Azure sentinel
7/21/2023

I'm writing this from the beautiful and sunny city of Prague, where I'm attending the European SharePoint, Office 365 and Azure Conference. It's a 4-day event, with hundreds of sessions, and some very insightful keynotes also. I'm delivering two sessions here, and one of those was on monitoring and managing Power Apps and Power Automate.

As you probably know, Power Automate used to be called Microsoft Flow. They are both part of the Power Platform, which consists of Power BI, Power Apps, Power Automate and Power Virtual Agents. This image from Microsoft visualizes the platform neatly:

As part of the presentation I delivered with Thomas Vochten, I built a demo that I wanted to write more about, as I spent quite a bit of time getting it to work.

The problem

Building monitoring and governance around the Power Platform typically includes auditing events in Office 365. You can access the audit logs through the Office 365 Security & Compliance Center, under Search > Audit log search.

In audit log search, from Activities select all corresponding categories for the Power Platform, such as Power Apps and Power Automate (still showing as 'Flow'), and click Search:

This results in a list of entries in the audit log:

Each item contains plenty of additional details once you click it:

Note: if you are not seeing anything in the logs despite events having been generated, make sure you have turned on the auditing feature.

So, what's the problem here? We can clearly get audited events from the logs and can have longer lunch breaks now.

First, one has to dig through these logs manually. They are also not stored indefinitely: typically for up to 90 days with the usual Office 365 E3 license. If you have an Office 365 E5 license, you can retain the logs for up to 1 year.

Second, it would be nice to do something with the logs. There are additional solutions one could use, such as Microsoft Cloud App Security, which I think is great, but it also requires additional licensing and some ramp-up to integrate properly.

And here comes the solution!

Building the solution using PowerShell

I wanted to retrieve all audit logs for the Power Platform automatically, and I started building this solution with PowerShell. In order to retrieve logs automatically, I need to connect to the Office 365 Management Activity API. The fine people at SysKit already blogged about this, so I used their PowerShell script mostly as-is, and it just works.

There are a couple of important bits here, although the script itself is relatively simple. I fancy the approach where I use something quickly to validate my proposition, and then build out from there. It takes a bit longer to achieve, but I'm also learning a great deal from these exercises.

The PowerShell script first needs a few variables. These are taken from the SysKit script directly:

```powershell
$clientID = "REPLACE_ME"
# (the client secret, tenant name and the token request body $body are set between these lines)
# Token request: keep the response in its own variable rather than overwriting the request body $body
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
```

You need to replace your own values for the first 3 lines: Client ID, Client Secret, and Tenant name. So where do we get these? And why do we need a Client ID and a Client Secret, then?

In order to control who has access to the logs, we need to grant permission for this somehow. This is done by creating a new Azure AD-integrated app, which acts as our vehicle for accessing the logs. So we're essentially getting OAuth2 tokens, and specifying which sort of access our solution requires. Specific guidance on how to provision the app can be found here.

The permissions you'll need to specify for your Azure AD-defined app are:

This is a bit more than what's strictly needed, but just to future-proof it, I added Threat Intelligence and Service Health permissions also.

Next, we need the actual logic within the PowerShell. First, a one-liner to call the Office 365 Management Activity API to let it know we're interested in the Audit.General content type:

```powershell
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "$tenant/activity/feed/subscriptions/start?contentType=Audit.General"
```

Audit.General holds all general items, including Power Platform audit data. How do we know it's Audit.General? Well, they are listed here, and there are five in total:

Thanks for reading my blog! If you have any questions or need a second opinion with anything Microsoft Azure, security or Power Platform related, don't hesitate to contact me.
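Putting the pieces above together, here is an added example of my own, not the SysKit script and not code from the original post, that runs the whole collection flow: client-credentials token, a subscription check before calling start, content listing with paging, and a filter down to the Power Platform workloads. The O365_* environment variable names, the separate tenant GUID variable and the Workload filter values are my assumptions; the endpoints are the documented Management Activity API ones. It needs only the ActivityFeed.Read application permission, which is the least privilege the audit feed requires, and it reads the client secret from the environment instead of a literal in the script file.

```powershell
# Added example, not the SysKit script or the author's code: end-to-end pull of
# Power Platform audit records from the Office 365 Management Activity API.
# Assumes an Azure AD app registration holding the ActivityFeed.Read application
# permission (admin-consented) and these four values supplied via environment
# variables (names are assumptions) so the secret is never hard-coded.
$clientID     = $env:O365_CLIENT_ID       # Application (client) ID
$clientSecret = $env:O365_CLIENT_SECRET   # client secret of that app
$tenantdomain = $env:O365_TENANT_DOMAIN   # e.g. contoso.onmicrosoft.com
$tenantId     = $env:O365_TENANT_ID       # Directory (tenant) ID GUID, used in the API path
foreach ($v in 'clientID', 'clientSecret', 'tenantdomain', 'tenantId') {
    if (-not (Get-Variable $v -ValueOnly)) { throw "Set the O365_* environment variables first ($v is empty)" }
}

$loginURL = "https://login.microsoftonline.com"
$resource = "https://manage.office.com"
$apiBase  = "$resource/api/v1.0/$tenantId"

# 1. Client-credentials token from the v1 OAuth2 endpoint, as in the SysKit script.
$tokenBody = @{
    grant_type    = "client_credentials"
    resource      = $resource
    client_id     = $clientID
    client_secret = $clientSecret
}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $tokenBody
$headerParams = @{ Authorization = "$($oauth.token_type) $($oauth.access_token)" }

# 2. Enable the Audit.General subscription only if it is not already enabled.
#    The five content types are Audit.AzureActiveDirectory, Audit.Exchange,
#    Audit.SharePoint, Audit.General and DLP.All; Power Platform events are in Audit.General.
$contentType   = "Audit.General"
$subscriptions = Invoke-RestMethod -Method Get -Headers $headerParams -Uri "$apiBase/activity/feed/subscriptions/list"
if (-not ($subscriptions | Where-Object { $_.contentType -eq $contentType -and $_.status -eq "enabled" })) {
    Invoke-RestMethod -Method Post -Headers $headerParams -Uri "$apiBase/activity/feed/subscriptions/start?contentType=$contentType" | Out-Null
}

# 3. List content blobs for the last 24 hours (the API caps each query at a 24 h
#    window inside the last 7 days) and follow NextPageUri until the listing is exhausted.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$fmt   = "yyyy-MM-ddTHH:mm:ss"
$uri   = "$apiBase/activity/feed/subscriptions/content?contentType=$contentType&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
$blobs = @()
while ($uri) {
    $resp   = Invoke-WebRequest -Method Get -Headers $headerParams -Uri $uri -UseBasicParsing
    $blobs += ($resp.Content | ConvertFrom-Json)
    $uri    = $resp.Headers["NextPageUri"] | Select-Object -First 1   # absent on the last page
}

# 4. Fetch every blob (each is a JSON array of audit records) and keep only the
#    Power Platform workloads. The Workload values for Power Apps and Flow/Power
#    Automate are assumed from the audit schema; adjust if your records differ.
function Select-PowerPlatformRecord {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        if ($Record.Workload -in @("PowerApps", "MicrosoftFlow")) {
            [pscustomobject]@{
                CreationTime = $Record.CreationTime
                Workload     = $Record.Workload
                RecordType   = $Record.RecordType
                Operation    = $Record.Operation
                UserId       = $Record.UserId
            }
        }
    }
}

$records = foreach ($blob in $blobs) {
    Invoke-RestMethod -Method Get -Headers $headerParams -Uri $blob.contentUri
}
$records | Select-PowerPlatformRecord | Sort-Object CreationTime | Format-Table -AutoSize
```

Set the four O365_* variables in the session and run the script; the final table is the material you would forward to Sentinel or another SIEM. Because each content query is limited to a 24-hour window, a scheduled collector should persist the last endTime it used and query forward from there, otherwise records that land in a blob after the previous run are missed or duplicated.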