Closed CDSSYW closed 1 year ago
Hmm might be some cache issue or something in the browser. Can you try to create the connection in this other interface?
Hi Jenefer, through the connection portal my connection isn't authorized and I got the message: No reply address is registered for the application. Any clue to fix this? Is it related to the redirect URL for the O365 management API app registration? (we have someone at the org who set that up, so I cannot check it directly..) https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog#update-azure-ad-app-registration-with-the-redirect-url
Do you have permission to view the audit log in the UX? https://compliance.microsoft.com/auditlogsearch?viewid=Async%20Search
I'm able to land on the page but does not see the content
You will need to perform a search to see results.
For example, search for app launches for a day
When you hit Search, you will see the search in the run list
Then click completed, when done, can you see some launches?
Hi Jennifer, thanks for the reply. Unfortunately I'm not able to search on the UX, it's all grayed out. Is this lack of a particular permission (and what is the required permission to operate searching at audit?) related to authentication to the O365 management API custom connector?
Sorry, I should have specified that you should try this as the user whose identity runs the flows, meaning it's their connector running the flows. If that's you, then yes, that means you likely did not get the permissions needed.
Here are the things to check before you can use the audit log connector:
In particular, I think you are missing this part from Before you search the audit log
Hello Jenefer,
Thanks for the advice, I'm in the process of requesting the permission from my organization. In order to use the audit log solution, do I need to request for this service account to have access to the mailbox audit logs of any mailbox (on-prem + cloud)?
As mailbox audit logs contain subjects of emails and Outlook folder names, the organization is wondering 'Who will see this information in the end and what will this information be used for?'
I assume this information will only be seen by Power Platform CoE admins who have access to this service account, and the information will be used to give a clear view to facilitate the governance of Power Platform environments and its components?
And what audit log data does the service account need access to? Would it be only the fields from the Audit log table of the CoEBIV1 dashboard?
The audit logs table that you have circled there is our own audit log table. In it we only store the Power Apps launch activity; we do not store any other activities. So anyone you grant access to view that table will see the launch information of apps across the tenant. Similarly they can view all the apps across the tenant.
The programmatic audit logs service does not allow filtering, so the way it works is that we have a flow that pulls in all logs, filters to app launches there in the flow, and then saves to our table (the one you have circled). We ignore all other logs in that flow.
Regarding what you can see when you pull all audit logs (or browse to https://compliance.microsoft.com/auditlogsearch), I'm afraid I cannot advise on how all things are stored or what permission that means with respect to mailbox auditing. I can just say that the least privileged role that will still allow querying is listed here, from Before you search the audit log
I hope this is helpful
Hi Jenefer,
Thank you, it clarified some doubts. You mentioned 'so the way it works is that we have a flow that pulls in all logs'; could you please refer me to which flow from the CoE kit pulls all logs?
Another question is: if the org can only grant the audit log access to the service account which deploys the CoE kit, and I use the service account to set up the audit log connector, then use an admin account (normal user account) to publish the BI reporting to a shared BI workspace, would it work to show all the telemetry? Does it require the same identity to have access to the audit log (to set up the audit log connector) and to publish the BI reporting?
Thanks a lot for your time and reply!
The flows that do this are the two flows in the Audit Log solution, in particular the child flow listed here.
It calls the custom connector (the green globe actions) which queries the Office audit logs backend, filters to launches and deletes (we really only use the launches), and then processes that filtered list.
The same identity that has the permission to the Office audit logs needs to run the flow so that the custom connector runs as them.
Once the flow writes the launch into the Dataverse, then anyone that can view the Dataverse can see that launch.
We have these Security Roles you can use for that. Giving someone permissions to view the data, and then sharing the PBI with them, will let them view the apps and all their details including launches, makers, shared with, etc.
Hope that all helps
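The client-side filtering described in the reply above, as an added example that is not part of the CoE kit and not code from this thread: a small Python script that takes one content blob of the shape the Office 365 Management Activity API returns (a JSON array of audit records), keeps only the Power Apps launch and delete operations, and summarizes launches per app. The sample records are constructed; the `Workload` value `"PowerApps"`, the operation names `LaunchPowerApp`/`DeletePowerApp` and the `AppName` property are assumptions for illustration, not verified schema. The point it makes concrete is the one the thread turns on: the API hands the caller everything, including Exchange mailbox records, and it is the consumer that throws the rest away.

```python
import json
from collections import defaultdict

# Constructed sample content blob: a JSON array of audit records as a
# consumer of the Management Activity API would receive it. Mixed workloads
# are deliberate, to show that mailbox and SharePoint records arrive too.
# Field and operation names for Power Apps are assumptions for this example.
SAMPLE_CONTENT_BLOB = json.dumps([
    {"CreationTime": "2023-05-01T08:01:12", "Id": "1", "Operation": "LaunchPowerApp",
     "Workload": "PowerApps", "RecordType": 45, "UserId": "alice@contoso.example",
     "AppName": "Expense Tracker"},
    {"CreationTime": "2023-05-01T08:03:40", "Id": "2", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "RecordType": 50, "UserId": "carol@contoso.example",
     "MailboxOwnerUPN": "carol@contoso.example"},
    {"CreationTime": "2023-05-01T08:05:02", "Id": "3", "Operation": "LaunchPowerApp",
     "Workload": "PowerApps", "RecordType": 45, "UserId": "bob@contoso.example",
     "AppName": "Expense Tracker"},
    {"CreationTime": "2023-05-01T08:09:55", "Id": "4", "Operation": "FileAccessed",
     "Workload": "SharePoint", "RecordType": 6, "UserId": "alice@contoso.example"},
    {"CreationTime": "2023-05-01T08:12:30", "Id": "5", "Operation": "DeletePowerApp",
     "Workload": "PowerApps", "RecordType": 45, "UserId": "bob@contoso.example",
     "AppName": "Old Survey"},
    {"CreationTime": "2023-05-01T08:15:00", "Id": "6", "Operation": "LaunchPowerApp",
     "Workload": "PowerApps", "RecordType": 45, "UserId": "alice@contoso.example",
     "AppName": "Leave Request"},
])

POWER_APPS_WORKLOAD = "PowerApps"          # assumed Workload value
LAUNCH_OPERATION = "LaunchPowerApp"         # assumed operation name
DELETE_OPERATION = "DeletePowerApp"         # assumed operation name


def parse_content_blob(blob):
    """Decode one content blob; the API returns a JSON array of records."""
    records = json.loads(blob)
    if not isinstance(records, list):
        raise ValueError("content blob must be a JSON array of audit records")
    return records


def filter_power_apps_events(records, operations=(LAUNCH_OPERATION, DELETE_OPERATION)):
    """Keep only Power Apps records whose Operation is in `operations`.

    Everything else (Exchange mailbox access, SharePoint file access, ...) is
    dropped here, on the consumer side; the service itself does not filter.
    """
    wanted = set(operations)
    return [
        r for r in records
        if r.get("Workload") == POWER_APPS_WORKLOAD and r.get("Operation") in wanted
    ]


def launches_per_app(events):
    """Count launch events per app name (delete events are not counted)."""
    counts = defaultdict(int)
    for e in events:
        if e.get("Operation") == LAUNCH_OPERATION:
            counts[e.get("AppName", "<unknown>")] += 1
    return dict(counts)


def launch_users(events):
    """Map each launched app to the sorted, de-duplicated list of launching users."""
    users = defaultdict(set)
    for e in events:
        if e.get("Operation") == LAUNCH_OPERATION:
            users[e.get("AppName", "<unknown>")].add(e.get("UserId", "<unknown>"))
    return {app: sorted(u) for app, u in users.items()}


if __name__ == "__main__":
    records = parse_content_blob(SAMPLE_CONTENT_BLOB)
    events = filter_power_apps_events(records)
    print(f"received {len(records)} records, kept {len(events)}, "
          f"discarded {len(records) - len(events)} from other workloads")
    for app, n in launches_per_app(events).items():
        print(f"{app}: {n} launch(es) by {', '.join(launch_users(events)[app])}")
```

Note that the discarded records were still delivered to, and readable by, whatever identity ran the query; filtering after the fact limits what lands in the CoE table, not what the service account is able to see.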
Hi Jenefer,
Thanks for these clear explanations, though the org still feels concerned about what the account can see when pulling all audit logs, especially since it includes the mailbox activity information; apart from using it in the CoE kit, it can be viewed from https://compliance.microsoft.com/ and requested through PowerShell..
I'll check with MSFT for the security part and see whether there is a more secure way to operate this audit log access. Please close this ticket, many thanks!
You are correct, the account will have full access to the compliance.microsoft.com audit logs, as unfortunately that service does not have any ability to permission access by roles. If you do find some other answer to that please let me know, but we've never found one.
There is good news here if you cannot get these permissions. We are working on integrating with the new product inventory and telemetry feature, Self Service Analytics (aka BYODL, or Bring Your Own Datalake). In this case the Power Apps and Power Automate logs, run and launch information will be natively gathered and stored near the objects themselves; we won't have to fish in the Microsoft audit logs for them anymore.
We believe we will be able to have a preview of the kit built on this feature in another few months. You can explore this ahead of time if you would like.
Thank you Jenefer ! I'll check and log the information you provided!
closing out as no further action for starter kit team
What is your question?
Hi CoE CAT team,
I followed this setup process https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog#set-up-the-custom-connector
however at this step: https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog#start-a-subscription-to-audit-log-content
I'm blocked while trying to create a new connection: when I click + connection, there is no authentication process pop-up.. and I'm not able to establish a connection for testing.
Any insights to solve it? Thanks in advance!
What solution are you experiencing the issue with?
None
What solution version are you using?
No response
What app or flow are you having the issue with?
No response