The Cloud Policy service and cloud update are features in the Microsoft 365 Apps admin center designed to keep your devices managed and up to date. As keeping the Microsoft 365 Apps current and configured according to organizational standards, there might be times you need to track down when a certain change was implemented or by whom.
Based on customer feedback, we are happy to announce that you can now track and audit changes in the Cloud Policy service and Cloud Update using Microsoft Purview auditing solutions if enabled. For Cloud Policy service, this includes changes to the policy configuration, such as name, description, priority, and individual policy settings. For Cloud Update, it covers changes to the profile's configuration, tenant-wide settings (e.g., device exclusions), and actions triggered for devices. Additionally, among other things, the date, time, and user account making the change are recorded.
This blog post shows you how to use Purview Audit to review changes in mentioned services. We will cover two methods: using the Purview user interface as well as using PowerShell. Both require Purview auditing enabled, access to the Purview portal, and specific permissions to search and view the audit log.
Microsoft Purview portal
One option is to use the Microsoft Purview portal to search for recorded activities. After signing in, navigate to Audit Search. Create a search for activities using either friendly names, operation names, or any combination of these. Refer to our documentation for a comprehensive list of Cloud Policy service activities and Cloud Update activities along with their respective names.
After completing the search, you can review the list of results and examine each item. The data points include date, time, user account associated with the change, and audit data that contains the specific change.
The above example shows the AuditData for an UpdatedPolicyOperation. It includes details like the policy configuration’s name, description, and targeted groups. Additionally, it lists three new policies with their PolicyID, names, and set values.
Full schema descriptions are available for Cloud Policy service and Cloud Update, listing all values used by it, including a description and any custom enumerations.
Microsoft PowerShell
Microsoft PowerShell can also be utilized to connect to the Purview service and execute audit searches. After configuration, the Search-UnifiedAuditLog command can be employed to conduct searches and display results on the console or pipe them into files.
The example above displays the results of an Audit log search for a Cloud Update event. In this case, the audit captured changes to tenant-wide settings concerning configured Exclusion windows and device exclusions. It details the names, settings, specific start, and end dates, as well as the user account who made the change and the time it was made. Similar to the Microsoft Purview portal, the results use specific schemas for Cloud Policy service and Cloud Update.
Additional Resources
For more information about Purview Audit see Learn about auditing solutions in Microsoft Purview
For more information about using Search in the Purview Audit portal see Search the Purview Audit log.
For additional information about the Cloud Policy service, refer to Overview of the Cloud Policy service for Microsoft 365
For additional information about the Cloud Update service, refer to Overview of cloud update for Microsoft 365 Apps
A full list of tracked activities is available for both Cloud Policy service and Cloud Update.
For more information on the schemas used, refer to Office 365 Management Activity API schema.
_____________________________________________________________________________________________
Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!
and learn about best practices directly from the product teams.