On Demand Audit provides numerous built-in Azure Active Directory searches that let you locate and report on Azure Active Directory data. If required, you can also easily create custom searches to locate specific information that is of interest to you.
There are numerous columns, filters, and pre-defined values that you can use to help you find the information you need to secure your environment.
See Creating a custom search and Appendix A: Working with search columns and filters for more details.
Azure Active Directory-specific columns
The following columns are available to display additional Azure Active Directory information:
|Azure Active Directory - Audit Log||
|Azure Active Directory Sign-ins||
|Azure Active Directory Risky Sign-ins||
To help filter searches and fine-tune the results, the following Azure Active Directory group membership, group ownership, and role membership activity has been split so that a single event is reported based on the target and subject:
|Group Membership Event||Target||Subject|
|Add member to group||Group being modified||User or group added to a group|
|Add group membership||User or group added to a group||Group being modified|
|Remove member from group||Group from which a user or group is removed||User or group being removed from a group|
|Remove group membership||User or group being removed from a group||Group from which the user or group is removed|
|Add owner to group||Group that is modified||User added as group owner|
|Group ownership assigned||User added as group owner||Group that is modified|
|Remove owner from group||Group that is modified as a result of a removed owner||User removed as group owner|
|Group ownership removed||User removed as group owner||Group that is modified as a result of a removed owner|
|Add member to role||Role to which a user is added||User added to the role|
|Role assignment added||User added to a role||Role to which a user is added|
|Remove member from role||Role from which a user is removed||User removed from a role|
|Role assignment removed||User removed from a role||Role from which a user is removed|
|Add eligible member to role||Role to which a user is added||User added to a role|
|Role assignment added to eligible member||User added to a role||Role to which a user is added|
You can, for example, create a search for all group membership events and see distinct events for both the group you are adding a user to and the user you are adding to the group. Using the target to filter your searches allows you to pinpoint activity by specific users as well as changes to critical groups and roles. See Appendix A: Working with search columns and filters for a complete list of available filters.
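The target/subject split described above, modeled in Python as an added example; this is not On Demand Audit code or its API. Only the event names and the target/subject roles come from the table; the record layout, field names, group names, and accounts are assumptions constructed for illustration.

```python
# Added illustration: a model of the target/subject split, not product code.
# Pairs from the table: (event whose target is the group/role,
#                        event whose target is the user/member).
PAIRS = [
    ("Add member to group", "Add group membership"),
    ("Remove member from group", "Remove group membership"),
    ("Add owner to group", "Group ownership assigned"),
    ("Remove owner from group", "Group ownership removed"),
    ("Add member to role", "Role assignment added"),
    ("Remove member from role", "Role assignment removed"),
    ("Add eligible member to role", "Role assignment added to eligible member"),
]
PRINCIPAL_VIEW = dict(PAIRS)

def split_event(change):
    """Return both reported events for one change (hypothetical record layout)."""
    container_event = change["activity"]
    principal_event = PRINCIPAL_VIEW[container_event]
    common = {"actor": change["actor"]}
    return [
        # Perspective 1: the group or role is the target, the member is the subject.
        {**common, "event": container_event,
         "target": change["container"], "subject": change["principal"]},
        # Perspective 2: the member is the target, the group or role is the subject.
        {**common, "event": principal_event,
         "target": change["principal"], "subject": change["container"]},
    ]

def search_by_target(events, targets):
    """Filter on the target column only, case-insensitively."""
    wanted = {t.lower() for t in targets}
    return [e for e in events if e["target"].lower() in wanted]

# Constructed sample changes (not real data).
CHANGES = [
    {"activity": "Add member to role", "container": "Global Administrator",
     "principal": "j.doe@example.com", "actor": "admin@example.com"},
    {"activity": "Add member to group", "container": "Finance-Readers",
     "principal": "j.doe@example.com", "actor": "helpdesk@example.com"},
    {"activity": "Remove owner from group", "container": "Tier0-Admins",
     "principal": "a.lee@example.com", "actor": "admin@example.com"},
]
EVENTS = [e for change in CHANGES for e in split_event(change)]

if __name__ == "__main__":
    # One target filter covers changes to critical groups and roles...
    for e in search_by_target(EVENTS, {"Global Administrator", "Tier0-Admins"}):
        print(e["event"], "|", e["target"], "|", e["subject"])
    # ...and the same filter on a user shows everything done to that account.
    for e in search_by_target(EVENTS, {"j.doe@example.com"}):
        print(e["event"], "|", e["target"], "|", e["subject"])
```

Because each change is reported from both perspectives, a watchlist of critical groups and roles and a watchlist of sensitive accounts can both be expressed as filters on the same target column.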
On Demand Audit captures both the risk event as well as when an administrator takes action on the detected risk.
IMPORTANT: To capture and view this information, ensure that you have enabled auditing of the Azure Active Directory - Audit Logs module.
The following information is listed in the Azure AD risk event's activity:
On Demand Audit audits activity for Exchange Online, OneDrive for Business, Teams, and SharePoint Online that corresponds to the events in the Office 365 Security & Compliance Center unified audit log.
You can easily track and identify important activities such as:
For details on running the searches and creating custom searches based on the built-in searches, see: