When running a CA search for changes to AAD Global Administrator (example) the 'Who' field is 'MS-PIM' and not the user who made the change.
we tested assigning a user to a Role through Privileged Identity Management (PIM) and two events are recorded in the Azure audit log:
1. The first is recorded by the PIM service and shows the user that made the change
2. The second is recorded by the Core Directory service and shows MS-PIM as making the change
Change Auditor records both events slightly differently:
1. The first is recorded as an "azure active directory - role event" with an activity of "Add an eligible member to a role in PIM completed (timebound)"
2. The second is recorded as an "Eligible member added to the role" event with an activity of "Add an eligible member to the role"
Create a search to return both events by performing the following:
On the what tab, go to "Add | subsystem | azure active directory | selected events | activity name | Like: *Add eligible member to role"
