Auditing in Purview
Note
Purview auditing solutions for Business Central are in Preview. Please register any feedback and requests for additional events to be auditable on [aka.ms/bcideas](https://aka.ms/bcideas).
Your Business Central environments automatically emit auditable events to Microsoft Purview auditing solutions. Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. For Business Central, this means that Create, Update, and Delete events that require administrator privileges are emitted to Purview's unified audit log, aiding security, legal, and compliance investigation across all Microsoft services used in your organization.
Tip
Before Business Central online logs authorization attempts to telemetry, a successful authentication (login) must happen against Microsoft Entra ID (formerly Azure Active Directory). With the information in the Microsoft Entra sign-in log, you can figure out what happened if a user sign-in failed. For more information, see Analyze sign-ins with the Microsoft Entra sign-in log.
If you want to track, monitor, or alert on successful and failed login attempts against Microsoft Entra ID, configure integration to Azure Monitor on Microsoft Entra and analyze further with KQL. For more information, see Integrate Microsoft Entra logs with Azure Monitor.
Business Central environments automatically emit all events listed below to Microsoft Purview auditing solutions, and Purview is enabled by default on every tenant. Learn more about enabling or disabling Purview auditing solutions on your tenant here.
Schema
Every event emitted to Purview auditing solutions uses the common schema. Events related to your Business Central environments can be found under the Dynamics365BusinessCentralLog AuditLogRecordType. For events with this AuditLogRecordType, the following fields are added to the common schema to contain details specific to your Business Central environments.
Name | Description | Mandatory | Type |
---|---|---|---|
BcEnvironmentName | The name of the Business Central environment | False | Edm.String |
BcEnvironmentType | The type of the Business Central environment (that is, Production or Sandbox) | False | Edm.String |
BcCompanyName | The name of the company in your Business Central environment | False | Edm.String |
BcCustomDimensions | Contains dynamic values based on the emitted event, see details for each event below | False | Edm.ComplexType |
BcOperationName | The name of the operation for which the log was emitted | True | Edm.String |
Business Central events emitted to Purview are categorized as events and activities; events are high-level and are parents to the more specific activities.
Event name | Description |
---|---|
Administered environment | Activities that create, update, or delete environments |
Configured extension | Activities that configure extensions |
Administered user | Activities that create, update, or delete users |
Administered company | Activities that create, update, or delete companies |
Configured integration | Activities that configure integrations |
Configured Copilot | Activities that configure Copilot |
Configured cloud migration | Activities that configure cloud migration |
Administered report | Activities that create, update, or delete reports |
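A triage pass over exported audit records that uses the fields from the schema table above, as an added example (not Microsoft's code). It assumes each record is a JSON object whose `RecordType` is rendered as the name `Dynamics365BusinessCentralLog`, that the activity name from the tables on this page is carried in `BcOperationName`, and that `UserId` comes from the common schema; the watchlist and the severity rule are illustrative choices.

```python
import json

BC_RECORD_TYPE = "Dynamics365BusinessCentralLog"
GUID = "00000000-0000-0000-0000-000000000000"  # placeholder value, as on this page

# Activity names copied from this page's tables; the selection and the reason
# labels are this example's choice, not a Microsoft-defined list.
WATCHLIST = {
    "Set Security Group Access": "environment access group changed",
    "Removed Security Group Access": "environment access group removed",
    "Requested Environment Transfer": "environment transfer to another tenant",
    "Exported Environment": "environment exported",
    "Set Authorized Microsoft Entra App to Admin Center API": "app authorized for admin API",
    "Changed tenant permission system table": "permission table changed",
}

def custom_dimensions(record):
    """BcCustomDimensions is optional: accept a dict, a JSON string, or nothing."""
    raw = record.get("BcCustomDimensions")
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except ValueError:
            return {"_unparsed": raw}
    return raw if isinstance(raw, dict) else {}

def triage(records):
    """Return one finding per Business Central record that needs review."""
    findings = []
    for rec in records:
        if rec.get("RecordType") != BC_RECORD_TYPE:
            continue  # other workloads share the unified audit log
        op = rec.get("BcOperationName")
        if not op:  # mandatory per the schema table, so its absence is itself notable
            findings.append({"severity": "review", "operation": None,
                             "reason": "BcOperationName missing", "who": rec.get("UserId")})
            continue
        if op not in WATCHLIST:
            continue
        # BcEnvironmentType is optional; anything not marked Sandbox is treated as production.
        env_type = rec.get("BcEnvironmentType") or "unknown"
        findings.append({
            "severity": "low" if env_type == "Sandbox" else "high",
            "operation": op, "reason": WATCHLIST[op],
            "who": rec.get("UserId"), "environment": rec.get("BcEnvironmentName"),
            "details": custom_dimensions(rec),
        })
    return findings

def _bc(op, **extra):
    return {"RecordType": BC_RECORD_TYPE, "UserId": "admin@cronus.com",
            "BcOperationName": op, **extra}

# Constructed sample records (not real log data).
SAMPLE = [
    _bc("Removed Security Group Access", BcEnvironmentName="Prod", BcEnvironmentType="Production"),
    _bc("Set Security Group Access", BcEnvironmentType="Sandbox",
        BcCustomDimensions=json.dumps({"Value": GUID})),
    {"RecordType": "ExchangeAdmin", "UserId": "admin@cronus.com"},
    _bc("Requested Environment Transfer", BcCustomDimensions={"DestinationEntraTenantId": GUID}),
    _bc("Created report layout", BcEnvironmentType="Production"),
    _bc(None, BcEnvironmentType="Production"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```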
Administered environment activities
Activities listed in the table below can be audited by filtering to the Administered environment event.
| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created environment | ApplicationVersion | 24.0.0.0 |
| | CountryCode | US |
| Removed environment | | |
| Renamed environment | NewEnvironmentName | EnvironmentName |
| Copied environment | targetEnvironmentType | Production |
| | targetEnvironmentName | EnvironmentName |
| Restored environment | EnvironmentName | RestoredEnvironment |
| | EnvironmentType | Production |
| | PointInTime | 0001-01-01T00:00:00 |
| | SkipInstallingPTEs | false |
| | SkipInstallingThirdPartyGlobalApps | false |
| | SkipEnvironmentCleanup | false |
| Recovered environment | | |
| Scheduled update | IgnoreUpdateWindow | false |
| | RunOn | 0001-01-01T00:00:00 |
| Set Security Group Access | Value | 00000000-0000-0000-0000-000000000000 |
| Removed Security Group Access | | |
| Set Application Insights Connection String | | |
| Set Access with Microsoft 365 Licenses | Value | true |
| Set AppSource Apps Update Cadence | Value | DuringMajorMinorUpgrade |
| Reported Service Outage | AppVersion | 24.0.0.0 |
| | | email@cronus.com |
| | FirstName | John |
| | LastName | Doe |
| | OutageQuestionAnswers | 1: Yes. 2: All users |
| | OutageType | Logon |
| | Phone | +1 0000000000 |
| | PlatformVersion | 24.0.0.0 |
| Set Update Window | PreferredEndTime | 06:00 |
| | PreferredEndTimeUtc | 0001-01-01T06:00:00 |
| | PreferredStartTime | 00:00 |
| | PreferredStartTimeUtc | 0001-01-01T00:00:00 |
| | TimeZoneId | Coordinated Universal Time |
| Exported Environment | | |
| Restarted Environment | | |
| Cancelled Session | sessionId | 12345 |
| Requested Environment Transfer | DestinationEntraTenantId | 00000000-0000-0000-0000-000000000000 |
| | RunAt | 0001-01-01T00:00:00 |
| Accepted Environment Transfer Request | ApplicationFamily | BusinessCentral |
| | DestinationEnvironmentName | EnvironmentName |
| | SourceEntraTenantId | 00000000-0000-0000-0000-000000000000 |
| | SourceEnvironmentName | EnvironmentName |
| Cancelled Environment Transfer Request | | |
| Link Environment to Power Platform Environment | powerPlatformEnvironmentId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | environmentName | EnvironmentName |
| Unlink Environment to Power Platform Environment | powerPlatformEnvironmentId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | environmentName | EnvironmentName |
| Set Support Contact Information | | support@cronus.com |
| | Name | SupportContact |
| | Url | https://cronus.com/support |
| Changed tenant permission system table | | |
| Changed tenant permission set system table | | |
| Changed tenant permission set relation system table | | |
| Changed tenant feature key system table | | |
| Changed tenant profile setting system table | | |
| Changed tenant profile extension system table | | |
| Changed data sensitivity system table | | |
Configured extension activities
Activities listed in the table below can be audited by filtering to the Configured extension event.
| Activity | Custom dimensions | Sample value |
|---|---|---|
| Installed Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | AllowPreviewVersion | true |
| | InstallOrUpdateNeededDependencies | true |
| | TargetVersion | 24.0.0.0 |
| | UseEnvironmentUpdateWindow | true |
| Updated Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | AllowPreviewVersion | true |
| | InstallOrUpdateNeededDependencies | true |
| | TargetVersion | 24.0.0.0 |
| | UseEnvironmentUpdateWindow | true |
| Uninstalled Global App | appId | 00000000-0000-0000-0000-000000000000 |
| | DeleteData | true |
| | UninstallDependents | true |
| | UseEnvironmentUpdateWindow | true |
| Cancelled Global App Update | appId | 00000000-0000-0000-0000-000000000000 |
| | ScheduledOperationId | 00000000-0000-0000-0000-000000000000 |
| Published app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Installed app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Upgraded app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Uninstalled app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Unpublished app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Uploaded app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Deployed app | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | user | Test User |
| Changed permission set by extension | tenantId | tenant01a123456789 |
| | appId | 00000000-0000-0000-0000-000000000000 |
| | appVersion | 1.1.1234.0000 |
| | permissionSetExtensionObjectId | 00000000-0000-0000-0000-000000000000 |
| | permissionSetExtensionObjectName | Test Permission Set Extension |
| | permissionSetId | 00000000-0000-0000-0000-000000000000 |
| | permissionSetName | Test Permission Set Name |
| | changeSummary | Test change summary |
| | isNewPermissionSet | True |
Administered user activities
You can audit the activities in the table below by filtering to the Administered user event.
| Activity | Message parameters | Sample value |
|---|---|---|
| The tenant [TenantPermission] permission for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] has been updated with the value: "[Value]", by the UserSecurityId [UserSecurityId] | TenantPermission | READ |
| | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Value | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The Read permission for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been granted by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The tenant permissions for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been inserted with the following values - Read "[Read]", Insert "[Insert]", Modify "[Modify]", Delete "[Delete]" and Execute "[Execute]" by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Read | True |
| | Insert | True |
| | Modify | True |
| | Delete | True |
| | Execute | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The tenant permissions for the App Id [AppId], Role [Role], ObjectType [ObjectType], ObjectId [ObjectId] have been updated with the following values - Read "[Read]", Insert "[Insert]", Modify "[Modify]", Delete "[Delete]" and Execute "[Execute]" by the UserSecurityId [UserSecurityId] | AppId | 00000000-0000-0000-0000-000000000000 |
| | Role | D365 ACCOUNTANTS |
| | ObjectType | Table |
| | ObjectId | 18 |
| | Read | True |
| | Insert | True |
| | Modify | True |
| | Delete | True |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The permission set [PermissionSet] has been added to the security group [SecurityGroupName] by UserSecurityId [UserSecurityId] | PermissionSet | D365 READ |
| | SecurityGroupName | My security group |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been created by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been modified by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The license configuration [PlanConfiguration] has been deleted by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The plan configuration [PlanConfiguration] has been customized by the UserSecurityID [UserSecurityId] | PlanConfiguration | D365 Business Central Basic Financials |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The Update users from Microsoft 365 wizard has been run by the UserSecurityID [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The user with UserSecurityId [UserSecurityId1] has been disabled by user with UserSecurityID [UserSecurityId2] | UserSecurityId1 | 00000000-0000-0000-0000-000000000000 |
| | UserSecurityId2 | 00000000-0000-0000-0000-000000000000 |
| The permission set [PermissionSet] has been copied by UserSecurityId [UserSecurityId] | PermissionSet | D365 READ |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The Effective Permissions page has been opened by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The user settings (UserSecurityId [UserSecurityId1]) has been updated with the values: Language ID [LanguageId], Locale ID [LocaleId], Company [Company], Time Zone [TimeZone], Profile ID [ProfileId] by UserSecurityId [UserSecurityId2] | UserSecurityId1 | 00000000-0000-0000-0000-000000000000 |
| | LanguageId | 1033 |
| | LocaleId | 1033 |
| | Company | CRONUS USA, Inc. |
| | TimeZone | W. Europe Standard Time |
| | ProfileId | BUSINESS MANAGER EVALUATION |
| | UserSecurityId2 | 00000000-0000-0000-0000-000000000000 |
| Changed access control system table | | |
| Changed user system table | | |
Administered company activities
You can audit the activities in the table below by filtering to the Administered company event.
Events in the table below are emitted with custom dimensions.
| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created new company | CompanyName | CRONUS USA, Inc. |
| Copied company | fromCompanyName | CRONUS USA, Inc. |
| | toCompanyName | CRONUS USA, Inc. |
| Deleted company | CompanyName | CRONUS USA, Inc. |
| Changed company system table | | |
Events in the table below are emitted with message parameters.
| Activity | Message parameters | Sample value |
|---|---|---|
| The Monitor Field feature has been set up by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been set for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been modified for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Field monitoring has been deleted for the field [FieldId] in the table [TableId] by UserSecurityId [UserSecurityId] | FieldId | 1 |
| | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The data sensitivity value [DataSensitivityValue] has been set for Company Name [CompanyName], Table No. [TableId], Field No. [FieldId] by UserSecurityId [UserSecurityId] | DataSensitivityValue | Sensitive |
| | CompanyName | CRONUS USA, Inc. |
| | TableId | 18 |
| | FieldId | 1 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The new retention policy record with Table ID [TableId] is created by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The retention policy defined for table [TableId], [TableName] was applied by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | TableName | Customer |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| UserSecurityId [UserSecurityId] set the status of the job queue entry [JobQueueEntryId] to Ready | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| | JobQueueEntryId | 1 |
| The status of the feature key [FeatureKey] has been set to [FeatureStatus] by UserSecurityId [UserSecurityId] | FeatureKey | ConcurrentWarehousingPosting |
| | FeatureStatus | Enabled |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
Configured integration activities
You can audit the activities in the table below by filtering to the Configured integration event.
Events in the table below are emitted with custom dimensions.
| Activity | Custom dimensions | Sample value |
|---|---|---|
| Set Authorized Microsoft Entra App to Admin Center API | appId | 00000000-0000-0000-0000-000000000000 |
| Deleted Authorized Microsoft Entra App from Admin Center API | appId | 00000000-0000-0000-0000-000000000000 |
| Set Customer Tenant Access to Application Family | varTenantId | 00000000-0000-0000-0000-000000000000 |
| | applicationFamily | BusinessCentral |
| | country | US |
| | access | read |
| Set Notification Recipient | Id | 00000000-0000-0000-0000-000000000000 |
| | | recipient@cronus.com |
| | Name | John Doe |
| Removed Notification Recipient | Id | 00000000-0000-0000-0000-000000000000 |
Events in the table below are emitted with message parameters.
| Activity | Message parameters | Sample value |
|---|---|---|
| Privacy Notice Approval ID [PrivacyApprovalName] provided by UserSecurityId [UserSecurityId] | PrivacyApprovalName | Azure OpenAI |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Privacy Notice Approval ID [PrivacyApprovalName] has been reset by UserSecurityId [UserSecurityId] | PrivacyApprovalName | Azure OpenAI |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The web service record with Object Type [ObjectType], Service Name [ServiceName] has been created by UserSecurityId [UserSecurityId] | ObjectType | Page |
| | ServiceName | ItemLedgerEntries |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| The new API Setup record Table ID [TableId], Template Code [TemplateCode], Page ID [PageId] is created by the UserSecurityId [UserSecurityId] | TableId | 18 |
| | TemplateCode | RESO000001 |
| | PageId | 32 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| User [UserSecurityId] enabled integration to Dataverse | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| User [UserSecurityId] enabled integration to Dynamics 365 Sales | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Email Logging has been set up by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| CDS Connection Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Sales and Inventory Forecast application - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Online Map Setup enabled by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Late Payment Prediction - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Cash Flow Forecast feature, Azure AI - consent provided | | |
| Image Analyzer - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Image Analyzer - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| MS PayPal - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| MS Yodlee Bank Service - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| AMC Banking Fundamentals - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| VAT Registration Service enabled by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Curr. Exch. Rate Update Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| Document Exchange Service Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| CFDI - consent provided | | |
| NO Elect. VAT Setup - consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
| SII Setup - consent provided | | |
| The UK Making Tax Digital consent provided by UserSecurityId [UserSecurityId] | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
Configured Copilot activities
You can audit the activities in the table below by filtering to the Configured Copilot event.
| Activity | Message parameters | Sample value |
|---|---|---|
| The copilot/AI capability [CopilotCapability], App Id [AppId] has been activated by the UserSecurityId [UserSecurityId] | CopilotCapability | Sales Line Suggestions |
| | AppId | 00000000-0000-0000-0000-000000000000 |
| | UserSecurityId | 00000000-0000-0000-0000-000000000000 |
Configured cloud migration activities
Coming soon.
Administered report activities
You can audit the activities in the table below by filtering to the Administered report event.
| Activity | Custom dimensions | Sample value |
|---|---|---|
| Created report layout | ReportId | 1 |
| | LayoutName | TestReport |
| | LayoutDescription | Test Layout Description |
| | LayoutFormat | Layout Format |
| | Action | New |
| Deleted report layout | ReportId | 1 |
| | LayoutName | TestReport |
| | Action | Delete |
| Modified report layout | ReportId | 1 |
| | OldLayoutName | OldTestReport |
| | OldLayoutDescription | Old Layout Description |
| | NewLayoutName | NewTestReport |
| | NewLayoutDescription | New Layout Description |
| | Action | Edit |
See also
Auditing in Business Central
Auditing changes
Security Auditing in Business Central