entra
Application permission
- AuditLog.Read.All
Documentation
These launch notes cover setup, permissions, usage, and disconnection. Expanded connector and delivery documentation will follow.
Getting Started
Use a Microsoft work or school account. Your organization's Conditional Access and MFA policies still apply.
Create the MSP or consulting organization that will own customer tenant connections.
Add the customer tenant and choose the Entra, Intune, or Teams workloads to monitor.
A customer administrator grants consent separately for each enabled read-only connector app.
Permissions Explained
The service cannot modify monitored Microsoft 365 configurations. Teams monitoring subscriptions are created only because Microsoft requires them for change delivery.
Application permission
Application permission
Application permission
Quotas and Billing
One persisted canonical change that matches an enabled rule, is not suppressed, and has not already been counted is one billable change. Multiple destinations, retries, tests, health notifications, warnings, duplicate source events, and unmatched events do not add usage. Paid plans receive a 20 percent grace allowance before individual external delivery changes to one daily quota summary per tenant.
Disconnecting
Disconnect the workload in ChangeWitness to stop collection and remove active Microsoft monitoring subscriptions. Then revoke enterprise-application consent in Microsoft Entra. Tenant deletion is a separate confirmed action with a 7-day recoverable period.
Connector health may briefly show a revoked-permission state if Microsoft consent is removed before the workload is disconnected in ChangeWitness.