Update on Activity Log Management for Dynamics 365

Update: thanks to @powerobjects and for directing me to the new documentation (Posted updated on April 13th based on this info)

Last summer Microsoft announced a number of updates on the way that auditing functionality would be made available as outlined in Dynamics 365 July 2017 update: activity logging and session management for security and compliance . A couple of weeks ago Microsoft, updated their official documentation on these two features:

• Enable and use Activity Logging (Microsoft Dynamics 365 Administrator Guide)
• Security enhancements: user session and access management (Microsoft Dynamics 365 Administrator Guide)

In this post I will focus on the new activity log management functionality, which extends the existing auditing functionality in Dynamics 365 with support for auditing on all data and all operations (including admin operations), with near real-time support, out of the box SIEM integration (Security Information and Event Management systems which provide real-time monitoring, correlation of events, alerting, etc ...) and seamless integration with Office 365 and Azure. Since auditing occurs at the SDK layer of Dynamics 365, much more data is available than just activities.


It is important to notice that the documentation states that this feature might change as well as limited availability so it might be that on your Office 365 tenant the functionality is not available (yet).

The only recently updated Microsoft Dynamics 365 (online) security and compliance planning guide also does not (yet) make a mention of this functionality within the Microsoft 365 Security and Compliance Center.

I however briefly looked into the Microsoft 365 Security and Compliance Center in one of the tenants that  I administer, and  listed below are a number of my findings:

• Microsoft 365 Security and Compliance Center (accessible from https://protection.office.com) now indeed seems to surface some audit log events from Dynamics 365. It is however unclear whether you still need to activate audit logging first on your Dynamics 365 instances
• Available Dynamics 365 activities – a number of pre-configured audit log reports for Dynamics 365 (see screenshot figure 1 below) are already visible in my tenant but not all events as described in https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/enable-use-comprehensive-auditing are visible.   I also tested out some scenarios to track user login/logoff but no results were returned so this functionality is probably not activated yet in my tenant. But if you look at the documentation in  https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/enable-use-comprehensive-auditing  you will notice that the auditing settings screen gives different options which might (which were not visible in my D365 organizations – neither 8.x and 9.x) also indicate that the functionality is not activated.

Figure 1. Pre-configured Dynamics 365 audit log search reports.

Figure 2. Auditing settings screen when activity logging is enabled.

• Audit log search capability: administrators can indeed query for different types of events using the audit log search functionality (See Search the audit log in the Office 365 Security and Compliance center for a general overview of the functionality)
• SIEM vendor integration is available using SIEM agents which will probably leverage the Office 365 Management Activity API –  I will probably test the API integration out later on when the functionality is fully available

The documentation gives already a good indication on the way that Microsoft will proceed with this new functionality so I’m really eager to get my hands on this and see how this functionality can be used. In the meanwhile you might also take a look at the Actionable Audit App (Appsource) to access audit logs functionality as an alternative to see if it covers your specific needs and requirements.

References:

• Microsoft Dynamics 365 (online) security and compliance planning guide (Updated April 9th, 2018)
• Microsoft Trust Center - Dynamics 365