Get Windows 365 audit logs by using PowerShell

Audit logs for Windows 365 include a record of activities that generate a change in a Cloud PC. Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Cloud PC actions that go through Graph. By default, auditing is enabled for all customers. It can't be disabled.

Who can access the data?

Users with the following permissions can review audit logs:

  • Global Administrator
  • Intune Service Administrator
  • Administrators assigned to an Intune role with Audit data - Read permissions

Use Graph API and PowerShell to retrieve audit events

To get audit log events for up to seven days for your Windows 365 tenant, follow these steps:

Install the SDK

  1. In PowerShell, run this command: Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber
  2. Verify the installation by running this command: Get-InstalledModule Microsoft.Graph.Beta
  3. To get all Cloud PC Graph endpoints, run this command: Get-Command -Module Microsoft.Graph* *virtualEndpoint*

Sign in

  1. Run either of these two commands:
    • Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
    • Connect-MgGraph -Scopes "CloudPC.Read.All"
  2. On the resulting web page, sign in to your tenant with a user account that has the appropriate read and/or write permissions.
  3. Switch to the Graph beta environment by using this command: Select-MgProfile -Name "beta"

Get audit data

You can view audit data in multiple ways.

Get entire list of audit events, including the audit actor

To get the entire list of audit events including the actor (person who performed the action), use the following command:

Get-MgBetaDeviceManagementVirtualEndpointAuditEvent | Select-Object -Property Actor,ActivityDateTime,ActivityType,ActivityResult -ExpandProperty Actor | Format-Table UserId, UserPrincipalName, ActivityType, ActivityDateTime, ActivityResult

Get a list of audit events

To get a list of audit events without the audit actor, use the following command:

Get-MgBetaDeviceManagementVirtualEndpointAuditEvent

To get all the events, use the -All parameter: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -All

To get only the top N events, use the following parameters: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -All -Top {TopNumber}

Get a single event by event ID

You can use the following command to get a single audit event, where you'll need to provide the {event ID}: Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -CloudPcAuditEventId {event ID}
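The following script is an added example that ties the install, sign-in and retrieval steps above into one review workflow; it is not part of the original article. It signs in with the read-only scope (reviewing audit logs does not need CloudPC.ReadWrite.All), pages through every event from the last seven days, flattens the nested Actor object, exports the rows to CSV and prints two triage views: a count per actor and activity type, and a list of delete or remote actions plus any non-successful results. The cmdlet and property names (Actor.UserId, Actor.UserPrincipalName, ActivityDateTime, ActivityType, ActivityResult) come from the article; the Id property, the 'delete|remote' pattern used to pick out higher-impact activity types, the 'Success' result value, and the output path are assumptions made for this example and should be adjusted to what your tenant actually returns.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft.Graph.Beta module from the install step is present.
param(
    [int]$Days = 7,
    # Assumed output location; change to suit your environment.
    [string]$OutputPath = ".\cloudpc-audit-$(Get-Date -Format 'yyyyMMdd').csv"
)

# Least privilege: reading audit logs only needs the read-only scope.
Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-$Days)

# -All pages through every result instead of stopping at the first page.
$events = Get-MgBetaDeviceManagementVirtualEndpointAuditEvent -All |
    Where-Object { $_.ActivityDateTime -ge $since }

# Flatten the nested Actor object so the rows export cleanly to CSV.
# Id is assumed to be the event identifier used by -CloudPcAuditEventId.
$rows = $events | ForEach-Object {
    [pscustomobject]@{
        Id               = $_.Id
        ActivityDateTime = $_.ActivityDateTime
        ActivityType     = $_.ActivityType
        ActivityResult   = $_.ActivityResult
        ActorUpn         = $_.Actor.UserPrincipalName
        ActorUserId      = $_.Actor.UserId
    }
}

$rows | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Exported $($rows.Count) audit events to $OutputPath"

# Triage view 1: who did what, and how often.
$rows | Group-Object ActorUpn, ActivityType |
    Select-Object @{ n = 'Actor_Activity'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Triage view 2: higher-impact changes and anything that did not succeed.
# The 'delete|remote' pattern and the 'Success' value are assumptions;
# check them against the ActivityType and ActivityResult values you see.
$rows |
    Where-Object { $_.ActivityType -match 'delete|remote' -or $_.ActivityResult -ne 'Success' } |
    Sort-Object ActivityDateTime -Descending |
    Format-Table ActivityDateTime, ActorUpn, ActivityType, ActivityResult -AutoSize

Disconnect-MgGraph
```

Run it from a PowerShell session as an account that holds one of the roles listed under "Who can access the data?". Because the CSV contains user principal names and IDs, store it where only audit reviewers can read it, and keep the run itself on the read-only scope so the reviewing account cannot also change Cloud PC configuration.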

Next steps

Business continuity and disaster recovery.