Responding to DSR requests for system-generated logs in Power Apps, Power Automate, and Microsoft Dataverse
Microsoft gives you the ability to access, export, and delete system-generated logs that may be deemed personal under the privacy standard definition of personal data. Examples of system-generated logs that may be deemed personal under privacy standards include:
- Product and service usage data, such as user activity logs
- User search requests and query data
- Data generated by product and services as a product of system functionality and interaction by users or other systems
Note that the ability to restrict or rectify data in system-generated logs isn't supported. Data in system-generated logs constitutes factual actions conducted within the Microsoft cloud, and diagnostic data—including modifications to such data—would compromise the historical record of actions and increase fraud and security risks.
Prerequisites
This article focuses on responding to DSR requests for system-generated logs in managed and unmanaged tenants. To determine whether or not you belong to a managed or unmanaged tenant, see the following Determining Tenant Type section.
Accessing and exporting system-generated logs for Managed Tenants
Administrators can access system-generated logs associated with a user's use of Power Apps, Power Automate, and Dataverse services and applications.
To access and export system-generated logs, do the following:
Go to the Microsoft Service Trust Portal and sign in using Global admin credentials.
From the Privacy drop-down list at the top of the page, select Data Subject Request.
On the Data Subject Request page, under System Generated Logs, select Data Log Export. The Data Log Export displays and shows a list of export data requests submitted by your organization.
To create a new request for a user, select Create Export Data Request.
After you create a new request, the request is listed on the Data Log Export page, where you can track its status. After a request is complete, you can select a link to access the system-generated logs, which will be exported to your organization's Azure storage location within 30 days of creating the request. The data is saved in common, machine-readable file formats such as XML, CSV, or JSON. If you don't have an Azure account and Azure storage location, you'll need to create an Azure account and/or Azure storage location for your organization so that the Data Log Export tool can export the system-generated logs. For more information, see Introduction to Azure Storage.
The following table summarizes accessing and exporting system-generated logs for managed tenants:
Question | Answer |
---|---|
How long does the Microsoft Data Log Export tool take to complete a request? | It depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days. |
What format will the output be in? | The output is in the form of structured, machine-readable files such as XML, CSV, or JSON. |
Who has access to the Data Log Export tool to submit access requests for system-generated logs? | Global admin has access to the privacy Log Manager tool. |
What data does the Data Log Export tool return? | The Data Log Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Microsoft 365, Azure, Dynamics, Power Apps, Power Automate, and Dataverse. |
How is data returned to the user? | Data is exported to your organization's Azure storage location; it's up to administrators in your organization to determine how they'll show/return this data to users. |
What will data in system-generated logs look like? | Example of a system-generated log record in JSON format: [{ "DateTime": "2017-04- 28T12:09:29-07:00", "AppName": "SharePoint", "Action": "OpenFile", "IP": "154.192.13.131", "DevicePlatform": "Windows 1.0.1607" }] |
Note
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to maintain the integrity of personal information.
Deleting system-generated logs for Managed Tenants
To delete system-generated logs retrieved through an access request, you must remove the user from the service and permanently delete their Microsoft Entra account. For instructions on how to permanently delete a user, see the Deleting a user section in the Azure Data Subject Request privacy documentation that can be found on the Microsoft 365 Service Trust Portal. It's important to note that permanently deleting a user account is irreversible once initiated.
Permanently deleting a user account removes the user's data from system-generated logs for Power Apps, Power Automate, and Dataverse services within 30 days.
Accessing and exporting system-generated logs for Unmanaged Tenants
Users can access system-generated logs associated with their use of Power Apps, Power Automate, and Dataverse services and applications.
To access and export system-generated logs, do the following:
- Go to the Work and School Privacy portal.
- On the My data requests page, a user can request a data export by clicking on the New export request button.
- Upon clicking this button, you'll be asked for to confirm your request. Select Yes to continue.
- New export requests may take up to one month to complete. During this time, you'll see a status of Running.
- Once complete, the Date Completed column is populated and a link to your system-generated logs will be provided.
- Select on this link to download your data. You can use a text editor to view this data.
- Also note, the Expiry date for this content is being populated within the Expiry Date column. You have up until this time to retrieve your system-generated logs.
The following table summarizes accessing and exporting system-generated logs for unmanaged tenants:
Question | Answer |
---|---|
How long does the Microsoft Data Log Export tool take to complete a request? | This depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days. |
What format will the output be in? | The output is in the form of structured, machine-readable files such as XML, CSV, or JSON. |
Who has access to the Data Log Export tool to submit access requests for system-generated logs? | Users who are a member of an unmanaged tenant have access to submit requests. |
What data does the Data Export tool return? | The Data Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Microsoft 365, Azure, Dynamics, Power Apps, Power Automate, and Dataverse. |
How is data returned to the user? | Data is exported to a Microsoft website where a link will be securely provided to the user who made the DSR request. |
What will data in system-generated logs look like? | Example of a system-generated log record in JSON format: [{ "DateTime": "2017-04- 28T12:09:29-07:00", "AppName": "SharePoint", "Action": "OpenFile", "IP": "154.192.13.131", "DevicePlatform": "Windows 1.0.1607" }] |
Note
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to maintain the integrity of personal information.
Deleting system-generated logs for Unmanaged Tenants
To delete system-generated logs retrieved through an access request, you must close your account, which will delete your system-generated logs and remove your data in Power Apps, Power Automate, and Dataverse services within 30 days.
To delete system-generated logs, do the following:
- Go to the Work and School Privacy portal.
- On the My data requests page, a user can request the deletion of their data by clicking on the Close account button.
- Upon clicking this button, you'll be asked for to confirm your request. Select Yes to continue.
- Once the account has been closed, you won't have access to Power Apps, Power Automate, and Dataverse.
Determining Tenant Type
To determine whether or not you're a user of a managed or unmanaged tenant, perform the following actions:
Open the following URL in a browser, making sure to replace your email address in the URL:https://login.microsoftonline.com/common/userrealm/name@contoso.com?api-version=2.1.
If you are a member of an unmanaged tenant,** then you'll see an
"IsViral": true
in the response.{ ... "Login": "name@unmanagedcontoso.com", "DomainName": "unmanagedcontoso.com", "IsViral": **true**, ... }
Otherwise, you belong to a managed tenant.