How to track the creation of a user in Active directory Hybrid

Anielka Oliveros 115 Reputation points
2023-09-05T21:35:11.2533333+00:00

I have an hybrid environment and I have a situation where someone create a fake account, I look into AD on-premise and I don't have any logs for that user (I have logs for others). I look into AAD and I can't find where is the main app who create a user or whom?

Please someone can help me if there is a view or a script where I can find a complete trace for a user creation (security audit and compliance)

Thanks in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes

Accepted answer
  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2023-09-06T22:28:02.43+00:00

    Hi @Anielka Oliveros , you can locate a newly created user account in your Azure AD audit log by following these steps:

    1. Navigate to the audit log.
    2. In the toolbar, select Add filters.
    3. In the Pick a field list, select Target, and then select Apply.
    4. In the Target textbox, type the User Principal Name of the user you're looking for, and then select Apply.

    This will help you filter the audit log for the specific user account. You can then review the Audit Log Details to find more information about the user creation event.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.