The following section describes how to create a template and the required web application so you can begin to audit the Microsoft Entra ID activity. After the template is created, Change Auditor starts collecting events that are available on your tenant.
NOTE:
- You can only create one Microsoft Entra template per tenant.
- The ability to automatically create a new web application is not supported for GCC High tenants.
To create an auditing template:
- Open the Administration Tasks page.
- Click Auditing.
- Select Microsoft Entra (under Directories).
- Click Add to open the auditing wizard.
- Under Authentication Configuration, select to Create a new web application or Use existing web application.
  - If you select to create a new web application:
    - Select the tenant type (Commercial or GCC).
    - Enter the Microsoft Entra Directory Name.
    - You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
    - NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish.
    - To grant permission for all administrators to create a web application:
      - Select an account with the Global Administrator role.
      - Enter the required password, and select Sign in.
      - Review the required permissions for the Change Auditor Configuration Assistant on the consent page.
      - To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
      - To apply the consent for just the current signed-in user, simply click Accept.
    NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your logon credentials when creating a new web application.
  - If you select to use an existing web application:
    - Select the tenant type (Commercial, GCC, or GCCHigh).
    - Enter the Microsoft Entra Directory Name, Application ID, and Application key. See Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.
    - NOTE: The Microsoft Entra web application:
      - Should be a single-tenant application. A redirect URI is not required.
      - Must have a Client Secret configured in the web application "Certificates and Secrets" page.
    - Ensure the following permissions are assigned to the web application:
      - Microsoft Graph application permissions:
        - AuditLog.Read.All – Application – Read all audit log data
        - Directory.Read.All – Application – Read directory data
        - IdentityRiskEvent.Read.All – Application – Read all identity risk information
      - If the app will also be used for Microsoft 365 templates, ensure that the following permissions are also set:
        - Office 365 Management APIs application permissions:
          - ActivityFeed.Read – Application – Read activity data for your organization
        - Office 365 Exchange Online APIs application permissions:
          - Exchange.ManageAsApp – Application – Manage Exchange As Application
          - For required configuration, see Using an existing web application.
    - Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.
- Select the activity to audit:
  - Audit Logs: Audits Microsoft Entra user, group, application, and directory activity. A Change Auditor for Active Directory license is required.
  - Sign-ins: Audits Microsoft Entra user sign-in and sign-in risk event activity. A Change Auditor for Logon Activity User license is required.
- Click Select agent to view available agents and whether they are assigned to an auditing template. The Microsoft Entra cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.
  - NOTE:
    - You cannot use an agent that is already assigned for Microsoft Entra ID auditing.
    - GCC and GCCHigh tenants are not supported on agent versions lower than 7.5.
    - See the Change Auditor Release Notes for ports that must be opened on the agent server.
- Click Finish to create the template.
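One way to confirm that an existing web application holds exactly the application permissions listed above, and that admin consent took effect, is to inspect the `roles` claim of an app-only access token issued to it. The following is an added example, not part of the Change Auditor product or documentation; it assumes you already hold a token obtained for the application through the client credentials flow, the helper names are hypothetical, and the sample token is constructed and unsigned.

```python
import base64
import json

# Application permissions the page lists, keyed by the API that issues them.
REQUIRED = {
    "Microsoft Graph": {"AuditLog.Read.All", "Directory.Read.All",
                        "IdentityRiskEvent.Read.All"},
    "Office 365 Management APIs": {"ActivityFeed.Read"},
    "Office 365 Exchange Online": {"Exchange.ManageAsApp"},
}


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of an app-only token (inspection only, no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # The claim is absent when no application permission has been consented.
    return set(claims.get("roles", []))


def audit_roles(api: str, jwt: str) -> dict:
    """Compare the granted roles with the documented set for one API."""
    granted, required = token_roles(jwt), REQUIRED[api]
    return {
        "missing": sorted(required - granted),  # not assigned, or consent not granted
        "extra": sorted(granted - required),    # more privilege than the page requires
        "ok": granted == required,
    }


def make_sample_token(roles):
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    claims = {"appid": "00000000-0000-0000-0000-000000000000"}  # placeholder ID
    if roles is not None:
        claims["roles"] = roles
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(["AuditLog.Read.All", "Directory.Read.All",
                                "Directory.ReadWrite.All"])
    print(audit_roles("Microsoft Graph", sample))
```

Tokens are issued per API, so run the check once against a token for each API the application uses. An entry under `extra` is a prompt to review whether the application is shared with another purpose or is over-privileged.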