Is there an audit event type cross-reference/combination list for Azure AD

Shawn Goodwin 156 Reputation points
2023-01-18T17:31:08.2266667+00:00

We are a publicly traded company and must comply with SOX and SOC compliance rules. Part of that compliance is conducting routine audits internally and providing audit log extracts to our external auditors.

The auditors are looking for the following categories of AAD configuration change events:

  • Integration changes with other in-scope systems.
  • Creation of a new AAD role or modifying the permissions assigned under an existing AAD role.
  • Relevant SOX workflow changes.
  • Transactions which truly indicate “new AAD accounts created” as opposed to "Add User" entries such as when existing guest users are invited to a SharePoint site.
  • Transactions that indicate a user’s account privilege was modified, including granting an AAD role to a regular user who previously didn’t have an AAD role and modifying a user’s AAD role assignment.

The problem I'm facing is how audit events are categorized. Producing an extract based simply on one or more Operation Names (Add user, Modify user, etc.) produces A LOT more than applicable. For example, an existing guest user invited to a SharePoint site shows up as an "Add user" event. I can exclude these results using additional fields and variables; however, iterating through this process for all the "undesirable events" would produce a VERY LARGE query. The other option is to build a query that looks only for "desirable events", which will be much smaller.

We can't be the first public company to face this hurdle. Before I devote the time to iterating through the logs I want to ask, is there a reference or document listing the combinations of "desirable" type events? For example, an "Add User" Operation Event combined with specific information from the Additional Details field. Even if just a "beta" list, anything that could get me started would be greatly appreciated.

Thank you for your time.

P.S. The external auditor has not been able to provide any support for this. They can only tell us the information they are looking for, not how to find it.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  Alfredo Revilla (MSFT) 26,756 Reputation points
    2023-01-18T21:15:37.1033333+00:00

    Hello. Azure AD audit logs are a comprehensive report on every logged event in Azure AD. In order to refine and/or shrink down the resulting dataset you can filter by category, activity and others. E.g. to obtain entries for non-guest users created you can filter by category "UserManagement", activity "Add user" with any targetResources with modifiedProperties that contains key "userType" and value "["Guest"]".

    Below you will find recommended categories and activities that will help you filter entries for the desired events:

    Event: Integration changes with other in-scope systems.
      Audit category: ApplicationManagement
      Audit activity: Add service principal

    Event: Creation of a new AAD role or modifying the permissions assigned under an existing AAD role.
      Audit category: RoleManagement
      Audit activity: Add role definition / Add role from template

    Event: Transactions which truly indicate “new AAD accounts created” as opposed to "Add User" entries such as when existing guest users are invited to a SharePoint site.
      Audit category: UserManagement
      Audit activity: Add user

    Event: Transactions that indicate a user’s account privilege was modified, including granting an AAD role to a regular user who previously didn’t have an AAD role and modifying a user’s AAD role assignment.
      Audit category: RoleManagement
      Audit activity: Add eligible member to role / Add member to role / Add member to role scoped over Restricted Management Administrative Unit / Add role assignment to role definition / Add scoped member to role

    Additionally, you can use MS Graph PowerShell SDK to retrieve your audit logs. In this sample we will retrieve new service principals added for multi-tenant applications:

    Connect-MgGraph -Scopes AuditLog.Read.All
    Get-MgAuditLogDirectoryAudit -Filter "category eq 'ApplicationManagement' and activityDisplayName eq 'Add service principal'"
    

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

    1 person found this answer helpful.
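The filtering the answer above describes (category plus activity, and for "Add user" an additional check on the modifiedProperties of the target resource) can be applied offline to exported audit JSON. The script below is an added example and is not code from the question, the answer or Microsoft; it assumes records shaped like the Microsoft Graph directoryAudit resource (category, activityDisplayName, targetResources[].modifiedProperties[] with displayName/oldValue/newValue), that a genuinely new tenant account is written with a UserType property of Member while a guest invitation is written with Guest, and that the property name is matched case-insensitively. The sample records are constructed, not real tenant data; the category/activity pairs come from the table in the answer.

```python
"""Filter Entra ID (Azure AD) directoryAudit records down to the auditor's
buckets. Added example, not the page's code. Record shape follows the
Microsoft Graph directoryAudit resource; SAMPLE_RECORDS below are
constructed, not real log data."""
import json

# Category/activity pairs taken from the answer's table.
RULES = {
    "integration_change": (
        "ApplicationManagement", {"Add service principal"}),
    "role_definition_change": (
        "RoleManagement", {"Add role definition", "Add role from template"}),
    "role_assignment_change": (
        "RoleManagement", {
            "Add eligible member to role",
            "Add member to role",
            "Add member to role scoped over Restricted Management Administrative Unit",
            "Add role assignment to role definition",
            "Add scoped member to role",
        }),
}


def decode_value(value):
    """modifiedProperties values arrive as JSON-encoded strings such as
    '["Member"]'; unwrap a single-element list to its scalar."""
    if value is None:
        return None
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return value
    if isinstance(parsed, list) and len(parsed) == 1:
        return parsed[0]
    return parsed


def user_type_of(record):
    """Return the new UserType written by an 'Add user' event, if any.
    Property name matching is case-insensitive (assumption)."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if (prop.get("displayName") or "").lower() == "usertype":
                return decode_value(prop.get("newValue"))
    return None


def classify(record):
    """Map one directoryAudit record to an auditor bucket, or None."""
    category = record.get("category")
    activity = record.get("activityDisplayName")
    if category == "UserManagement" and activity == "Add user":
        # Assumption: a new tenant account is written with UserType Member;
        # guest invitations (e.g. SharePoint sharing) write Guest and are
        # excluded from the extract.
        return "new_member_account" if user_type_of(record) == "Member" else None
    for label, (rule_category, activities) in RULES.items():
        if category == rule_category and activity in activities:
            return label
    return None


def extract(records):
    """Keep only in-scope records, as (id, bucket) pairs in input order."""
    out = []
    for record in records:
        label = classify(record)
        if label:
            out.append((record["id"], label))
    return out


def _add_user(rec_id, user_type):
    """Build a constructed 'Add user' record with the given UserType."""
    return {"id": rec_id, "category": "UserManagement",
            "activityDisplayName": "Add user",
            "targetResources": [{"type": "User", "modifiedProperties": [
                {"displayName": "UserType", "oldValue": None,
                 "newValue": json.dumps([user_type])}]}]}


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    _add_user("a1", "Member"),   # new tenant account: in scope
    _add_user("a2", "Guest"),    # guest invited to SharePoint: out of scope
    {"id": "a3", "category": "RoleManagement",
     "activityDisplayName": "Add member to role", "targetResources": []},
    {"id": "a4", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal", "targetResources": []},
    {"id": "a5", "category": "UserManagement",
     "activityDisplayName": "Update user", "targetResources": []},
]

if __name__ == "__main__":
    for rec_id, bucket in extract(SAMPLE_RECORDS):
        print(rec_id, bucket)
```

To run this against a real export, replace SAMPLE_RECORDS with the parsed output of the Graph directoryAudits endpoint (or the objects returned by Get-MgAuditLogDirectoryAudit converted to JSON); the allow-list approach keeps the filter short, which is the "desirable events" option the question weighs against enumerating every exclusion.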

0 additional answers
