Auditing and Connections
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Auditing and Connections in Microsoft Dataverse
Introduction: Why Data Integrity Matters
In the world of enterprise applications, the ability to track "who did what, and when" is not just a regulatory requirement; it is a fundamental pillar of data governance. When you build solutions on Microsoft Dataverse, you are managing the lifeblood of an organization. Whether it is financial records, customer personal information, or internal project updates, the integrity of that data is paramount. This lesson explores two critical components of the Dataverse ecosystem: Auditing and Connections.
Auditing provides a historical trail of changes within your database. It allows administrators and compliance officers to reconstruct the state of a record at any point in time, identify unauthorized changes, and satisfy audit requirements for industry regulations like GDPR, HIPAA, or SOX. Without a robust auditing mechanism, your business data exists in a vacuum where accountability is impossible to enforce.
Connections, on the other hand, provide a flexible way to link records across different tables without requiring a rigid, formal relationship. While traditional relationships are defined by schema design (like a one-to-many lookup), Connections allow users to define ad-hoc, semantic relationships between records. For example, you might want to mark an Account as a "Competitor" to another Account, or link a Contact to a specific Project as an "External Consultant." By mastering both Auditing and Connections, you move from simply storing data to managing a transparent, interconnected information landscape.
Part 1: Mastering Dataverse Auditing
Auditing in Dataverse is a powerful, native feature that records changes to data and access to records. It is important to distinguish between "Data Auditing" (tracking changes to values) and "Access Auditing" (tracking who opened a record).
Enabling Auditing: A Layered Approach
Dataverse auditing is not "on" by default for everything. It requires a hierarchical configuration to ensure you are not creating unnecessary storage overhead while still capturing the data that matters.
- Environment Level: You must first enable auditing at the organization level in the Power Platform Admin Center. If this is disabled, no other settings will take effect.
- Table Level: Once the environment is enabled, you must enable auditing for specific tables.
- Column Level: Finally, you can choose to audit specific columns within an enabled table. This is crucial for storage management; you might want to audit a "Credit Limit" column but ignore a "Last Modified By" system field.
Callout: Audit Storage vs. Database Storage It is essential to understand that audit logs occupy space in your Dataverse environment, but they are stored differently than standard transactional data. Audit logs are kept in a specific storage quota dedicated to logs. Excessive auditing of high-volume tables (like activity feeds or integration logs) can deplete your log storage quota faster than expected. Always audit only what is necessary for compliance or troubleshooting.
Implementation Steps
To enable auditing for a specific table:
- Navigate to the Power Apps maker portal (make.powerapps.com).
- Select your solution and locate the table you wish to configure.
- Click on the "Settings" for that table.
- Expand the "Advanced options" section and ensure the "Audit changes to its data" checkbox is selected.
- Save the table configuration.
- Go to the "Columns" tab, select the specific column, and click "Advanced options" to ensure "Enable auditing" is checked for that individual field.
Practical Scenario: Tracking Sensitive Financial Data
Imagine you are building a system to manage vendor contracts. You have a "Contract" table with a "Total Value" field. If a user changes the value from $10,000 to $50,000, you need to know who performed that update and when. By enabling auditing on the "Total Value" field, you gain access to the "Audit History" tab on the form.
When you view the audit history, Dataverse displays a list of entries showing:
- Changed By: The user who made the change.
- Date/Time: The exact timestamp of the update.
- Field: The name of the column modified.
- Old Value: The value before the change.
- New Value: The value after the change.
Tip: You can use the
RetrieveRecordChangeHistoryRequestmessage via the Dataverse Web API to programmatically extract this audit information if you need to build custom reports or export logs to an external security information and event management (SIEM) system.
Part 2: Working with Connections
Connections allow you to relate two records that might not have a formal parent-child relationship. In the Dataverse metadata, a "Connection" is a specialized entity that acts as a bridge between two records.
Why Use Connections Instead of Lookups?
A lookup field (like "Primary Contact" on an Account) creates a hard schema constraint. It implies that a record belongs to another record. Connections are softer; they describe a relationship role.
Consider these differences:
- Lookup/Relationship: An Account has a "Main Office Address." This is a structural relationship.
- Connection: An Account is a "Supplier" for another Account. This is a functional, role-based relationship that might change over time.
Configuring Connection Roles
Before users can create connections, you must define "Connection Roles." A connection role defines the nature of the link (e.g., "Manager," "Colleague," "Competitor," "Partner").
- Navigate to Settings: In the Power Platform Admin Center or the classic interface settings, look for "Connection Roles."
- Define Roles: You can define a role, such as "Mentor." You can also specify the "Category," such as "Business," "Family," or "Social."
- Reciprocal Roles: You can define a reciprocal role. If "Person A" is the "Mentor" of "Person B," then "Person B" is automatically the "Protégé" of "Person A." This keeps your data clean and logical.
Practical Example: Project Resource Management
In a project management app, you might have a "Project" table and a "Contact" table. While a project has a "Project Manager" (a lookup), you might have several subject matter experts who are not officially assigned to the project but are "Consulting" on it.
By creating a connection role called "Consultant," you allow users to:
- Open the Project record.
- Navigate to the "Connections" subgrid.
- Add a new connection, selecting the Contact and the role "Consultant."
This allows for ad-hoc relationship mapping without cluttering your schema with dozens of lookup fields that might only be used for a small fraction of records.
Part 3: Technical Deep Dive – Auditing via API
While the UI is sufficient for most configurations, understanding how to interact with auditing via the Web API is vital for developers. If you are building a custom integration that needs to verify if a record has been modified, you can query the audit table directly.
Example: Retrieving Audit History via Web API
To retrieve the audit history for a specific record, you perform a GET request on the audits entity set.
GET [Organization URI]/api/data/v9.2/audits?$filter=objectid/Id eq [Record GUID]
Explanation of the Request:
audits: This is the system table that stores all audit records.$filter: We filter by theobjectid, which corresponds to the GUID of the record you are investigating.- The response will contain the
oldvalue,newvalue,action(e.g., Update, Create, Delete), and theuseridwho performed the action.
Warning: Querying the
audittable can be performance-intensive if you do not filter by a specific record or a narrow date range. Always include specific filters to avoid large data payloads that could impact your API limits or application performance.
Part 4: Best Practices and Industry Standards
Auditing Best Practices
- Audit Only What is Necessary: Do not enable auditing on every single column. Focus on PII (Personally Identifiable Information), financial data, and status fields. This saves storage space and improves system performance.
- Regular Log Cleanup: Dataverse allows you to delete audit logs that are older than a certain duration. Set up a retention policy that aligns with your organization's compliance requirements (e.g., keep logs for 7 years).
- Monitor Audit Settings: Periodically review which tables have auditing enabled. It is common for developers to enable auditing for troubleshooting during development and forget to disable it, leading to unnecessary storage consumption in production.
- Use Security Roles: Restrict who can view audit logs. The "View Audit History" privilege should be limited to administrators and compliance officers.
Connections Best Practices
- Keep Roles Simple: Do not create too many niche roles. If you find yourself creating hundreds of roles, you may actually need a formal table/entity relationship instead of a connection.
- Use Reciprocal Roles: Always define the reciprocal side of a connection to ensure that the relationship is understood from both directions.
- Leverage Subgrids: On your Model-Driven App forms, ensure the "Connections" subgrid is visible if you want users to utilize this feature. Without the subgrid, users will not be able to manage these relationships efficiently.
Part 5: Common Pitfalls and How to Avoid Them
Pitfall 1: The "Audit Blob" Mistake
Many developers enable auditing on long text fields or multi-line text boxes. If those fields are updated frequently, the audit log will grow exponentially, consuming your storage quota in days.
- Solution: Only audit text fields if they contain critical status updates or decision-making information. If you need to track changes to large text blocks, consider using a separate "Change Log" table where you store snapshots of the data.
Pitfall 2: Over-using Connections for Reporting
Connections are great for user visibility, but they are notoriously difficult to use in complex reports or Power BI dashboards. Because connections are stored in a junction table, performing joins in SQL or Power Query to find "all projects with a consultant" can be slow.
- Solution: If you need to report on a relationship across the entire database, use a formal 1:N or N:N relationship instead of Connections. Use Connections strictly for ad-hoc, user-level visibility.
Pitfall 3: Not Auditing Deletions
Dataverse auditing can track deletions. However, if a record is hard-deleted, the audit record remains, but the context of the record might be harder to interpret.
- Solution: Enable "Delete" auditing on critical tables. Furthermore, consider implementing "Soft Delete" (a status field like "Is Deleted") if you need to keep data available for historical reporting without it appearing in active views.
Part 6: Quick Reference Comparison
| Feature | Auditing | Connections |
|---|---|---|
| Primary Purpose | Compliance, Security, History | Ad-hoc linking of records |
| Data Storage | Audit Logs (separate quota) | Database (standard table) |
| User Interface | "Audit History" tab on form | "Connections" subgrid |
| Relationship Type | Temporal (Change over time) | Semantic (Role-based) |
| Reporting | Difficult (requires API/Audit table) | Moderate (requires joining tables) |
Part 7: Advanced Configuration: Audit Log Management
As a system administrator, you are responsible for the lifecycle of audit data. Dataverse provides a way to manage the size of your audit logs through the "Audit Log Management" area.
Managing Log Retention
- Navigate to Settings > Auditing > Audit Log Management.
- You will see a list of audit log files. These files are typically broken down by month or by size.
- You can delete logs that are no longer required for compliance.
- Crucial Note: You cannot delete the current, active log file. You must delete older, closed files.
This management is vital because once your audit storage reaches 100%, Dataverse may stop recording new audit entries, creating a compliance gap. Always set up alerts in the Power Platform Admin Center to notify you when storage reaches 80% or 90% capacity.
Part 8: Integrating Connections with Power Automate
Connections are not just for manual user input. You can automate the creation of connections using Power Automate. This is useful when a specific event (like creating an Opportunity) should automatically trigger a connection to a specific internal stakeholder.
Step-by-Step: Automating a Connection
- Trigger: When a row is added to the "Opportunity" table.
- Action: Use the "Add a new row" action targeting the "Connection" table.
- Mapping:
record1id: The GUID of the Opportunity.record2id: The GUID of the Stakeholder (Contact).record1roleid: The GUID of the "Accountable Stakeholder" role.record2roleid: The GUID of the "Project Opportunity" role.
This ensures that your data relationships remain consistent without requiring manual user intervention, reducing human error.
Part 9: Security Considerations for Audit Logs
The "View Audit History" privilege is a powerful one. By default, it is included in the System Administrator and System Customizer roles. However, you should audit your security roles to ensure that standard users do not have this privilege unless explicitly required.
If a user has access to a record, they can typically view the audit history of that record. This is an important distinction: auditing is not a security feature to hide data, but a transparency feature to reveal data history. If you have sensitive data that should not be visible in the history, you should re-evaluate whether that data should be stored in Dataverse at all, or if it should be encrypted/obfuscated.
Key Takeaways
- Auditing is for Accountability: It provides the "who, what, and when" of record changes, which is critical for meeting regulatory compliance and performing system forensics.
- Connections are for Flexibility: Use Connections when you need to link records in a way that is semantic or role-based, rather than structural or hierarchical.
- Storage Awareness: Audit logs consume specific storage. Always be selective about which columns you audit to avoid unnecessary storage costs and performance degradation.
- Lifecycle Management: Regularly review and delete old audit logs to ensure you do not hit storage limits, which could lead to a gap in your compliance records.
- Schema vs. Ad-hoc: If you need to report on a relationship, use a formal table relationship. If you just need a user to see that two records are related for context, use Connections.
- Reciprocity Matters: When defining connection roles, always define the reciprocal role to ensure the system understands the relationship from both sides.
- Automation: Use Power Automate to create connections automatically when business events occur to ensure consistent data quality and reduce manual entry errors.
By mastering these two components, you ensure that your Dataverse implementation is not only functional but also transparent, compliant, and easy to navigate for your end users. The combination of audit trails and semantic connections creates a mature environment that can scale with your organization's needs.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons