Disable event ID 4627

Chau Le 86 Reputation points

Our splunk logs are getting maxed out because of event ID 4627. We have AD migrated users with sidhistory and their group membership is large.

Any case, how can we simply disabling auditing of this event ID from the DC's?


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,609 questions
No comments
{count} votes

1 answer

Sort by: Oldest
  1. Marilee Turscak-MSFT 22,311 Reputation points Microsoft Employee

    This appears to be more of a local AD question than an Azure AD question, but if you are referring to local event logs you can disable logon/logoff events by going to Security Settings >Advanced Audit Policy Configuration > System Audit Policies >Logon/Logoff: