This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi Community,
Can you have a custom role with the microsoft.directory/auditLogs/allProperties/read role permission and use Admin Units to scope to devices only? Is this a scope'able permission?
Kind Regards,
Jamie
AUdit Logs are restricted to the users Admin units.
You could test that out and add devices to the units:
Thanks for the feedback Andy, I think I missed a point, I'm referring to the Audit Logs on an object in the Entra ID portal.
I'm not even 100% if the microsoft.directory/auditLogs/allProperties/read role permission is enough to give access to these Audit Logs generally let alone trying to scope them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
This permission is delegatable - as illustrated by https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference and the corresponding roles (such as Cloud Device Administrator) support Admin Unit-based delegation - so I'd expect this to work for custom roles as well.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin