[CoE Starter Kit - BUG] GCC Audit Logs running but not writing data

[mzd4fz00]

Describe the issue

our child and parent flows are running without failures, however we are not seeing the app last launched date being populated in the PowerApps App Dataverse table. We see audit log data being pulled in from the custom connector in the flow runs, but it doesn't include data for the power apps that are actively in use.

Our child flow does include this filter: @or(equals(item()?['Operation'], 'LaunchPowerApp'), equals(item()?['Operation'], 'DeletePowerApp'), equals(item()?['Operation'], 'DeleteFlow'), equals(item()?['Operation'], 'PowerAppPermissionEdited'))

We don't see any data in the audit log tables either, but we do see LaunchPowerApp operation in the security logs. we are looking for hints of what we should try to inspect next to uncover why our flows are not able to retrieve any data about when users last launched or deleted a power app.

Expected Behavior

we were expecting data to populate for app last launched into the PowerApps App dataverse table. Data should also be populated into the Audit log dataverse table as well.

What solution are you experiencing the issue with?

Audit Log

What solution version are you using?

2.4

What app or flow are you having the issue with?

[Child] Admin | Sync Logs

Steps To Reproduce

No response

Anything else?

This is something that has never worked properly for us (not an issue where it used to work but then stopped working).

[Jenefer-Monroe]

Hello. Are you a GCC tenant, or otherwise not a normal commercial tenant?

[Jenefer-Monroe]

And have you been through any cycles with support, or us, about this in the past?

[mzd4fz00]

Hi, yes we are in a GCC tenant. We have been working with Alex Rezac and Ernest Ovalles through ticket 2108250040005902 . They recommended starting up this thread as a good next step as we collectively haven't been able to reach a resolution after several weeks of troubleshooting.

[Jenefer-Monroe]

Thanks for that information. When you set up the custom connector, did you set the Resource URL as shown here?

[mzd4fz00]

Hi Jenefer, Mohamed Qureshi checked his notes when he set this up with Ernest and Alex from Microsoft and he has https://manage-gcc-office.com in his notes. If he attempts to edit the existing connection, it doesn't show the current values for some fields such as the Resource URL (ref the screenshot):

Is there another way to see the current value that is in use?

[Jenefer-Monroe]

Unfortunately custom connector settings do not show up after you hit "Update connector". You could likely watch the network traffic to see where it is being sent. However my suggestion is that you just go ahead and reset them, then see if this works.

[mzd4fz00]

Thanks Jenefer, as a status update, we did update the connector today to make sure https://manage-gcc-office.com was there for the Resource URL value, added in the client id and client secret again and selected Update Connector. We next ran the "Admin | Sync Audit Logs" workflow which made 24 successful runs of the child workflow "[Child] Admin | Sync Logs". No data was populated into the PowerApps App table for the "App Last Launched On" column however, which is the same symptom we have been experiencing. Are there other things you recommend we check? Thanks, Preston

[Jenefer-Monroe]

Sorry can you clarify, are the rows being written to the audit log table? And its just the field that isnt updating?

[Label-Maker]

I have the same issue. GCC tenant and correct resource URL. That table has no rows being written to.

[Label-Maker]

ok, I went thru the steps again and this time it is writing to that table. Must have fat fingered something the first time.

[Jenefer-Monroe]

I will hide your comments then @Label-Maker, since they do not seem to be the same issue. Thanks for using CoE

[mzd4fz00]

Hi Jenefer, no rows have been written to the audit log dataverse table (it is empty). In the attached screenshot, we never have data to pass the switch statement to perform the Insert Audit Log record (Current Environment) action where Operation = LaunchPowerApp.

The Parse JSON action above it will sometimes have data for things like an Operation of ExportReport for a workload of PowerBI or an Operation of CreateResponse for a workload of MicrosoftForms, What we aren't seeing are examples of an Operation of LaunchPowerApp.

[mzd4fz00]

Hi Jenefer, were there any additional components you recommend we check?

[Jenefer-Monroe]

I've seen this happen with one GCC customer. They uninstalled the audit logs solution and reinstalled it and it worked. It seemed that there may have been some caching somewhere that we could not clear without delete/reimport.

[mzd4fz00]

Hi Jenefer, that has been done twice now with Microsoft support (Alex Rezac and Ernest Ovalles) but it did not correct the issue unfortunately. Are there some additional measures you would recommend?

[Jenefer-Monroe]

From the setup steps, can you confirm that you confirm that you changed the host on the General tab? We realize that the instructions were a little confusing (say leave it as is, but then show the change needed for gov tenants) and we have changed that slightly for Nov

[Jenefer-Monroe]

Checking back in here to see about this step. Thanks

[mzd4fz00]

Hi Jenefer, we will check this shortly and report our finding, and to be clear you are indicating since we are GCC that we should set our host value on the General tab to be: https://manage.office365.us if it isn't already set that way, correct?

[mzd4fz00]

Hi Jenefer, we did make sure on General tab to make sure the host name is set to manage-gcc.office.com. We are now seeing some entries making it to the Audit Log table which is very encouraging, The last launched date is not yet populating though in the PowerApps App table, Is that normal, and should the child flow for the audit log already be populating it?

[Jenefer-Monroe]

WOOHOO!!!

We shipped with a bug last month in which that field wasnt populating. If you use the Oct version of the toolkit it will be fixed. Please see https://github.com/microsoft/coe-starter-kit/issues/1288

[mzd4fz00]

Hi Jenefer, we upgraded the solutions as recommended. We do see now some data populating in the PowerApps App table for "App Last Launched On", although it isn't much data yet. We see maybe 10 SharePointFormApp apps with a value now and 1 Canvas app (which is the DLP Editor V2 that we were testing on Wednesday), but our tenant has several hundred apps (some model driven, some canvas, and the rest SharePointFormApp) and we are not seeing data flowing in for most yet, just a trickle. there's maybe a couple hundren rows now on the Audit Log. The [Child] Admin | Sync Logs are not failing, averaging maybe 15 minutes a run. We're still grasping for what might be blocking us from seeing a lot more usage data of the Power Apps in our tenant, if you can think of something else we should be checking? Thanks,

[Jenefer-Monroe]

Did your admin email receive an email telling them that the chunk size is too large? We cannot return more results in the event of pagination, but we can detect when there were more pages. So if we are missing launches due to your tenant being too large, that is how we would let you know, by an email.

Then you can follow step 11 in the flow setup.

[mzd4fz00]

Hi Jenefer, you are correct that the admin did seee some chunk size / pagination type emails. we reduced the size down to looking at 10 minute size chunks instead of 60 minute ones and that seems to have gotten them small enough that we don't get paging. However, even with that smaller size, we only see 17 powerapps being detected, 16 of which are SharePointFormApp apps and 1 is a canvas (which is the DLP editor app being detected as in use). It still doesn't pick up other model driven or other canvas apps in the tenant, so we still think something isn't correct yet. Is there something else you think might be related? Thanks,

[Jenefer-Monroe]

Have you validated by actually booting some apps and then looking to see if they show up as launched in the next few days?

[mzd4fz00]

Hi Jenefer, we did try booting a couple of canvas apps and indeed I can see when I do that and run the parent and child workflows that data does come in for Canvas apps at least. Model-driven seems to be the area though were we don't see any activity at all but talking with our model driven app developers they are indicating a number of them are launched everyday. Is there a reason our O365 logs might not contain data for model-driven app launched events?

[Jenefer-Monroe]

Correct, the audit logs only work for Canvas apps, they do not record model driven app activity.

[Jenefer-Monroe]

closing out as no further action for starter kit team