Chat now with support
Chat with Support

Change Auditor 7.2 - Office 365 and Azure Active Directory User Guide

Azure Active Directory auditing page

The Azure Active Directory auditing page contains a list of auditing templates that define the directory to audit.

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template
Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.
Status
Indicates whether the auditing template is enabled or disabled.
Enabled templates that are lacking the required permissions for auditing are identified with a warning icon and a status of “Requires update”.
Audit Logs
Indicates whether the Azure Active Directory audit logs are monitored.
Sign-ins
Indicates whether Azure Active Directory sign-in and sign-in risk events are monitored.

Create an Azure Active Directory auditing template

The following section describes how to create a template and the required web application so you can begin to audit the Azure Active Directory activity. After the template is created, Change Auditor starts collecting events that are available on your tenant.

* 
NOTE: You can only create one Azure Active Directory template per tenant.
To create an auditing template
1
Open the Administration Tasks page.
2
Click Auditing.
3
Select Azure Active Directory (under Directories).
4
Click Add to open the auditing wizard.
5
Enter the Azure directory
6
Under Authentication Configuration, select to Create a new web application or Use existing web application.
If you select to create a new Azure web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
* 
NOTE: The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
1
Select an account with the Global Administrator role.
2
Enter the required password, and select Sign in.
3
Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page.
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
To apply the consent for just the current signed-in user simply click Accept.
* 
NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.
If you select to use an existing Azure web application, enter the Azure directory, application ID, and application key. See the Microsoft documentation for details on integrating applications with Azure Active Directory and creating a web application.
* 
NOTE: When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

Ensure the following permissions are assigned to the Azure web application:

Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information

Office 365 Management APIs application permissions:
ActivityFeed.Read – Application - Read activity data for your organization

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

7
Select the activity to audit:
Audit Logs: Audits Azure Active Directory user, group, application, and directory activity. A Change Auditor for Active Directory license is required.
Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.
8
Click Select agent to view available agents and whether they are assigned to an auditing template. The Azure Active Directory cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.
* 
NOTE: You cannot use an agent that is already assigned for Azure Active Directory auditing.
* 
IMPORTANT: See the Change Auditor Release Notes for ports that must be opened on the agent server.
9
Click Finish to create the template.

Edit an Azure Active Directory auditing template

This section describes how to add or remove Azure Active Directory activity to audit.

To select a new agent, you must create a new template or use the Set-CAAzureADTemplate command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

To edit an Azure Active Directory auditing template
1
Open the Administration Tasks page.
2
Click Auditing button.
3
Select Azure Active Directory (under Directories).
4
Select the template and click Edit to open the auditing wizard.
5
Under Authentication Configuration, select to Create a new web application or Use existing web application.
If you select to create a new Azure web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
* 
NOTE: The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
1
Select an account with the Global Administrator role.
2
Enter the required password, and select Sign in.
3
Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page.
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
To apply the consent for just the current signed-in user simply click Accept.
* 
NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.
If you select to use an existing Azure web application, enter the Azure directory, application ID, and application key. See the Microsoft documentation for details on integrating applications with Azure Active Directory and creating a web application.
* 
NOTE: When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

Ensure the following permissions are assigned to the Azure web application:

Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information

Office 365 Management APIs application permissions:
ActivityFeed.Read – Application - Read activity data for your organization

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

6
Enter the name of the Azure Active Directory.
7
Add and remove the activity to audit as required.
Audit Logs audits Azure Active Directory user, group, application, and directory activity. A Change Auditor for Active Directory license is required.
Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.
8
Click Finish to apply the updates.

Disable a template

Disabling a template temporarily stops auditing activities without having to remove the template.

* 
NOTE: Change Auditor stops collecting events if a license expired, the template is disabled, or the agent stops. After you apply a valid license, enable the template, or restart the agent Change Auditor collects available events from the tenant that were missed.
To disable an auditing template
1
On the Azure Active Directory Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.
Right-click the template to disable and select Disable
The entry in the Status column for the template changes to ‘Disabled’.
2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating