This article applies exclusively to Configuration Manager SaaS
CoreView’s “Audit Logs” allow you to monitor activities performed in Configuration Manager SaaS. Among them, you can
- Track, store, and audit changes applied to configurations
- Identify who made a change, when, on which configuration, and using which parameters
- Distinguish the source of the change (e.g. manual action, backup, scheduled system process)
The Audit Log displays data relevant to the tenant you are logged into. Actions performed in other tenants will not be shown.
Based on your needs, you can either base your search on
- The actual change (a modified configuration, the Sync ID), for troubleshooting purposes, filtering parameters' values.
- The actions performed, if you are tracking your tenant's history.
How to filter through Audit Logs for troubleshooting
When searching through parameters, it’s important to know that you can only search based on the value of a parameter, not its name. This means:
- You cannot search by the parameter name (e.g., “DailySummaryEmails”).
- You must search using the actual value (e.g., “user@domain.com”).
Using filters for troubleshooting
For troubleshooting purposes, among others, you can:
- Filter by Sync ID: retrieve the Sync ID and input it into the “Notes” or “Parameters” column; doing so will display all actions linked to that specific sync process.
- Filter by configuration/settings: to analyze the change history of a given configuration, use its value to filter via the Parameters section or with the “Configuration Name” field.
- Filter by user or time: use the “Username” and “Created On” columns to identify which operator performed each change and when.
- Filter by status: filter by specific values like “BackupOnly”.
See the full legenda below.
Information available as columns and as values
Some details are presented in columns in the main “Audit Logs” view, while others are available by expanding the “Notes” or “Parameters” columns:
Information available as columns
| Column Name | Description |
|---|---|
| Action | Indicates the operation performed (e.g., Sync). |
| Username | Shows the operator or admin who executed the change. |
| Created on | Specifies when the action occurred. |
Information found under “Parameters”
| Parameters | Value description |
|---|---|
| ApprovalByUPN | Shows the admin approving or rejecting a Sync |
| ApprovalType | Shows whether the change has been approved, rejected, or rejected and reverted |
| Change Source | Identifies the origin of the change (such as Backup, Deploy, App Builder) |
| Comment | Shows comments that have been inserted (e.g. “Manual Sync Backup Only”) |
| Configuration Name | Lists the configuration(s) affected |
| DailySummaryEmails | Shows recipient of daily notification emails |
| ErrorNotificationEmails | Shows recipient of error notification emails |
| FileCount | Shows number of total resources changed |
| FileName | Lists name of added/removed/modified resource |
| IsScheduled | Shows “True” or “False” based on whether the Sync is scheduled |
| PendingApprovalEmails | Shows recipient of pending approval emails |
| Region | Tenant where the action occurs |
| ScheduleSetting | Shows whether it is enabled (true, false), the Cron Expression, and the timezone |
| StartedBy | Lists the operator starting the Sync |
| SyncFilterJson | Shows Sync filters settings |
| Sync ID | Serves as a unique identifier to group all changes associated with a specific sync process |
| SyncType | Lists the type of Sync (Preview, Deploy, BackupOnly) |
| SyncTypeSettings | Shows when Sync is enabled as Backup Only |
| TotalChangedProperties | Numeric value indicating the total number of properties that have changed |
| TotalResourceAdded | Numeric value indicating the total number of resources that have added |
| TotalResourceChanged | Numeric value indicating the total number of resources that have changed |
For deeper investigation, you can use filters.
Filtering by logged actions
The actions you can keep track of can be divided into macro-categories such as:
- Sync actions
- Post-Sync actions
- App Builder actions
- Configuration actions
This is especially useful if you want to keep track of the history of your tenant.
Sync actions
- When an operator starts a Sync
- When an operator cancels a running Sync
- Admin response to pending approval (approve, reject, and reject and revert)
- When an operator changes “Sync Settings”
Post-Sync actions
- Backup only (started by operator or by scheduled Sync)
- Changes made directly in the tenant (on Intune, for example), followed by BackupOnly
- Running a Reconcile, running Sync now, approving Sync
- Running a Reconcile, running Sync now, rejecting Sync
- Running a Reconcile, running Sync now, rejecting and reverting
- Reconcile with baseline, tenant, tenant snapshot.
- When running Reconcile with the “Sync Later” option, you can, after performing a sync, identify:
- Who reconciled the data
- Which baseline was used
- Which resource was updated
App Builder actions
- Creating or editing an App via App Builder
Configuration actions
- Applying configuration(s) to one or more tenants using “Apply to”
Suggested actions
Certain workflows may require additional review steps for complete analysis. The following operational tips are recommended:
- Running manual Sync for event visibility: for events such as “Sync Required” or pending approval changes, running a manual Sync (“Sync Now”) will ensure that related actions are recorded in the logs and available for audit.
- Managing pending changes: if unexpected pending changes appear, reject them and relaunch your own actions for full control, preventing unintended updates.