Auditing Microsoft Entra
On Demand Audit simplifies the audit process by tracking, auditing, and reporting on activity that corresponds to the events in the Microsoft Entra audit logs, sign-in activity report, and risky sign-ins report.
NOTE: A Microsoft Entra ID Premium (P1) license or higher is required for On Demand Audit to audit sign-in activity, and a Microsoft Entra ID Premium (P2) license or higher is required to audit risky sign-in activity.
You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.
For example, you can easily track and report on activities such as:
- When users and groups are added to and removed from the directory.
- When user and group attributes are changed.
- Successful and failed logins.
- Suspicious sign-in activity.
Event collection and Microsoft Entra subscription
Historical auditing is dependent on your Microsoft Entra subscription.
Microsoft Entra ID license | Microsoft Entra - Audit Log historical events in the last 7 days
Microsoft Entra ID Premium license (Optional) | Microsoft Entra - Audit Log historical events in the last 30 days
Microsoft Entra ID Premium license (Required) | Microsoft Entra - Sign-ins historical events in the last 30 days
Microsoft Entra ID Premium license (Required) | Microsoft Entra - Risky Sign-ins historical events in the last 90 days
NOTE: A Microsoft Entra ID Premium P2 subscription is required to include the Risk Level and Risk Detail information in events.
Working with Microsoft Entra Searches
On Demand Audit provides numerous built-in Microsoft Entra searches that allow you to locate and report on Microsoft Entra data. If required, you can also easily create custom searches to locate specific information that is of interest to you.
There are numerous columns, filters, and pre-defined values that you can use to help you find the information you need to secure your environment.
See Creating a custom search and Appendix A: Available search columns and filters for more details.
Microsoft Entra-specific columns
The following columns are available to display additional Microsoft Entra information:
Microsoft Entra - Audit Log
- Microsoft Entra Activity Type
- Microsoft Entra Activity Operation Type
- Microsoft Entra Result Description
- Microsoft Entra Category
Microsoft Entra Sign-ins
- Error Code
- Failure Reason
- Location
Microsoft Entra Risky Sign-ins
- RiskEventStatus
- RiskEventId
- RiskEventType
- RiskLevel
- RiskEventDateTime
- PreviousCity (impossible travel risk events only)
- PreviousState (impossible travel risk events only)
- PreviousCountry (impossible travel risk events only)
- PreviousSignInDateTime (impossible travel risk events only)
- PreviousIpAddress (impossible travel risk events only)
- PreviousLocation (impossible travel risk events only)
- RiskEventDetails
- MalwareName
- isAtypicalLocation
Working with Microsoft Entra events with multiple targets
To help filter searches and fine-tune the results, the following Microsoft Entra group membership, group ownership, and role membership activity has been split so that a single event is reported based on the target and subject:
Add member to group | Group being modified | User or group added to a group
Add group membership | User or group added to a group | Group being modified
Remove member from group | Group from which a user or group is removed | User or group being removed from a group
Remove group membership | User or group being removed from a group | Group from which the user or group is removed
Add owner to group | Group that is modified | User added as group owner
Group ownership assigned | User added as group owner | Group that is modified
Remove owner from group | Group that is modified as a result of a removed owner | User removed as group owner
Group ownership removed | User removed as group owner | Group that is modified as a result of a removed owner
Add member to role | Role to which a user is added | User added to the role
Role assignment added | User added to a role | Role to which a user is added
Remove member from role | Role from which a user is removed | User removed from a role
Role assignment removed | User removed from a role | Role from which a user is removed
Add eligible member to role | Role to which a user is added | User added to a role
Role assignment added to eligible member | User added to a role | Role to which a user is added
Additional filters
You can, for example, create a search for all group membership events and see distinct events for both the group you are adding a user to and the user you are adding to the group. Using the target to filter your searches allows you to pinpoint the activity by specific users, and changes to critical groups and roles. See Appendix A: Available search columns and filters for a complete list of available filters.