2 Best Methods to Access Windows 365 Cloud PC Audit Logs

Posted by Prajwal Desai

In this article, I will show you how to access Windows 365 Cloud PC audit logs. You can use PowerShell and the Graph API to get Windows 365 audit logs. The audit logs for Windows 365 keep track of what changed on a cloud PC because of an action.

For an Intune admin managing the cloud PCs, the Windows 365 audit logs are useful when you want to audit certain events on the cloud PCs. The audit logs are also useful when you would like to troubleshoot Cloud PC issues.

Create, update (edit), delete, assign, and remote actions all create audit events that administrators can review for most Cloud PC actions that go through Graph. By default, auditing is enabled for all customers using cloud PCs. It can’t be disabled.

Whether the device is a Cloud PC or a Windows device managed with Intune, the audit logs contain an entry for every action initiated on the device. The audit reports are available when you provision a Cloud PC or reprovision Cloud PCs.


Methods to access the Audit Logs for Cloud PCs

If you are looking to access the audit logs for Cloud PCs, there are two methods that you can use:

  • Method 1: Access the audit logs for Cloud PC from Intune Portal.
  • Method 2: Use Graph API and PowerShell to retrieve Windows 365 audit events.

The easiest method to access the Windows 365 audit logs is via the Intune portal. To get the Cloud PC audit data with the PowerShell and Graph API method, you will need to install the Microsoft Graph SDK. I will cover both methods to retrieve the Windows 365 audit events.


Who can access the Cloud PC Audit data?

To access the Cloud PC audit logs, users require the following permissions:

  • Global Administrator.
  • Intune Service Administrator.
  • Administrators assigned to an Intune role with Audit data – Read permissions.

Note: If you don’t have permission to log in to or access parts of the Azure portal, contact your IT admin. You can retrieve the Windows 365 audit logs only when you have the proper permissions.


Where can I find the Cloud PC Audit Logs?

The Cloud PC audit logs are located in the Intune Portal, and you can access them with the following steps:

  • Sign in to Microsoft Intune Portal.
  • Navigate to Tenant Administration > Audit Logs.
  • Here you’ll find all the audit logs related to Cloud PCs.
Locate Windows 365 Cloud PC Audit Logs

What details are available in Cloud PC Audit Logs

In the Intune portal, when you access the Cloud PC audit logs, there are multiple columns that you see. The following details are included for a Cloud PC audit log:

  1. Date: The date and time of the activity.
  2. Initiated by: The account that initiated the action, which can be an admin or an application. This value (the actor) reveals who initiated the action on the Cloud PC.
  3. Application name: The name of the application, for example, Microsoft Intune Portal extension.
  4. Activity: The activity details show what action was performed on the Cloud PC. For example, if you have initiated a Cloud PC sync action, the activity “syncDevice ManagedDevice” will be logged.
  5. Target: The target is typically the component for which the activity was triggered. For example, the windowsDefenderScan ManagedDevice activity relates to target WindowsDefenderScan.
  6. Category Details: The category to which the audit log belongs. Examples of categories include Device, Device Configuration, Software Updates, etc.
  7. Status: The status column shows the status of the activity, which is either “Success” or “Failed”.

When you audit the logs for Cloud PCs, you can choose which columns are shown in the Intune Portal. In the Audit Logs section, select Columns and pick the columns that you wish to include or exclude while viewing the logs.

Windows 365 Cloud PC Audit Logs Details


How to Access Windows 365 audit logs using PowerShell and Graph API

Using PowerShell and the Graph API, you can access the Windows 365 audit logs. There is a series of steps that you must follow before you can retrieve the audit logs of Cloud PCs. I am going to run the PowerShell commands below on my Configuration Manager server. In your case, it could be a laptop that you use for work.

1. Install Microsoft Graph PowerShell SDK

Using the Install-Module cmdlet is the preferred installation method for the Microsoft Graph PowerShell module. Launch PowerShell and run the command below to install the Microsoft Graph module.

Install-Module Microsoft.Graph -Scope CurrentUser
Install Microsoft Graph PowerShell SDK | Windows 365 Audit Logs

Run the command below to verify that the Microsoft Graph module installed successfully. The output should include the Microsoft Graph module version, which is 1.15.0 in this case.

Get-InstalledModule Microsoft.Graph
Verify Microsoft Graph Install | Windows 365 Audit Logs

Once you have installed the Microsoft Graph API module, you can run the below PowerShell command to get all Cloud PC Graph Endpoints.

Get-Command -Module Microsoft.Graph* *virtualEndpoint*
Get all Cloud PC Graph endpoints

2. Connect to Microsoft Graph and Sign in

Once you have installed the Graph PowerShell SDK, we’ll use it to perform some basic tasks. The Connect-MgGraph cmdlet is used to connect to Microsoft Graph PowerShell.

To connect to Microsoft Graph and sign in, you can run either of the commands below in PowerShell.

Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Connect-MgGraph -Scopes "CloudPC.Read.All"

You’ll need to sign in with an admin account to consent to the required scopes. On the resulting web page, sign in to your tenant with a user account that has the appropriate read and/or write permissions. I am using a global administrator account in this example. To provide the consent, check the box “Consent on behalf of your organization” and click Accept.

Connect to Microsoft Graph and Sign in

Switch to the Graph beta environment by running the below PowerShell command.

Select-MgProfile -Name "beta"
Switch to Microsoft Graph Beta Environment

3. Get the Audit Data of Cloud PCs using PowerShell & Graph API

In this step, we will retrieve the audit data of Windows 365 Cloud PCs using PowerShell and the Graph API. We’ll see examples of how to retrieve the entire list of audit events including the audit actor, the complete list of audit events, and a specific event by event ID.

There are several ways to view the audit information for Cloud PCs, and I’ll go over each one with an illustration. All the commands below will work only when you have installed the Microsoft Graph module and connected to your tenant with proper credentials.

4. Get entire list of Cloud PC audit events, including the audit actor

To get the entire list of Cloud PC audit events, including the actor (person who performed the action), use the following command:

Get-MgDeviceManagementVirtualEndpointAuditEvent | Select-Object -Property Actor,ActivityDateTime,ActivityType,ActivityResult -ExpandProperty Actor | Format-Table UserId, UserPrincipalName, ActivityType, ActivityDateTime, ActivityResult
Get entire list of Cloud PC audit events, including the audit actor

5. Get a list of Windows 365 Audit Events

To get a list of Windows 365 audit events without the audit actor, use the following command:

Get-MgDeviceManagementVirtualEndpointAuditEvent -All

The output will display all the audit events for Cloud PCs. When you have multiple Cloud PCs in the setup, the output will be lengthier. Move to the next step to filter the events using the Event ID.

Get a list of Windows 365 Cloud PC Audit Events

6. Get a Single Cloud PC Event using Event ID

You can use the following command to get a single audit event, where you’ll need to provide the {event ID}:

Get-MgDeviceManagementVirtualEndpointAuditEvent -CloudPcAuditEventId {event ID}
Get a Single Event using Event ID
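
Building on steps 4 to 6, the following added example (not from the original article) flattens audit events into one row per changed property and lists the non-successful actions separately, which is the view you usually want when reviewing who changed what. The helper name ConvertTo-CloudPcAuditRow and the sample events are constructed; the Resources, ModifiedProperties, ApplicationDisplayName and IpAddress property names are assumed from the Microsoft Graph beta cloudPcAuditEvent resource and should be checked against your installed module version.

```powershell
# Added example: flatten Cloud PC audit events into one row per changed property.
function ConvertTo-CloudPcAuditRow {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$AuditEvent)
    process {
        # Application-initiated events carry no UPN, so fall back to the app name.
        $who = $AuditEvent.Actor.UserPrincipalName
        if (-not $who) { $who = $AuditEvent.Actor.ApplicationDisplayName }
        # One entry per modified property; resources without changes keep one entry.
        $changes = @(foreach ($res in $AuditEvent.Resources) {
            $props = @($res.ModifiedProperties | Where-Object { $_ })
            if ($props.Count -eq 0) { $props = @($null) }
            foreach ($p in $props) { [pscustomobject]@{ Target = $res.DisplayName; Prop = $p } }
        })
        # Events with no resources at all still produce a single row.
        if ($changes.Count -eq 0) { $changes = @([pscustomobject]@{ Target = $null; Prop = $null }) }
        foreach ($c in $changes) {
            [pscustomobject]@{
                Time     = $AuditEvent.ActivityDateTime
                Actor    = $who
                SourceIp = $AuditEvent.Actor.IpAddress
                Activity = $AuditEvent.ActivityType
                Result   = $AuditEvent.ActivityResult
                Target   = $c.Target
                Property = $c.Prop.DisplayName
                OldValue = $c.Prop.OldValue
                NewValue = $c.Prop.NewValue
                EventId  = $AuditEvent.Id
            }
        }
    }
}

# Constructed sample events (not real tenant data), shaped like the cmdlet output.
$sample = @(
    [pscustomobject]@{ Id = 'evt-0001'; ActivityDateTime = '2023-01-10T09:15:00Z'
        ActivityType = 'Patch CloudPcProvisioningPolicy'; ActivityResult = 'success'
        Actor = [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example'; IpAddress = '203.0.113.10' }
        Resources = @([pscustomobject]@{ DisplayName = 'Policy-A'; ModifiedProperties = @(
            [pscustomobject]@{ DisplayName = 'ImageId'; OldValue = 'img-1'; NewValue = 'img-2' }) }) }
    [pscustomobject]@{ Id = 'evt-0002'; ActivityDateTime = '2023-01-10T09:20:00Z'
        ActivityType = 'Reprovision CloudPC'; ActivityResult = 'failure'
        Actor = [pscustomobject]@{ ApplicationDisplayName = 'Constructed App'; IpAddress = '198.51.100.7' }
        Resources = $null }
)
# Non-successful actions first, then the full change list.
$rows = $sample | ConvertTo-CloudPcAuditRow
$rows | Where-Object Result -ne 'success' | Format-Table Time, Actor, SourceIp, Activity, Result
$rows | Format-Table Time, Actor, Activity, Target, Property, OldValue, NewValue
# Live data, after Connect-MgGraph: Get-MgDeviceManagementVirtualEndpointAuditEvent -All | ConvertTo-CloudPcAuditRow
```

For a review or hand-off to a SIEM, pipe the rows to Export-Csv instead of Format-Table; a session connected with the CloudPC.Read.All scope shown in step 2 is the narrower of the two scopes the article lists.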
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.