Get Windows 365 audit logs

Audit logs for Windows 365 include a record of activities that generate a change in a Cloud PC. Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Cloud PC actions that go through Graph. By default, auditing is enabled for all customers. It can't be disabled.

Who can access the data?

Users with the following permissions can review audit logs:

• Global Administrator
• Intune Service Administrator
• Administrators assigned to an Intune role with Audit data - Read permissions

Send Windows 365 audit logs to diagnostic settings in Azure Monitor

Azure monitor's diagnostic settings let you export platform logs and metrics to the destination of your choice. You can create up to five different diagnostic settings to send different logs and metrics to independent destinations. For more information, see Diagnostic settings in Azure Monitor.

To create a diagnostic setting for sending logs

1. Make sure you have an Azure account.
2. Sign in to the Microsoft Intune admin center, select Reports > Diagnostic settings (under Azure monitor)> Add Diagnostic settings.
3. Under Logs, select Windows365AuditLogs.
4. Under Destination details, select the destination and provide details.
5. Select Save.

Use Graph API and PowerShell to retrieve audit events

To get audit log events for up to seven days for your Windows 365 tenant, follow these steps:

Install the SDK

1. In PowerShell, run this command: Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber
2. Verify the installation by running this command:Get-InstalledModule Microsoft.Graph.Beta
3. To get all Cloud PC Graph endpoints, run this command: Get-Command -Module Microsoft.Graph* *virtualEndpoint*

Sign in

1. Run either of these two commands:
   • Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
   • Connect-MgGraph -Scopes "CloudPC.Read.All"
2. On the resulting web page, sign in to your tenant with a user account that has the appropriate read and/or write permissions.
3. Switch to the Graph beta environment by using this command: Select-MgProfile -Name "beta"

Get audit data

You can view audit data in multiple ways.

Get entire list of audit events, including the audit actor

To get the entire list of audit events including the actor (person who performed the action), use the following command:

Get-MgBetaDeviceManagementVirtualEndpointAuditEvent | Select-Object -Property Actor,ActivityDateTime,ActivityType,ActivityResult -ExpandProperty Actor | Format-Table UserId, UserPrincipalName, ActivityType, ActivityDateTime, ActivityResult

Get a list of audit events

To get a list of audit events without the audit actor, use the following command:

Get-MgBetaDeviceManagementVirtualEndpointAuditEvent

To get all the events, use the -All parameter: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -All

To get only the top N events, use the following parameters: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -All -Top {TopNumber}

Get a single event by event ID

You can use the following command to get a single audit event, where you'll need to provide the {event ID}: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -CloudPcAuditEventId {event ID}

Next steps

Business continuity and disaster recovery.