Assistance in deciphering audit log entries

Zack W 41 Reputation points
2022-09-01T18:00:38.2+00:00

Hello,

I am trying to trace the sequence of events in an AAD Audit Log. More specifically, I am wondering about the events after admin1 forced password reset and revoked the session tokens.
I see the Self-service Password Management service changing John Doe's security info to presumably allow for password reset. However, after that, there are Update user activities, all of which are using the fim_password_service@support.onmicrosoft.com. It looks like John Doe initiated another password reset on 8/2, then on 8/8, his password was changed twice and again on 8/17. Is that correct? If so, why is there not a SSPM entry for the 8/8 and 8/17 changes.

Could someone explain the chain of events in the attached .csv for me?237034-auditlogs-2022-09-01-scrubbed.txt

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,414 questions
{count} votes

Accepted answer
  1. Shweta Mathur 27,216 Reputation points Microsoft Employee
    2022-09-02T10:36:30.847+00:00

    Hi @Zack W ,

    Thanks for reaching out.

    I understand you are trying to read the Self Service Password Reset reporting in audit logs.

    Based on the logs attached, on 2022-08-02 admin force the password and other related activities by user to complete security info registration. There are no activities related to Self-service Password Management on 2022-08-08 and 2022-08-17.

    However, there are logs to update StrongAuthenticationPhoneAppDetail for John Doe by fim_password_service@support.onmicrosoft.com on 2022-08-08 and 2022-08-17.
    This activity created when a user’s phone application used for multi-factor authentication and password reset verification have been changed by fim_password_service@support.onmicrosoft.com which is an internal account used to indicate activity is done in App context rather than App + User context.

    Hope this will help you to understand the logs events based on activity type.

    Thanks,
    Shweta

    -----------------------------------

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful