Enable and use Activity Logging
Protecting data, preserving privacy, and complying with regulations such as the General Data Protection Regulation are certainly some of the highest priorities for your business. It's critical that you audit the entirety of data processing actions taking place to be able to analyze for possible security breaches. This information from Activity Logging can be used when you perform a Data Protection Impact Assessment (DPIA) addressing the use of Office, Power Apps, Microsoft Power Automate, and model-driven apps in Dynamics 365 (such as Dynamics 365 Sales and Dynamics 365 Customer Service).
This topic covers how you can set model-driven apps in Dynamics 365 to audit a broad range of data processing activities and use the Microsoft 365 Security and Compliance Center to review the data in activity reports.
- A Microsoft 365 Enterprise E3 or E5 subscription is required to do Activity Logging.
- Activity Logging is available for production environments only, not for sandbox environments.
What events are audited
Logging takes place at the SDK layer, which means a single user action can trigger multiple events that are logged. The following are a sample of the admin and user events you can audit.

Admin and support-related events

| Event | Description |
|---|---|
| Publishing customizations | An admin publishes a new customization that overrides a change made by the previous one. The action requires auditing for analysis. |
| Attribute deletes | An admin accidentally deletes an attribute. This action also deletes the data. |
| Team, user management | Who was added, who was deleted, and what access rights a user or team had is important for analyzing impact. |
| Configure instance | Adding solutions to an instance. |
| Backup and restore | Backup and restore actions at the tenant. |
| Manage applications | New instance added, existing instance deleted, trials converted to paid, and so on. |

User and support-related events

| Event | Description |
|---|---|
| Create, read, update, delete (CRUD) | Logging all CRUD activities is essential for understanding the impact of a problem and for complying with data protection impact assessments (DPIA). |
| Multiple record view | Users of Dynamics view information in bulk, such as grid views and Advanced Find search. Critical customer content is part of these views. |
| Export to Excel | Exporting data to Excel moves the data outside the audited environment, beyond the platform's access controls. |
| SDK calls via surround or custom apps | Actions taken via the core platform or surround apps that call into the SDK to perform an action need to be logged. |
| All support CRUD activities | Microsoft support engineer activities on a customer environment. |
| Admin activities | Admin activities on a customer tenant. |
| Backend commands | Microsoft support engineer activities on a customer tenant and environment. |
| Report Viewed | Logging when a report is viewed. Critical customer content might be displayed on the report. |
| Report Viewer Export | Exporting a report to different formats moves the data outside the audited environment, beyond the platform's access controls. |
| Report Viewer Render Image | Logging multimedia assets that are shown when a report is displayed. They might contain critical customer information. |
Schemas define which fields are sent to the Microsoft 365 Security and Compliance Center. Some fields are common to all applications that send audit data to Microsoft 365, while others are specific to model-driven apps in Dynamics 365. The Base schema contains the common fields.

Base schema

| Field name | Type | Mandatory | Description |
|---|---|---|---|
| Date | Edm.Date | No | Date and time when the log was generated, in UTC |
| IP address | Edm.String | No | IP address of the user or corporate gateway |
| Id | Edm.Guid | No | Unique GUID for every row logged |
| Result Status | Edm.String | No | Status of the row logged; Success in most cases |
| Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated. You can find this ID under Dynamics Developer Resources. |
| ClientIP | Edm.String | No | IP address of the user or corporate gateway |
| CorrelationId | Edm.Guid | No | A unique value used to associate related rows (for example, when a large row is split) |
| CreationTime | Edm.Date | No | Date and time when the log was generated, in UTC |
| Operation | Edm.String | No | Name of the message called in the SDK |
| UserKey | Edm.String | No | Unique identifier of the user in Azure AD (the user's PUID) |
| UserType | Self.UserType | No | The Microsoft 365 audit type (Admin, Regular, System) |
| User | Edm.String | No | UPN of the user |
Model-driven apps in Dynamics 365 schema
The model-driven apps in Dynamics 365 schema contains fields specific to model-driven apps in Dynamics 365 and partner teams.

| Field name | Type | Mandatory | Description |
|---|---|---|---|
| User Id | Edm.String | No | Unique identifier (GUID) of the user in the organization |
| Crm Organization Unique Name | Edm.String | No | Unique name of the organization |
| Instance Url | Edm.String | No | URL to the instance |
| Item Url | Edm.String | No | URL to the record emitting the log |
| Item Type | Edm.String | No | Name of the entity |
| Message | Edm.String | No | Name of the message called in the SDK |
| User Agent | Edm.String | No | Browser used to execute the request |
| EntityId | Edm.Guid | No | Unique identifier of the entity |
| EntityName | Edm.String | No | Name of the entity in the organization |
| Fields | Edm.String | No | JSON of key-value pairs reflecting the values that were created or updated |
| Id | Edm.String | No | Entity name in model-driven apps in Dynamics 365 |
| Query | Edm.String | No | The filter query parameters used while executing the FetchXML |
| QueryResults | Edm.String | No | One or multiple unique records returned by the Retrieve and RetrieveMultiple SDK message calls |
| ServiceContextId | Edm.Guid | No | The unique ID associated with the service context |
| ServiceContextIdType | Edm.String | No | Application-defined token to define context use |
| ServiceName | Edm.String | No | Name of the service generating the log |
| SystemUserId | Edm.Guid | No | Unique identifier (GUID) of the user in the organization |
| UserAgent | Edm.String | No | Browser used to execute the request |
| UserId | Edm.Guid | No | The unique ID of the Dynamics system user associated with this activity |
| UserUpn | Edm.String | No | User principal name of the user associated with this activity |
Enable auditing

1. Choose Settings > Administration > System Settings > Auditing tab.
2. Under Audit Settings, enable the following check boxes:
   - Start Auditing
   - Audit user access
   - Start Read Auditing (Note: this only appears if you enable Start Auditing.)
3. Under Enable Auditing in the following areas, enable the check boxes for the areas you want to audit and then choose OK.
4. Go to Settings > Customizations > Customize the System.
5. Under Components, expand Entities and select an entity to audit, such as Account.
6. Scroll down and under Data Services enable Auditing.
7. Under Auditing, enable the following check boxes:
   - Single record auditing. Log a record when opened.
   - Multiple record auditing. Log all records displayed on an opened page.
8. Choose Publish to publish the customization.
9. Repeat steps 5 through 8 for other entities you want to audit.
10. Turn on audit logging in Office 365. See Turn Office 365 audit log search on or off.
Review your audit data using reports in Microsoft 365 Security and Compliance Center
You can review your audit data in the Microsoft 365 Security and Compliance Center. See Search the audit log for user and admin activity in Office 365.
To use the preconfigured reports, go to https://protection.office.com > Search & investigation > Audit log search and select the Dynamics 365 activities tab.
The following are the preconfigured reports:

- Accessed out-of-box entity
- Accessed custom entity
- Accessed admin entity
- Performed bulk actions (such as delete and import)
- Accessed other entity type
- Accessed Dynamics 365 admin center
- Accessed internal management tool
- Signed in or out
- Activated process or plug-in
You can create your own reports to review your audit data. See Search the audit log in the Office 365 Security & Compliance Center.
For a list of what's logged with Activity Logging, see Microsoft.Crm.Sdk.Messages Namespace.
We log all SDK messages except the following:
How we categorize read and readmultiple
We use the prefix to categorize.
|If the request starts with:||We characterize as:|
Example generated logs
The following are some examples of logs created with Activity Logging.
Example 1 – Logs generated when user reads an Account record

| Field | Value |
|---|---|
| Date | 3/2/2018 11:25:56 PM |

Example 2 – Logs generated when user sees Account records in a Grid (Export to Microsoft Excel logs are like this)

| Field | Value |
|---|---|
| Date | 3/2/2018 11:25:56 PM |
| Query | `<filter type="and"><condition column="ownerid" operator="eq-userid" /><condition column="statecode" operator="eq" value="0" /></filter>` |
Example 3 – List of messages logged when user converts a lead to opportunity
When audit log search in the Microsoft 365 Security and Compliance Center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might not want to record and retain audit log data. Or you might be using a third-party security information and event management (SIEM) application to access your auditing data. In those cases, a global admin can turn off audit log search in Microsoft 365.
- Office has a 3 KB limit for each audit record. Therefore, in some cases a single record from model-driven apps in Dynamics 365 needs to be split into multiple records in Office. The CorrelationId field can be used to retrieve the set of split records for a given source record. Operations that are likely to require splitting include RetrieveMultiple and ExportToExcel.
- Some operations need additional processing to retrieve all relevant data. For example, RetrieveMultiple and ExportToExcel are processed to extract the list of records that are retrieved or exported. However, not all relevant operations are yet processed. For example, ExportToWord is currently logged as a single operation with no additional details about what was exported.
- In future releases, logging will be disabled for operations that are determined not to be useful based on a review of the logs. For example, some operations result from automated system activity, not user activity.
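The following Python script is an added example, not code from the original page or from Microsoft. It shows the two pieces of post-processing a practitioner needs once Activity Logging records have been pulled out of the Microsoft 365 audit log: reassembling rows that were split under the 3 KB limit by grouping on CorrelationId, and categorizing SDK message names by prefix as described under "How we categorize read and readmultiple". It assumes the export has been reduced to one AuditData JSON object per line (the `SAMPLE_EXPORT` data is constructed to match the schema field names above), that `QueryResults` is a comma-separated list of record GUIDs, and that the prefix mapping is RetrieveMultiple to ReadMultiple and any other Retrieve* to Read; the page's own mapping table is not reproduced here, so treat that mapping and the added `Parts` counter as assumptions.

```python
import json
from collections import OrderedDict

# Constructed sample export (not real data): one AuditData JSON object per
# line, as you would get after extracting the AuditData column from an audit
# log search CSV. Field names follow the schema tables on this page; the GUIDs,
# UPNs and addresses are made up. Rows 2 and 3 share a CorrelationId because
# one RetrieveMultiple was split to stay under the 3 KB record limit.
SAMPLE_EXPORT = r"""
{"Id": "0a000000-0000-4000-8000-000000000001", "CreationTime": "2018-03-02T23:25:56", "Operation": "Retrieve", "CorrelationId": "c0000000-0000-4000-8000-000000000001", "UserUpn": "alice@contoso.com", "ClientIP": "203.0.113.10", "EntityName": "account", "EntityId": "e0000000-0000-4000-8000-00000000aaaa"}
{"Id": "0a000000-0000-4000-8000-000000000002", "CreationTime": "2018-03-02T23:26:01", "Operation": "RetrieveMultiple", "CorrelationId": "c0000000-0000-4000-8000-000000000002", "UserUpn": "alice@contoso.com", "ClientIP": "203.0.113.10", "EntityName": "account", "Query": "<filter type=\"and\"><condition column=\"statecode\" operator=\"eq\" value=\"0\" /></filter>", "QueryResults": "e0000000-0000-4000-8000-00000000aaaa,e0000000-0000-4000-8000-00000000bbbb"}
{"Id": "0a000000-0000-4000-8000-000000000003", "CreationTime": "2018-03-02T23:26:01", "Operation": "RetrieveMultiple", "CorrelationId": "c0000000-0000-4000-8000-000000000002", "UserUpn": "alice@contoso.com", "ClientIP": "203.0.113.10", "EntityName": "account", "QueryResults": "e0000000-0000-4000-8000-00000000cccc"}
{"Id": "0a000000-0000-4000-8000-000000000004", "CreationTime": "2018-03-02T23:40:12", "Operation": "ExportToExcel", "CorrelationId": "c0000000-0000-4000-8000-000000000003", "UserUpn": "bob@contoso.com", "ClientIP": "198.51.100.7", "EntityName": "contact", "QueryResults": "e0000000-0000-4000-8000-00000000dddd,e0000000-0000-4000-8000-00000000eeee,e0000000-0000-4000-8000-00000000ffff"}
{"Id": "0a000000-0000-4000-8000-000000000005", "CreationTime": "2018-03-02T23:41:00", "Operation": "ExportToWord", "CorrelationId": "c0000000-0000-4000-8000-000000000004", "UserUpn": "bob@contoso.com", "ClientIP": "198.51.100.7", "EntityName": "contact"}
"""


def parse_export(text):
    """Parse one AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def categorize(operation):
    """Classify an SDK message name by its prefix (assumed mapping).

    The longer prefix must be tested first: testing "Retrieve" before
    "RetrieveMultiple" would file every bulk read as a single-record Read.
    Messages that match neither prefix keep their own name.
    """
    if operation.startswith("RetrieveMultiple"):
        return "ReadMultiple"
    if operation.startswith("Retrieve"):
        return "Read"
    return operation


def merge_split_records(records):
    """Reassemble rows that Office split because of the 3 KB record limit.

    Rows that share a CorrelationId belong to one source operation. Their
    QueryResults (assumed to be comma-separated GUIDs) are concatenated; the
    remaining fields are taken from the first part. Rows without a
    CorrelationId are keyed by their own Id. 'Parts' is an added counter, not
    a schema field.
    """
    merged = OrderedDict()
    for rec in records:
        key = rec.get("CorrelationId") or rec["Id"]
        if key not in merged:
            merged[key] = dict(rec, QueryResults=[], Parts=0)
        entry = merged[key]
        entry["Parts"] += 1
        entry["QueryResults"].extend(
            g for g in rec.get("QueryResults", "").split(",") if g)
    return merged


def find_exports(merged, min_records=1):
    """Report Export* operations that moved at least min_records records out.

    An export with no QueryResults (the page notes ExportToWord is logged
    without detail) is always reported, because the volume is unknown.
    Returns (user, entity, operation, record_count) tuples.
    """
    hits = []
    for entry in merged.values():
        op = entry.get("Operation", "")
        if not op.startswith("Export"):
            continue
        count = len(entry["QueryResults"])
        if count == 0 or count >= min_records:
            hits.append((entry.get("UserUpn"), entry.get("EntityName"), op, count))
    return hits


def summarize(merged):
    """Per-user count of operations by category, for a DPIA-style 'who read what' review."""
    summary = {}
    for entry in merged.values():
        user = entry.get("UserUpn", "<unknown>")
        cat = categorize(entry.get("Operation", ""))
        summary.setdefault(user, {})
        summary[user][cat] = summary[user].get(cat, 0) + 1
    return summary


if __name__ == "__main__":
    merged = merge_split_records(parse_export(SAMPLE_EXPORT))
    for key, entry in merged.items():
        print(key, entry["Operation"], "parts=%d records=%d"
              % (entry["Parts"], len(entry["QueryResults"])))
    print(find_exports(merged, min_records=2))
    print(summarize(merged))
```

Run against a real export, the interesting output is the export list: a single ExportToExcel row that reassembles into thousands of record GUIDs is the bulk-exfiltration signal the "Export to Excel" event description above is warning about, and ExportToWord rows surface with a count of zero precisely because the log cannot tell you what left.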