Unlocking Cloud PC Audit Logs with Azure Log Analytics and PowerShell

Windows 365 Cloud PC Audit Logs with Azure Log Analytics & Graph API using PowerShell

Are you looking to keep a vigilant eye on your Windows 365 environment? Good news! You can now send Windows 365 audit events to Azure Log Analytics, Splunk, or any other SIEM system that supports it. When it comes to monitoring your Cloud PC environment, Windows 365 audit logs are an indispensable resource. These logs provide a comprehensive chronicle of significant activities that result in modifications within your Cloud PC setup (https://intune.microsoft.com/).

Here’s what gets captured:

* These audit events encompass most actions executed via the Microsoft Graph API, ensuring that administrators have visibility into the operations that affect their Cloud PC infrastructure.

It’s important to note that audit logging is an always-on feature for Windows 365 customers. This means that from the moment you start using Cloud PCs, every eligible action is automatically logged without any additional configuration.

Windows 365 has made it easier than ever to integrate with Azure Log Analytics. With a few simple PowerShell commands, you can create a diagnostic setting to send your logs directly to your Azure Log Analytics workspace. Once your logs are safely stored in Azure Log Analytics, retrieving them is a breeze. You can use Kusto Query Language (KQL) to extract and analyze the data.
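As an added example (not the post's own code), the following PowerShell runs a KQL query against a Log Analytics workspace from the command line, which is handy for scheduled checks or for pulling evidence into a ticket. It assumes the Az.Accounts and Az.OperationalInsights modules, that the diagnostic setting forwarding Windows 365 audit events already exists, and that you replace the resource group, workspace and table-name placeholders with your own values (the table name in particular depends on what your diagnostic setting writes; check the workspace schema first).

```powershell
# Added example, not from the original post. Assumes Az.Accounts and
# Az.OperationalInsights are available and a Windows 365 diagnostic setting
# is already sending audit events to the workspace.
Install-Module Az.OperationalInsights -Scope CurrentUser
Connect-AzAccount

$ResourceGroup = '<your-resource-group>'           # placeholder
$WorkspaceName = '<your-log-analytics-workspace>'  # placeholder
$TableName     = '<your-windows365-audit-table>'   # placeholder: confirm via the workspace schema

# Resolve the workspace; CustomerId is the workspace ID the query API expects
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Query 1: list the table's columns so you know which fields are available to filter on.
# TimeGenerated exists in every Log Analytics table, so this works regardless of schema.
$schemaQuery = "$TableName | getschema"
$schema = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $schemaQuery
$schema.Results | Select-Object ColumnName, ColumnType | Format-Table -AutoSize

# Query 2: daily volume of audit events over the last 7 days. A sudden spike or a day
# with zero events is a cheap first signal that something changed (or that forwarding broke).
$kql = @"
$TableName
| where TimeGenerated > ago(7d)
| summarize Events = count() by Day = bin(TimeGenerated, 1d)
| order by Day asc
"@
$daily = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
    -Query $kql -Timespan (New-TimeSpan -Days 7)
$daily.Results | Format-Table -AutoSize

# Keep a copy of the raw rows for the period when you need an audit trail outside the workspace
$export = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
    -Query "$TableName | where TimeGenerated > ago(7d)" -Timespan (New-TimeSpan -Days 7)
$export.Results | Export-Csv -Path ".\w365-audit-last7d.csv" -NoTypeInformation
```

The `-Timespan` parameter bounds the query server-side, which keeps long-retention workspaces from scanning more than you asked for; the `where TimeGenerated` clause inside the KQL is kept as well so the query reads the same when pasted into the portal.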

Here’s a basic example of how you might query the logs:

Step 1 – Install the MS Graph PowerShell Module

* Connect to Microsoft Graph with the scopes (permissions) you need for the API you wish to call. If you are only doing read-only operations, I suggest you connect with “CloudPC.Read.All”; in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”.

Step 2 – Check the User account by running the following beta command:

* To get the entire list of audit events including the actor (person who performed the action), use the following command:

* To get a list of audit events without the audit actor, use the following command:
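The three steps above, worked through as an added example (not the post's own commands). It assumes the Microsoft.Graph.Authentication module, and it uses `Invoke-MgGraphRequest` against the beta Cloud PC audit endpoint (`/beta/deviceManagement/virtualEndpoint/auditEvents`) rather than a wrapper cmdlet, so the only names it depends on are the endpoint and the standard SDK commands. The actor property names it projects (`userPrincipalName`, `applicationDisplayName`) are assumptions about the audit actor object; adjust them if your tenant's output differs. Because this example only reads, it connects with the read-only scope the post mentions.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph.Authentication.

# Step 1: install the SDK core module and sign in. Read-only work only needs CloudPC.Read.All;
# creating or changing policy is where CloudPC.ReadWrite.All becomes necessary.
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Connect-MgGraph -Scopes "CloudPC.Read.All"

# Step 2: confirm which account the session is running as and which scopes were granted,
# so a missing permission shows up here rather than as a 403 later.
$ctx = Get-MgContext
"Signed in as $($ctx.Account) with scopes: $($ctx.Scopes -join ', ')"

# Helper: walk every page of a Graph collection. Audit logs are paged, and stopping at
# the first page silently drops older events.
function Get-AllGraphPages {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        # PSObject output so Select-Object and dotted access behave as expected
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/auditEvents'

# Step 3a: the full list of audit events, including the actor (who performed the action).
# Actor sub-property names below are assumed; verify against one raw event in your tenant.
$withActor = Get-AllGraphPages -Uri ($base + '?$top=100')
$withActor |
    Select-Object displayName, activityDateTime, activityType, activityResult,
        @{ n = 'actorUpn'; e = { $_.actor.userPrincipalName } },
        @{ n = 'actorApp'; e = { $_.actor.applicationDisplayName } } |
    Sort-Object activityDateTime -Descending |
    Format-Table -AutoSize

# Step 3b: the same events without the actor block, by selecting only non-actor properties.
# Useful when sharing output with people who should not see who did what.
$select = 'id,displayName,activityDateTime,activityType,activityOperationType,activityResult,category,componentName'
$withoutActor = Get-AllGraphPages -Uri ($base + '?$select=' + $select + '&$top=100')
$withoutActor | Format-Table -AutoSize

# Keep the full export for evidence; Graph retention is limited, the CSV is not.
$withActor | ConvertTo-Json -Depth 5 | Set-Content -Path ".\w365-audit-events.json"

Disconnect-MgGraph
```

Single quotes around the query-string fragments matter: in a double-quoted PowerShell string `$top` and `$select` would be expanded as (empty) variables and the OData options would vanish from the request.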

Integrating Windows 365 with Azure Log Analytics is a smart move for any organization looking to bolster its security and compliance posture. With the added flexibility of forwarding to multiple endpoints, you’re well-equipped to handle whatever audit challenges come your way.

I hope you find this information helpful for enabling and querying Windows 365 audit logs in Azure Log Analytics or via the Graph API with PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post. Thanks,

Aresh Sarkari

Tags: Azure Log Analytics, Cloud PC, Microsoft, Microsoft Intune, MS Graph API, MSIntune, W365, Windows 365 Cloud PC
