Azure AD not recording Password Change event in Audit log

Rahul 236 Reputation points
2021-03-04T09:33:55.393+00:00

Hi Team,

I need some clarification related to Azure AD audit logs not capturing the password change event for synced users.

AAD Connect Current Configuration:

  • Password HashSync is Disabled
  • It's a federated environment (not using ADFS but other IDP)
  • Password WriteBack is Disabled

Problem is I don't see any event in Azure AD audit logs related to when user password got changed in-on premises AD. Requirement is I'm checking if our PAM solution is rotating end user password in AD and the same is recorded in Azure AD for Synced user.

Is this something because we have completely turned off Password HashSync in AAD Connect ?

Or is this by default that Azure AD never record any Password change event for Synced users from on-premises AD? (I believe this is not TRUE because in case of SSPR it records an event)

Let me know your views on this scenario.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,446 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-03-10T00:53:37.57+00:00

    To view password management reports you must be a global administrator, and you must opt-in for this data to be gathered on behalf of your organization.

    What type of password change is it? Is it a user or an admin performing the change?

    You should be able to see them under Users > Audit logs > Activity

    76009-image.png

    This page goes over the types of logs that are available. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-reporting

    0 comments