List of Azure Active Directory Audit Activities

發行項
02/12/2018

Hi all,

Audit logs in Azure Active Directory help customers to gain visibility about users and group management, managed applications and directory activities in their cloud-based Active Directory.

Using the logs you can detect and investigate security incidents, and review important configuration changes.

By using the Graph API, which provides programmatic access to Azure AD, you can get a detailed list of all auditing activities. Because the access to Graph API is based on REST API calls you can use PowerShell scripts.

I wrote a quick script, based on Paulo Marques's post

Script code is here, just remember to change YOUR_Domain_Name

The full list is here (updated on 12/2/2018 and probably subject to change)

category	activityResourceType	activity
Account Provisioning	Application	process escrow
Account Provisioning	Application	administration
Account Provisioning	Application	directory operation
Account Provisioning	Application	synchronization rule action
Account Provisioning	Application	import
Account Provisioning	Application	export
Account Provisioning	Application	other
Application Proxy	Application	update application
Application Proxy	Application	delete application
Application Proxy	Application	add application
Application Proxy	Application	update application single sign-on mode
Application Proxy	Directory	enable desktop sso for a specific domain
Application Proxy	Directory	enable application proxy
Application Proxy	Directory	disable desktop sso
Application Proxy	Directory	disable passthrough authentication
Application Proxy	Directory	enable desktop sso
Application Proxy	Directory	disable desktop sso for a specific domain
Application Proxy	Directory	disable application proxy
Application Proxy	Directory	enable passthrough authentication
Application Proxy	Resource	register connector
Application Proxy	Resource	add application ssl certificate
Application Proxy	Resource	delete ssl binding
Automated Password Rollover	Application	automated password rollover
B2C	Application	get v1 and v2 applications
B2C	Application	retrieve v2 application permissions grants
B2C	Application	get v2 applications
B2C	Application	add v2 application permissions
B2C	Application	delete v2 application permission grant
B2C	Application	update v2 application permission grant
B2C	Application	delete v1 application
B2C	Application	create v2 application
B2C	Application	retrieve v2 application service principals
B2C	Application	update v2 application
B2C	Application	get v1 application
B2C	Application	update v1 application
B2C	Application	retrieve v2 application service principals in the current tenant
B2C	Application	get v2 application
B2C	Application	delete v2 application
B2C	Application	get v1 applications
B2C	Application	create v1 application
B2C	Authorization	get all certificates
B2C	Authorization	user authorization: access is denied
B2C	Authorization	gettenantprovisioninginfo
B2C	Authorization	create certificate
B2C	Authorization	retrieve v2 application service principals
B2C	Authorization	create admin policy
B2C	Authorization	adminpolicydatas-removeresources
B2C	Authorization	gettenantinfo
B2C	Authorization	getkeysets
B2C	Authorization	get list of tags for all admin flows for all users
B2C	Authorization	user authorization: user granted 'cpimservice admins' access rights
B2C	Authorization	adminuserjourneys-removeresources
B2C	Authorization	get tenant policy list
B2C	Authorization	get the details of an admin flow
B2C	Authorization	get tenant defined idp list
B2C	Authorization	delete a b2c directory resource
B2C	Authorization	get tenant defined local idp list
B2C	Authorization	get allowed application claims for user journey
B2C	Authorization	get the set of available supported cultures for cpim
B2C	Authorization	create new idp
B2C	Authorization	user authorization: user was granted 'authenticated users' access rights
B2C	Authorization	get trustframework policy as xml
B2C	Authorization	gets a cpim key container in jwk format
B2C	Authorization	add v2 application permissions
B2C	Authorization	get b2c directory resources in a resource group
B2C	Authorization	validate move resources
B2C	Authorization	create a custom domains in the tenant
B2C	Authorization	get user journey list
B2C	Authorization	create trustframework policy with configurable prefix
B2C	Authorization	deleteidentityprovider
B2C	Authorization	deleteoutputclaim
B2C	Authorization	gets cpim key as a certificate
B2C	Authorization	linkidentityprovider
B2C	Authorization	deleteinputclaim
B2C	Authorization	getinputclaims
B2C	Authorization	create trustframework policy to store
B2C	Authorization	gettrustframeworkwithouttenantobjectid
B2C	Authorization	updatetrustframeworkswithtenantobjectid
B2C	Authorization	recoverarchivedtenantwithtenantobjectid
B2C	Authorization	put ief policy
B2C	Authorization	get admin flows list
B2C	Authorization	delete trustframework policy from store
B2C	Authorization	adminpolicydatas-getresources
B2C	Authorization	get custom idp
B2C	Authorization	getb2cuserattributes
B2C	Authorization	create identityprovider
B2C	Authorization	getb2cpolicies
B2C	Authorization	getiefpolicies
B2C	Authorization	set ssl operation status for the custom domains operations in the tenant
B2C	Authorization	get resource properties of a tenant
B2C	Authorization	get policy
B2C	Authorization	get supported idp list of the user journey
B2C	Authorization	get user attribute
B2C	Authorization	delete idp
B2C	Authorization	create policy
B2C	Authorization	get tenant details for a user for resource creation
B2C	Authorization	get localized resource json
B2C	Authorization	update local idp
B2C	Authorization	get v1 application
B2C	Authorization	adminuserjourneys-getresources
B2C	Authorization	adminuserjourneys-setresources
B2C	Authorization	get trustframework policy
B2C	Authorization	verify if b2c feature is enabled
B2C	Authorization	gets the type of tenant
B2C	Authorization	get certificates
B2C	Authorization	getiefpolicy
B2C	Authorization	user authorization: user granted access as 'tenant admin'
B2C	Authorization	delete identityprovider
B2C	Authorization	update custom idp
B2C	Authorization	delete policy
B2C	Authorization	getkeyset
B2C	Authorization	create a new adminuserjourney
B2C	Authorization	enable b2c feature
B2C	Authorization	retrieve v2 application service principals in the current tenant
B2C	Authorization	get tenant allowed features
B2C	Authorization	get idp
B2C	Authorization	get v2 applications
B2C	Authorization	get the default supported culture for cpim
B2C	Authorization	get allowed self-asserted claims of policy
B2C	Authorization	create user attribute
B2C	Authorization	update idp
B2C	Authorization	update v2 application
B2C	Authorization	get list of tenants for a user
B2C	Authorization	create v2 application
B2C	Authorization	delete a cpim key container
B2C	Authorization	add a key based on ascii secret to a cpim key container
B2C	Authorization	move resources
B2C	Authorization	get the list of userjourneys for this tenant
B2C	Authorization	get user attributes
B2C	Authorization	get list of all admin flows
B2C	Authorization	getidentityproviders
B2C	Authorization	restore a cpim key container backup
B2C	Authorization	create v1 application
B2C	Authorization	creates or update an new adminuserjourney
B2C	Authorization	get and download certificate
B2C	Authorization	link inputclaim
B2C	Authorization	gettenants
B2C	Authorization	patch identityprovider
B2C	Authorization	get list of policies
B2C	Authorization	user authorization: api is disabled for tenant featureset
B2C	Authorization	get trustframework ids from store
B2C	Authorization	createtrustframeworkpolicy
B2C	Authorization	get idps for a specific admin flow
B2C	Authorization	delete v1 application
B2C	Authorization	authorization: the action is not allowed to make changes to config tenant
B2C	Authorization	migratetenantmetadata
B2C	Authorization	user authorization: user login tenant is different from target tenant
B2C	Authorization	get a b2c drectory resource
B2C	Authorization	get available output claims list
B2C	Authorization	verify if feature is enalbed
B2C	Authorization	get policies
B2C	Authorization	get tenant list
B2C	Authorization	get tenant info
B2C	Authorization	retrieve v2 application permissions grants
B2C	Authorization	get content definitions for user journey
B2C	Authorization	get b2c directory resources in a subscription
B2C	Authorization	get local accounts' self-asserted claims
B2C	Authorization	get supported idp list
B2C	Authorization	create trustframework policy
B2C	Authorization	update policy
B2C	Authorization	delete trustframework policy
B2C	Authorization	delete user attribute
B2C	Authorization	update subscription status
B2C	Authorization	delete v2 application permission grant
B2C	Authorization	update v2 application permission grant
B2C	Authorization	upload a cpim encrypted key
B2C	Authorization	add a key to a cpim key container
B2C	Authorization	get v1 applications
B2C	Authorization	get a user journey
B2C	Authorization	update v1 application
B2C	Authorization	user authorization: tenantid parameter is missing in request
B2C	Authorization	delete certificate
B2C	Authorization	create b2cuserattribute
B2C	Authorization	link outputclaim
B2C	Authorization	create ief policy
B2C	Authorization	getb2cpolicy
B2C	Authorization	get certificate
B2C	Authorization	get trustframework policy as xml from store
B2C	Authorization	get a specific admin flow
B2C	Authorization	adminpolicydatas-setresources
B2C	Authorization	get admin policy
B2C	Authorization	puttrustframeworkpolicy
B2C	Authorization	getidentityprovider
B2C	Authorization	gettrustframeworkpolicy
B2C	Authorization	create new custom idp
B2C	Authorization	get tenantdomains
B2C	Authorization	remove a user journey
B2C	Authorization	create or update a b2c directory resource
B2C	Authorization	get v1 and v2 applications
B2C	Authorization	get operations of microsoft.azureactivedirectory resource provider
B2C	Authorization	get v2 application
B2C	Authorization	get allowed self-asserted claims for user journey
B2C	Authorization	update user attribute
B2C	Authorization	gets list of key containers in the tenant
B2C	Authorization	delete v2 application
B2C	Authorization	get key container active key metadata in jwk
B2C	Authorization	create localized resource json
B2C	Authorization	get a list of custom domains in the tenant
B2C	Authorization	update a b2c directory resource
B2C	Authorization	get tenant defined custom idp list
B2C	Directory	enable b2c feature
B2C	Directory	get a list of custom domains in the tenant
B2C	Directory	get resource properties of a tenant
B2C	Directory	create a custom domains in the tenant
B2C	Directory	gettenantprovisioninginfo
B2C	Directory	set ssl operation status for the custom domains operations in the tenant
B2C	Directory	gets the type of tenant
B2C	Directory	get tenant list
B2C	Directory	verify if feature is enalbed
B2C	Directory	get tenant info
B2C	Directory	get tenant allowed features
B2C	Directory	verify if b2c feature is enabled
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid idtokensigningkeycontainer
B2C	Key	list all keys
B2C	Key	gets a cpim key container in jwk format
B2C	Key	add a key based on ascii secret to a cpim key container
B2C	Key	maintenance key container. revoke first true, revoke last false, cleanup true, operation 'undefined', kid undefined
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid twaj4qpb-l30fa0kc3nuaesy_z6ukvptiwvvyine-cw
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid j-yzdgvppiwfgjsgdmsucbcisdegkllfksiz51ulejs
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid x7kahnrq5gnu4eujwqqot_1jhlchwcetleimhdkdywg
B2C	Key	write new generated key container
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup false, operation 'rollback', kid undefined
B2C	Key	gets list of key containers in the tenant
B2C	Key	get key container active key metadata in jwk
B2C	Key	upload a cpim encrypted key
B2C	Key	gets cpim key as a certificate
B2C	Key	get certificates
B2C	Key	delete key container
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid key0
B2C	Key	add a key to a cpim key container
B2C	Key	get and download certificate
B2C	Key	create certificate
B2C	Key	save key container
B2C	Key	restore a cpim key container backup
B2C	Key	delete certificate
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid t8zpabofkcj9b-nfjzzyiikjgsjaka2p08ykwry_1ao
B2C	Key	maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid idtokensigningkeycontainer.v2
B2C	Key	get key container metadata
B2C	Key	get certificate
B2C	Key	change protection scheme
B2C	Key	delete a cpim key container
B2C	Other	issue an authorization code to the application
B2C	Other	issue an id_token to the application
B2C	Resource	recoverarchivedtenantwithtenantobjectid
B2C	Resource	gettenants
B2C	Resource	linkidentityprovider
B2C	Resource	link outputclaim
B2C	Resource	link inputclaim
B2C	Resource	getb2cpolicies
B2C	Resource	put ief policy
B2C	Resource	patch identityprovider
B2C	Resource	get admin flows list
B2C	Resource	get admin policy
B2C	Resource	delete trustframework policy from store
B2C	Resource	createtrustframeworkpolicy
B2C	Resource	adminuserjourneys-removeresources
B2C	Resource	getiefpolicies
B2C	Resource	get tenant defined idp list
B2C	Resource	get tenant defined local idp list
B2C	Resource	get supported idp list
B2C	Resource	create new idp
B2C	Resource	get the default supported culture for cpim
B2C	Resource	create trustframework policy
B2C	Resource	delete trustframework policy
B2C	Resource	create policy
B2C	Resource	get tenant details for a user for resource creation
B2C	Resource	get the list of userjourneys for this tenant
B2C	Resource	getidentityprovider
B2C	Resource	update custom idp
B2C	Resource	gettenantinfo
B2C	Resource	getkeyset
B2C	Resource	create identityprovider
B2C	Resource	get the details of an admin flow
B2C	Resource	create or update a b2c directory resource
B2C	Resource	get idp
B2C	Resource	get allowed application claims for user journey
B2C	Resource	get allowed self-asserted claims of policy
B2C	Resource	get allowed self-asserted claims for user journey
B2C	Resource	create user attribute
B2C	Resource	update idp
B2C	Resource	update user attribute
B2C	Resource	update subscription status
B2C	Resource	get b2c directory resources in a resource group
B2C	Resource	create localized resource json
B2C	Resource	validate move resources
B2C	Resource	get localized resource json
B2C	Resource	update a b2c directory resource
B2C	Resource	adminuserjourneys-getresources
B2C	Resource	get user attributes
B2C	Resource	create trustframework policy to store
B2C	Resource	create b2cuserattribute
B2C	Resource	deleteinputclaim
B2C	Resource	deleteoutputclaim
B2C	Resource	deleteidentityprovider
B2C	Resource	gettrustframeworkwithouttenantobjectid
B2C	Resource	get trustframework policy as xml from store
B2C	Resource	get list of policies
B2C	Resource	get a specific admin flow
B2C	Resource	get list of tags for all admin flows for all users
B2C	Resource	gettrustframeworkpolicy
B2C	Resource	create new custom idp
B2C	Resource	migratetenantmetadata
B2C	Resource	creates or update an new adminuserjourney
B2C	Resource	get a b2c drectory resource
B2C	Resource	get operations of microsoft.azureactivedirectory resource provider
B2C	Resource	get b2c directory resources in a subscription
B2C	Resource	get policy
B2C	Resource	get local accounts' self-asserted claims
B2C	Resource	get supported idp list of the user journey
B2C	Resource	update policy
B2C	Resource	get trustframework policy as xml
B2C	Resource	get tenant defined custom idp list
B2C	Resource	update local idp
B2C	Resource	create trustframework policy with configurable prefix
B2C	Resource	get tenant policy list
B2C	Resource	getb2cpolicy
B2C	Resource	delete identityprovider
B2C	Resource	create admin policy
B2C	Resource	adminpolicydatas-setresources
B2C	Resource	get trustframework ids from store
B2C	Resource	adminpolicydatas-getresources
B2C	Resource	delete policy
B2C	Resource	getkeysets
B2C	Resource	getidentityproviders
B2C	Resource	get idps for a specific admin flow
B2C	Resource	get list of all admin flows
B2C	Resource	remove a user journey
B2C	Resource	delete a b2c directory resource
B2C	Resource	delete idp
B2C	Resource	get list of tenants for a user
B2C	Resource	get trustframework policy
B2C	Resource	getinputclaims
B2C	Resource	getb2cuserattributes
B2C	Resource	updatetrustframeworkswithtenantobjectid
B2C	Resource	create ief policy
B2C	Resource	getiefpolicy
B2C	Resource	adminpolicydatas-removeresources
B2C	Resource	get custom idp
B2C	Resource	puttrustframeworkpolicy
B2C	Resource	create a new adminuserjourney
B2C	Resource	get available output claims list
B2C	Resource	get policies
B2C	Resource	get content definitions for user journey
B2C	Resource	get the set of available supported cultures for cpim
B2C	Resource	get user attribute
B2C	Resource	delete user attribute
B2C	Resource	move resources
B2C	Resource	adminuserjourneys-setresources
B2C	Resource	get a user journey
B2C	Resource	get user journey list
Core Directory	Application	add service principal
Core Directory	Application	update service principal
Core Directory	Application	update application
Core Directory	Application	remove service principal
Core Directory	Application	delete application
Core Directory	Application	add service principal credentials
Core Directory	Application	remove app role assignment from service principal
Core Directory	Application	remove owner from application
Core Directory	Application	consent to application
Core Directory	Application	add application
Core Directory	Application	add owner to service principal
Core Directory	Application	remove oauth2permissiongrant
Core Directory	Application	add oauth2permissiongrant
Core Directory	Application	add app role assignment to service principal
Core Directory	Application	remove service principal credentials
Core Directory	Application	remove owner from service principal
Core Directory	Application	add owner to application
Core Directory	Application	revoke consent
Core Directory	Device	add registered owner to device
Core Directory	Device	add registered users to device
Core Directory	Device	update device configuration
Core Directory	Device	remove registered owner from device
Core Directory	Device	delete device configuration
Core Directory	Device	update device
Core Directory	Device	add device
Core Directory	Device	add device configuration
Core Directory	Device	remove registered users from device
Core Directory	Device	delete device
Core Directory	Directory	update domain
Core Directory	Directory	remove partner from company
Core Directory	Directory	remove verified domain
Core Directory	Directory	add unverified domain
Core Directory	Directory	add verified domain
Core Directory	Directory	set dirsyncenabled flag
Core Directory	Directory	set directory feature on tenant
Core Directory	Directory	create company settings
Core Directory	Directory	update company settings
Core Directory	Directory	set company allowed data location
Core Directory	Directory	delete company settings
Core Directory	Directory	set company multinational feature enabled
Core Directory	Directory	update external secrets
Core Directory	Directory	set rights management properties
Core Directory	Directory	update company
Core Directory	Directory	verify domain
Core Directory	Directory	remove unverified domain
Core Directory	Directory	set domain authentication
Core Directory	Directory	set password policy
Core Directory	Directory	add partner to company
Core Directory	Directory	promote company to partner
Core Directory	Directory	set partnership
Core Directory	Directory	set accidental deletion threshold
Core Directory	Directory	demote partner
Core Directory	Directory	set company information
Core Directory	Directory	set federation settings on domain
Core Directory	Directory	create company
Core Directory	Directory	verify email verified domain
Core Directory	Directory	set dirsync feature
Core Directory	Directory	purge rights management properties
Core Directory	Group	add app role assignment to group
Core Directory	Group	start applying group based license to users
Core Directory	Group	delete group settings
Core Directory	Group	remove member from group
Core Directory	Group	set group license
Core Directory	Group	create group settings
Core Directory	Group	add member to group
Core Directory	Group	add group
Core Directory	Group	update group
Core Directory	Group	add owner to group
Core Directory	Group	finish applying group based license to users
Core Directory	Group	remove app role assignment from group
Core Directory	Group	set group to be managed by user
Core Directory	Group	delete group
Core Directory	Group	remove owner from group
Core Directory	Group	update group settings
Core Directory	Policy	update policy
Core Directory	Policy	add policy to service principal
Core Directory	Policy	delete policy
Core Directory	Policy	remove policy credentials
Core Directory	Policy	remove policy from service principal
Core Directory	Policy	add policy
Core Directory	User	update role
Core Directory	User	add role from template
Core Directory	User	update user
Core Directory	User	delete user
Core Directory	User	add user
Core Directory	User	convert federated user to managed
Core Directory	User	create application password for user
Core Directory	User	set license properties
Core Directory	User	restore user
Core Directory	User	remove member from role
Core Directory	User	remove app role assignment from user
Core Directory	User	remove scoped member from role
Core Directory	User	change user license
Core Directory	User	change user password
Core Directory	User	reset user password
Core Directory	User	add app role assignment grant to user
Core Directory	User	add member to role
Core Directory	User	set user manager
Core Directory	User	delete application password for user
Core Directory	User	update user credentials
Core Directory	User	add scoped member to role
Identity Protection	Directory	update alert settings
Identity Protection	Directory	update weekly digest settings
Identity Protection	Directory	onboarding
Identity Protection	Other	set user risk policy
Identity Protection	Other	download a single risk event type
Identity Protection	Other	set mfa registration policy
Identity Protection	Other	download all risk event types
Identity Protection	Other	download users flagged for risk
Identity Protection	Other	download free user risk events
Identity Protection	Other	admin dismisses/resolves/reactivates risk event
Identity Protection	Other	set sign-in risk policy
Identity Protection	Other	download admins and status of weekly digest opt-in
Identity Protection	Policy	set mfa registration policy
Identity Protection	Policy	set sign-in risk policy
Identity Protection	Policy	set user risk policy
Identity Protection	User	admin generates a temporary password
Identity Protection	User	admins requires the user to reset their password
Invited Users	Other	batch invites processed
Invited Users	Other	batch invites uploaded
Invited Users	User	viral tenant creation
Invited Users	User	invite external user
Invited Users	User	email not sent, user unsubscribed
Invited Users	User	assign external user to application
Invited Users	User	redeem external user invite
Invited Users	User	viral user creation
MIM Service	Group	create group
MIM Service	Group	remove member
MIM Service	Group	add member
MIM Service	Group	delete group
MIM Service	Group	update group
MIM Service	User	user password registration
MIM Service	User	user password reset
Self-service Group Management	Group	delete a pending request to join a group
Self-service Group Management	Group	set dynamic group properties
Self-service Group Management	Group	update lifecycle management policy
Self-service Group Management	Group	approve a pending request to join a group
Self-service Group Management	Group	request to join a group
Self-service Group Management	Group	create lifecycle management policy
Self-service Group Management	Group	reject a pending request to join a group
Self-service Group Management	Group	cancel a pending request to join a group
Self-service Group Management	Group	renew group
Self-service Password Management	User	reset password (self-service)
Self-service Password Management	User	unlock user account (self-service)
Self-service Password Management	User	reset password (by admin)
Self-service Password Management	User	self-serve password reset flow activity progress
Self-service Password Management	User	change password (self-service)
Self-service Password Management	User	user registered for self-service password reset
Self-service Password Management	User	blocked from self-service password reset
Terms Of Use	Policy	decline terms of use
Terms Of Use	Policy	accept terms of use
Terms Of Use	Policy	edit terms of use
Terms Of Use	Policy	unpublish terms of use
Terms Of Use	Policy	create terms of use
Terms Of Use	Policy	publish terms of use
Terms Of Use	Policy	delete terms of use

Comments

Anonymous
February 13, 2018
Moti,Is it possible to pull the Azure AD Identity Protection - Risk events into a SIEM like Splunk?Thx,Jeff
- Anonymous
  February 18, 2018
  Hi Jeff, you can using Azure Security Center and Splunk connector
Anonymous
February 18, 2018
Thanks Moti, very useful script!

共用方式為

List of Azure Active Directory Audit Activities

Comments

其他資源