blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

Delegate365-Read audit logs

Whenever a user or the synchronization makes a change in Delegate365, this is logged. Logging is a collection of changed properties of an object. Since many different things can happen, logging depends on the action. See more here.

Delegate365 protocols the changed object properties or assignments to an object. Through the service-oriented architecture, it can take up to 5 minutes till actions are visible in the audit logs. Logs are available for users who have permission to the corresponding Logs modules. For scope admins, usually the Quick Audit OU´s menu is available to see changes of their own objects as follows.

image

In that module, the log goes back 7 days. For older logs, Delegate365 provides the Log Access module to directly connect to the log storage, see below.

I think, the best way to explain the changes is to look at a sample. Here, an admin has changed the user object biancap. The latest changes are on top, the oldest at the bottom of the list. You can filter the list for the UPN or other text parts on top of the list. So, here are 3 actions concerning biancap.

image

We start the reading from the bottom up.

  • action 1: First, biancap has been changed. We see, there were no changes in the user fields (the user properties). But the licenses are empty - there are 0 items shown in the Array [0] entry. This means, previously assigned licenses have been removed.
  • action 2: The second action shows that 5 fields of biancap have been changed: fields Array [5]. fieldName: "Department" has an "oldValueIfAny" property set to "Sales". The "currentValue" shows "Sales Seattle". This is the new and current value of that user property. We also see that fieldName: "StateOrProvince" has been changed from "WA" to "". The fieldName: "UserPrincipalName" is protocolled, but has not been changed, there´s the same value in both properties. Such entries can be existent. In that case, the value has not been changed, but is essential for the operation and is protocolled. This depends on the action and the response of Office 365. No other properties or assignments have been changed in action 2.
  • action 3: The last action on top shows that the licenses have been changed: licenses: Array [1], 0: Object, name: "OFFICE 365 ENTERPRISE E5". This log entry indicates that this license has been assigned to that user. If plans are enabled or disabled within the plan, their values are protocolled in the sub-fields. No other actions happened in that operation.

If possible, Delegate365 protocols the old values, how it works with user properties. If the action was an assignment, as licenses, the old license array is not protocolled, but the new license assignments are logged.

Group operations are logged in the group log, not per user. If a user was added or removed from a group, the membersAdded and membersRemoved keys are containing the users. Here, the admin added biancap as member to the Office 365 group Retail.

image


The same happens vice versa if a user is removed from a group. Here, the admin removed biancap as member from the Office 365 group Retail.

image

The logging protocols actions as JSON entry with that key/value schema that can be used from Power BI or other systems for further processing. The action above is stored as here.

{ "fields": [],  
"userMembershipChanges":
{ "distributionGroupAdded": "",   
"distributionGroupRemoved": "",   
"securityGroupsAdded": [],   
"securityGroupsRemoved": [],   
"sharedMailboxAdded": "",   
"sharedMailboxRemoved": ""
}, 
"licenses": [], 
"membersAdded": [], 
"membersRemoved": [ "BiancaP@M365x836814.onmicrosoft.com" ]
}

This format allows a flexible storing of actions. You can connect to the storage with the credentials in the "Log Access" module and use tools as Microsoft Storage Explorer as in the the following screenshot.

image

For older logs, you need to export the logs or use Power BI connected to the storage. Please see Delegate365-Working with Audit Logs and Delegate365-Working with Audit Logs and Power-BI.

All actions executed in Delegate365 are logged, whether it's a manual action or an automated process. Portal Administrators get access to all the audit data of Delegate365. Scope Admins usually have the Quick Audit OU´s module for checking their latest actions. There are several ways to get all audit data easily for further usage in other tools. We hope these features help to understand actions in your Delegat365 environment. See more about getting data from Microsoft 365 and Delegate365 at Delegate365 Reports.

Loading