Keeping track of rapid changes across your Microsoft 365 tenant, like user modifications, security updates, or role assignments, can feel impossible without centralized visibility.
A solution to this is to use Power Automate for the audit logs, turning them into a clear, actionable record for accountability and security. In this guide, you’ll learn how to build this using Power Automate and Microsoft Purview, step by step.
Procedures for building a tenant change log
Centralizing change tracking prevents security gaps and simplifies compliance audits across your Microsoft 365 environment.
📌 Use case: An automated tenant change log helps you monitor critical activities like permission changes, policy updates, user lifecycle events, and maintain historical visibility across departments. It turns scattered Microsoft Purview audit logs into a unified security asset.
📌 Prerequisites: Before proceeding, make sure you have Microsoft 365 E3/E5, Power Automate access, an administrator role in the environment (e.g., Global Admin, Security Admin, or Compliance Admin), access to Microsoft Purview Compliance Portal, and PowerShell modules (specifically Microsoft Graph and ExchangeOnlineManagement).
We recommend checking ⚠️Things to look out for before proceeding.
📌 Deployment strategies:
Method 1: Enable Unified Audit Logging
Activating unified auditing ensures Microsoft 365 records every critical change across your tenant.
📌 Use case: This is the ideal procedure when setting up your tenant change log for the first time or verifying existing audit coverage..
Step-by-step procedure:
- Access Purview Portal.
- Go to Microsoft Purview Compliance Portal, then sign in with your admin account.
- Navigate to Audit.
- In the left menu, select Solutions > Audit.
- If you can’t find it, click View all solutions first.
- Enable logging.
- If auditing is disabled, you’ll see a prominent banner; then, click Start recording user and admin activity.
💡 Note: If no banner appears, auditing is already enabled.
- Verify coverage.
- Confirm these services are included:
- Exchange Online
- SharePoint/OneDrive
- Microsoft Teams
- Microsoft Entra ID
- Confirm these services are included:
- Wait for activation.
- Give the system 24 hours for full log generation. Initial events appear within one hour.
Within 24 hours, Microsoft 365 will begin recording events, such as user creations, permission changes, and policy updates. These Microsoft Purview audit logs become the data source for your Power Automate workflow.
Method 2: Use Power Automate to log changes from audit events
Automate tenant-wide tracking by transforming raw audit data into actionable records.
📌 Use case: Do this when you need continuous, customized logging of specific changes like permission updates or mailbox modifications..
Step-by-step procedure:
- Create an Azure AD App registration.
- Go to the Azure Portal > Entra ID > App registrations > New registration.
- Grant these API permissions:
- AuditLog.Read.All (for Microsoft Graph)
- ActivityFeed.Read (Office 365 Management APIs)
- Create a new flow.
- Go to Power Automate, then click Create, choose Scheduled cloud flow.
- Name it (e.g., Tenant Change Logger).
- Set to run every one hour (default setting), then click Create.
- Get your security token.
- Add a new action:
- Click Search, then select Azure AD > Get OAuth 2.0 Token.
- Fill in:
- Authority URL: https://login.microsoftonline.com
- Client ID: [From your Azure AD app]
- Client Secret: [From your Azure AD app]
- Resource: https://graph.microsoft.com
- Add a new action:
- Add the Audit Log Fetcher.
- Click + New step, then search for HTTP and select HTTP-HTTP.
- Configure:
- Method: GET
- URI: Paste https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
- Headers:
{
“Authorization”: “Bearer <PASTE_TOKEN_HERE>”
}
- Filter important events.
- Click + New step, then search Filter array.
- In From, select value from the HTTP step.
- Paste this in the filter box:
@or(
equals(item()?[‘activityDisplayName’], ‘Add member to role’),
equals(item()?[‘activityDisplayName’], ‘Delete user’)
)
- This catches only role/permission changes – customize your watchlist here.
- Save to your log.
- Add final action, then search SharePoint > Add item to list.
- Select your site/list.
- Map fields:
- Timestamp: activityDateTime
- User: userPrincipalName
- Action: activityDisplayName
- Test and activate.
- Run manually with the Test button.
- Confirm events appear in your log destination.
Your flow will automatically populate your automated change log hourly with events like user deletions or policy updates. You’ll now have a searchable, centralized record for audits or incident investigations.
Method 3: Use PowerShell to export and store audit logs
PowerShell delivers precision control for extracting and storing critical change records.
📌 Use case: Use this method when you need deep filtering, custom scheduling, or direct CSV exports for historical analysis.
Step-by-step procedure:
- Connect to Exchange Online.
- Open Windows Terminal (Admin), then run:
Connect-ExchangeOnline -Device
# Authenticate with your admin account when prompted
- Search and export logs.
- Run this command to capture key events:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `-Operations “Add-MailboxPermission”, “Update-User”, “Add-MemberToRole” `-ResultSize 1000 | Export-Csv “C:\AuditLogs\Changes.csv” -NoTypeInformation
- Automate daily exports.
- Save the script as Export-AuditLogs.ps1.
- Create a Windows Task Scheduler job or use your RMM platform (e.g., NinjaOne) to deploy this script to your enterprise devices:
- Trigger: Daily at 2 AM (or whenever is best in your workplace).
- Action: powershell.exe -File “C:\Scripts\Export-AuditLogs.ps1”
Your scheduled task will generate daily CSV files (e.g., Changes_08-15-2023.csv) containing timestamped records of admin actions, ready for Excel analysis (use Power Query to parse JSON fields), long-term storage (Azure Blob/network shares), and manual audits or SIEM ingestion.
Method 4: Store logs in a centralized SharePoint or Teams location
Store your change history where teams can securely access and collaborate.
📌 Use case: Ideal for teams needing shared, searchable audit trails with customizable permissions.
Step-by-step procedure:
- Create a SharePoint Log location.
- Go to SharePoint Online > + New > List.
- Name: TenantChangeLog.
- Create these columns:
| Column Name | Type |
| Timestamp | Date & Time |
| User | Person |
| Operation | Single Line |
| Workload | Choice (Options: Exchange, Teams, Entra ID) |
| Item | Single Line |
- Auto-populate with Power Automate.
- Modify your existing Power Automate flow (from Method 2):
- Replace the final action with: SharePoint > Add item to list.
- Map fields:
- Timestamp: activityDateTime
- User: userPrincipalName
- Operation: activityDisplayName
- Workload: service
- Item: targetResources
- Modify your existing Power Automate flow (from Method 2):
- Set permissions.
- In SharePoint:
- Go to Settings > List permissions.
- Grant Read access to auditors.
- Restrict Edit to security admins.
- In SharePoint:
Your automated change log will update hourly with new events. Team members can now search historical changes in SharePoint/Teams, set alerts on critical operations (e.g., “Add member to role”), and build Power BI dashboards from the list.
Method 5: Use Registry to tag endpoint events or attach device metadata
Add endpoint context to your audit trails for precise incident tracing.
📌 Use case: Use this when you need to trace actions to specific devices or departments during security investigations.
Step-by-step procedure:
- Create the Registry keys.
- Open Run (Win + R), then type regedit to open the Registry Editor.
- Make sure you have administrative privileges.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Org\TenantMetadata
- If the TenantMetadata key is missing, create it (Right-click > New > Key).
- Add two String Values (Right-click inside the key > New > String).
- Name one String as DeviceTag.
- Input its Value as NYC-Laptop-001.
- Name the other String as Department.
- Input its Value as Finance.
- Name one String as DeviceTag.
- Open Run (Win + R), then type regedit to open the Registry Editor.
- Automate tag deployment (Group Policy).
- Open Group Policy Management Console.
- Create a new GPO in Computer Configuration > Preferences > Registry:
- Input the following:
- Action: Create
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SOFTWARE\Org\TenantMetadata
- Value: DeviceTag, then set Type to REG_SZ and Data to “%COMPUTERNAME%”
- Input the following:
- Enrich audit logs:
- Using PowerShell, append to export the script below:
| $deviceTag = (Get-ItemProperty -Path “HKLM:\SOFTWARE\Org\TenantMetadata”).DeviceTag $dept = (Get-ItemProperty -Path “HKLM:\SOFTWARE\Org\TenantMetadata”).Department [PSCustomObject]@{ Timestamp = Get-Date User = $env:USERNAME Device = $deviceTag Department= $dept Event = “Local Admin Change” } | Export-Csv “C:\Logs\EndpointEvents.csv” -Append |
- Power Automate: Add an HTTP action to the device management API to fetch tags during log processing.
Method 6: Apply Group Policy for event auditing on endpoints
Extend your visibility to on-premises devices for comprehensive hybrid monitoring.
📌 Use case: Ideal for organizations with Windows 11 devices in hybrid Azure AD environments needing local activity tracking.
Step-by-step procedure:
- Open Group Policy Management.
- Press Win + R, then type gpmc.msc to open the tool.
- Go to Forest > Domains > [Your Domain].
- Create a new policy.
- Right-click Group Policy Objects, then select New.
- Name it as Endpoint-Audit-Policy.
- Configure Audit settings.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
- Enable the following:
- Account Management: Audit User Account Management (Success)
- Account Management: Audit Security Group Management (Success)
- Logon/Logoff: Audit Logon (Success, Failure).
- Link to organizational unit.
- Right-click your target OU (e.g., Hybrid-Workstations).
- Select Link an Existing GPO, then choose Endpoint-Audit-Policy.
Windows 11 devices will begin logging specified events to their local Security event log. You can now correlate events to match local logons with Entra ID sign-ins, forward logs using Azure Monitor to ingest into Sentinel/Purview, and enrich cloud logs by adding device context via Method 5’s registry tags.
Method 7: Use CMD and CLI for validation and log diagnostics
Command-line diagnostics offer quick validation for your logging infrastructure.
📌 Use case: Ideal for troubleshooting missing events, testing connectivity, or verifying log contents during deployments.
Step-by-step procedure:
- Verify audit policies.
- Open Command Prompt (Admin) by searching for it in the taskbar.
- Run this command: auditpol /get /category:*
- Look for Account Management and Logon categories to confirm Method 6’s GPO is applied.
- Check local security events.
- Run this command:
wevtutil qe Security “/q:*[System[(EventID=4720 or EventID=4625)]]” /f:text /c:5
- Test cloud connectivity.
- Run this command:
nslookup graph.microsoft.com && ping manage.office.com
- Confirm DNS resolution for Power Automate/PowerShell log fetches.
- Inspect exported logs.
- Run this command:
type “C:\Logs\TenantChangeLog.csv” | findstr “Add member”
- This searches for permission changes in PowerShell exports.
After running these diagnostics, you’ll confirm GPO/registry changes are active, identify missing events or connectivity blockers, and adjust Power Automate flows or scripts as needed.
⚠️ Things to look out for
This section highlights potential challenges to keep in mind while following this guide.
| Risks | Potential Consequences | Reversals |
| 1. Incorrect Registry edits | The operating system can become unstable, and booting up fails. | Back up the registry (regedit > File > Export) or create a System Restore Point. Watch How to Back Up and Restore Windows Registry for more details. |
| 2. Audit Logging Disabled | Miss critical changes (user deletions, role assignments) | Verify via Purview portal banner or PowerShell: Get-AdminAuditLogConfig | fl UnifiedAuditLogIngestionEnabled |
| 3. Expired Power Automate Token | Flow failures; log ingestion stops | Implement Azure Key Vault rotation and token refresh flow; set expiration alerts |
| 4. Overly Broad GPO Auditing | Event log flooding; critical event obscurity | Test policies in staging OU first; use precise filters (e.g., EventID=4720 only) |
| 5. Exceeding API Throttle Limits | Missed events; incomplete change records | Add HTTP 429 retry logic in Power Automate; chunk large requests (>5k records) |
| 6. Over-Permissioned Azure AD App | Security breaches via compromised credentials | Enforce least privilege: Grant only AuditLog.Read.All and ActivityFeed.Read |
| 7. Ignoring Log Retention Windows | Permanent data loss (Purview: 90d-180d retention) | Implement automated CSV exports to Azure Blob Storage before retention expiry. |
Key considerations when building a tenant change log
Plan strategically to ensure your solution scales securely and cost-effectively.
Retention policies
Microsoft 365’s audit logs have strict retention windows:
- E3 licenses: 90 days (default)
- E5/Audit Premium: 180 days to 10 years (with add-ons)
Make sure to automate weekly exports to Azure Blob Storage or SharePoint for long-term archival.
Cost management
Power Automate flows are free for 5,000 monthly actions or fewer, but premium connectors cost extra, listing at $15 per user per month, according to Microsoft’s price list for Power Automate.
Microsoft Purview Audit Premium is also included with Microsoft 365 E5 or the Microsoft 365 E5 Compliance add‑on, listed at $12/user/month, and provides 1‑year default audit‑log retention with options up to 10 years, according to Microsoft Learn as of July 11, 2025.
💡 Tip: Filter high-value events early to reduce volume.
Export limits
API throttling can hold up to 2,000 requests per 10 minutes for each tenant. Meanwhile, Record caps can do 5,000 entries per PowerShell/API call. You can use pagination (@odata.nextLink) and chunked searches:
Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionCommand ReturnLargeSet
Multi-Tenant Delegation (MSPs)
Leverage Azure Lighthouse to centralize log collection without switching contexts to onboard customer tenants via ARM templates, use a single dashboard to query all tenant change logs, and restrict access with RBAC roles.
How can NinjaOne make audit logging much easier?
Unify and automate tenant-wide change tracking across cloud and endpoints.
- Automated script deployment: Schedule PowerShell scripts across Windows 11 devices to centralize audit logs from Microsoft 365, Entra ID, and local systems into NinjaOne’s repository.
- Real-time alerts and ticketing: Trigger notifications and auto-create tickets for critical events:
- Privilege escalations
- Sensitive mailbox access
- User deletions
- Unified log correlation: Blend tenant change logs with endpoint events to detect anomalies like admin logins from new devices and policy changes during off-hours
- Multi-tenant compliance dashboard: For MSPs: Visualize all client automated change logs in one glass pane, filter by severity/workload, and generate audit-ready reports.
Power Automate audit logs: Achieve strong compliance
Centralizing your tenant change log transforms scattered events into actionable security intelligence, ensuring audit readiness and real-time threat detection.
Now deploy these techniques to instantly trace breaches like privilege escalations, prove compliance during audits without frantic scrambling, and sleep knowing every critical change is tracked.
Related topics
