microsoft / coe-starter-kit


Issue with gathering audit logs with the HTTP Connector on the GCC #6410

Closed mrmonto1 closed 1 year ago

mrmonto1 commented 1 year ago

Does this question already exist in our backlog?

What is your question?

Hello, I am experiencing an issue with the CoE gathering audit logs with the HTTP Connector on the GCC. Our security policy requires Azure PIM admin role activation. I am aware that the CoE documentation does not recommend using PIM, but the CoE appears to be our only option for easily obtaining streamlined Power Platform Connector usage information. I have the Power Platform Admin and Compliance Administrator roles available to activate via PIM. The CoE was deployed in July and all the inventory information seems to be working just fine, so our hope is that the Audit gathering flows would follow suit.

My Admin | Audit Logs | Sync Audit Logs (V2) flow properties show as running successfully hourly, but no new data is being populated in the Dataverse Audit log table. The only data I have in the Audit log table is from the manual import I ran via the Admin | Audit Logs | Load events from exported Audit Log CSV file Flow when initially deploying the COE.

To eliminate the Admin role variable, I tested the Sync Audit Logs (V2) flow with both my Compliance Admin role and Power Platform Admin roles active on my account that is running the flow. I also verified that I was able to run Audit Searches via the Purview Compliance Portal with my Compliance Administration role active. How can I ensure that my App Reg env variables configs are correct? I received a status code of 200 when running the Admin | Audit Logs | Office 365 Management API Subscription Flow on initial configuration of the Audit Logs and a 400 status code today when re-running the flow. Not sure what else to check. Any advice/help would be greatly appreciated! Thanks!

What solution are you experiencing the issue with?

Audit Log

What solution version are you using?

July 2023

What app or flow are you having the issue with?

Admin | Audit Logs | Sync Audit Logs (V2)

What method are you using to get inventory and telemetry?

Cloud flows

Jenefer-Monroe commented 1 year ago

Hello. With the new technique to fetch audit logs via HTTP instead of Custom Connector, we no longer need the user running the flow to have access to the audit logs; the app registration itself will do that now since it runs as an application (no longer delegated).

The thing you need permanent access to is therefore unrelated to audit logs; it is for the inventory across the tenant: the Power Platform Admin role. Hopefully this information lets you argue for permanent access to that role.

Jenefer-Monroe commented 1 year ago

Regarding the audit logs solution not working for you. We did ship July with a bug that blocked GCC from working; it's fixed in the August release, please see https://github.com/microsoft/coe-starter-kit/issues/6075

Lastly, for your app registration, here is what you want the permissions to look like when done in order to collect audit logs using an HTTP action

[image: screenshot of the app registration API permissions]

mrmonto1 commented 1 year ago

> Hello. With the new technique to fetch audit logs via HTTP instead of Custom Connector, we no longer need the user running the flow to have access to the audit logs; the app registration itself will do that now since it runs as an application (no longer delegated).
>
> The thing you need permanent access to is therefore unrelated to audit logs; it is for the inventory across the tenant: the Power Platform Admin role. Hopefully this information lets you argue for permanent access to that role.

Ok, good to know and thank you @Jenefer-Monroe! What is curious is that inventory data has been updating in the Power BI reports without my account being PIM'd as Power Platform Admin. Maybe it's because my account running all CoE flows is the creator and owner of all the environments and their databases besides the default environment? Or maybe it's pure luck? Our Azure Team isn't going to budge on having the permanent Power Platform Admin role assigned to my account. Is there a way to identify when inventory related flows fail due to not having the PP Admin role?

mrmonto1 commented 1 year ago

> Regarding the audit logs solution not working for you. We did ship July with a bug that blocked GCC from working; it's fixed in the August release, please see #6075
>
> Lastly, for your app registration, here is what you want the permissions to look like when done in order to collect audit logs using an HTTP action
>
> [image: screenshot of the app registration API permissions]

This is good info! I was missing the Graph API permissions in my App Registration. It wasn't particularly clear to me in the Collect audit logs using an HTTP action configuration instructions (https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-auditlog-http#create-an-azure-ad-app-registration-for-the-office-365-management-api) that I needed both Graph and Office 365 Management APIs to get the Audit Logs. Thanks!
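The point made in the maintainer's first reply (the HTTP-action flow runs as the app registration, app-only, so no PIM-activated user role is involved) and in the exchange above about app registration permissions can be checked directly against the token and the Office 365 Management Activity API. The script below is an added example, not CoE Starter Kit code: it builds the client-credentials token request, decodes the returned access token to confirm the `roles` claim carries the `ActivityFeed.Read` application permission (if it does not, admin consent on the app registration is what is missing, regardless of which roles the flow owner has via PIM), checks the subscription list before calling `/start` so an already enabled `Audit.General` subscription is not started twice, and filters the content records to the Power Platform workloads. Tenant id, client id, secret, the sample token and the sample records are constructed placeholders; the API root defaults to the commercial `manage.office.com` and must be replaced with the GCC root documented by Microsoft for a GCC tenant.

```python
"""Added example (not CoE Starter Kit code): app-only access to the
Office 365 Management Activity API, plus a check that the token really
carries the application role the activity feed requires."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

LOGIN_ROOT = "https://login.microsoftonline.com"
API_ROOT = "https://manage.office.com"   # assumption: commercial root; GCC uses a different root
CONTENT_TYPE = "Audit.General"           # content type that carries Power Platform events
REQUIRED_ROLE = "ActivityFeed.Read"      # application permission on Office 365 Management APIs
# Assumption: Workload values used by Power Platform services in Audit.General records.
POWER_PLATFORM_WORKLOADS = {"PowerApps", "MicrosoftFlow", "PowerPlatform"}


def token_request(tenant_id, client_id, client_secret, api_root=API_ROOT):
    """Client-credentials token request: no user in the loop, so no PIM activation."""
    url = f"{LOGIN_ROOT}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_root}/.default",
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """App roles granted in an access token (the 'roles' claim). Decode only;
    signature verification is the resource server's job, not the client's."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def check_token(access_token):
    """True when the app-only token carries the role the activity feed needs.
    False means the app registration lacks the admin-consented application
    permission, whatever roles the flow owner can activate."""
    return REQUIRED_ROLE in token_roles(access_token)


def subscription_requests(tenant_id, api_root=API_ROOT, now=None):
    """URLs for the list / start / content calls on the Audit.General subscription."""
    base = f"{api_root}/api/v1.0/{tenant_id}/activity/feed/subscriptions"
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=1)
    fmt = "%Y-%m-%dT%H:%M"
    return {
        "list": f"{base}/list",
        "start": f"{base}/start?contentType={CONTENT_TYPE}",
        "content": (f"{base}/content?contentType={CONTENT_TYPE}"
                    f"&startTime={start.strftime(fmt)}&endTime={end.strftime(fmt)}"),
    }


def needs_start(subscription_list):
    """Only call /start when Audit.General is not already enabled; the API
    rejects a start for a subscription that is already enabled."""
    return not any(s.get("contentType") == CONTENT_TYPE and s.get("status") == "enabled"
                   for s in subscription_list)


def power_platform_records(records):
    """Keep only the Power Platform events out of an Audit.General content blob."""
    return [r for r in records if r.get("Workload") in POWER_PLATFORM_WORKLOADS]


def get_json(url, access_token):
    """Authenticated GET against the API (not exercised offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_token(claims):
    """Constructed sample token (alg none) so the role check can run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample records shaped like Audit.General entries.
SAMPLE_RECORDS = [
    {"Workload": "PowerApps", "Operation": "LaunchPowerApp", "UserId": "user@contoso.example"},
    {"Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "user@contoso.example"},
]

if __name__ == "__main__":
    sample = make_unsigned_token({"aud": API_ROOT, "roles": [REQUIRED_ROLE]})
    print("token has ActivityFeed.Read:", check_token(sample))
    print(subscription_requests("00000000-0000-0000-0000-000000000000")["start"])
    print(power_platform_records(SAMPLE_RECORDS))
```

To use it against a real tenant, obtain the token with `token_request`, call `get_json` on the `list` URL, and only then decide with `needs_start` whether to hit `start`; the `roles` check is the quickest way to tell whether the environment variables point at an app registration that was actually granted and consented the application permission, rather than one that only has delegated permissions.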

Jenefer-Monroe commented 1 year ago

Regarding: Is there a way to identify when Inventory related flows fail due to not having the PP Admin role?

Unfortunately not. However, if you are sys admin on all the environments in the tenant then that's equivalent to the PP Admin role for the inventory. So as long as you can get yourself added to all new environments like this over time, you'll be able to gather.

Jenefer-Monroe commented 1 year ago

That blocking bug is now resolved! I'll go ahead and close this but dont hesitate to reach out again if you have other issues in the future.

mrmonto1 commented 1 year ago

Hi @Jenefer-Monroe, I was able to upgrade to the August CoE release. However, I am getting the following error on the Admin | Audit Logs | Sync Audit Logs (V2) Flow. I am not using a Key Vault at this point and I confirmed my App Registration Secret and Client IDs are correct.

[image: screenshot of the Sync Audit Logs (V2) flow error]

Jenefer-Monroe commented 1 year ago

Please post a separate issue for that; we like to use one issue per bug. Note that the error message shown there in flows is just whatever failure it sees first, even if it's a caught error (as is the case here if you are using plain text), so finding the bug requires you to find the terminating failure.