Exercise - Set up the audit log connector


The Audit Log Sync flow connects to the Microsoft 365 audit log to gather data such as unique users and launches for apps. The flow uses a custom connector to connect to the audit log. In the following instructions, you set up the custom connector and configure the flow.

Note

The Center of Excellence (CoE) Starter Kit works without this flow, but the usage information in the Power BI dashboard is blank.

Before you use the audit log connector

Before using the audit log connector, you need to meet the following prerequisites:

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

The Office 365 Management APIs use Microsoft Entra ID for authentication: you register an application in Microsoft Entra ID, grant that application permission to call the APIs, and the flow then authenticates as that application with its client secret.

Create a Microsoft Entra app registration for the Office 365 Management API

Using these steps, you can set up a Microsoft Entra app registration for an HTTP call in a Power Automate flow to connect to the audit log. For more information, see Get started with Office 365 Management APIs.

  1. Sign in to portal.azure.com.

  2. Go to Microsoft Entra ID, and then search for and select App registrations.

    Screenshot of select App registrations in Microsoft Entra ID.

  3. Select New Registration.

  4. Enter a name (such as Microsoft 365 Management), but don't change any other setting. Select Register.

    Screenshot of enter a name and select Register.

  5. Select API permissions > Add a permission.

    Screenshot of select API permissions and + Add a permission.

  6. Select Office 365 Management APIs and then configure permissions as follows:

    a. Select Delegated permissions and then select ActivityFeed.Read.

    Screenshot of select Office 365 Management APIs and configure permissions.

    b. Select Application permissions and then select ActivityFeed.Read and ServiceHealth.Read.

    Screenshot of select Application permissions.

    c. Select Add permissions.

  7. Select Grant admin consent for (your organization).

    The API permissions now reflect delegated ActivityFeed.Read and application ActivityFeed.Read and ServiceHealth.Read permissions, with a status of Granted for (your organization).

    Screenshot of select Grant admin consent.

  8. Select Certificates & secrets.

  9. Select New client secret.

    Screenshot of select New client secret.

  10. Add a description and an expiration (in line with your organization's policies), and then select Add. Record the expiry date: when the secret expires, the audit log flows stop working until you create a new secret and update the environment variable.

  11. Copy the secret value immediately; it is shown only once, and you can't retrieve it later. If you paste it into a scratch file such as Windows Notepad, delete that file as soon as the secret is stored in the environment variable or in Azure Key Vault.

  12. Select Overview and then copy the application (client) ID to the same scratch file.

Update environment variables

Environment variables are used to store the Client ID and secret for the app registration. They also store the audience and authority service endpoints depending on your cloud (commercial, GCC, GCC High, DoD) for the HTTP action. Update the environment variables before turning on the flows.

Note

You can store the client secret either in plain text in the Audit Logs - Client Secret environment variable, or in Azure Key Vault, referenced from the Audit Logs - Client Azure Secret environment variable. These steps use a plain-text client secret; Microsoft recommends Azure Key Vault, which keeps the secret out of the solution's environment variable values.

  1. Go to Power Apps.

  2. Go to Solutions.

  3. Select the All tab and select the Center of Excellence - Core Components solution to open it.

  4. Select Apps from the left-hand menu and play the CoE Admin Command Center app.

  5. Select Environment Variables from the left-hand menu of the app.

    Screenshot of the command center app and the environment variables to update.

  6. Find the Audit Logs - Audience environment variable and make sure the value matches the audience service endpoint for your cloud type.

    You can find the audience values for your cloud type in the table below. If the value doesn't match your cloud type, select the row in the Command Center app and select Edit from the command bar.

  7. Find the Audit Logs - Authority environment variable and make sure the value matches the authority service endpoint for your cloud type.

    You can find the authority values for your cloud type in the table below. If the value doesn't match your cloud type, select the row in the Command Center app and select Edit from the command bar.

  8. Find the Audit Logs - Client ID environment variable and enter the application (client) ID that you copied in the previous section.

    Screenshot of editing the environment variables.

  9. Find the Audit Logs - Client Secret environment variable and enter the client secret that you copied in the previous section. If you store the secret in Azure Key Vault instead, leave this variable empty and set Audit Logs - Client Azure Secret to the Key Vault reference.

    Note

    The flow using this environment variable is configured with a condition to expect either the Audit Logs - Client Secret or the Audit Logs - Client Azure Secret environment variable. It is not necessary to edit the flow to work with Azure Key Vault.

Name: Audit Logs - Audience
Description: The audience parameter for the HTTP calls.
Value:
  Commercial (Default): https://manage.office.com
  GCC: https://manage-gcc.office.com
  GCC High: https://manage.office365.us
  DoD: https://manage.protection.apps.mil

Name: Audit Logs - Authority
Description: The authority field in the HTTP calls.
Value:
  Commercial (Default): https://login.windows.net
  GCC: https://login.windows.net
  GCC High: https://login.microsoftonline.us
  DoD: https://login.microsoftonline.us

Name: Audit Logs - Client ID
Description: App registration client ID.
Value: The application (client) ID from the Create a Microsoft Entra app registration for the Office 365 Management API step.

Name: Audit Logs - Client Secret
Description: App registration client secret in plain text.
Value: The application client secret from the Create a Microsoft Entra app registration for the Office 365 Management API step. Leave empty if you store the client secret in Azure Key Vault.

Name: Audit Logs - Client Azure Secret
Description: Azure Key Vault reference of the app registration client secret.
Value: The Azure Key Vault reference for the application client secret from the Create a Microsoft Entra app registration for the Office 365 Management API step. Leave empty if you store the client secret in plain text in the Audit Logs - Client Secret environment variable. This variable expects the Azure Key Vault reference, not the secret value itself. Learn more: Use Azure Key Vault secrets in environment variables

Start a subscription to audit log content

  1. Go to Power Apps.

  2. Select Solutions from the left-hand menu.

  3. Select the All tab to see all the solutions.

  4. Open the Center of Excellence - Core Components solution.

  5. Turn on the Admin | Audit Logs | Office 365 Management API Subscription flow and run it, entering start as the operation to run.

    Screenshot of Admin Audit Logs Office 365 Management API Subscription.

  6. Open the flow and verify that the action to start the subscription passes.

    Screenshot of the StartSubscription flow with status code highlighted.

Important

If you previously enabled the subscription, the start action returns a (400) The subscription is already enabled message. This means the subscription was enabled successfully in the past; you can ignore this error and continue with the setup. If you see neither that message nor a (200) response, the request failed, and something in your setup is keeping the flow from working. Common issues to check are:

  • Are audit logs enabled, and do you have permission to view them? Check by confirming that you can search the audit log in the Microsoft Purview compliance portal.
  • Did you enable the audit log very recently? If so, try again in a few minutes to give the audit log time to activate.
  • Validate that you correctly followed the steps in Create a Microsoft Entra app registration for the Office 365 Management API, including granting admin consent for the application permissions; without consent, the token the flow acquires carries no permissions and the API rejects the call.
  • Validate that you correctly updated the environment variables for these flows, in particular that the audience and authority values match your cloud type.
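The following script is an added example, not part of the CoE Starter Kit or of Microsoft's documentation. It reproduces outside Power Automate what the subscription flow's HTTP action does: acquire a client-credentials token from the authority for your cloud, confirm that admin consent actually granted the ActivityFeed.Read and ServiceHealth.Read application permissions (by reading the token's roles claim), then call the subscription start operation and interpret the (200) and (400) already-enabled outcomes exactly as the Important note above describes. The audience and authority values come from the environment variable table; the Audit.General content type, the script name, the AUDIT_CLIENT_SECRET variable and the sample token are this example's own assumptions.

```python
"""Check the audit log app registration the way the subscription flow's HTTP
action would. Added example, not CoE Starter Kit code; standard library only."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Audience and authority per cloud, as listed in the environment variable table.
CLOUDS = {
    "commercial": ("https://manage.office.com", "https://login.windows.net"),
    "gcc": ("https://manage-gcc.office.com", "https://login.windows.net"),
    "gcchigh": ("https://manage.office365.us", "https://login.microsoftonline.us"),
    "dod": ("https://manage.protection.apps.mil", "https://login.microsoftonline.us"),
}
# Application permissions the setup steps grant; every one must be in the token.
REQUIRED_ROLES = {"ActivityFeed.Read", "ServiceHealth.Read"}


def endpoints_for_cloud(cloud):
    """Map 'Commercial', 'GCC', 'GCC High' or 'DoD' to its audience/authority pair."""
    key = cloud.lower().replace(" ", "").replace("-", "")
    if key not in CLOUDS:
        raise ValueError(f"unknown cloud {cloud!r}; expected one of {sorted(CLOUDS)}")
    audience, authority = CLOUDS[key]
    return {"audience": audience, "authority": authority}


def token_request(tenant_id, client_id, client_secret, cloud):
    """Client-credentials request to the v1 token endpoint (audience goes in 'resource')."""
    ep = endpoints_for_cloud(cloud)
    url = f"{ep['authority']}/{tenant_id}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": ep["audience"]}
    return url, form


def subscription_url(tenant_id, cloud, operation="start", content_type="Audit.General"):
    """URL of the start/stop/list subscription operations for one content type."""
    return (f"{endpoints_for_cloud(cloud)['audience']}/api/v1.0/{tenant_id}"
            f"/activity/feed/subscriptions/{operation}?contentType={content_type}")


def token_roles(access_token):
    """Application permissions granted to the app: the 'roles' claim of the JWT.
    The signature is deliberately not verified; this only inspects the payload."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return sorted(claims.get("roles", []))


def missing_roles(access_token):
    """Permissions from the setup steps that admin consent has not granted."""
    return sorted(REQUIRED_ROLES - set(token_roles(access_token)))


def classify_start_response(status, body):
    """Interpret /subscriptions/start the way the Important note does."""
    if status == 200:
        return "started"
    if status == 400 and "already enabled" in body.lower():
        return "already-enabled"  # started on an earlier run; safe to ignore
    return "failed"


def post(url, data=b"", headers=None):
    """POST and return (status, body) for both success and HTTP error responses."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def start_subscription(tenant_id, client_id, client_secret, cloud):
    """Acquire a token, verify consent, then start the Audit.General subscription."""
    url, form = token_request(tenant_id, client_id, client_secret, cloud)
    status, body = post(url, urllib.parse.urlencode(form).encode(),
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed ({status}): {body}")
    token = json.loads(body)["access_token"]
    if missing_roles(token):
        raise RuntimeError(f"admin consent not granted for: {missing_roles(token)}")
    status, body = post(subscription_url(tenant_id, cloud),
                        headers={"Authorization": f"Bearer {token}"})
    return classify_start_response(status, body), status, body


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed, unsigned sample token (not from any real tenant) for offline checks.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}),
                         _b64url({"aud": "https://manage.office.com",
                                  "roles": ["ServiceHealth.Read", "ActivityFeed.Read"]}),
                         ""])

if __name__ == "__main__":
    # usage: AUDIT_CLIENT_SECRET=... python check_audit_sub.py <tenant-id> <client-id> <cloud>
    tenant, client, cloud = sys.argv[1:4]
    print(*start_subscription(tenant, client, os.environ["AUDIT_CLIENT_SECRET"], cloud))
```

The secret is read from an environment variable rather than a command-line argument so it doesn't land in shell history, and the roles check separates the two failure modes the note lumps together: a token request that fails means the client ID, secret, authority or tenant is wrong, while a token that comes back without the expected roles means the app registration exists but admin consent was never granted.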

Turn on flows

  1. Go to make.powerapps.com.

  2. Select Solutions from the left-hand menu, and then select the All tab to see all the solutions.

  3. Open the Center of Excellence - Core Components solution.

  4. Turn on the Admin | Audit Logs | Sync Audit Logs (V2) flow. This flow runs on an hourly schedule and collects audit log events into the Audit Log table.