Merge pull request #205488 from dominicbetts/central-auditing

PMEds28 · web-flow · commit fc692beb64cc · 2022-09-26T11:29:45.000+01:00
IoT Central: describe audit log feature
diff --git a/articles/iot-central/TOC.yml b/articles/iot-central/TOC.yml
@@ -242,6 +242,8 @@
           href: core/howto-administer.md
         - name: Manage users and roles
           href: core/howto-manage-users-roles.md
+        - name: Use audit logs
+          href: core/howto-use-audit-logs.md
         - name: Manage organizations
           href: core/howto-create-organizations.md
         - name: Customize application UI
diff --git a/articles/iot-central/core/concepts-architecture.md b/articles/iot-central/core/concepts-architecture.md
@@ -48,6 +48,7 @@ In IoT Central, you can configure and manage security in the following areas:
 - Device access to your application.
 - Programmatic access to your application.
 - Authentication to other services from your application.
+- Audit logs track activity in your application.
 
 To learn more, see the [IoT Central security guide](overview-iot-central-security.md).
 
diff --git a/articles/iot-central/core/concepts-iiot-architecture.md b/articles/iot-central/core/concepts-iiot-architecture.md
@@ -77,6 +77,8 @@ Secure your IIoT solution by using the following IoT Central features:
 
 - Ensure safe, secure data exports with Azure Active Directory managed identities.
 
+- Use audit logs to track activity in your IoT Central application.
+
 ## Patterns
 
 :::image type="content" source="media/concepts-iiot-architecture/automation-pyramid.svg" alt-text="Diagram that shows the five levels of the automation pyramid." border="false":::
diff --git a/articles/iot-central/core/howto-authorize-rest-api.md b/articles/iot-central/core/howto-authorize-rest-api.md
@@ -3,7 +3,7 @@ title: Authorize REST API in Azure IoT Central
 description: How to authenticate and authorize IoT Central REST API calls
 author: dominicbetts
 ms.author: dobett
-ms.date: 06/22/2022
+ms.date: 07/25/2022
 ms.topic: how-to
 ms.service: iot-central
 services: iot-central
@@ -62,6 +62,9 @@ To get a bearer token for a service principal, see [Service principal authentica
 
 To get an API token, you can use the IoT Central UI or a REST API call. Administrators associated with the root organization and users assigned to the correct role can create API tokens.
 
+> [!TIP]
+> Create and delete operations on API tokens are recorded in the [audit log](howto-use-audit-logs.md).
+
 In the IoT Central UI:
 
 1. Navigate to **Permissions > API tokens**.
diff --git a/articles/iot-central/core/howto-faq.yml b/articles/iot-central/core/howto-faq.yml
@@ -146,7 +146,6 @@ sections:
         answer: |
           The first time you access the application, you must navigate to the application URL link you received from the administrator
 
-
   - name: Organizations
     questions:
       - question: |
@@ -168,3 +167,15 @@ sections:
           Can device groups, dashboards, and jobs be associated with multiple organizations?
         answer: |
           No, experiences such as device groups, dashboards, and jobs are associated with a single organization.
+
+  - name: Monitoring and logging
+    questions:
+      - question: |
+          What are the differences between monitoring an IoT Central application in the Azure portal and using the audit logs within in IoT Central application.
+        answer: |
+          Monitoring in the Azure portal is useful for operations monitoring. The audit log in an IoT Central application lets you see who made changes to entities within the application.
+      - question: |
+          Can I extend the audit log to store more than 30 days of data?
+        answer: |
+          Currently, you can't store more tha 30 days of data in the audit log. Entries older than 30 days are deleted automatically.
+  
diff --git a/articles/iot-central/core/howto-manage-iot-central-from-portal.md b/articles/iot-central/core/howto-manage-iot-central-from-portal.md
@@ -87,6 +87,9 @@ You can configure role assignments in the Azure portal or use the Azure CLI:
 
 You can use the set of metrics provided by IoT Central to assess the health of devices connected to your IoT Central application and the health of your running data exports.
 
+> [!NOTE]
+> IoT Central applications have an internal [audit log](howto-use-audit-logs.md) to track activity within the application. 
+
 Metrics are enabled by default for your IoT Central application and you access them from the [Azure portal](https://portal.azure.com/). The [Azure Monitor data platform exposes these metrics](../../azure-monitor/essentials/data-platform-metrics.md) and provides several ways for you to interact with them. For example, you can use charts in the Azure portal, a REST API, or queries in PowerShell or the Azure CLI.
 
 Access to metrics in the Azure portal is managed by [Azure role based access control](../../role-based-access-control/overview.md). Use the Azure portal to add users to the IoT Central application/resource group/subscription to grant them access. You must add a user in the portal even they're already added to the IoT Central application. Use [Azure built-in roles](../../role-based-access-control/built-in-roles.md) for finer grained access control.
diff --git a/articles/iot-central/core/howto-manage-users-roles-with-rest-api.md b/articles/iot-central/core/howto-manage-users-roles-with-rest-api.md
@@ -16,6 +16,9 @@ The IoT Central REST API lets you develop client applications that integrate wit
 
 Every IoT Central REST API call requires an authorization header. To learn more, see [How to authenticate and authorize IoT Central REST API calls](howto-authorize-rest-api.md).
 
+> [!NOTE]
+> Operations on users and roles are recorded in the IoT Central [audit log](howto-use-audit-logs.md).
+
 For the reference documentation for the IoT Central REST API, see [Azure IoT Central REST API reference](/rest/api/iotcentral/).
 
 [!INCLUDE [iot-central-postman-collection](../../../includes/iot-central-postman-collection.md)]
diff --git a/articles/iot-central/core/howto-manage-users-roles.md b/articles/iot-central/core/howto-manage-users-roles.md
@@ -3,7 +3,7 @@ title: Manage users and roles in Azure IoT Central application | Microsoft Docs
 description: As an administrator, how to manage users and roles in your Azure IoT Central application
 author: dominicbetts
 ms.author: dobett
-ms.date: 06/22/2022
+ms.date: 08/01/2022
 ms.topic: how-to
 ms.service: iot-central
 services: iot-central
@@ -226,6 +226,16 @@ When you define a custom role, you choose the set of permissions that a user is
 | Manage | None     |
 | Full Control | Manage |
 
+**Audit log permissions**
+
+| Name | Dependencies |
+| ---- | -------- |
+| View | None     |
+| Full Control | View |
+
+> [!CAUTION]
+> Any user granted permission to view the audit log can see all log entries even if they don't have permission to view or modify the entities listed in the log. Therefore, any user who can view the log can view the identity of and changes made to any modified entity.
+
 #### Managing users and roles
 
 **Custom roles permissions**
diff --git a/articles/iot-central/core/howto-use-audit-logs.md b/articles/iot-central/core/howto-use-audit-logs.md
@@ -0,0 +1,81 @@
+---
+title: Use Azure IoT Central audit logs | Microsoft Docs
+description: Learn how to use audit logs in IoT Central to track changes made in an IoT Central application
+author: dominicbetts
+ms.author: dobett
+ms.date: 07/25/2022
+ms.topic: how-to
+ms.service: iot-central
+services: iot-central
+
+# Administrator
+---
+
+# Use audit logs to track activity in your IoT Central application
+
+This article describes how to use audit logs to track who made what changes at what time in your IoT Central applications. You can:
+
+- Sort the audit log.
+- Filter the audit log.
+- Customize the audit log.
+- Manage access to the audit log.
+
+The audit log records information about who made a change, information about the modified entity, the action that made change, and when the change was made. The log tracks changes made through the UI, programatically with the REST API, and through the CLI.
+
+The log records changes to the following IoT Central entities:
+
+- [Users](howto-manage-users-roles.md#add-users)
+- [Roles](howto-manage-users-roles.md#manage-roles)
+- [API tokens](howto-authorize-rest-api.md#token-types)
+- [Application template export](howto-create-iot-central-application.md#create-and-use-a-custom-application-template)
+- [File upload configuration](howto-configure-file-uploads.md#configure-device-file-uploads)
+- [Application customization](howto-customize-ui.md)
+- [Device enrollment groups](concepts-device-authentication.md)
+- [Device templates](howto-set-up-template.md)
+- [Device lifecycle events](howto-export-to-blob-storage.md#device-lifecycle-changes-format)
+
+The log records changes made by the following types of user:
+
+- IoT Central user - the log shows the user's email.
+- API token - the log shows the token name.
+- Azure Active Directory user - the log shows the user email or ID.
+- Service principal - the log shows the service principal name.
+
+The log stores data for 30 days, after which it's no longer available.
+
+The following screenshot shows the audit log view with the location of the sorting and filtering controls highlighted:
+
+:::image type="content" source="media/howto-use-audit-logs/audit-log.png" alt-text="Screenshot that shows the audit log. The location of the sort and filter controls is highlighted.":::
+
+## Customize the log
+
+Select **Column options** to customize the audit log view. You can add and remove columns, reorder the columns, and change the column widths:
+
+:::image type="content" source="media/howto-use-audit-logs/audit-logs-column-options.png" alt-text="Screenshot that shows the audit log column options.":::
+
+## Sort the log
+
+You can sort the log into ascending or descending timestamp order. To sort, select **Timestamp**:
+
+:::image type="content" source="media/howto-use-audit-logs/audit-logs-sorting.png" alt-text="Screenshot that shows how to sort the log into descending timestamp order.":::
+
+## Filter the log
+
+To focus on a specific time, filter the log by time range. Select **Edit time range** and specify the range you're interested in:
+
+:::image type="content" source="media/howto-use-audit-logs/audit-logs-time.png" alt-text="Screenshot that shows how filter the log to show the last hour of entries.":::
+
+To focus on specific entries, filter by entity type or action. Select **Filter** and use the multi-select drop-downs to specify your filter conditions:
+
+:::image type="content" source="media/howto-use-audit-logs/audit-logs-filter.png" alt-text="Screenshot that shows how filter the log to show only updates to user entities.":::
+
+## Manage access
+
+The built-in **App Administrator** role has access to the audit logs by default. The administrator can grant access to other roles. An administrator can assign either **Full control** or **View** audit log permissions to other roles. To learn more, see [Manage users and roles in your IoT Central application](howto-manage-users-roles.md).
+
+> [!IMPORTANT]
+> Any user granted permission to view the audit log can see all log entries even if they don't have permission to view or modify the entities listed in the log. Therefore, any user who can view the log can view the identity of and changes made to any modified entity.
+
+## Next steps
+
+Now that you've learned how to manage users and roles in your IoT Central application, the suggested next step is to learn how to [Manage IoT Central organizations](howto-create-organizations.md).
diff --git a/articles/iot-central/core/media/howto-use-audit-logs/audit-log.png b/articles/iot-central/core/media/howto-use-audit-logs/audit-log.png
diff --git a/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-column-options.png b/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-column-options.png
diff --git a/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-filter.png b/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-filter.png
diff --git a/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-sorting.png b/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-sorting.png
diff --git a/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-time.png b/articles/iot-central/core/media/howto-use-audit-logs/audit-logs-time.png
diff --git a/articles/iot-central/core/overview-iot-central-admin.md b/articles/iot-central/core/overview-iot-central-admin.md
@@ -60,6 +60,7 @@ In IoT Central, you can configure and manage security in the following areas:
 - Device access to your application.
 - Programmatic access to your application.
 - Authentication to other services from your application.
+- Use audit logs to track activity in your IoT Central application.
 
 To learn more, see the [IoT Central security guide](overview-iot-central-security.md).
 
@@ -85,13 +86,13 @@ An administrator can:
 
 To learn more, see [Create and use a custom application template](howto-create-iot-central-application.md#create-and-use-a-custom-application-template).
 
-## Integrate with DevOps pipelines
+## Integrate with Azure Pipelines
 
-Continuous integration and continuous delivery (CI/CD) refers to the process of developing and delivering software in short, frequent cycles using automation pipelines. You can use Azure DevOps pipelines to automate the build, test, and deployment of IoT Central application configurations.
+Continuous integration and continuous delivery (CI/CD) refers to the process of developing and delivering software in short, frequent cycles using automation pipelines. You can use Azure Pipelines to automate the build, test, and deployment of IoT Central application configurations.
 
 Just as IoT Central is a part of your larger IoT solution, make IoT Central a part of your CI/CD pipeline.
 
-To learn more, see [Integrate IoT Central into your Azure DevOps CI/CD pipeline](howto-integrate-with-devops.md).
+To learn more, see [Integrate IoT Central into your Azure CI/CD pipeline](howto-integrate-with-devops.md).
 
 ## Monitor application health
 
diff --git a/articles/iot-central/core/overview-iot-central-security.md b/articles/iot-central/core/overview-iot-central-security.md
@@ -3,7 +3,7 @@ title: Azure IoT Central application security guide
 description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to secure your IoT Central application. IoT Central security includes users, devices, API access, and authentication to other services for data export.
 author: dominicbetts 
 ms.author: dobett 
-ms.date: 04/12/2022
+ms.date: 07/25/2022
 ms.topic: conceptual
 ms.service: iot-central
 services: iot-central
@@ -22,6 +22,8 @@ In IoT Central, you can configure and manage security in the following areas:
 - Device access to your application.
 - Programmatic access to your application.
 - Authentication to other services from your application.
+- Use a secure virtual network.
+- Audit logs track activity in the application.
 
 ## Manage user access
 
@@ -90,6 +92,10 @@ To learn more, see:
 
 Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging. You may choose to lock down these destinations by using an Azure Virtual Network (VNet) and private endpoints. To enable IoT Central to connect to a destination on a secure VNet, configure a firewall exception. To learn more, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).
 
+## Audit logs
+
+Audit logs let administrators track activity within your IoT Central application. Administrators can see who made what changes at what times. To learn more, see [Use audit logs to track activity in your IoT Central application](howto-use-audit-logs.md).
+  
 ## Next steps
 
 Now that you've learned about security in your Azure IoT Central application, the suggested next step is to learn about [Manage users and roles](howto-manage-users-roles.md) in Azure IoT Central.
diff --git a/articles/iot-central/core/overview-iot-central-tour.md b/articles/iot-central/core/overview-iot-central-tour.md
@@ -40,40 +40,45 @@ You launch your IoT Central application by navigating to the URL you chose durin
 Once you're inside your IoT application, use the left pane to access various features. You can expand or collapse the left pane by selecting the three-lined icon on top of the pane:
 
 > [!NOTE]
-> The items you see in the left pane depend on your user role. Learn more about [managing users and roles](howto-manage-users-roles.md). 
+> The items you see in the left pane depend on your user role. Learn more about [managing users and roles](howto-manage-users-roles.md).
+
+<!-- TODO: Needs a new screenshot and entry. -->
 
 :::row:::
   :::column span="":::
-      :::image type="content" source="media/overview-iot-central-tour/navigation-bar.png" alt-text="left pane":::
+
+    :::image type="content" source="media/overview-iot-central-tour/navigation-bar.png" alt-text="left pane":::
 
   :::column-end:::
   :::column span="2":::
-     
-     **Devices** lets you manage all your devices.
 
-     **Device groups** lets you view and create collections of devices specified by a query. Device groups are used through the application to perform bulk operations.
+    **Devices** lets you manage all your devices.
+
+    **Device groups** lets you view and create collections of devices specified by a query. Device groups are used through the application to perform bulk operations.
 
-     **Device templates** lets you create and manage the characteristics of devices that connect to your application.
+    **Device templates** lets you create and manage the characteristics of devices that connect to your application.
 
-     **Data explorer** exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.
+    **Data explorer** exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.
 
-     **Dashboards** displays all application and personal dashboards. 
+    **Dashboards** displays all application and personal dashboards. 
 
-     **Jobs** lets you manage your devices at scale by running bulk operations.
+    **Jobs** lets you manage your devices at scale by running bulk operations.
 
-     **Rules** lets you create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.
+    **Rules** lets you create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.
 
-     **Data export** lets you configure a continuous export to external services such as storage and queues.
+    **Data export** lets you configure a continuous export to external services such as storage and queues.
 
-     **Permissions** lets you manage an organization's users, devices and data.
+    **Audit logs** lets you view changes made to entities in your application.
 
-     **Application** lets you manage your application's settings, billing, users, and roles.
+    **Permissions** lets you manage an organization's users, devices and data.
+
+    **Application** lets you manage your application's settings, billing, users, and roles.
     
-     **Customization** lets you customize your application appearance.
+    **Customization** lets you customize your application appearance.
+
+    **IoT Central Home** lets you jump back to the IoT Central app manager.
 
-     **IoT Central Home** lets you jump back to the IoT Central app manager.
-     
-   :::column-end:::
+  :::column-end:::
 :::row-end:::
 
 ### Search, help, theme, and support
diff --git a/articles/iot-central/core/overview-iot-central.md b/articles/iot-central/core/overview-iot-central.md
@@ -115,7 +115,7 @@ Build IoT solutions such as:
 
 ## Administer your application
 
-IoT Central applications are fully hosted by Microsoft, which reduces the administration overhead of managing your applications. Administrators manage access to your application with [user roles and permissions](howto-administer.md).
+IoT Central applications are fully hosted by Microsoft, which reduces the administration overhead of managing your applications. Administrators manage access to your application with [user roles and permissions](howto-administer.md) and track activity by using [audit logs](howto-use-audit-logs.md).
 
 ## Pricing
 
