Audit logs

Power BI activities stored in the Office 365 audit logs provide administrators with a complete view of user activities in the Power BI service. Each log event record identifies the user, the date and time of the activity, the type of activity, such as printed a report page, and the item in Power BI, such as the report that was printed. This level of detail at the tenant level across all primary activities helps administrators answer both high-level usage and adoption questions, as well as targeted compliance questions.

For example, the audit logs could prove that the volume of users and their level of engagement with Power BI reports and dashboards is increasing. Alternatively, an administrator could investigate the activities of just a few users to ensure they're only engaging in activities aligned with their role. Perhaps most importantly, an IT organization can understand what Power BI content is being utilized by the business. In the event that a few reports or dashboards become very popular, some level of engagement may be appropriate to ensure the underlying dataset is accurate and secure or migrate the content to an IT-supported solution. 

Once enabled in the Power BI admin portal, the audit log data can be retrieved on an ad hoc basis or, more commonly, retrieved on a recurring basis as part of a continuous monitoring and governance solution. To minimize the setup and maintenance of these monitoring solutions, Microsoft has made available PowerShell scripts that export Power BI audit log data to a CSV file format. Additionally, a Power BI solution template is available with built-in audit log retrieval and prebuilt monitoring reports. 

The first step in utilizing the audit logs is to enable the create audit logs setting in the Power BI admin portal. This setting in the Audit and Usage settings group of the Tenant settings page is set at the organizational level, as shown in the following screenshot:

Enable Power BI audit logs

Once the audit log setting is enabled, user activities start to be recorded in the audit logs with a delay of 12 hours or less from their occurrence and will be stored for 90 days. This log data can be accessed directly from the Office 365 admin center or remotely via PowerShell scripts and solution templates. In terms of direct or ad hoc access, an Office 365 global administrator or a user with permission to the Security & Compliance Center can log in to Office 365 (www.office.com) and select the Security & Compliance app icon, as shown in the following screenshot:

Office 365 app menu

Alternatively, a link to the Office 365 admin center is provided on the Audit logs page of the Power BI admin portal. This links directly to the Audit log search interface of the Security & Compliance Center described later.

From the Security & Compliance Center, the Search and Investigation menu at the bottom (magnifying-glass icon) can be expanded to expose an Audit log search item. Select Audit log search and then specify the Power BI activities to search for, the start and end dates for the search, and, optionally the users, as shown in the following screenshot:

Audit log search in Security & Compliance Center

In this example, the following four activities are searched for—Created Power BI gateway, created Power BI dataset, deleted Power BI gateway, and deleted Power BI dataset. The Filter results button can be used to filter the results of the search by any of the search columns (User, Activity, Item). The Export results dropdown supports two formats to be exported to a comma-separated value (CSV) file. Specifically, the Save loaded results option exports only the columns displayed in the search. The Download all results option contains many more columns, such as the name of the app workspace and the user's web browser. However, these details are embedded in a single JSON column (AuditData), such as the following activity record: 

{"Id":"9933734c-0dbd-ba5b-41ce-42d89b7ac8cd","RecordType":20,"CreationTime":"2018-02-10T21:17:18","Operation":"CreateDataset","OrganizationId":"77243ddd-cf6a-466f-9246-06edb8809332","UserType":0,"UserKey":"10033FFFA28BA395","Workload":"PowerBI","UserId":"[email protected]","ClientIP":"12.123.645.99","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/99.0.3539.132 Safari/537.36","Activity":"CreateDataset","ItemName":"Dashboard Usage Metrics Model","WorkSpaceName":"Global Sales","DatasetName":"Dashboard Usage Metrics Model","WorkspaceId":"fb70ab4f-0daf-4aa8-b704-7fae5ff9506f","ObjectId":"Dashboard Usage Metrics Model","DatasetId":"4465997a-b043-4f7c-b31f-82e9740ad4f1","DataConnectivityMode":"DirectQuery"}

As shown in the preceding activity record associated with the creation of a Power BI dataset, many more attributes of the activity are available in the audit logs which aren't displayed from the main Audit log search results interface. To view these additional details from the Audit log search page, one of the result records must be selected, thus prompting a Details window specific to this user activity.

 Object IDs such as WorkspaceID and DatasetID can be used to programmatically manage Power BI content via the Power BI REST API, as described in the Staged Deployments section of Chapter 8Managing Application Workspaces and Content.

A BI team would expect the creation and deletion of datasets and gateways to be infrequent activities relative to the creation and deletion of reports and dashboards. If many datasets are being created, this could be a sign of inefficient resource utilization and version control issues. For example, rather than four reports using Live connections to a single published dataset, each report may have its own dataset, which requires its own resources and data refresh schedule (if import mode). 

Excluding global admins, an Exchange Online license is required to access the auditing section of the Office 365 Security & Compliance Center. Additionally, administrators who are not global admins need to be mapped to an Exchange admin role that provides access to the audit log. As shown in the following screenshot, the Permissions menu of the Security & Compliance Center provides a link to the Exchange Admin center to add users to the necessary roles to access the audit logs:

Security & Compliance Center: Permissions

Clicking the Exchange admin center link highlighted in the preceding screenshot allows a global admin to assign a user to an Exchange Online role group, such as Compliance Management, that includes access to audit logs. 

There are currently 45 distinct Power BI activities tracked in the audit logs, including the sharing of dashboards and reports, any updates to an organization's Power BI settings (Tenant settings), and activities related to the management of Power BI Premium capacities as described in the next section. The list of Power BI activities audited and their descriptions is available and updated at MS Docs via the following URL http://bit.ly/2skXjAB.

The maximum date range for an audit log search is 90 days and the date/time of each activity is presented in Coordinated Universal Time (UTC) format. Additionally, a maximum of 1,000 events (one user and one activity) can be displayed per audit log search. Given these limitations and the manual nature of audit log searches, a scheduled log retrieval process is necessary to support a more robust monitoring solution. 

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
13.59.141.75