Audit logs Activities

Microsoft Q & A 381 Reputation points
2021-07-26T10:22:43.193+00:00

Audit log entries with actions by "Microsoft Substrate Management" for a newly created user. I want to know how to stop them to appear. Is it something need to fix or any data loss activity.117943-image002.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,295 questions
0 comments No comments
{count} vote

Accepted answer
  1. VipulSparsh-MSFT 16,301 Reputation points Microsoft Employee
    2021-07-26T13:46:07.98+00:00

    @Microsoft Q & A Thanks for reaching out.

    The event that you see is because of a Dual-write concept which gets enabled on every tenant from Service Side. Normally when you create or modify user’s properties via Exchange Admin Center (EAC), Exchange Online PowerShell or other API, the change replicates to Azure Active Directory (AAD) through a sync mechanism which can take some time to complete. Simply put, you might not see the result of your change in AAD for a while due to this back-sync process.

    In Dual -write state, when you make user object changes in Exchange the changes will now be dual-written to AAD and EXO. The end result is that the replication of those properties should be close to immediate and changes made in EXO will immediately reflect in AAD when the cmdlet completes successfully.

    As part of dual-write operations, you will see audit log entries with actions taken by “Microsoft Substrate Management”. “Microsoft Substrate Management” is a service principal used by Exchange Online during dual-writing operations to AAD. These audit log entries refer to create/update/delete operations executed by EXO to AAD. These entries are informational in nature do not require any action.

    ---------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

Sort by: Most helpful
  1. Mr.Peter 0 Reputation points
    2023-02-07T09:22:11.0633333+00:00

    This is NOT a solution. We don't have a Sentinal, - don't want to - and need to know the actor for events that already happened. So how are we supposed to do that? Magically turn on the sentinel in the past?

    This is outrages how Microsoft is trying to upsell more of its useless services.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.