No answer, but I'm curious to see what the answer is. I was looking at service principal sign-ins in Enterprise Apps Usage and Insights and saw an app called Thor that I didn't recognize. Oddly, I cannot search for it in Enterprise Apps by name, but can by the Application ID of f3a218b7-5c8f-460b-93af-56b072788c15. It was a search for that online that lead to your question from just a few days ago.
Azure Active Directory Audit Logs
Hi. I have a query regarding Azure Audit Logs > Modified Properties
Microsoft Workplace Search Service
ServicePrincipalName
["f3a218b7-5c8f-460b-93af-56b072788c15","https://thor.aesir.office.com/"]
["f3a218b7-5c8f-460b-93af-56b072788c15","https://thor.aesir.office.com/","https://df.thor.aesir.office.com"]
Microsoft Workplace Search Service
Included Updated Properties
"ServicePrincipalName"
Microsoft Workplace Search Service
TargetId.ServicePrincipalNames
"f3a218b7-5c8f-460b-93af-56b072788c15;https://thor.aesir.office.com/;https://df.thor.aesir.office.com"
See above something has been changed to a website I don't know and doesn't appear to be a Microsoft one.
BACKGROUND
A couple of user accounts emails stopped working. Upon investigation, I found that those 2 users had their licenses tampered with. The M365 Business Standard license module, it's made up of 28 elements. Most had been switched off, including the Exchange Online element. Upon enabling all 28 elements, their services were restored.
My admin account is secured using 2FA, and I'm the only admin. Obviously, I haven't changed anything so I'm currently investigating who and what has made the change.
I can also see when the change was made a little further up on the logs - see attached image.
Any help is gratefully received.
1 - shows the object licence change from and to
2 - shows top level user(s) who had their accounts changed and by what.
2 answers
Sort by: Most helpful
-
-
Shweta Mathur 30,196 Reputation points Microsoft Employee
Jun 30, 2023, 5:38 AM Hi AlwaysLearning •,
Thanks for reaching out.
Based on the information provided, it appears that the TEAMS_EXPLORATORY license was removed for the user, but the Office 365 premium license was still retained. It's possible that the mailbox should continue to function even with this change, as Exchange Online is not listed in the disabled plans.
Could you please confirm if you are using Group-Based Licensing? If that is configured and there is a change in group membership for the impacted user, then this could be the reason for the license change.
Group Based Licensing allows you to assign licenses to users based on their group membership, and any changes to group membership can result in changes to license assignments. It's possible that the user was removed from a group that had the TEAMS_EXPLORATORY license assigned, which resulted in the license being removed for the user.
Could you confirm if GBL is being used and if there were any changes to group membership for the impacted user. This can help to determine the root cause of the license change.
Thanks,
Shweta