In this blog post, we will learn to effectively audit Power Platform activities using Microsoft Purview, ensuring robust monitoring and governance.
Microsoft Power Platform is a suite of applications, connectors, and a data platform (Dataverse) that provides a quick and easy way to build apps, automate workflows, create chatbots, and analyze data. It’s designed to help businesses and organizations leverage their data, streamline processes, and make more informed decisions. Here’s what’s included in the Power Platform:
- Power BI: A business analytics tool that allows you to visualize your data and share insights across your organization. It connects to hundreds of data sources and simplifies data preparation with the ability to create rich reports and dashboards.
- Power Apps: A suite of apps, services, connectors, and a data platform that provides a rapid development environment to build custom apps for your business needs. With Power Apps, you can create apps with no or minimal code, which can run on any device.
- Power Automate: Previously known as Microsoft Flow, this service helps you create automated workflows between your apps and services to synchronize files, get notifications, collect data, and more. It’s all about automating repetitive tasks and processes.
- Power Virtual Agents / Copilot Studio: This allows you to create powerful AI-driven chatbots that can interact with your customers or employees without the need for coding. These chatbots can answer questions, guide users through processes, or even handle transactions.
- Dataverse: Formerly known as Common Data Service (CDS), Dataverse is a scalable data service and app platform that lets you securely store and manage data used by business applications. Dataverse integrates seamlessly with other Power Platform tools and Microsoft services.
In essence, the Power Platform empowers you to build end-to-end business solutions by combining the capabilities of these individual tools. It’s particularly powerful because it allows users who might not be professional developers to create and deploy complex applications and automations.
Auditing activities in Power Platform with Microsoft Purview
Auditing activities in Microsoft Power Platform provides several key benefits that can significantly enhance your organization’s security, compliance, and operational efficiency. Here are some of the primary advantages:
- Enhanced Security: Auditing helps track who is accessing your data and what actions they are taking. This visibility allows you to detect and respond to unauthorized access or suspicious activities promptly.
- Compliance and Governance: Many industries have strict regulatory requirements for data handling and reporting. Auditing activities ensure that you have a detailed record of data interactions, which is crucial for compliance audits and demonstrating adherence to regulatory standards.
- Improved Data Integrity: By monitoring changes to your data, you can ensure its accuracy and reliability. Auditing helps identify and rectify errors or malicious alterations, maintaining the trustworthiness of your information.
- Operational Insights: Auditing provides valuable insights into how your Power Platform applications are being used. You can analyze usage patterns, identify bottlenecks, and optimize processes based on actual user behavior.
- Accountability and Transparency: Keeping a detailed log of activities promotes accountability among users. When individuals know their actions are being recorded, they are more likely to follow best practices and organizational policies.
- Proactive Issue Resolution: With detailed audit logs, you can quickly troubleshoot and resolve issues. If a problem arises, you can trace back through the logs to understand what happened and take corrective action.
- Historical Record: Audit logs serve as a historical record of all activities within the platform. This can be invaluable for reconstructing past events, conducting investigations, or simply understanding the evolution of your system over time.
By leveraging these benefits, organizations can maintain a secure, compliant, and efficient environment within Microsoft Power Platform, ultimately driving better outcomes and more effective use of their digital tools.
Learn about Microsoft Purview and how to audit different Power Platform activities using it
Microsoft Purview is an all-in-one solution designed to help your organization manage, protect, and oversee data no matter where it’s stored. It offers integrated tools to tackle issues like data fragmentation, limited visibility that affects data protection and governance, and the merging of traditional IT management roles.
Microsoft Purview brings together the old Azure Purview and Microsoft 365 compliance tools into a single platform, helping your organization to:
- Get a clear view of data throughout the organization
- Protect and manage sensitive data throughout its lifecycle, no matter where it’s stored
- Govern data more effectively with new, comprehensive methods
- Handle important data risks and meet regulatory requirements
How to Search for audit data in Microsoft Purview?
Follow these steps to search for audit data in Power Platform using Microsoft Purview.
- Sign in to the Microsoft Purview portal as a tenant admin.
- In the left-hand corner, click on ‘Audit’.
- Now, within the audit search window, you can filter the search results according to your requirements. We will use the Date & Activities filters to query the auditing information for our Power Platform tenant.
- Within the Activity filter, you can easily enter terms such as ‘Power Platform,’ ‘PowerApp,’ or ‘Power Automate’ and select the relevant activity name of your choice.
- Once the filtering configuration is completed, click on ‘Search.’ The auditing information will then be extracted and displayed in the output window.
Understanding Power Apps activity logging
You can track the audit history of various Power App activities within the Power Platform tenant, such as Power App creation, publishing, and deletion. Logging occurs at the SDK layer, so a single action can trigger multiple logged events. Here are some examples of user events you can audit:
Event | Description |
---|---|
Created app | When the app gets created for the first time by a maker |
Launched app | When the app gets launched |
Marked app as Featured | Every time the app is marked as Featured |
Restored app version | The version of the app when restored |
Edited app | Any updates made to the app by the maker |
Published app | When the app is published and is made available to others in the environment |
Edited app permission | Every time a user’s permissions to the app are changed |
Deleted app | When the app is deleted |
Marked app as Hero | Every time the app is marked as Hero |
Deleted app permission | Every time a user’s permissions to the app are removed |
Removed app as Hero | Every time the app is unset as Hero |
Removed app as Featured | Every time the app is unset as Featured |
Patched app | Every time the app is patched |
Deleted app version | The version of the app when deleted |
Consented to the app’s APIs | When the current user has consented to the application’s APIs |
Imported new canvas app | Every time a new canvas app is imported |
Imported existing canvas app | Every time an existing canvas app is imported |
Published solution canvas app version | When canvas app version from solution is published |
Added DataLossPreventionEvaluationResult | When DLP evaluation occurs for the App |
Admin restored deleted app | When the deleted app is restored by the admin |
Admin set desired logical name | When the desired logical name of the app is set by the admin |
Admin modified app owner | When the app owner is modified by the admin |
Admin modified app permissions | When the app permissions are modified by the admin |
Admin deleted app | When the app is deleted by the admin |
Admin set quarantine state | When the quarantine state of the app is set by the admin |
Admin set conditional access | When the conditional access of the app is set by the admin |
Admin set bypass consent state | When the bypass consent state of the app is set by the admin |
Admin set app as featured | Every time the app is marked as Featured by the admin |
Admin allowed third party apps | When third party apps were allowed by the admin |
A Power App creation audit record shows details such as the user or maker who created the application, the creation timestamp, the outcome, the version, the creator’s email address, and more.
Understanding Power Automate activity logging
You can track the audit history of various Power Automate activities within the Power Platform tenant, such as flow creation, flow deletion & flow permission modification. Here are some examples of user events you can audit:
Category | Event | Description |
---|---|---|
Flows | Created flow | The time when a flow is created. |
Flows | Edited flow | Any updates made to the flow. |
Flows | Deleted flow | When the flow is deleted. |
Flow permissions | Edited permissions | Every time a user’s permissions to a flow change, for example, when a user is added as co-owner. |
Flow permissions | Deleted permissions | Every time a user’s permissions to the flow are removed. |
Trials | Started a paid trial | When a user starts a paid trial. |
Trials | Renewed a paid trial | When a user renews a paid trial. |
Hosted RPA | Microsoft Entra ID joined | When a hosted RPA bot is joined to the customer’s tenant Microsoft Entra ID. |
Understanding Power Pages activity logging
You can track the audit history of various Power Pages activities within the Power Platform tenant, such as changes to Power BI visualization, the Power BI embedded service, and SharePoint integration. Here are some examples of user events you can audit:
Activity Name | Operation Name | Description |
---|---|---|
Enable Power BI visualization | PowerBIVisualizationEnabled | When Power BI visualization is enabled for the site |
Disable Power BI visualization | PowerBIVisualizationDisabled | When Power BI visualization is disabled for the site |
Enable Power BI embedded service | PowerBIEmbeddedServiceEnabled | When Power BI embedded service is enabled for the site |
Disable Power BI embedded service | PowerBIEmbeddedServiceDisabled | When Power BI embedded service is disabled for the site |
Enable SharePoint integration | SharePointIntegrationEnabled | When SharePoint integration is enabled for the site |
Disable SharePoint integration | SharePointIntegrationDisabled | When SharePoint integration is disabled for the site |
Edit site URL | SiteURLUpdated | When site URL is changed |
Edit site details – Name Update | SiteNameUpdated | When site name is changed |
Edit site details – Website Record Update | WebsiteRecordUpdated | When website record is updated |
Shut down site | SiteShutDown | When site is shut down |
Delete site | SiteDeleted | Site is deleted |
Add custom domain name | CustomDomainConnected | When site is connected to a custom domain |
Remove custom domain name | CustomDomainDeleted | When custom domain is removed from the site |
Change site visibility | SiteVisibilityUpdated | When site visibility is changed (private to public, or public to private) |
Update site visibility permissions | SiteVisibilityPermissionsUpdated | When site visibility permissions (who can change site visibility) are updated |
Convert trial to production | ConvertedToProduction | When site is converted from trial to production |
Set up IP Restrictions – Adding IP range | IPRestrictionsAdded | When a new range of IP addresses that can access the site is added |
Set up IP Restrictions – Deleting IP range | IPRestrictionsDeleted | When a range of IP addresses that can access the site is deleted |
Enable WAF | WAFEnabled | When AFD (Azure Front Door) Web Application Firewall for security is enabled |
Disable WAF | WAFDisabled | When AFD (Azure Front Door) Web Application Firewall for security is disabled |
Restart site | SiteRestarted | When site is restarted |
Update custom certificates | CustomCertificateUpdated | When a custom certificate associated with the site is updated |
Enable maintenance mode | MaintenanceModeEnabled | When site is put in maintenance mode |
Disable maintenance mode | MaintenanceModeDisabled | When site is taken out of maintenance mode |
disableAnonymousAccess exception list changed | AnonymousSettingExceptionListChanged | When anonymous access governance control is changed |
These operations take time to complete from the point they’re initiated. The audit logs are captured when the action is initiated. It isn’t necessary that the action is successfully completed.
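The operation names in the Power Pages table can be used to triage an exported audit search result for changes that reduce a site's protection. The Python below is an added example, not part of the original post: it assumes the export has an `AuditData` column holding JSON with `CreationTime`, `Operation` and `UserId`, plus a hypothetical `SiteId` field identifying the site, and the sample rows are constructed. Findings are reported as "initiated" because the log is written when the action starts, not when it completes.

```python
import csv
import io
import json
from datetime import datetime

# Operation names taken from the Power Pages table on this page.
WAF_STATE = {"WAFEnabled": True, "WAFDisabled": False}
EXPOSURE_OPS = {
    "IPRestrictionsDeleted", "SiteVisibilityUpdated",
    "SiteVisibilityPermissionsUpdated", "CustomDomainConnected",
    "AnonymousSettingExceptionListChanged",
}

def load_records(csv_text):
    """Parse the AuditData JSON of each export row and return it oldest first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    records = [json.loads(row["AuditData"]) for row in rows]
    return sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"]))

def triage(records):
    """Return (sites whose latest WAF event is a disable, exposure changes)."""
    waf = {}       # site -> (enabled?, time, user) of the latest WAF event
    exposure = []  # (time, site, operation, user)
    for rec in records:
        op = rec["Operation"]
        site = rec.get("SiteId", "unknown")  # SiteId is an assumed field name
        if op in WAF_STATE:
            waf[site] = (WAF_STATE[op], rec["CreationTime"], rec["UserId"])
        elif op in EXPOSURE_OPS:
            exposure.append((rec["CreationTime"], site, op, rec["UserId"]))
    waf_off = {s: (t, u) for s, (on, t, u) in waf.items() if not on}
    return waf_off, exposure

def sample_export():
    """Constructed rows, newest first, to show why sorting by time matters."""
    events = [
        ("2024-05-03T08:00:00", "SiteRestarted", "site-a", "admin1@contoso.example"),
        ("2024-05-02T14:05:00", "IPRestrictionsDeleted", "site-b", "maker2@contoso.example"),
        ("2024-05-02T14:00:00", "WAFDisabled", "site-b", "maker2@contoso.example"),
        ("2024-05-01T09:30:00", "WAFEnabled", "site-a", "admin1@contoso.example"),
        ("2024-05-01T09:00:00", "WAFDisabled", "site-a", "admin1@contoso.example"),
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["AuditData"])
    writer.writeheader()
    for when, op, site, user in events:
        writer.writerow({"AuditData": json.dumps(
            {"CreationTime": when, "Operation": op, "SiteId": site, "UserId": user})})
    return buf.getvalue()

if __name__ == "__main__":
    waf_off, exposure = triage(load_records(sample_export()))
    for site, (when, user) in waf_off.items():
        print(f"WAF disable initiated, no later enable: {site} at {when} by {user}")
    for when, site, op, user in exposure:
        print(f"Exposure change initiated: {op} on {site} at {when} by {user}")
```

Because only the latest WAF event per site counts, a site that was disabled and re-enabled (site-a in the sample) is not flagged, while site-b is.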
Understanding Power Platform Connector activity logging
You can track the audit history of various Power Platform Connector activities within the Power Platform tenant, such as API creation, API modification, API deletion, connection modification, gateway modification, and API permission modification. Here are some examples of user events you can audit:
Connector event | Description |
---|---|
API created | When a custom API is created |
API edited | When a custom API is updated |
API deleted | When a custom API is deleted |
Connection created or edited | When a connection is created or updated |
Connection deleted | When a connection is deleted |
Connection edited | When a connection is updated |
API permission added or edited | When a custom API is shared or the permissions are updated |
API made solution-aware | When a non-solution API is moved to a solution |
API permission removed | When sharing permissions of a custom API are removed |
Connection permission added or edited | When a connection is shared or sharing permissions are updated |
Connection permission removed | When sharing permissions of a connection are removed |
Gateway cluster edited | When a gateway cluster is updated |
Gateway permission added or edited | When a gateway is shared or the sharing permissions are updated |
Gateway permission removed | When sharing permissions of a gateway are removed |
Added ConnectionDlpEvaluationResult | When connection is turned off due to data policies |
Understanding Data Loss Prevention activity logging
You can track the audit history of a few DLP policy activities within the Power Platform tenant, such as modification of a DLP policy. Here are some examples of user events you can audit:
DLP event | Description |
---|---|
Created DLP Policy | When a new DLP policy is created |
Updated DLP Policy | When an existing DLP policy is updated |
Deleted DLP Policy | When a DLP policy is deleted |
Understanding Power Platform environment lifecycle activity logging
You can track the audit history of various Power Platform environment lifecycle activities within the Power Platform tenant, such as environment creation, environment deletion, environment restoration. Here are some examples of user events you can audit:
Event | Description |
---|---|
Provisioned environment | The environment was created. |
Deleted environment | The environment was deleted. |
Recovered environment | An environment that was deleted within seven days has been recovered. |
Hard-deleted environment | The environment was hard deleted. |
Moved environment | The environment was moved to a different tenant. |
Copied environment | The environment, including specific attributes such as application data, users, customizations, and schemas, was copied. |
Backed up environment | The environment has been backed up. |
Restored environment | The environment has been restored from a backup. |
Converted environment type | The environment was converted to a different environment type, such as production or sandbox. |
Reset environment | A sandbox environment has been reset. |
Upgraded environment | A component of an environment has been upgraded to a new version. |
CMK-Renewed environment | The customer-managed key (CMK) has been renewed on the environment. |
CMK-Reverted environment | Environment was removed from enterprise policy and encryption was returned to Microsoft-managed key. |
Understanding Power Platform environment property activity logging
You can track the audit history of various Power Platform environment property activities within the Power Platform tenant, such as modification in environment name, modification in domain name & modification in security group. Here are some examples of user events you can audit:
Event | Description |
---|---|
Changed property on environment | Communicates when a property on an environment has changed. In general, properties are metadata (names) that is associated with an environment. Includes changes to: 1. Display name 2. Domain name 3. Security group ID 4. Admin mode 5. Background operations state |
Understanding Power Platform licensing activity logging
You can track the audit history of various Power Platform licensing activities within the Power Platform tenant, such as modification in billing policy, modification in currency & modification in trials. Here are some examples of user events you can audit:
Category | Event | Description |
---|---|---|
Billing Policy | BillingPolicyCreate | Emitted when a new billing policy is created. |
Billing Policy | BillingPolicyDelete | Emitted when a billing policy is deleted. |
Billing Policy | BillingPolicyUpdate | Emitted when the environments linked to a billing policy change (added, removed). |
ISV | IsvContractConsent | Emitted when a tenant admin consents to an ISV contract. |
License Auto-claim | AssignLicenseAutoClaim | Emitted when a license is assigned to a user automatically via an auto-claim policy. |
License Auto-claim | AssignLicenseAutoClaimPolicyCreate | Emitted when a new auto-claim policy is created. |
Currency | CurrencyEnvironmentAllocate | Emitted when currency (add-on) is allocated or deallocated to an environment. |
Trials | TrialConvertToProduction | Emitted when a trial plan is converted to a production plan. |
Trials | TrialEnforce | Emitted when a customer attempts to provision environments beyond the trial limit. |
Trials | TrialProvision | Emitted when a new trial plan is provisioned. |
Trials | TrialSignUpEligibilityCheck | Emitted prior to trial provisioning when a check occurs to determine trial eligibility. |
Trials | TrialViralConsent | Emitted when a tenant changes their consented plan types, and reflects the new state. |
Trials | AssignLicenseToUser | Emitted when a trial license is assigned to a user. |
Environment Lifecycle | EnvironmentDisabledByMiser | Emitted when an environment is automatically disabled due to insufficient database capacity. |
In conclusion, mastering the audit of Power Platform activities using Microsoft Purview is essential for maintaining robust governance and security in your digital environment. By leveraging Purview’s comprehensive monitoring and reporting capabilities, organizations can gain valuable insights into user activities, data flows, and application usage within the Power Platform. This not only helps in identifying potential compliance issues and operational inefficiencies but also enhances the overall security posture by enabling proactive management and remediation. As businesses increasingly rely on Power Platform for critical operations, integrating Purview into your auditing strategy ensures that you can safeguard your digital assets effectively while optimizing performance and compliance.