Share via

Azure Active Directory Audit Logs

AlwaysLearning 0 Reputation points
Jun 27, 2023, 6:07 AM

Hi. I have a query regarding Azure Audit Logs > Modified Properties

Microsoft Workplace Search Service

ServicePrincipalName

["f3a218b7-5c8f-460b-93af-56b072788c15","https://thor.aesir.office.com/"]

["f3a218b7-5c8f-460b-93af-56b072788c15","https://thor.aesir.office.com/","https://df.thor.aesir.office.com"]

Microsoft Workplace Search Service

Included Updated Properties

"ServicePrincipalName"

Microsoft Workplace Search Service

TargetId.ServicePrincipalNames

"f3a218b7-5c8f-460b-93af-56b072788c15;https://thor.aesir.office.com/;https://df.thor.aesir.office.com"

See above something has been changed to a website I don't know and doesn't appear to be a Microsoft one.

BACKGROUND

A couple of user accounts emails stopped working. Upon investigation, I found that those 2 users had their licenses tampered with. The M365 Business Standard license module, it's made up of 28 elements. Most had been switched off, including the Exchange Online element. Upon enabling all 28 elements, their services were restored.

My admin account is secured using 2FA, and I'm the only admin. Obviously, I haven't changed anything so I'm currently investigating who and what has made the change.

I can also see when the change was made a little further up on the logs - see attached image.

Any help is gratefully received.

1 - shows the object licence change from and to

2 - shows top level user(s) who had their accounts changed and by what.2

1

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,897 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Tim R 0 Reputation points
    Jun 29, 2023, 9:00 PM

    No answer, but I'm curious to see what the answer is. I was looking at service principal sign-ins in Enterprise Apps Usage and Insights and saw an app called Thor that I didn't recognize. Oddly, I cannot search for it in Enterprise Apps by name, but can by the Application ID of f3a218b7-5c8f-460b-93af-56b072788c15. It was a search for that online that lead to your question from just a few days ago.


  2. Shweta Mathur 30,196 Reputation points Microsoft Employee
    Jun 30, 2023, 5:38 AM

    Hi AlwaysLearning •,

    Thanks for reaching out.

    Based on the information provided, it appears that the TEAMS_EXPLORATORY license was removed for the user, but the Office 365 premium license was still retained. It's possible that the mailbox should continue to function even with this change, as Exchange Online is not listed in the disabled plans.

    Could you please confirm if you are using Group-Based Licensing? If that is configured and there is a change in group membership for the impacted user, then this could be the reason for the license change.

    Group Based Licensing allows you to assign licenses to users based on their group membership, and any changes to group membership can result in changes to license assignments. It's possible that the user was removed from a group that had the TEAMS_EXPLORATORY license assigned, which resulted in the license being removed for the user.

    Could you confirm if GBL is being used and if there were any changes to group membership for the impacted user. This can help to determine the root cause of the license change.

    Thanks,

    Shweta

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.