[object Object]

Audit logging is a compliance requirement and an operational liability. Configured naively, it doubles your storage in 18 months and makes every form save 30ms slower. Configured well, it answers any “who changed what” question instantly.

Three levels to configure

  1. Organization-level: master switch.
  2. Table-level: which tables audit at all.
  3. Column-level: which fields within an audited table track changes.

The default after enabling is “all tables, all columns.” This is wrong. Always.

What to actually audit

  • Tables with regulatory exposure: contact (PII), opportunity (revenue forecast), incident (SLA), and any custom table holding sensitive data.
  • Columns whose changes are evidence: ownership, status reason, security-relevant flags, financial amounts.

What to never audit

  • High-write columns updated by automation (last modified timestamps, calculated mirror fields).
  • Tables holding ephemeral data (workflow logs, BPF instances).
  • Note documentbody and any binary column. Audit only stores the change marker, but the row count balloons.

The retention dial

Audit retention is environment-wide, not per-table. Set it based on your weakest compliance requirement, then archive externally for tables needing longer retention. Default is 30 days in newer environments. SOX-regulated orgs typically need 7 years, which is a job for cold storage outside Dataverse.

Power Platform Admin Center -> Environment -> Settings 
-> Auditing -> Audit retention period

Audit access via API

The audit log is queryable via the Web API just like any table. Build a daily export to a data lake for long-term retention:

GET /api/data/v9.2/audits?$filter=createdon ge 2026-04-27T00:00:00Z
&$select=objectid,operation,changedata,userid,createdon

The changedata column is JSON with old and new values. Project to Parquet, drop into ADLS, compress 90:1.

Read auditing is a separate switch

Standard audit logs writes. Read auditing logs reads of secured columns and is opt-in per FSP. Use it for “who looked at the CEO’s compensation record” scenarios, not as a default; read audit volume is 10x write audit volume.

Audit log purge nuance

Microsoft retired the per-day audit purge UI a few years back. You now delete by date range only via the “Audit log retention” system job or the DeleteAuditData action. Plan retention before turning audit on; reducing retention later requires a job run, not an instant flip.

What to do this week

Open the audit configuration on your largest table and uncheck every column updated by a plugin or workflow. Those columns generate audit rows for changes no human made. The storage savings are immediate.

[object Object]
Share