Quantcast
Channel: blog.atwork.at
Viewing all articles
Browse latest Browse all 1136

Delegate365-Working with Audit Logs

$
0
0

Delegate365 protocols all modifications of users, licenses and groups within the solution. This is essential to comprehend actions accomplished by Delegate365 administrators or by automated tasks. See how to work with that audited data here.

So, all actions are logged to the Delegate365 Audit Log. In the current versions, the audit logs are saved to an Azure Storage Account. There are three ways of working with the audit data:

  1. See audit data within Delegate365
  2. Access the data directly with Microsoft Storage Explorer
  3. Connect to the data with tools as Microsoft Excel or Power BI

All methods are available for Portal Admins in the administration / audit menu and are described here.

Important: The audit logs can grow very fast since all actions of all administrators and of the sync operations are logged. Depending on the number of objects that were changed, there can be a log of ten thousands of lines at each sync. Delegate365 provides various methods for accessing that data and for handling large amounts of data.

1. Seeing audit data within Delegate365

The auditing menu shows the latest audit data for quick lookups. This list can be filtered by Date range and by a simple search expression, like a AdminName or OU column. Depending on the changed being made, the Details column shows all changed properties or assignments. Auditing currently shows the last data up to 6 months (depending on the size of the log and the Office 365 tenant, so this can vary in your environment).

image

Since the data is logged in a variable data format, the admin can navigate through the details by opening the tree objects as shown here. For example, this user has been changed by the SyncOp automatically and some licenses have been added, so that there are now 27 active plans assigned .

image

This list can be browsed with the Previous and Next buttons at the end of each page.

Important: If the auditing log gets too extensive no data will be shown (the auditing list stays empty then). This happened at some Delegate365 tenants in the past. We are currently developing a workaround for that scenario in future. With the next update, the log will be divided into smaller parts per day to enable access in the Auditing module in all scenarios. This will be described here soon. If this happens in your tenant now, pls. follow the alternative steps as described below.

2. Working with the Microsoft Storage Explorer

The second method to work with audit data is to access it directly from the Delegate365 storage. Here, the amount of data is better to handle and the audit data can be exported for further use, for example for custom reporting.

  • Open the administration / audit / reporting menu and follow the steps below.
    image
  • Now it depends, how you want to use the Delegate365 audit logs: You can download the data with a tool like Microsoft Storage Explorer, or you can access the data directly with Excel, Power BI or other tools.
  • If you want to access the data directly on your computer, you need to install the cost free tool Microsoft Storage Explorer from storageexplorer.com once. This allows you connect to the Delegate365 storage in a similar way as the Windows Explorer.
  • Download and install StorageExplorer.exe on your computer.
    image
  • After starting, select “Use a storage account name and key” to connect and click Next.
    image
  • Now we need to enter the Account name and Account key. Leave the other settings as defaults (and as shown here).
    image
  • Switch to Delegate365 and get the access keys from there by clicking the Get account button.
    image
  • Copy both keys (Account name and Account key) into the Microsoft Storage Explorer form and click Next.
    image
  • Confirm by clicking Connect.
    image
  • Now you should be connected to the Delegate365 storage account. Navigate to your storage account name (d365demo5 in this sample) / Tables / AuditLogSearch. In here you can access all the log data.
    image
  • Info: Edit shows one row in a better readable format.
    image
    The changes itself are stored in JSON format in the Value column which can look as here. To split these values, we recommend to use Microsoft Excel or Power BI (see the below).
    Sample data:
    {  "Fields": [    {      "FieldName": "Id",      "CurrentValue": "0",      "OldValueIfAny": ""    },
        {      "FieldName": "Identity",      "CurrentValue": "projecta",      "OldValueIfAny": ""    },
        {      "FieldName": "Name",      "CurrentValue": "projecta",      "OldValueIfAny": ""    },
        {      "FieldName": "DisplayName",      "CurrentValue": "Project A",      "OldValueIfAny": ""    },
        {      "FieldName": "Alias",      "CurrentValue": "projecta",      "OldValueIfAny": ""    },
        {      "FieldName": "Guid",      "CurrentValue": "4c317d67-fac5-4896-b4a0-fc005be01fb9",      "OldValueIfAny": ""    },
        {      "FieldName": "Synced",      "CurrentValue": "4/20/2017 5:19:52 PM",      "OldValueIfAny": ""    },
        {      "FieldName": "PrimarySmtpAddress",      "CurrentValue": "projecta@CIE4851707.onmicrosoft.com",      "OldValueIfAny": ""    },
        {      "FieldName": "DirSyncEnabled",      "CurrentValue": "False",      "OldValueIfAny": ""    },
        {      "FieldName": "ExternalDirectoryObjectId",      "CurrentValue": "0e4fb799-c968-4561-b92d-1637692bcb43",      "OldValueIfAny": ""    }  ],
      "UserMembershipChanges": {    "DistributionGroupAdded": "",    "DistributionGroupRemoved": "",    "SecurityGroupsAdded": [],
        "SecurityGroupsRemoved": [],    "SharedMailboxAdded": "",    "SharedMailboxRemoved": ""  },  "Licenses": [],  "MembersAdded": [],  "MembersRemoved": [] }
  • You can query the result for filtering, as for example to see all objects, the user admin@….onmicrosoft.com has changed, combined with further filter expressions. If you need recurring queries, a query can be saved as .stgquery file and reused later. The Storage Explorer is a powerful tool.
    image
  • The (filtered) data can be exported easily and reopened, for example with Microsoft Excel for further usage.
    SNAGHTML6472cc4
  • Storage Explorer can manage multiple connections. You also can add another connection anytime with the Connect Icon. Then, simply follow the wizard as shown above to connect to other data sources within the Azure Storage.
    image

Microsoft Storage Explorer is a powerful tool for exporting or querying Delegate365 audit data.

3. Using Power-BI

The third approach is to use Delegate365 audit logs directly from the storage with Microsoft Power BI.

  • Open powerbi.microsoft.com/desktop/ and install the Desktop client PBIDesktop_x64.msi on your computer.
    image
    (It is not necessary to use the client version. You can also access and work with the data in the online client directly in a browser at https://app.powerbi.com/, but the desktop client usually provides more features and more convenience.)
  • Start Power BI Desktop and sign in (you need to have an Office 365 Power BI license).
  • In Delegate365, open the administration / audit / reporting menu and follow the steps below.
    image
  • Download the Delegate365 Power-BI file by clicking the “Get Power-BI file” button.
  • Unzip Delegate365-Dashboard.zip. That extracts Delegate365-Dashboard.pbix.
  • Change to Power BI Desktop and open Delegate365-Dashboard.pbix. This should look as follows:
    image
  • In the ribbon, click Edit Queries and Data source settings.
    image
  • In the data source settings, click the “Change source” button.
  • You need to get the access Delegate365 storage account settings as described in (2). Now copy the Azure account name (in our sample “d365demo5”) into the Account name or URL field. Confirm with “Ok”.
    image
  • If asked, confirm the message “There are pending changes in your queries that haven’t been applied.”. Click the “Apply changes” button.
  • Then, Power BI Desktop will ask you for the Account key. Paste the account key (in our sample “bO/GmPYD00ci+….”) from the Delegate365 settings into that field and click “Connect”.
    image
  • Now data should be transferred from the Delegate365 storage to the Power BI client. Depending on the log size, this can take some seconds or longer…
    image
  • That’s it. The dashboard will be populated with the (Pivot) queries of the AuditLogSearch table.
    image
  • In the Delegate365 Power BI data source, all (possible) data is already transformed from JSON to extra data fields. This allows to easily access all kind of data in the dashboard editor. The following screenshot shows the applied steps for the data source to extract all data from JSON format to fields.
    image
  • To refresh the dashboard, click the Refresh button in the ribbon any time (and wait for the latest data that will be visualized then instantly).
    image
  • Feel free to modify your dashboards with the data provided by Delegate365 Audit Logs (and don’t forget to save your dashboard with the current data).
  • Power BI provides a quick and cool toolset to get the data you are interested in.

Summary

All actions executed in Delegate365 are logged, whether it’s a manual action or an automated process. Portal Administrators get access to all the audit data of Delegate365. There are several ways to get all audit data easily for further usage in other tools. Opening the Delegate365 data storage is based on Microsoft standards and supports further scenarios and custom development.

We hope you like the (new) way of working with data out of Delegate365 and we appreciate your feedback.


Viewing all articles
Browse latest Browse all 1136