Assistance in deciphering audit log entries

Zack W 41 Reputation points
2022-09-01T18:00:38.2+00:00

Hello,

I am trying to trace the sequence of events in an AAD Audit Log. More specifically, I am wondering about the events after admin1 forced password reset and revoked the session tokens.
I see the Self-service Password Management service changing John Doe's security info to presumably allow for password reset. However, after that, there are Update user activities, all of which are using the fim_password_service@support.onmicrosoft.com. It looks like John Doe initiated another password reset on 8/2, then on 8/8, his password was changed twice and again on 8/17. Is that correct? If so, why is there not an SSPM entry for the 8/8 and 8/17 changes?

Could someone explain the chain of events in the attached .csv for me?

237034-auditlogs-2022-09-01-scrubbed.txt


Accepted answer
  1. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2022-09-02T10:36:30.847+00:00

    Hi @Zack W ,

    Thanks for reaching out.

    I understand you are trying to read the Self Service Password Reset reporting in audit logs.

    Based on the logs attached, on 2022-08-02 the admin forced the password reset, along with other related activities by the user to complete security info registration. There are no activities related to Self-service Password Management on 2022-08-08 and 2022-08-17.

    However, there are logs to update StrongAuthenticationPhoneAppDetail for John Doe by fim_password_service@support.onmicrosoft.com on 2022-08-08 and 2022-08-17.
    This activity is created when a user’s phone application used for multi-factor authentication and password reset verification has been changed by fim_password_service@support.onmicrosoft.com, which is an internal account used to indicate that the activity is done in App context rather than App + User context.

    Hope this will help you to understand the log events based on activity type.

    Thanks,
    Shweta


    1 person found this answer helpful.
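
The distinction drawn in the accepted answer, as an added example that is not part of the original thread and not Microsoft tooling: it labels each audit row by service, actor and modified property, then lists the days that have activity on the user but no Self-service Password Management entry. The column names, the sample rows, the `contoso.example` accounts and the activity names are constructed assumptions; map them to the headers of your own export.

```python
import csv
import io
from collections import defaultdict

# Internal account named in the answer: activity done in App context.
APP_CONTEXT_ACTOR = "fim_password_service@support.onmicrosoft.com"
SSPM_SERVICE = "Self-service Password Management"
MFA_APP_PROPERTY = "StrongAuthenticationPhoneAppDetail"

# Constructed sample rows; column names are assumptions, not the real export headers.
SAMPLE_CSV = """Date,Service,Activity,Actor,Target,ModifiedProperty
2022-08-02T14:01:00Z,Core Directory,Reset user password,admin1@contoso.example,john.doe@contoso.example,
2022-08-02T14:20:00Z,Self-service Password Management,User registered security info,john.doe@contoso.example,john.doe@contoso.example,
2022-08-02T14:21:00Z,Core Directory,Update user,fim_password_service@support.onmicrosoft.com,john.doe@contoso.example,StrongAuthenticationPhoneAppDetail
2022-08-08T09:10:00Z,Core Directory,Update user,fim_password_service@support.onmicrosoft.com,john.doe@contoso.example,StrongAuthenticationPhoneAppDetail
2022-08-08T09:12:00Z,Core Directory,Update user,fim_password_service@support.onmicrosoft.com,john.doe@contoso.example,StrongAuthenticationPhoneAppDetail
2022-08-17T16:45:00Z,Core Directory,Update user,fim_password_service@support.onmicrosoft.com,john.doe@contoso.example,StrongAuthenticationPhoneAppDetail
"""

def classify(row):
    """Label one audit row by service, actor and modified property."""
    actor = row["Actor"].strip().lower()
    if row["Service"].strip() == SSPM_SERVICE:
        return "sspm"
    if actor == APP_CONTEXT_ACTOR:
        if row["ModifiedProperty"].strip() == MFA_APP_PROPERTY:
            return "app-context-mfa-app-update"  # authenticator app detail, not a password change
        return "app-context-other"
    return "user-or-admin"

def timeline(csv_text, target):
    """Return {date: [labels in time order]} for one target user."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Target"].strip().lower() == target.lower()]
    rows.sort(key=lambda r: r["Date"])  # ISO 8601 UTC strings sort chronologically
    days = defaultdict(list)
    for r in rows:
        days[r["Date"][:10]].append(classify(r))
    return dict(days)

def days_without_sspm(csv_text, target):
    """Dates with activity on the target but no SSPM-service entry."""
    return sorted(d for d, labels in timeline(csv_text, target).items()
                  if "sspm" not in labels)

if __name__ == "__main__":
    for day, labels in timeline(SAMPLE_CSV, "john.doe@contoso.example").items():
        print(day, labels)
    print("no SSPM entries:", days_without_sspm(SAMPLE_CSV, "john.doe@contoso.example"))
```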
