0 Votes
AustinDsouza-5378 asked shashishailaj commented

Azure ad user verbose logs

Hi all,
I would like to know if it's possible to get the Azure and user verbose logs. I am not looking at sign-in or activity logs. What I am looking at is user activity like a user changing the network configuration, a user creating a VM, deleting a VM, etc.

Thank you

azure-active-directory

@AustinDsouza-5378, hope you are doing good. Please let us know in case the reply provided helped you. If the information helps, please do accept the post as answer so as to improve the relevancy of the answer.

0 Votes

1 Answer

1 Vote
ManuPhilip answered

Hello @AustinDsouza-5378,

Yes, it is possible. Make sure that the corresponding settings are enabled. I will explain the way in which you can enable it through Security & Compliance Center PowerShell.

Open PowerShell and type the following cmdlets one by one:

 Set-ExecutionPolicy RemoteSigned
 $UserCredential = Get-Credential
 $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
 Import-PSSession $Session -DisableNameChecking

Get the output of the following cmdlet and check if the 'verbose' logging is enabled in your tenant

 Get-AdminAuditLogConfig | fl AdminAuditLogEnabled, LogLevel,UnifiedAuditLogIngestionEnabled

The values are expected to be

AdminAuditLogEnabled : True
LogLevel : Verbose
UnifiedAuditLogIngestionEnabled : True

If not, set the values first

 Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

 Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets Get-*

This example enables administrator audit logging for every cmdlet and every parameter in the organization, with the exception of Get cmdlets.

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then choose Users from the menu on the left-hand side.

  3. Under Activity from the menu on the left-hand side, select Sign-ins.

  4. A list of sign-in events is shown, including the status. You can select an event to view more details.
    The Authentication Details or Conditional Access tab of the event details shows you the status code or which policy triggered the MFA prompt.
    Check the codes corresponding to user activity from the table here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting#downloaded-activity-reports-result-codes


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

Regards,

Manu
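
A check for the three values listed in the answer above, as an added example that is not part of the original answer and not Microsoft's code. `Test-AuditLogConfig` is a hypothetical helper name, and the sample object is constructed so the script runs without a tenant connection.

```powershell
# Added example: compare audit-log settings with the values the answer expects.
# Test-AuditLogConfig is a hypothetical helper name, not a Microsoft cmdlet.
function Test-AuditLogConfig {
    param(
        [Parameter(Mandatory)]
        [psobject]$Config   # object returned by Get-AdminAuditLogConfig
    )

    # Expected values, taken from the answer above.
    $expected = [ordered]@{
        AdminAuditLogEnabled            = 'True'
        LogLevel                        = 'Verbose'
        UnifiedAuditLogIngestionEnabled = 'True'
    }

    foreach ($name in $expected.Keys) {
        $prop = $Config.PSObject.Properties[$name]
        # A property that is absent is reported, never treated as a match.
        $actual = if ($null -eq $prop) { '<missing>' } else { [string]$prop.Value }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

# Constructed sample standing in for live output, so the script runs offline.
# In a connected session use: Test-AuditLogConfig -Config (Get-AdminAuditLogConfig)
$sample = [pscustomobject]@{
    AdminAuditLogEnabled            = $true
    LogLevel                        = 'None'
    UnifiedAuditLogIngestionEnabled = $false
}

$report = Test-AuditLogConfig -Config $sample
$report | Format-Table -AutoSize

# Collect the settings that differ so they can be alerted on or remediated.
$drift = @($report | Where-Object { -not $_.Ok })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the expected values: {1}" -f `
        $drift.Count, ($drift.Setting -join ', '))
}
```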

