How to audit the creator of an Enterprise Application in Azure

Stalder Jonas 0 Reputation points
2024-02-07T16:11:00.8033333+00:00

Hi, I'm trying to get the creator of an "Enterprise Application" as soon as someone creates one, using the query below.

AuditLogs
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Add application"
| mv-expand TargetResources
| extend AppDisplayname=TargetResources.displayName, AppID=TargetResources.id
| extend PrincipalName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, iff(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, "No Reference" ))
| extend PrincipalID= iff(isnotempty(InitiatedBy.user.id), InitiatedBy.user.id, iff(isnotempty(InitiatedBy.app.servicePrincipalId), InitiatedBy.app.servicePrincipalId, "No Reference"))

Usually, InitiatedBy is of type "app", named "AAD App Management", as long as the app has been created by a user through Azure Portal > Enterprise Applications. Because of that, I do not have any information about the creator of the app.

Is there a way to correlate this to the creator?

Tags: Microsoft Sentinel, Microsoft Entra ID

3 answers

  1. Clive Watson 5,716 Reputation points MVP
    2024-02-08T12:50:36.78+00:00

    I think this may be a start to help you answer this question (this is more theory than a well-tested answer). Do you have the tables CloudAppEvents and SigninLogs?

    AuditLogs
    | where Category =~ "ApplicationManagement"
    | where OperationName =~ "Add application"
    | mv-expand TargetResources                     // one row per target resource
    | extend AppDisplayname=TargetResources.displayName, AppID=TargetResources.id
    | extend PrincipalName = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, iff(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, "No Reference" ))
    | extend PrincipalID= iff(isnotempty(InitiatedBy.user.id), InitiatedBy.user.id, iff(isnotempty(InitiatedBy.app.servicePrincipalId), InitiatedBy.app.servicePrincipalId, "No Reference"))
    // hop 1: the audit CorrelationId should surface as InterSystemsId in CloudAppEvents
    | join 
    (
        CloudAppEvents
        | where isnotempty(RawEventData.InterSystemsId)
        | project InterSystemsId = tostring(RawEventData.InterSystemsId), AccountId
    ) on $left.CorrelationId == $right.InterSystemsId
    // hop 2: resolve the AccountId to a display name via SigninLogs
    | join 
    (
        SigninLogs 
        | project ResourceIdentity, UserDisplayName, ResourceDisplayName 
    ) on $left.AccountId == $right.ResourceIdentity
    
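The following is an added worked example, not code from the question or from Clive Watson's answer. It re-implements in Python the PrincipalName/PrincipalID fallback from the question's KQL and the two-hop join from the answer above (CorrelationId -> CloudAppEvents.RawEventData.InterSystemsId -> AccountId -> SigninLogs.ResourceIdentity), over three constructed tables that mirror the exported column names, so the correlation logic can be exercised offline. Every GUID, UPN, app name and correlation id below is invented; the `still_unattributed` helper is my addition and flags the events the joins still cannot tie to a person.

```python
"""Correlate "Add application" audit events to a human creator (added example)."""

from __future__ import annotations

from typing import Any

NO_REF = "No Reference"  # same sentinel as the question's KQL

# --- constructed sample tables (invented values, not real tenant data) --------
SAMPLE_AUDIT_LOGS: list[dict[str, Any]] = [
    {   # created via App registrations: the user is recorded directly
        "Category": "ApplicationManagement", "OperationName": "Add application",
        "CorrelationId": "corr-0001",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "11111111-1111-1111-1111-111111111111"}},
        "TargetResources": [{"displayName": "Payroll API", "id": "aaaa-1"}],
    },
    {   # created via Enterprise applications: only the platform app is recorded
        "Category": "ApplicationManagement", "OperationName": "Add application",
        "CorrelationId": "corr-0002",
        "InitiatedBy": {"app": {"displayName": "AAD App Management",
                                "servicePrincipalId": "f0f0f0f0-0000-0000-0000-000000000001"}},
        "TargetResources": [{"displayName": "Salesforce", "id": "aaaa-2"}],
    },
    {   # same path, but nothing in CloudAppEvents carries its CorrelationId
        "Category": "ApplicationManagement", "OperationName": "Add application",
        "CorrelationId": "corr-0004",
        "InitiatedBy": {"app": {"displayName": "AAD App Management",
                                "servicePrincipalId": "f0f0f0f0-0000-0000-0000-000000000001"}},
        "TargetResources": [{"displayName": "Workday", "id": "aaaa-4"}],
    },
    {   # different operation: must be filtered out
        "Category": "ApplicationManagement", "OperationName": "Update application",
        "CorrelationId": "corr-0003",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "id": "2222"}},
        "TargetResources": [{"displayName": "Payroll API", "id": "aaaa-1"}],
    },
]
SAMPLE_CLOUD_APP_EVENTS: list[dict[str, Any]] = [
    {"RawEventData": {"InterSystemsId": "corr-0002"},
     "AccountId": "33333333-3333-3333-3333-333333333333"},
    {"RawEventData": {}, "AccountId": "44444444-4444-4444-4444-444444444444"},  # no id: ignored
]
SAMPLE_SIGNIN_LOGS: list[dict[str, Any]] = [
    {"ResourceIdentity": "33333333-3333-3333-3333-333333333333",
     "UserDisplayName": "Jane Doe", "ResourceDisplayName": "Azure Portal"},
]


def principal_of(initiated_by: dict[str, Any] | None) -> tuple[str, str]:
    """PrincipalName/PrincipalID exactly as the question's iff() chains: user first, then app."""
    user = (initiated_by or {}).get("user") or {}
    app = (initiated_by or {}).get("app") or {}
    name = user.get("userPrincipalName") or app.get("displayName") or NO_REF
    pid = user.get("id") or app.get("servicePrincipalId") or NO_REF
    return name, pid


def attribute_creators(audit_logs, cloud_app_events, signin_logs) -> list[dict[str, Any]]:
    """One row per (event, target resource), annotated with both join hops.

    Unlike the KQL inner joins, unmatched rows are kept with None so the break
    in the chain stays visible instead of silently dropping the event.
    """
    account_by_corr: dict[str, Any] = {}
    for ev in cloud_app_events:
        isid = (ev.get("RawEventData") or {}).get("InterSystemsId")
        if isid:  # where isnotempty(RawEventData.InterSystemsId)
            account_by_corr.setdefault(str(isid), ev.get("AccountId"))
    user_by_resource: dict[str, Any] = {}
    for s in signin_logs:
        user_by_resource.setdefault(s.get("ResourceIdentity"), s.get("UserDisplayName"))

    rows: list[dict[str, Any]] = []
    for rec in audit_logs:
        # =~ in KQL is a case-insensitive comparison
        if (rec.get("Category") or "").casefold() != "applicationmanagement":
            continue
        if (rec.get("OperationName") or "").casefold() != "add application":
            continue
        name, pid = principal_of(rec.get("InitiatedBy"))
        by_user = bool(((rec.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName"))
        account = account_by_corr.get(rec.get("CorrelationId"))
        for target in rec.get("TargetResources") or []:  # mv-expand TargetResources
            rows.append({
                "AppDisplayname": target.get("displayName"), "AppID": target.get("id"),
                "PrincipalName": name, "PrincipalID": pid, "InitiatedByUser": by_user,
                "CorrelationId": rec.get("CorrelationId"), "AccountId": account,
                "UserDisplayName": user_by_resource.get(account) if account else None,
            })
    return rows


def still_unattributed(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Events with no user in InitiatedBy and no resolved UserDisplayName (added helper)."""
    return [r for r in rows if not r["InitiatedByUser"] and r["UserDisplayName"] is None]


if __name__ == "__main__":
    result = attribute_creators(SAMPLE_AUDIT_LOGS, SAMPLE_CLOUD_APP_EVENTS, SAMPLE_SIGNIN_LOGS)
    for r in result:
        print(r["AppDisplayname"], "->", r["PrincipalName"], "/", r["UserDisplayName"])
    print("unattributed:", [r["AppDisplayname"] for r in still_unattributed(result)])
```

On the constructed data, "Payroll API" is attributed directly from InitiatedBy.user, "Salesforce" is resolved to "Jane Doe" through both hops, and "Workday" ends up in `still_unattributed` because no CloudAppEvents row carries its CorrelationId. One caveat before relying on the second hop in a real workspace: it keys AccountId against SigninLogs.ResourceIdentity exactly as the answer does, and in SigninLogs that column identifies the resource that was signed into rather than the signing user, so validate that the join actually matches on your own data rather than assuming it.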

  2. Akhilesh 5,090 Reputation points Microsoft Vendor
    2024-02-08T14:25:57.52+00:00

    Hi @Stalder Jonas

    Thank you for posting your query on Q&A.

    For your query it seems that you are trying to retrieve the creator of an Enterprise Application in Entra ID.

    To know who created an enterprise application in Entra ID, you can use the Audit Logs feature, which records various activities of your applications.

    To check the audit logs, sign in to the Entra admin center -> Identity -> Monitor & health -> Audit logs.
    Add the filters according to your date range and set the filters as Service: All, Category: All, Activity: Add application, Initiated by (actor): starts with. You will get the list of audits related to application management; by selecting the appropriate one from the list you will get the details of the application.

    Log storage within Microsoft Entra varies by report type and license type. For more information, please refer to How long does Microsoft Entra ID store the data?

    I hope this information helps! Please feel free to ask any questions you may have.

    Thanks,

    Akhilesh.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Per B. Olsen 0 Reputation points
    2024-04-26T10:17:14.51+00:00

    We've just hit the same problem: no audit of the user when the SPNs/Enterprise Applications are created via the portal UI. That is, if one starts in the Enterprise Application screen, then there is no notion in the audit log of who did it. But if one creates an App Registration first, the InitiatedBy is filled in for the Enterprise Application. There are about 6 "appTypes" that an Enterprise Application can be (a hidden field that can be seen by debugging the browser; look for main.iam.ad.ext.azure.com calls), but it seems that the Ent App experience (type 5) is the one without audit.

    I would like to retrieve the audit log via Graph, either REST or the PS wrappers. Does anyone know if @Clive Watson's Kusto suggestion worked, and which raw logs I could retrieve via Graph to get the same result?