Reach out to Omni support to have audit logs enabled for your instance.
Audit logs are detailed records of the activity your users are taking in Omni, which can be useful for security and performance analysis. Events included in logs are structured as JSON payloads and sent in batches to your cloud storage a few minutes after they’re written. For Azure, Omni hosts the storage. Omni creates a dedicated blob container for your instance and grants a Microsoft Entra application that you own read access to it. You read your logs by authenticating with your own application’s credential — there are no storage account keys or SAS tokens to manage, and no credentials are exchanged between you and Omni.

Requirements

To follow the steps in this guide, you’ll need:
  • To have audit logs enabled in your Omni instance
  • A multitenant Microsoft Entra application registered in your tenant, with a client secret or certificate
  • Permissions to register an application in your tenant and read its application (client) ID

Setup

After audit logs are enabled in your instance, complete the following:
Step 1. Register a multitenant Entra application

In the Microsoft Entra admin center, navigate to App registrations > New registration.
  • Set Supported account types to Accounts in any organizational directory (multitenant). This is required so Omni can create a service principal for your application in Omni’s tenant and grant it access.
  • Under Certificates & secrets, add a client secret or certificate. This credential stays in your tenant and is never shared with Omni.
  • Copy the Application (client) ID.
No API permissions are required — you can ignore (or remove) the default User.Read permission.

Step 2. Provide Omni support with your application details

Reach out to Omni support with the following:
  • Application (client) ID — the UUID of your multitenant application
  • Tenant ID — your Entra tenant ID (the application’s home tenant)

Step 3. Complete setup with Omni support

Omni provisions a service principal for your application in Omni’s tenant, creates your blob container, grants that service principal the Storage Blob Data Reader role on it, and starts delivering audit logs. Omni support will share:
  • Omni’s tenant ID — you authenticate against this tenant (see below)
  • The storage account name and container name for your logs

Reading the logs

Once configured, audit logs are automatically delivered to your container. Authenticate as your application using the client secret or certificate from Step 1.
Authenticate against Omni’s tenant ID (the tenant that hosts the storage), not your own home tenant. Your application’s service principal — and the read-access grant — live in Omni’s tenant, so a token issued by your own tenant is rejected with a 403 even though access is configured correctly.
With the Azure CLI:
# Sign in as your application, pointed at Omni's tenant.
az login --service-principal \
  --username <APPLICATION_CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <OMNI_TENANT_ID> \
  --allow-no-subscriptions

# List your audit log blobs. --auth-mode login uses your signed-in identity.
az storage blob list \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --container-name <CONTAINER_NAME> \
  --auth-mode login \
  --output table
You can also use a tool like Azure Storage Explorer or the Azure SDKs — in each case, set the tenant/authority to Omni’s tenant ID and the token scope to https://storage.azure.com/.default.
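The same flow as the CLI commands above, as an added example that is not Omni's own tooling: it uses only the Python standard library, requesting a token with the OAuth2 client-credentials grant against Omni's tenant and then calling the Blob Storage REST API directly, instead of the Azure CLI or SDK. Before touching storage it decodes the token's `tid` claim locally (no signature check, it is our own token) so the wrong-tenant 403 described above is caught up front. The placeholder IDs, the `x-ms-version` value, and the assumption that each delivered batch is either a JSON array or newline-delimited JSON objects are mine; the page does not describe the batch format.

```python
"""Read Omni audit logs from the blob container Omni provisions (added example).

Uses only the standard library: OAuth2 client-credentials against Microsoft
Entra plus the Azure Blob Storage REST API. Replace the placeholders below with
the values from the setup steps.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders (constructed): substitute the real values from setup.
APP_CLIENT_ID = "<APPLICATION_CLIENT_ID>"
CLIENT_SECRET = "<CLIENT_SECRET>"
OMNI_TENANT_ID = "<OMNI_TENANT_ID>"   # the tenant hosting the storage, NOT your home tenant
STORAGE_ACCOUNT = "<STORAGE_ACCOUNT_NAME>"
CONTAINER = "<CONTAINER_NAME>"

STORAGE_SCOPE = "https://storage.azure.com/.default"
XMS_VERSION = "2021-08-06"  # assumed; any Blob REST version supporting OAuth bearer tokens works


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request. Returns (url, form_body).

    The tenant in the URL decides which directory issues the token, so it must
    be Omni's tenant ID for the storage grant to apply.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    })
    return url, body


def token_claims(access_token):
    """Decode the payload of a JWT access token without verifying it.

    Local sanity check only: we inspect a token we obtained ourselves to see
    which tenant issued it. This is not signature validation.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_by_expected_tenant(access_token, expected_tenant_id):
    """True when the token's tid claim matches the tenant we meant to use."""
    return token_claims(access_token).get("tid") == expected_tenant_id


def fetch_token(tenant_id, client_id, client_secret):
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    if not issued_by_expected_tenant(token, tenant_id):
        raise RuntimeError("token was not issued by the requested tenant")
    return token


def blob_names(list_xml):
    """Extract blob names from a List Blobs (comp=list) XML response."""
    root = ET.fromstring(list_xml)
    return [b.findtext("Name") for b in root.iter("Blob")]


def parse_batch(text):
    """Assumed batch format: a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def storage_get(path, token, query=""):
    """GET from the storage account with a bearer token; explain a 403."""
    url = f"https://{STORAGE_ACCOUNT}.blob.core.windows.net/{path}{query}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("x-ms-version", XMS_VERSION)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise RuntimeError("403 from storage: confirm the token was requested "
                               "from Omni's tenant, not your home tenant") from e
        raise


def list_audit_log_blobs(token):
    return blob_names(storage_get(CONTAINER, token, "?restype=container&comp=list"))


def read_audit_events(token, blob_name):
    """Download one batch and return its events as a list of dicts."""
    return parse_batch(storage_get(f"{CONTAINER}/{blob_name}", token).decode())


if __name__ == "__main__":
    tok = fetch_token(OMNI_TENANT_ID, APP_CLIENT_ID, CLIENT_SECRET)
    for name in list_audit_log_blobs(tok):
        print(name, len(read_audit_events(tok, name)), "events")
```

Run it after filling in the placeholders; it prints each blob and the number of events it contains. The `tid` check is the part worth keeping in any tooling you write: a token minted by your own tenant is structurally valid and carries the right scope, yet the grant lives in Omni's tenant, so checking the issuer before the first storage call turns a confusing 403 into an immediate, specific error.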

Hardening

Your application only needs to read your audit logs. To keep its footprint minimal:
  • Least privilege is enforced on Omni’s side. Your application’s service principal is granted only the Storage Blob Data Reader role, scoped to your single audit-log container — no write access and no access to any other container or account.
  • Prefer a certificate over a client secret for the application credential, and rotate it regularly.
  • Restrict which tenants can use your application. In the app registration’s Authentication (Preview) blade, set Supported account types to multiple tenants and choose Allow only certain tenants (Preview), then add Omni’s tenant ID (and your own). This pins your multitenant application so it can only be used in your tenant and Omni’s, rather than any tenant that discovers it. This setting is in preview at the time of writing.

Next steps