Assistance in deciphering audit log entries

Zack W 41 Reputation points


I am trying to trace the sequence of events in an AAD Audit Log. More specifically, I am wondering about the events after admin1 forced password reset and revoked the session tokens.
I see the Self-service Password Management service changing John Doe's security info to presumably allow for password reset. However, after that, there are Update user activities, all of which are using the It looks like John Doe initiated another password reset on 8/2, then on 8/8, his password was changed twice and again on 8/17. Is that correct? If so, why is there not an SSPM entry for the 8/8 and 8/17 changes?

Could someone explain the chain of events in the attached .csv for me?

Attachment: 237034-auditlogs-2022-09-01-scrubbed.txt

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Shweta Mathur 27,216 Reputation points Microsoft Employee

    Hi @Zack W ,

    Thanks for reaching out.

    I understand you are trying to read the Self Service Password Reset reporting in audit logs.

    Based on the logs attached, on 2022-08-02 the admin forced the password and other related activities by the user to complete security info registration. There are no activities related to Self-service Password Management on 2022-08-08 and 2022-08-17.

    However, there are logs to update StrongAuthenticationPhoneAppDetail for John Doe by on 2022-08-08 and 2022-08-17.
    This activity is created when a user’s phone application used for multi-factor authentication and password reset verification has been changed by which is an internal account used to indicate the activity is done in App context rather than App + User context.

    Hope this will help you to understand the log events based on activity type.



    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
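
The distinction drawn in the answer above, as an added example that is not part of the original thread: it groups audit rows for one user by day and labels each row by the property it modified, so days that contain only `StrongAuthenticationPhoneAppDetail` updates stand apart from password and SSPM activity. The CSV column names, the sample rows and the actor placeholder are constructed assumptions; rename the columns to match the headers in your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and the actor placeholder are
# assumptions; adjust them to the headers in your own audit log CSV.
SAMPLE = """Date,Service,Activity,Actor,Target,ModifiedProperties
2022-08-02T14:01:00Z,Core Directory,Reset password (by admin),admin1@example.com,jdoe@example.com,
2022-08-02T14:20:00Z,Self-service Password Management,User registered security info,jdoe@example.com,jdoe@example.com,
2022-08-08T09:12:00Z,Core Directory,Update user,internal-app-placeholder,jdoe@example.com,StrongAuthenticationPhoneAppDetail
2022-08-08T09:13:00Z,Core Directory,Update user,internal-app-placeholder,jdoe@example.com,StrongAuthenticationPhoneAppDetail
2022-08-17T16:40:00Z,Core Directory,Update user,internal-app-placeholder,jdoe@example.com,StrongAuthenticationPhoneAppDetail
"""

SSPM = "Self-service Password Management"
MFA_PROPS = {"StrongAuthenticationPhoneAppDetail"}  # property named in the answer

def classify(row):
    """Label one audit row by what it changed, not only by its activity name."""
    props = {p.strip() for p in row["ModifiedProperties"].split(";") if p.strip()}
    if row["Service"] == SSPM or "password" in row["Activity"].lower():
        return "password-or-sspr"
    if row["Activity"] == "Update user" and props & MFA_PROPS:
        return "mfa-app-change"
    return "other"

def timeline(csv_text, target):
    """Return {day: [(time, label, actor), ...]} for one target user, sorted."""
    days = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Target"] != target:
            continue
        day, _, clock = row["Date"].partition("T")
        days[day].append((clock, classify(row), row["Actor"]))
    return {d: sorted(ev) for d, ev in sorted(days.items())}

def mfa_only_days(csv_text, target):
    """Days whose events are all MFA app updates, so no SSPM row is expected."""
    return [d for d, ev in timeline(csv_text, target).items()
            if all(label == "mfa-app-change" for _, label, _ in ev)]

if __name__ == "__main__":
    for day, events in timeline(SAMPLE, "jdoe@example.com").items():
        for clock, label, actor in events:
            print(day, clock, label, actor)
    print("MFA-only days:", mfa_only_days(SAMPLE, "jdoe@example.com"))
```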
