AzureAD App registrations: no audit logs for Client Credential flow

Maurice L 26 Reputation points
2020-08-27T10:54:48.443+00:00

I've been looking around for a few months but I've been unable to find this:
Are there any signin activity logs for AzureAD apps which use the Client Credential Flow?

At the moment only the flow for delegated permissions creates audit logs, but the apps which use the client credential flow produce no audit logs at all (at least none which I've been able to find).

To clarify: the client credential flow is used for "headless" applications (PowerShell scripts for instance) which request an OAuth token using only the ClientId + a clientSecret.
Since I can't find any audit logs regarding tokens issued (to which application was a token issued at which timestamp), this causes a major "black spot" in our security auditing.

Maybe I've been looking in the wrong places, since I would expect to be able to get audit logs for this. If a key is compromised there is no way for me at the moment to notice this (our scripts run at specific times, so if I see an OAuth token issued outside of the regular hours the scripts run, I know that a key has been compromised).


Accepted answer
  1. soumi-MSFT 11,776 Reputation points Microsoft Employee
    2020-08-27T11:25:57.5+00:00

    @Maurice L, Thank you for reaching out. Unfortunately, we do not have the option to collect sign-in logs for the Client-Credentials flow. Client Credential Flow is referred to as a non-interactive flow and currently, we are only registering the interactive flows in Azure AD sign-in logs.

    But the good news is, we are getting this feature of registering sign-in logs for non-interactive login also pretty soon. You can find more details here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31991029-make-spn-non-interactive-login-events-logged-and

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

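Once non-interactive service principal sign-ins are logged, the check the question describes (an OAuth token issued to a client-credential app outside the hours its script normally runs) can be scripted against exported records. The following is an added example, not code from this thread or from Microsoft. The record layout and field names (`createdDateTime`, `appId`, `servicePrincipalName`, `ipAddress`) are assumptions modelled loosely on service principal sign-in records, not an official schema; the sample records, app IDs and run windows are constructed for the example.

```python
"""Flag client-credential token issuances that fall outside each app's expected
run window, or that come from an app with no known schedule at all.

Added example: the record layout is an assumption, not an official Entra ID /
Azure AD schema, and all sample data below is constructed."""
import json
from datetime import datetime, time, timezone

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"createdDateTime": "2020-08-27T02:05:11Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "nightly-backup", "ipAddress": "10.0.0.5"}
{"createdDateTime": "2020-08-27T14:30:00Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "nightly-backup", "ipAddress": "203.0.113.9"}
{"createdDateTime": "2020-08-27T09:00:42Z", "appId": "22222222-aaaa-4bbb-8ccc-000000000002", "servicePrincipalName": "hourly-sync", "ipAddress": "10.0.0.6"}
{"createdDateTime": "2020-08-27T09:03:00Z", "appId": "33333333-aaaa-4bbb-8ccc-000000000003", "servicePrincipalName": "unknown-app", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2020-08-27T00:30:00Z", "appId": "44444444-aaaa-4bbb-8ccc-000000000004", "servicePrincipalName": "late-report", "ipAddress": "10.0.0.7"}
"""

# Expected run window per appId as (start, end) in UTC. Assumption: the team that
# owns the scripts maintains this table. A window may wrap past midnight.
SCHEDULE = {
    "11111111-aaaa-4bbb-8ccc-000000000001": (time(1, 0), time(3, 0)),    # nightly-backup
    "22222222-aaaa-4bbb-8ccc-000000000002": (time(8, 0), time(18, 0)),   # hourly-sync, business hours
    "44444444-aaaa-4bbb-8ccc-000000000004": (time(23, 0), time(1, 0)),   # late-report, wraps midnight
}


def parse_records(text):
    """Parse newline-delimited JSON records and attach a UTC datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Normalise the trailing "Z" so fromisoformat accepts it on older Pythons.
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        rec["timestamp"] = ts.astimezone(timezone.utc)
        records.append(rec)
    return records


def in_window(ts, window):
    """True if the time-of-day of ts lies inside the (start, end) window."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    # Window wraps past midnight, e.g. 23:00 -> 01:00.
    return t >= start or t <= end


def find_off_schedule(records, schedule):
    """Return (reason, record) pairs worth a human look.

    "unknown-app": a token was issued to an app with no registered run window.
    "off-schedule": a known app obtained a token outside its run window.
    """
    findings = []
    for rec in records:
        window = schedule.get(rec["appId"])
        if window is None:
            findings.append(("unknown-app", rec))
        elif not in_window(rec["timestamp"], window):
            findings.append(("off-schedule", rec))
    return findings


if __name__ == "__main__":
    for reason, rec in find_off_schedule(parse_records(SAMPLE_LOG), SCHEDULE):
        print(f"{reason:13} {rec['createdDateTime']} {rec['servicePrincipalName']:15} {rec['ipAddress']}")
```

In the sample data, the 14:30 token for `nightly-backup` is flagged as off-schedule and `unknown-app` is flagged because it has no registered window; the 00:30 token for `late-report` passes because its window wraps midnight. Alerting on source IP ranges per app is a natural second check once the records carry that field.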

1 additional answer

  1. Matthew Stevenson 0 Reputation points
    2023-10-02T07:41:51.96+00:00

    Has this feature been implemented? I am seeing the same behaviour as the original poster: app registrations that are used for client credential authorisation still show nothing in the interactive and non-interactive tabs of the sign-in logs. My use case is the same as the original poster's: security monitoring of the client app registration.
