for commercial and GCC tenants, and change it to https://login.microsoftonline.us/ for a GCC High or DoD tenant.
Set the Resource URL to https://manage.office.com for a commercial tenant, https://manage-gcc.office.com for a GCC tenant, https://manage.office365.us for a GCC High tenant, and https://manage.protection.apps.mil for a DoD tenant.
Select Update Connector.
Copy the Redirect URL into your text document in Notepad.
If you have a data loss prevention (DLP) policy configured for your CoE Starter Kit environment, you'll need to add this connector to the business data–only group of this policy.
Update Azure AD app registration with the redirect URL
Go to the Azure portal and your app registrations.
Under Overview, select Add a Redirect URI.
Select + Add a platform > Web.
Enter the URL you copied from the Redirect URL section of the custom connector.
Start a subscription to audit log content
Go back to the custom connector to set up a connection to the custom connector and start a subscription to the audit log content, as described in the following steps.
You must complete these steps for subsequent steps to work. If you don't create a new connection and test the connector here, setting up the flow and child flow in later steps will fail.
On the Custom Connector page, select Test.
Select + New connection, and then sign in with your account.
Under Operations, select StartSubscription.
Paste the directory (tenant) ID—copied earlier from the App Registration overview page in Azure AD—into the Tenant field.
Paste the directory (tenant) ID into PublisherIdentifier.
Select Test Operation.
You should see a (200) status returned, which means the query was successful.
If you have previously enabled the subscription, you will see a (400) The subscription is already enabled message. This means the subscription has successfully been enabled in the past. You can ignore this error and continue with the setup.
If you don't see the above message or a (200) response, the request may have failed. There could be an error with your setup that's keeping the flow from working. Common issues to check are:
- Validate that the identity provider on the Security tab is set to Azure Active Directory.
- Are audit logs enabled, and do you have permission to view the audit logs? Check by seeing if you can search in the Microsoft Compliance Manager.
- If you don't have permissions, see Before you search the audit log.
- Have you enabled the audit log very recently? If so, try again in a few minutes, to give the audit log time to activate.
- Have you pasted in the correct tenant ID from your Azure AD app registration?
- Have you pasted in the correct resource URL, with no added spaces or characters at the end?
- Validate that you correctly followed the steps in Azure AD app registration.
- Validate that you correctly updated the security settings of the custom connector, as described in step 6 of the custom connector setup procedure earlier in this article.
If you are still seeing failures, your connection may be in a bad state. Learn more: Step-by-step instructions to repair Audit Log connection
Set up the Power Automate flow
A Power Automate flow uses the custom connector, queries the audit log daily, and writes the Power Apps launch events to a Microsoft Dataverse table. This table is then used in the Power BI dashboard to report on sessions and unique users of an app.
Follow the instructions in Set up core components to download the solution.
Go to make.powerapps.com.
Import the Center of Excellence audit logs solution (CenterofExcellenceAuditLogs_x_x_x_xxx_managed.zip).
Establish connections to activate your solution. If you create a new connection, you must select Refresh. You won't lose your import progress.
Open the Center of Excellence – Audit Log solution.
Remove the unmanaged layer from the [Child] Admin | Sync Logs.
Select the [Child] Admin | Sync Logs.
Edit the Run only users settings.
For the Office 365 Management API custom connector, change the value to Use this connection (userPrincipalName@company.com). If there's no connection for any of the connectors, go to Dataverse > Connections, and create one for the connector.
For the Microsoft Dataverse connector, leave the run-only permission value blank and confirm that the connection reference for the CoE Audit Logs - Dataverse connection is configured correctly. If the connection is showing an error, update the connection reference for the CoE Audit Logs - Dataverse connection reference.
Select Save, and then close the Flow details tab.
(Optional) Edit the TimeInterval-Unit and TimeInterval-Interval environment variables to gather smaller chunks of time. The default value is to chunk 1 day into 1 hour segments. You receive an alert from this solution if the Audit Log fails to collect all data with your configured time interval.
Name Description StartTime-Interval Must be a whole number to represent the start time for how far back to fetch.
Default value: 1 (for one day back)
StartTime-Unit Determines units for how far back in time to go to fetch data.
Must be a value from accepted as an input parameter to Add to Time.
Example legal values: Minute, Hour, Day
Default value: Day
TimeInterval-Unit Determines units for chunking the time since start.
Must be a value from accepted as an input parameter to Add to Time.
Example legal values: Minute, Hour, Day
Default value: Hour
TimeInterval-Interval Must be a whole number to represent the number of chunks of type unit (above).
Default value: 1 (for 1 hour chunks)
TimeSegment-CountLimit Must be a whole number to represent the limit on the number of chunks that can be created.
Default value: 60
The default values provided work in a medium-sized tenant. You may have to adjust the values multiple times for this to work for your tenant size.
Learn how to update environment variables: Update Environment Variables
Back in the solution, turn on both the [Child] Admin | Sync Logs flow and the Admin | Sync Audit Logs flow.
Example configurations for environment variables
Here are example configurations for these values:
|1||day||1||hour||60||Will create 24 child flows, which is within the limit of 60.
Each child flow does the work to pull back 1 hour of logs from the past 24 hours
|2||day||1||hour||60||Will create 48 child flows, which is within the limit of 60.
Each child flow does the work to pull back 1 hour of logs from the past 48 hours
|1||day||5||minute||300||Will create 288 child flows, which is within the limit of 300.
Each child flow does the work to pull back 5 minutes of logs from the past 24 hours
|1||day||15||minute||100||Will create 96 child flows, which is within the limit of 100.
Each child flow does the work to pull back 15 minutes of logs from the past 24 hours
How to get older data
This solution collects app launches from the moment it's configured, and isn't set up to collect historic app launches. Depending on your Microsoft 365 license, historic data will be available for up to a year using the audit log in Microsoft Purview.
You can load historic data into the CoE Starter Kit tables manually. Learn more: How to import old Audit Logs
I found a bug with the CoE Starter Kit; where should I go?
To file a bug against the solution, go to aka.ms/coe-starter-kit-issues.