• Become a portal pro
• Download
• Print
• My Downloads ()

• Support
• Technical Documentation
• Change Auditor 7.5
• Change Auditor 7.5 - Microsoft 365 and Microsoft Entra ID Auditing User Guide

Change Auditor 7.5 - Microsoft 365 and Microsoft Entra ID Auditing User Guide

Table of Contents  

Microsoft 365 and Microsoft Entra ID Auditing Overview

Introduction System overview Client components and features Deployment requirements

System requirements License requirements Auditing and agent considerations Auditing in synchronized environments Upgrading Change Auditor

Configuring Microsoft 365 and Microsoft Entra ID auditing

Managing Microsoft 365 templates

Microsoft 365 auditing page Create an Microsoft 365 auditing template Edit a Microsoft 365 auditing template Using an existing web application Disable a template Delete a template

Microsoft 365 Auditing Wizard Managing Microsoft Entra templates

Microsoft Entra auditing page Create a Microsoft Entra auditing template Edit a Microsoft Entra auditing template Disable a template Delete a template

Considerations

Microsoft Entra Auditing Wizard

Reports and Searches

Introduction to Microsoft 365 and Microsoft Entra ID reporting Microsoft 365 built-in reports Microsoft Entra built-in reports Custom searches

Creating custom Exchange Online searches Creating a custom SharePoint Online and OneDrive for Business search

Displaying additional SharePoint Online and OneDrive for Business information

Creating custom Microsoft Entra searches

Displaying additional Microsoft Entra information

Additional information for synchronized environments Working with generic Microsoft 365 and Microsoft Entra events Additional Microsoft 365 and Microsoft Entra event details Our brand, our vision. Together. Contacting Quest Technical support resources

• Viewing Topics 21 - 24 of 43

×

Microsoft Entra auditing page

The Microsoft Entra auditing page contains a list of auditing templates that define the directory to audit.

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template

Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.

Tenant Type

Displays whether the tenant is Commercial, GCC, or GCCHigh.

Status

Indicates whether the auditing template is enabled or disabled.

Enabled templates that are lacking the required permissions for auditing are identified with a warning icon and a status of “Requires update”.

Audit Logs

Indicates whether the Microsoft Entra audit logs are monitored.

Sign-ins

Indicates whether Microsoft Entra sign-in and sign-in risk events are monitored.

Create a Microsoft Entra auditing template

The following section describes how to create a template and the required web application so you can begin to audit the Microsoft Entra ID activity. After the template is created, Change Auditor starts collecting events that are available on your tenant.

NOTE:   • You can only create one Microsoft Entra template per tenant. • The ability to automatically create a new web application is not supported for GCC High tenants.

To create an auditing template

1	Open the Administration Tasks page.

2	Click Auditing.

3	Select Microsoft Entra (under Directories).

4	Click Add to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application:

f	Select the tenant type (Commercial or GCC).

g	Enter the Microsoft Entra Directory Name.

If you select to create a new web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

If you select to use an existing web application:

a	Select the tenant type (Commercial, GCC, or GCCHigh).

b	Enter the Microsoft Entra Directory Name, Application ID, and Application key. See Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.

NOTE: The Microsoft Entra web application: • Should be a single-tenant application. A redirect URI is not required. • Must have a Client Secret configured in the web application "Certificates and Secrets" page. Ensure the following permissions are assigned to the web application: Microsoft Graph application permissions: • AuditLog.Read.All – Application - Read all audit log data • Directory.Read.All – Application - Read directory data • IdentityRiskEvent.Read.All – Application - Read all identity risk information If the app will also be used for Microsoft 365 templates, ensure that the following permissions are also set: Office 365 Management APIs application permissions: • ActivityFeed.Read – Application - Read activity data for your organization Office 365 Exchange Online APIs application permissions: • Exchange.ManageAsApp - Application - Manage Exchange As Application For required configuration, see Using an existing web application. Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

6	Select the activity to audit:

Audit Logs: Audits Microsoft Entra user, group, application, and directory activity. A Change Auditor for Active Directory license is required.

Sign-ins: Audits Microsoft Entra user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.

7	Click Select agent to view available agents and whether they are assigned to an auditing template. The Microsoft Entra cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.

NOTE:   • You cannot use an agent that is already assigned for Microsoft Entra ID auditing. • GCC and GCCHigh tenants are not supported on agents versions lower than version 7.5. • See the Change Auditor Release Notes for ports that must be opened on the agent server.

8	Click Finish to create the template.

Edit a Microsoft Entra auditing template

This section describes how to add or remove Microsoft Entra activity to audit.

To select a new agent, you must create a new template or use the Set-CAAzureADTemplate command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

To edit an auditing template

1	Open the Administration Tasks page.

2	Click Auditing button.

3	Select Microsoft Entra (under Directories).

4	Select the template and click Edit to open the auditing wizard.

5	Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish. To grant permission for all administrators to create a web application: 1 Select an account with the Global Administrator role. 2 Enter the required password, and select Sign in. 3 Review the required permissions for the Change Auditor Configuration Assistant on the consent page. To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept. To apply the consent for just the current signed-in user simply click Accept.

NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

If you select to use an existing web application, enter the Application ID and Application key. See Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.

NOTE: The Microsoft Entra web application: • Should be a single-tenant application. A redirect URI is not required. • Must have a Client Secret configured in the web application "Certificates and Secrets" page. Ensure the following permissions are assigned to the web application: Microsoft Graph application permissions: • AuditLog.Read.All – Application - Read all audit log data • Directory.Read.All – Application - Read directory data • IdentityRiskEvent.Read.All – Application - Read all identity risk information If the app will also be used for Microsoft 365 templates, ensure that the following permissions are also set: Office 365 Management APIs application permissions: • ActivityFeed.Read – Application - Read activity data for your organization Office 365 Exchange Online APIs application permissions: • Exchange.ManageAsApp - Application - Manage Exchange As Application For required configuration, see Using an existing web application. Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

6	Add and remove the activity to audit as required.

•	Audit Logs audits Microsoft Entra user, group, application, and directory activity. A Change Auditor for Active Directory license is required.

•	Sign-ins: Audits Microsoft Entra user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.

7	Click Finish to apply the updates.

Disable a template

Disabling a template temporarily stops auditing activities without having to remove the template.

NOTE: Change Auditor stops collecting events if a license expired, the template is disabled, or the agent stops. After you apply a valid license, enable the template, or restart the agent Change Auditor collects available events from the tenant that were missed.

To disable a template

1	On the Microsoft Entra Auditing page, use one of the following methods to disable an auditing template:

•	Place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.

•	Right-click the template to disable and select Disable

The entry in the Status column for the template changes to ‘Disabled’.

2	To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

•  Previous
• Viewing Topics 21 - 24 of 43
• Next 

Search this document Search all documents for this product-version Search all documents for this product Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center