Hello, Azure AD audit logs are a comprehensive report of every logged event in Azure AD. In order to refine and/or shrink down the resulting dataset you can filter by category, activity and other fields. E.g. to obtain entries for non-guest users created you can filter by category "UserManagement", activity "Add user" with any targetResources with modifiedProperties that contains key "userType" and value "["Guest"]".

Below you will find recommended categories and activities that will help you filter entries for the desired events:
| Events | Audit category | Audit activity |
|---|---|---|
| Integration changes with other in-scope systems. | ApplicationManagement | Add service principal |
| Creation of a new AAD role or modifying the permissions assigned under an existing AAD role. | RoleManagement | Add role definition / Add role from template |
| Transactions which truly indicate "new AAD accounts created" as opposed to "Add user" entries such as when existing guest users are invited to a SharePoint site. | UserManagement | Add user |
| Transactions which indicate a user's account privilege was modified, including granting an AAD role to a regular user who previously didn't have an AAD role and modifying a user's AAD role assignment. | RoleManagement | Add eligible member to role / Add member to role / Add member to role scoped over Restricted Management Administrative Unit / Add role assignment to role definition / Add scoped member to role |
Additionally, you can use the MS Graph PowerShell SDK to retrieve your audit logs. In this sample we will retrieve new service principals added for multi-tenant applications:

```powershell
# Sign in with the delegated permission needed to read directory audit logs
Connect-MgGraph -Scopes AuditLog.Read.All

# OData filter on the category/activity pair for new service principals
Get-MgAuditLogDirectoryAudit -Filter "category eq 'ApplicationManagement' and activityDisplayName eq 'Add service principal'"
```
Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
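The "Add user" filtering described in the answer, carried through as an added example (this is not the original answer's code or a Microsoft sample): the category/activity pair is applied server-side in the OData filter, and the `UserType` modified property on each target resource is then inspected client-side to separate member (non-guest) account creations from guest invitations. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account can consent to `AuditLog.Read.All`, and uses a constructed 7-day look-back window.

```powershell
# Added example: list "Add user" audit events from the last 7 days and classify each one
# as a Member or Guest creation by reading the modified "UserType" property.
# Assumes the Microsoft.Graph.Reports module is installed (Install-Module Microsoft.Graph.Reports).
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Server-side filter: the category/activity pair from the table, plus a constructed time window.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'UserManagement' and activityDisplayName eq 'Add user' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Client-side classification: NewValue for UserType is a JSON-encoded string such as ["Guest"].
$classified = foreach ($e in $events) {
    $userTypeProp = $e.TargetResources |
        ForEach-Object { $_.ModifiedProperties } |
        Where-Object { $_.DisplayName -eq 'UserType' } |
        Select-Object -First 1

    $isGuest = $false
    if ($userTypeProp -and $userTypeProp.NewValue) {
        # ConvertFrom-Json turns '["Guest"]' into the string Guest (or an array for longer lists)
        $isGuest = @($userTypeProp.NewValue | ConvertFrom-Json) -contains 'Guest'
    }

    # Actor may be a user or an application (app-only automation); report whichever is present
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
             else { $e.InitiatedBy.App.DisplayName }

    [pscustomobject]@{
        When        = $e.ActivityDateTime
        InitiatedBy = $actor
        Target      = ($e.TargetResources | Select-Object -First 1).UserPrincipalName
        UserType    = if ($isGuest) { 'Guest' } else { 'Member' }
        Result      = $e.Result
    }
}

# Member creations are the rows that truly represent "new AAD accounts created";
# Guest rows are typically B2B invitations (e.g. sharing to a SharePoint site).
$classified | Where-Object UserType -eq 'Member' | Sort-Object When | Format-Table -AutoSize
```

Keeping the `UserType` check on the client is deliberate: `modifiedProperties` is a nested collection, and filtering on it in the OData `$filter` is not reliably supported across SDK versions, whereas the category/activity/time predicates are cheap for the service to evaluate and cut the volume before anything is downloaded.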