What is the difference (if any) between Azure Active Directory (Azure AD) activity logs (audit + sign in + provisioning) and Tenant Activity Logs?

Question

What is the difference (if any) between Azure Active Directory (Azure AD) activity logs (audit + sign in + provisioning) and Tenant Activity Logs?

andrei 45

Here is the documentation for Azure Active Directory (Azure AD) activity logs (audit logs and there is the others documentations for sign in and provisioning): https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

Here is the Tenant Activity logs list API: https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs/list?tabs=HTTP

Are those the very same events? Or is there a difference?

Another reason that made me believe they are the same logs is that only the Azure Active Directory (Azure AD) activity logs (audit logs + sign in and provisioning) seems to be mentioned here: https://learn.microsoft.com/en-us/azure/azure-monitor/data-sources#azure-tenant

Thank you!

anza 856 Reputation points

2023-09-01T13:45:22.4566667+00:00
as i understand concepts

you have users, groups, (and more) ... in directory that is called tenant

subscriptions as azure & 365 are linked to single tenant from where subscription gets identities for authentication

regarding the difference between 'Azure AD Tenant Activity Logs' and 'Azure AD Tenant Audit Logs' as I understand

the key difference is in their focus and content

Azure AD Tenant Activity Logs: primarily for monitoring the health and performance of the Azure AD service itself
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-activity-logs#azure-ad-monitoring

Azure AD Tenant Audit Logs: for tracking user and administrative activities within your Azure AD tenant, making them essential for security, compliance, and troubleshooting user-related issues
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-activity-logs

hope this helps and my understanding is not too off
regards
anza 856 Reputation points

2023-09-01T13:51:56.0933333+00:00
AAD sign in log is focused only on authentication and captures user sign-in activities (identity, location ,device info, optiona mfa, auth result, ...)
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/what-you-get-with-azure-ad-audit

AAD provisioning log captures information regarding synchronization and management (creation/update/deletion) of user identities between Azure AD Connect or other provisioning solutions
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-provisioning-logs

regards

Accepted answer

1 additional answer

Your answer

anza 856 Reputation points

2023-09-01T13:45:22.4566667+00:00

as i understand concepts

you have users, groups, (and more) ... in directory that is called tenant

subscriptions as azure & 365 are linked to single tenant from where subscription gets identities for authentication

regarding the difference between 'Azure AD Tenant Activity Logs' and 'Azure AD Tenant Audit Logs' as I understand

the key difference is in their focus and content

Azure AD Tenant Activity Logs: primarily for monitoring the health and performance of the Azure AD service itself
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-activity-logs#azure-ad-monitoring

Azure AD Tenant Audit Logs: for tracking user and administrative activities within your Azure AD tenant, making them essential for security, compliance, and troubleshooting user-related issues
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-activity-logs

hope this helps and my understanding is not too off
regards
anza 856 Reputation points

2023-09-01T13:51:56.0933333+00:00

AAD sign in log is focused only on authentication and captures user sign-in activities (identity, location ,device info, optiona mfa, auth result, ...)
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/what-you-get-with-azure-ad-audit

AAD provisioning log captures information regarding synchronization and management (creation/update/deletion) of user identities between Azure AD Connect or other provisioning solutions
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-provisioning-logs

regards

Answer 1

Shweta Mathur 30,301 Microsoft Employee Moderator

Hi @andrei ,

Thanks for reaching out.

Yes, the Azure Active Directory (Azure AD) activity logs mentioned in the documentation you provided include audit logs, sign-in logs, and provisioning logs**.** These logs provide a comprehensive report on every logged event in Azure AD, including changes to applications, groups, users, and licenses.

The Tenant Activity logs list API you mentioned is a part of Azure Monitor, which is a platform service that provides a single source for monitoring Azure resources and applications. The Tenant Activity logs list API allows you to retrieve the activity logs for your Azure tenant, including Azure AD activity logs.

So, to answer your question, the Tenant Activity logs list API and the Azure AD activity logs are not different logs, but rather the API provides a way to retrieve the Azure AD activity logs along with other activity logs for your Azure tenant.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

andrei 45 Reputation points

2023-09-05T16:09:46.48+00:00

Thanks for your answer!

So, If I understand correctly, the Tenant Activity logs LIST API returns the Azure AD activity logs (sign-in + audit logs + provisioning logs) + other tenant related logs.

I don't know if this is the place where I can ask this question too but what roles or what API permissions should I assign to my service principal (which was created using an Application Registration within Azure AD) in order to be able to successfully call the Tenant Activity logs LIST API? I've tried to assign even the Global Administrator role at AAD level but it is not working. To add more information, I was able to successfully call the Tenant Activity logs LIST API using the token retrieved with DefaultAzureCredential Class https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python (with exclude_interactive_browser_credential set to False) and login with my Azure User (which has the Global Administrator role assigned) through the browser. It worked that way and I've received the logs.
Shweta Mathur 30,301 Reputation points Microsoft Employee Moderator

2023-09-06T06:53:00.66+00:00

Hi andrei

Yes, you are correct. The Tenant Activity logs LIST API returns the Azure AD activity logs (sign-in + audit logs + provisioning logs) + other tenant related logs.

Regarding your question, to call the Tenant Activity logs LIST API, you need to assign the "Monitoring Reader" Azure built-in role to your service principal account at the root scope of your managing tenant.

Reference - https://learn.microsoft.com/en-us/azure/azure-monitor/roles-permissions-security#monitoring-reader
andrei 45 Reputation points

2023-09-06T08:50:55.49+00:00

Shweta thanks again!!

Using your response and this thread: https://learn.microsoft.com/en-us/answers/questions/957054/how-can-i-assign-rbac-roles-on-the-tenant-root-man

I was able to assign the correct role to my service principal (created using app registration) and collect the tenant activity logs using the LIST API.

Many thanks!

Answer 2

David Broggy 6,376 MVP Volunteer Moderator

Hi test,

If you go one level up in the documentation from the link you provided, it's states that the 'tenant logs' are in fact the Azure Activity logs.

https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs

Hope that helps.

andrei 45 Reputation points

2023-09-04T09:17:22.7466667+00:00

Thanks for your response!

Seems like, using the tenant logs list API (described here: https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs) I am able to see audit activity from changing the AAD Monitoring diagnostic settings. But, those events are not delivered through AAD Audit logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs)

So, seems like that tenant activity logs list API returns different events than AAD Sign-in + Audit logs + Provisioning logs combined

Share via

What is the difference (if any) between Azure Active Directory (Azure AD) activity logs (audit + sign in + provisioning) and Tenant Activity Logs?

1 additional answer

Your answer