Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor 7.1 - Office 365 and Azure Active Directory User Guide

Table of Contents

Office 365 and Azure Active Directory Auditing Overview

Introduction System overview Client components and features Deployment requirements

System requirements License requirements Auditing and agent considerations Auditing in synchronized environments Upgrading Change Auditor

Configuring Office 365 and Azure Active Directory auditing

Managing Office 365 templates

Office 365 auditing page Create an Office 365 auditing template Edit an Office 365 auditing template Disable a template Delete a template

Managing Azure Active Directory templates

Azure Active Directory auditing page Create an Azure Active Directory auditing template Edit an Azure Active Directory auditing template Disable a template Delete a template

Azure Active Directory Auditing Wizard

Reports and Searches

Introduction to Office 365 and Azure Active Directory reporting Office 365 built-in reports Azure Active Directory built-in reports Custom searches

Creating custom Exchange Online searches Creating a custom SharePoint Online and OneDrive for Business search

Displaying additional SharePoint Online and OneDrive for Business information

Creating custom Azure Active Directory searches

Displaying additional Azure Active Directory information

Additional information for synchronized environments Working with generic Office 365 and Azure Active Directory events Additional Office 365 and Azure Active Directory event details

Working with generic Office 365 and Azure Active Directory events

The Azure Active Directory audit reports and the Office 365 audit logs are continuously evolving. To ensure that Change Auditor is synchronized with these updates, generic events have been introduced. Each Azure AD and Office 365 facility in Change Auditor has one generic event defined.

The generic event is generated each time an activity occurs that does not have a corresponding event defined in Change Auditor. For example, “Azure Active Directory - User event” is generated when activities such as “Reset password (self-service)” or “Unlock user account” are performed in Azure Active Directory. Activity information is populated in additional columns and the description for the event (What statement) is dynamically constructed based upon the Azure AD/Office 365 activity and target object name.

When working with these events, you can add additional columns to the search layout to view information about the activity.

Table 8. Available columns

Search Column Name

Azure - Activity Name/Operation

Activity Name/Operation

Represents the activity that was performed as part of the event.

For sign-in risk events, this shows the risk event type.

Azure - Activity Details

Activity Details

Provides additional information about audited activity.

•

For ‘Self-serve password reset flow activity progress’, it shows what step the user is performing.

•

For sign-in events it shows why the sign-in failed.

•

For sign-in risk events, this shows the risk event status.

For a complete list of the activities available see the Microsoft support article “Audit activity reports in the Azure Active Directory portal” and “Search the audit log in the Office 365 Security & Compliance Center”.

Additional Office 365 and Azure Active Directory event details

Additional Office 365 and Azure Active Directory event details

The event details pane contains the following additional information to help gain a better understanding of the activities taking place in Microsoft Office 365 Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory.

Table 9. Event details
Tab	Available information
Overview	Displays a high-level view of the activity that is generated for each event. You can quickly see when the event occurred, who made the change, what changed, where the change originated, the activity, the target type, synchronization type, subject type, subject synchronization type, activity type, category, and action, Additional information for sign-in events include the reason for a sign-in failure and the sign-in location. Additional information for sign-in risk events include the type of risk activity, risk status, risk level, and origin (IP address).
Target (Azure Active Directory events only) NOTE: This tab is not displayed for sign-in and sign-in risk events.	Displays details on the property updates with the old and new value when available. It also displays information about multiple targets affected by a single event. For example, when a user added to a group, you can see both the user and the group as affected targets. When there are multiple targets, the target that best matches the activity type is displayed as the primary target in the Overview tab.
Details	Displays all available properties for a deeper analysis of the activity, including the raw data from the Azure Active Directory Reporting API. For sign-in risk events, it contains raw data from the Azure Active Directory Identity Protection API.
Parameters (Exchange Online Administration events only)	Displays the parameters used to run the Office 365 Administrative command.
Item	Displays Id, rights, SID, Upn, name and path details for Exchange Online permission additions, removals, or modifications.
Additional Info (Azure Active Directory Risky events only)	Displays risk event additional information such as user agent, related event time in UTC, related users agent, device information, related location, request ID, correlation ID.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center