Using auditing within your organization
Learn how you can use auditing with Power BI to monitor and investigate actions taken. You can use the Security and compliance center or use PowerShell.
Knowing who is taking what action on which item in your Power BI tenant can be critical in helping your organization fulfill its requirements, such as meeting regulatory compliance and records management.
You can filter the audit data by date range, user, dashboard, report, dataset and activity type. You can also download the activities in a csv (comma separated value) file to analyze offline.
The auditing feature in Power BI is in preview and is available in all data regions.
Enabling auditing functionality in the Power BI admin portal
You will need to enable auditing for your organization in order to work with the reports. You can do this within the tenant settings of the admin portal.
- Select the gear icon in the upper right.
Select Admin Portal.
Select Tenant Settings.
- Switch on Create audit logs for internal activity auditing and compliance purposes.
- Select Apply.
Power BI will start logging various activities that your users perform in Power BI. The logs take up to 48 hours to show up in the O365 Security & Compliance Center. For more information about what activities are logged, see List of activities audited by Power BI.
Auditing is a Power BI Pro feature and auditing events are only available for Power BI Pro users. Users with Power BI (free) licenses will be displayed as Free User.
For more information on how you can acquire and assign Power BI Pro licenses to users in your organization, see Purchasing Power BI Pro.
For more information on how to restrict free users from signing up, see Enable, or disable, individual user sign up in Azure Active Directory.
To enable auditing for Power BI in your tenant, you need at least one exchange mailbox license in your tenant.
Accessing your audit logs
To audit your Power BI logs, you must visit the O365 Security & Compliance Center.
- Select the gear icon in the upper right.
Select Admin Portal.
- Select Audit Logs.
Select Go to O365 Admin Center.
Alternatively, you can browse to Office 365 | Security & Compliance.
To provide non-administrator accounts with access to the audit log, you will need to assign permissions within the Exchange Online Admin Center. For example, you could assign a user to an existing role group, such as Organization Management, or you could create a new role group with the Audit Logs role. For more information, see Permissions in Exchange Online.
Search only Power BI activities
You can restrict results to only Power BI activities by doing the following.
- On the Audit log search page, select the drop down for Activities under Search.
Select PowerBI activities.
- Select anywhere outside of the selection box to close it.
Your searches will now be filtered to only Power BI activities.
Search the audit logs by date
You can search the logs by date range using the “Start date” and “End date” field. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
Search the audit logs by users
You can search for audit log entries for activities performed by specific users. To do this, enter one or more user names in the “Users” field. This would be the username that they sign into Power BI with. It looks like an email address. Leave this box blank to return entries for all users (and service accounts) in your organization.
Viewing search results
Once you hit the search button, the search results are loaded and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed.
A maximum of 1000 events will be displayed; if more than 1000 events meet the search criteria, the newest 1000 events are displayed.
The results contain the following information about each event returned by the search.
|Date||The date and time (in UTC format) when the event occurred.|
|IP address||The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.|
|User||The user (or service account) who performed the action that triggered the event.|
|Activity||The activity performed by the user. This value corresponds to the activities that you selected in the Activitiesdrop down list. For an event from the Exchange admin audit log, the value in this column is an Exchange cmdlet.|
|Item||The object that was created or modified as a result of the corresponding activity. For example, the file that was viewed or modified or the user account that was updated. Not all activities have a value in this column.|
|Detail||Additional detail about an activity. Again, not all activities will have a value.|
Select a column header under Results to sort the results. You can sort the results from A to Z or Z to A. Click the Date header to sort the results from oldest to newest or newest to oldest.
View the details for an event
You can view more details about an event by selecting the event record in the list of search results. A details page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the Office 365 service in which the event occurs. To display additional details, select More information.
The following table provides details on that you may see displayed.
|Id||Unique identifier of an audit record.|
|RecordType||The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.|
|CreationTime||The date and time in Coordinated Universal Time (UTC) when the user performed the activity.|
|Operation||The name of the user or admin activity.|
|OrganizationId||The GUID for your organization's Office 365 service where the event occurred.|
|UserType||The type of user that performed the operation. See the User Type table for details on the types of users.|
|UserKey||The Passport Unique ID of the user who performed the activity.|
|ResultStatus||Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceded, or Failed.|
|ObjectId||For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user.|
|UserId||The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included.|
|ClientIp||The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.|
The following table provides details on events you might see.
|Downloaded Power BI report||This activity is logged everytime a report is downloaded||Report Name, Dataset Name|
|Create report||This activity is logged everytime a new report is created.||Report Name, Dataset Name|
|Edit Report||This activity is logged everytime a report is edited.||Report Name, Dataset Name|
|Create dataset||This activity is logged everytime a dataset is created.||Dataset Name, DataConnectivityMode|
|Delete Dataset||This activity is logged everytime a dataset is deleted.||Dataset Name, DataConnectivityMode|
|Create Power BI app||This acitivity is logged everytime a Power BI app is created||App name, Permissions, Workspace Name|
|Install Power BI app||This activity is logged everytime a Power AI app installed||App name|
|Update Power BI app||This activity is logged everytime a Power app in updated||App name, Permissions, Workspace Name|
|Started Power BI extended trial||This activity is logged everytime an user accepts the extended pro trial that runs until May 31 2018|
|Analyzed Power BI dataset||This activity is logged everytime a Power BI dataset is analyzed in Excel.|
|Created Power BI gateway||This activity is logged everytime a new gateway is created.||Gateway Name, Gateway Type|
|Deleted Power BI gateway||This activity is logged everytime a gateway is deleted.||Gateway Name, Gateway Type|
|Added Data source to Power BI gateway||This activity is logged everytime a data source in added to the gateway||Gateway Name, Gateway Type, Datasource Name, Datasource Type|
|Removed data source from Power BI gateway||This activity is logged everytime a data source is removed from a gateway||Gateway Name, Gateway Type, Datasource Name, Datasource Type|
|Changed Power BI gateway admins||This activity is logged everytime the admins of a gateway are changed (added/removed)||Gateway Name, Users Added, Users Removed|
|Changed Power IB gateway data source users||This activity is logged everytime the users of a gateway are changed (added/removed)||Gateway Name, Users Added, Users Removed|
|SetScheduledRefresh||This activity is logged everytime a new refresh is scheduled for a dataset||Dataset Name, Refresh Frequency (in minutes)|
Using PowerShell to search
You can use PowerShell to access the audit logs based on your login. This is done by accessing Exchange Online. Here is an example of a command to pull Power BI audit log entries.
In order to use the New-PSSession command, your account needs to have an Exchange Online license assigned to it and you need access to the audit log for your tenant.
Set-ExecutionPolicy RemoteSigned $UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session Search-UnifiedAuditLog -StartDate 9/11/2016 -EndDate 9/15/2016 -RecordType PowerBI -ResultSize 1000 | Format-Table | More
For more information on connecting to Exchange Online, see Connect to Exchange Online PowerShell.
For more information about parameters and usage of the Search-UnifiedAuditLog command, see Search-UnifiedAuditLog.
To see an example of using PowerShell to search the audit log and then assign Power BI Pro licenses based on entries, see Using Power BI audit log and PowerShell to assign Power BI Pro licenses.
Export the Power BI audit log
You can export the Power BI audit log to a csv file.
- Select Export results.
Select either Save loaded results or Download all results.
Record and user types
Audit log entries will have a RecordType and UserType as part of the details for the entry. All Power BI entries will have a RecordType of 20.
For a full listing, see Detailed properties in the Office 365 audit log
List of activities audited by Power BI
|CreateDashboard||This activity is logged every time a new dashboard is created.||- Dashboard name.|
|EditDashboard||This activity is logged every time a dashboard is renamed.||- Dashboard name.|
|DeleteDashboard||This activity is logged every time a dashboard is deleted.||- Dashboard name.|
|PrintDashboard||This event is logged every time that a dashboard is printed.||- Dashboard name.
- Dataset name
|ShareDashboard||This activity is logged every time a dashboard is shared.||- Dashboard name.
- Dataset name.
- Reshare permissions.
|ViewDashboard||This activity is logged every time a dashboard is viewed.||- Dashboard name.|
|ExportTile||This event is logged every time data is exported from a dashboard tile.||- Tile name.
- Dataset name.
|DeleteReport||This activity is logged every time a report is deleted.||- Report name.|
|ExportReport||This event is logged every time data is exported from a report tile.||- Report name.
- Dataset name.
|PrintReport||This event is logged every time that a report is printed.||- Report name.
- Dataset name.
|PublishToWebReport||This event is logged every time that a report is Published To Web.||- Report Name.
- Dataset name.
|ViewReport||This activity is logged every time a report is viewed.||- Report name.|
|ExploreDataset||This event is logged every time you explore a dataset by selected it.||- Dataset name|
|DeleteDataset||This event is logged every time a dataset is deleted.||- Dataset name.|
|CreateOrgApp||This activity is logged every time an organizational content pack is created.||- Organizational Content Pack name.
- Dashbaord names.
- Report names.
- Dataset names.
|CreateGroup||This activity is fired every time a group is created.||- Group name.|
|AddGroupMembers||This activity is logged every time a member is added to a Power BI group workspace.||- Group name.
- Email addresses.
|UpdatedAdminFeatureSwitch||This event is logged every time an admin feature switch is changed.||- Switch name.
- New switch state.
|OptInForProTrial||This event is logged when a user choses to try Power BI Pro within the service.||- email address|
Power BI Admin Portal
Power BI Premium - what is it?
Purchasing Power BI Pro
Permissions in Exchange Online
Connect to Exchange Online PowerShell
Detailed properties in the Office 365 audit log
More questions? Try asking the Power BI Community