How to track the creation of a user in Active directory Hybrid

Anielka Oliveros 25 Reputation points

I have an hybrid environment and I have a situation where someone create a fake account, I look into AD on-premise and I don't have any logs for that user (I have logs for others). I look into AAD and I can't find where is the main app who create a user or whom?

Please someone can help me if there is a view or a script where I can find a complete trace for a user creation (security audit and compliance)

Thanks in advance.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
16,634 questions
{count} votes

1 answer

Sort by: Most helpful
  1. James Hamil 17,766 Reputation points Microsoft Employee

    Hi @Anielka Oliveros , you can locate a newly created user account in your Azure AD audit log by following these steps:

    1. Navigate to the audit log.
    2. In the toolbar, select Add filters.
    3. In the Pick a field list, select Target, and then select Apply.
    4. In the Target textbox, type the User Principal Name of the user you're looking for, and then select Apply.

    This will help you filter the audit log for the specific user account. You can then review the Audit Log Details to find more information about the user creation event.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,


    0 comments No comments