Audit User Read Access to Dynamics 365 Records

With GDPR being effective since May 25 2018, Microsoft has released a large set of tools and security mechanisms, both on Office 365 and Dynamics 365, to ensure their customers can be compliant and offer the highest level of security.
I will focus in this article on the new option to audit read actions.

Dynamics 365 now allows to track these actions:
  • Display of a single CRM record.
  • Display of a list of records in a view or export of a set of records.
In the past, it was only possible to audit Create, Update, and Delete events, not the Read event, unless you implemented specific developments with plugins that would be triggered on Retrieve and RetrieveMultiple.

This Microsoft Docs article does a very good job at explaining how Activity Logging works, its requirements, and how to set it up: Enable and use Activity Logging.

Let's make one thing clear: if people can have a read access to data, they can manage to export the data one way or another. So security should come from your security model, and not based on whether or not you display or hide fields on a form, or if you disable the Export to Excel button for your users (remember the data is available through the APIs, so it's quite easy to export, for example through a Power BI report).

How to set up Activity Logging?

  • Have a Production instance with version or higher and an Office 365 Enterprise E3 or E5 subscription.
  • Go to your instance System Settings, in the Auditing tab and make sure that Start Auditing, Audit user access and Start Read Auditing are checked. You must also enable Auditing in one of areas of your sitemap:
  • In the customizations, activate Auditing at the desired entity level, and then Single recording auditing to track when a record is opened (Retrieve message) and Multiple record auditing to track when a list of records are retrieved, either in a view or through an Excel export (RetrieveMultiple message).

What does it look like in practice?

This is what the Audit History looks like on a contact record where we have enabled audit. If you look carefully, you will see no signs of a read action, but instead the classic Create and Update history of events:

You will also notice a new Delete Change History button that allows to wipe the audit history for a single record. This action will also be tracked in the Audit History:

Where to find the Dynamics 365 Read Audit Log?

As this kind data can rapidly accumulate in huge volumes, it is logged in a dedicated place, in the Office 365 Security & Compliance Portal.
  • Under Search & investigation, go to Audit log search
  • You will notice that events from many different Office 365 applications are logged here. You can filter the list of audited activities by application, by selecting Dynamics 365 activities:

  • You will notice that many Dynamics 365 events are tracked. So you can also filter down the list of results with Users, Dates or Custom filters applied to your view:

  • When you open an audit record, you will get access to a bunch of additional information, that are not very user friendly, such as the record URL that was displayed. Here is an example for the Retrieve contact audit activity:

  • Here is a RetrieveMultiple Contacts log. Notice how the system records the FetchXML query associated with the displayed list of records, and not the collection of displayed records.
This means that you do not know precisely the records that were displayed without doing some more advanced analysis.

Initial thoughts

Well, as you can see, it's not very simple to get to the "Read" event for a CRM record. But at least, these events are tracked somewhere. No doubt Microsoft will improve the experience in future versions.

While it's still not possible to display that kind of information from the Dynamics 365 application (be it from the Audit Summary View or directly from the Audit Summary of a specific record), I get a feeling that Microsoft will be progressively moving most or all audit tracking features to the Security & Compliance portal, as a lot of Dynamics 365 events are already being tracked in it (the full list of admin and user events is available here):

Example of an Update contact activity that stores the updated values:

To programmatically download data from the Office 365 audit log, you can use the Office 365 Management Activity API (REST web service).