Just to add to this, at some point a while back, Read Auditing came out which started pushing stuff to the Security and Compliance Centre. One of the things it should be collecting is 'Signed in or Out'.
https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/admin/enable-use-comprehensive-auditing I was testing this at the time and while I was able to export some stuff, a lot of the switches didnt really work and the export was a mess with a lot of the useful stuff unfilterable.I have no idea whether this has changed at all in the months since but its possibly worth looking at to see what can be done with it now.Jamie
It's hard to tell exactly what permissions got me into it as we're using a PIM thing and I have to request Global Admin to get into the O365 admin just for licensing stuff. I have little idea where the other O365 admin roles get you to be honest as we've not used them.
Security and Compliance isn't our area either so I was surprised to be able to get into it without fighting the security guys for specific Privs.It feels like eventually all audits across power platfom stuff will end up in this area but the requirement for O365 admin rights outside of the D365 security roles brings its own confusion. This stuff is worth keeping an eye on the for improvements but we didn't find it to solve this requirement and ultimately resorted to XRMToolbox and/or giving up like everyone else.
<fetch version="1.0" output-format="xml-platform" mapping="logical" distinct="true" aggregate="true" no-lock="false" >
<entity name="audit" >
<attribute name="createdon" alias="lastlogon" aggregate="max" />
<attribute name="action" groupby="true" alias="actionid" />
<attribute name="userid" groupby="true" alias="name" />
<filter type="and" >
<condition attribute="action" operator="eq" value="64" />
<condition attribute="createdon" operator="on-or-after" value="2019-09-01" />
<link-entity name="systemuser" from="systemuserid" to="objectid" link-type="outer" alias="SystemUser" >
<attribute name="fullname" groupby="true" alias="fullname" />
<attribute name="isdisabled" groupby="true" alias="isdisable" />
<filter type="and" >
<condition attribute="isdisabled" operator="eq" value="0" />
If you've found this thread useful, dive deeper into User Group community content by role