learn.microsoft.com
23.47.170.124  Public Scan

Submitted URL: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities
Effective URL: https://learn.microsoft.com/en-ca/entra/identity/monitoring-health/reference-audit-activities
Submission: On September 26 via manual from IN — Scanned from CA



MICROSOFT ENTRA AUDIT LOG CATEGORIES AND ACTIVITIES

 * Article
 * 2024-05-09
 * 25 contributors



IN THIS ARTICLE

     
 1.  Microsoft Entra Management UX
 2.  Access reviews
 3.  Account provisioning
 4.  Application proxy
 5.  Authentication Methods
 6.  Microsoft Entra Recommendations
 7.  Microsoft Entra multifactor authentication
 8.  B2B Auth
 9.  B2C
 10. Conditional Access
 11. Core Directory
 12. Device Registration Service
 13. Entitlement Management
 14. Global Secure Access
 15. Hybrid Authentication
 16. Invited users
 17. Lifecycle Workflows
 18. Microsoft Identity Manager (MIM) Service
 19. Mobility Management
 20. MyApps
 21. Privileged Identity Management (PIM)
 22. Self-service group management
 23. Self-service password management
 24. Terms of use
 25. Verified ID
 26. Next steps

Microsoft Entra audit logs collect all traceable activities within your
Microsoft Entra tenant. Audit logs can be used to determine who made a change to
a service, user, group, or other item.

This article provides a comprehensive list of the audit categories and their
related activities. To jump to a specific audit category, use the "In this
article" section.

Audit log activities and categories change periodically. The tables are updated
regularly, but might not be in sync with what is available in Microsoft Entra
ID. Provide us with feedback if you think there's a missing audit category or
activity.

 1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
 2. Browse to Identity > Monitoring & health > Audit logs.
 3. Adjust the filters accordingly.
 4. To view the details, select a row from the resulting table.




MICROSOFT ENTRA MANAGEMENT UX

| Audit Category | Activity |
| --- | --- |
| AdministrativeUnit | Bulk add members to administrative unit - finished (bulk) |
| AdministrativeUnit | Bulk remove members to administrative unit - finished (bulk) |
| AdministrativeUnit | started (bulk) |
| DeviceManagement | Bulk add authentication devices - finished (bulk) |
| DeviceManagement | Download devices - finished (bulk) |
| DeviceManagement | started (bulk) |
| DirectoryManagement | Bulk download hardware tokens - finished (bulk) |
| DirectoryManagement | Download registration and reset events - finished (bulk) |
| DirectoryManagement | Download role assignments - finished (bulk) |
| DirectoryManagement | Download service principals - finished (bulk) |
| DirectoryManagement | Download user registration details - finished (bulk) |
| DirectoryManagement | Download users - finished (bulk) |
| DirectoryManagement | Export summary data - finished (bulk) |
| DirectoryManagement | Export summary data new - finished (bulk) |
| DirectoryManagement | started (bulk) |
| GroupManagement | Bulk import group members - finished (bulk) |
| GroupManagement | Bulk remove group members - finished (bulk) |
| GroupManagement | Download group members - finished (bulk) |
| GroupManagement | Download groups - finished (bulk) |
| GroupManagement | started (bulk) |
| Policy | Add blocked user |
| Policy | Add bypass user |
| Policy | Clear block on user |
| Policy | Remove bypassed user |
| Policy | Update Sign-In Risk Policy |
| Policy | Update User Risk and MFA Registration Policy |
| UserManagement | Bulk create users - finished (bulk) |
| UserManagement | Bulk delete users - finished (bulk) |
| UserManagement | Bulk invite users - finished (bulk) |
| UserManagement | Bulk restore deleted users - finished (bulk) |
| UserManagement | Download users - finished (bulk) |
| UserManagement | started (bulk) |


ACCESS REVIEWS

With Microsoft Entra ID Governance access reviews, you can ensure users have the
appropriate access. Access review audit logs can tell you who initiated or ended
an access review. These logs can also tell you if any access review settings
were changed.

| Audit Category | Activity |
| --- | --- |
| DirectoryManagement | Create program |
| DirectoryManagement | Link program control |
| DirectoryManagement | Unlink program control |
| Policy | Access review ended |
| Policy | Apply decision |
| Policy | Approve decision |
| Policy | Bulk Approve decisions |
| Policy | Bulk Deny decisions |
| Policy | Bulk Reset decisions |
| Policy | Bulk mark decisions as don't know |
| Policy | Cancel request |
| Policy | Create access review |
| Policy | Create request |
| Policy | Delete access review |
| Policy | Delete approvals |
| Policy | Deny decision |
| Policy | Don't know decision |
| Policy | Request expired |
| Policy | Reset decision |
| Policy | Update access review |
| Policy | Update partner directory settings |
| Policy | Update request |
| UserManagement | Apply review |
| UserManagement | Approve all requests in business flow |
| UserManagement | Auto review |
| UserManagement | Auto apply review |
| UserManagement | Create business flow |
| UserManagement | Create governance policy template |
| UserManagement | Delete access review |
| UserManagement | Delete business flow |
| UserManagement | Delete governance policy template |
| UserManagement | Deny all decisions |
| UserManagement | Deny all requests in business flow |
| UserManagement | Request approved |
| UserManagement | Request denied |
| UserManagement | Update business flow |
| UserManagement | Update governance policy template |


ACCOUNT PROVISIONING

Configuration changes for application provisioning, HR provisioning,
cross-tenant synchronization, and Microsoft Entra Connect cloud sync are found
in this log. The provisioning service has only one audit category in the logs.
For actions that the provisioning service performs, such as creating users,
updating users, and deleting users, we recommend using the provisioning logs. For
monitoring changes to your provisioning configuration, we recommend using the
audit logs.

| Audit Category | Activity | Description |
| --- | --- | --- |
| ProvisioningManagement | Add provisioning configuration | A new provisioning configuration has been created. |
| ProvisioningManagement | Delete provisioning configuration | The provisioning configuration has been deleted. |
| ProvisioningManagement | Disable/pause provisioning configuration | The provisioning job has been disabled / paused. |
| ProvisioningManagement | Enable/restart provisioning configuration | The provisioning job has been restarted. |
| ProvisioningManagement | Enable/start provisioning configuration | The provisioning job has been started. |
| ProvisioningManagement | Export | The provisioning job has exported a change to the target system (ex: create a user). |
| ProvisioningManagement | Import | The provisioning job imported the object from the source system (ex: import the user properties in Entra before provisioning the account into Salesforce). |
| ProvisioningManagement | Other | |
| ProvisioningManagement | Process escrow | The provisioning service was unable to export a change to the target application and is retrying the operation. |
| ProvisioningManagement | Quarantine | The provisioning job is executing at a reduced frequency due to issues such as a lack of connectivity to the target application. |
| ProvisioningManagement | Synchronization rule action | The provisioning service evaluated the object and did not export a change to the target system. This event is most often emitted when a user is skipped due to being out of scope for provisioning. |
| ProvisioningManagement | Update attribute mappings or scope | The attribute mappings or scoping rules for the provisioning job have been updated. |
| ProvisioningManagement | Update provisioning setting or credentials | The settings on your provisioning job (ex: notification email change, sync all vs. sync assigned users and groups, accidental deletions prevention) have been updated. The credentials for your provisioning job (ex: add a new bearer token) have been updated. |
| ProvisioningManagement | User Provisioning | The schema for the provisioning job has been restored to the default. |


APPLICATION PROXY

If you're utilizing Application Proxy to provide your users with remote access
to internal apps, the Application Proxy audit logs can help you keep track of
changes to available applications or Connector groups.

| Audit Category | Activity |
| --- | --- |
| Application Management | Add application |
| Application Management | Delete application |
| Application Management | Update application |
| Authentication | Add a group to feature rollout |
| Authentication | Create rollout policy for feature |
| Authentication | Delete rollout policy of feature |
| Authentication | Remove a group from feature rollout |
| Authentication | Remove user from feature rollout |
| Authentication | Update rollout policy of feature |
| DirectoryManagement | Disable Desktop Sso |
| DirectoryManagement | Disable Desktop Sso for a specific domain |
| DirectoryManagement | Disable application proxy |
| DirectoryManagement | Disable passthrough authentication |
| DirectoryManagement | Enable Desktop Sso |
| DirectoryManagement | Enable Desktop Sso for a specific domain |
| DirectoryManagement | Enable application proxy |
| DirectoryManagement | Enable passthrough authentication |
| ResourceManagement | Add connector Group |
| ResourceManagement | Add a Connector to Connector Group |
| ResourceManagement | Add application SSL certificate |
| ResourceManagement | Delete Connector Group |
| ResourceManagement | Delete SSL binding |
| ResourceManagement | Register connector |
| ResourceManagement | Update Connector Group |


AUTHENTICATION METHODS

The audit logs for Authentication Methods can be used to make sure that your
users have registered their mobile device properly to enable multifactor
authentication.

Audit events related to GDPR and data protection are also found in this service,
in the DirectoryManagement category. These events include strings
like MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations and DSR Export:
MFA.PostgreSQL.bypassed_users_creations.

Note

For information about viewing or deleting personal data, see Azure Data Subject
Requests for the GDPR. For more information about GDPR, see the GDPR section of
the Microsoft Trust Center and the GDPR section of the Service Trust portal.

| Audit Category | Activity |
| --- | --- |
| ApplicationManagement | Assign Hardware Oath Token |
| ApplicationManagement | Authentication Methods Policy Reset |
| ApplicationManagement | Authentication Methods Policy Update |
| ApplicationManagement | Authentication Strength Combination Configuration Create |
| ApplicationManagement | Authentication Strength Combination Configuration Delete |
| ApplicationManagement | Authentication Strength Combination Configuration Update |
| ApplicationManagement | Authentication Strength Policy Create |
| ApplicationManagement | Authentication Strength Policy Delete |
| ApplicationManagement | Authentication Strength Policy Update |
| ApplicationManagement | Bulk upload Hardware Oath Token |
| ApplicationManagement | Create Hardware Oath Token |
| ApplicationManagement | DELETE Subscription.DeleteProviders |
| ApplicationManagement | DELETE Tenant.DeleteAgentStatuses |
| ApplicationManagement | DELETE Tenant.DeleteCaches |
| ApplicationManagement | DELETE Tenant.DeleteGreetings |
| ApplicationManagement | Delete Hardware Oath Token |
| ApplicationManagement | PATCH Tenant.Patch |
| ApplicationManagement | PATCH Tenant.PatchCaches |
| ApplicationManagement | PATCH UserAuthMethod.PatchSignInPreferencesAsync |
| ApplicationManagement | POST SoundFile.Post |
| ApplicationManagement | Subscription.CreateProvider |
| ApplicationManagement | Subscription.CreateSubscription |
| ApplicationManagement | POST Tenant.CreateBlockedUser |
| ApplicationManagement | POST Tenant.CreateBypassedUser |
| ApplicationManagement | POST Tenant.CreateCacheConfig |
| ApplicationManagement | POST Tenant.CreateGreeting |
| ApplicationManagement | POST Tenant.CreateOemTenant |
| ApplicationManagement | POST Tenant.CreateTenant |
| ApplicationManagement | POST Tenant.GenerateNewActivationCredentials |
| ApplicationManagement | POST Tenant.RemoveBlockedUser |
| ApplicationManagement | POST Tenant.RemoveBypassedUser |
| ApplicationManagement | Update Hardware Oath Token |
| DirectoryManagement | DELETE Subscription.DeleteProviders |
| DirectoryManagement | DELETE Tenant.DeleteAgentStatuses |
| DirectoryManagement | DELETE Tenant.DeleteCaches |
| DirectoryManagement | DELETE Tenant.DeleteGreetings |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-au.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-au.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-cn.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-cn.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-eu.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ff.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ff.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ge.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ge.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-gv.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-gv.authentications |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ww.activations |
| DirectoryManagement | DSR Delete: MFA.CosmosDB.mfa-prd-cust-rpt-ww.authentications |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.blocked_users |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.blocked_users_completions |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.blocked_creations |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.bypassed_users_completions |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.bypassed_users_creations |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.change_request_statuses |
| DirectoryManagement | DSR Delete: MFA.PostgreSQL.change_request |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-au.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-au.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-cn.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-cn.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-eu.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-eu.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ff.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ff.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ge.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ge.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-gv.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-gv.authentications |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ww.activations |
| DirectoryManagement | DSR Export: MFA.CosmosDB.mfa-prd-cust-rpt-ww.authentications |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.blocked_users |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.blocked_users_completions |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.blocked_creations |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.bypassed_users_completions |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.bypassed_users_creations |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.change_request_statuses |
| DirectoryManagement | DSR Export: MFA.PostgreSQL.change_request |
| DirectoryManagement | PATCH Tenant.Patch |
| DirectoryManagement | PATCH Tenant.PatchCaches |
| DirectoryManagement | POST SoundFile.Post |
| DirectoryManagement | POST Subscription.CreateProvider |
| DirectoryManagement | POST Subscription.CreateSubscription |
| DirectoryManagement | POST Tenant.CreateBlockedUser |
| DirectoryManagement | POST Tenant.CreateBypassedUser |
| DirectoryManagement | POST Tenant.CreateCacheConfig |
| DirectoryManagement | POST Tenant.CreateGreeting |
| DirectoryManagement | POST Tenant.CreateTenant |
| DirectoryManagement | POST Tenant.GenerateNewActivationCredentials |
| DirectoryManagement | POST Tenant.RemoveBlockedUser |
| DirectoryManagement | POST TenantRemoveBypassedUser |
| UserManagement | Admin deleted security info |
| UserManagement | Admin registered security info |
| UserManagement | Admin started password reset |
| UserManagement | Admin updated security info |
| UserManagement | Get passkey creation options |
| UserManagement | User canceled security info registration |
| UserManagement | User changed default security info |
| UserManagement | User deleted security info |
| UserManagement | User registered all required security info |
| UserManagement | User registered security info |
| UserManagement | User reviewed security info |
| UserManagement | User started password change |
| UserManagement | user started password reset |
| UserManagement | User started security info registration |
| UserManagement | User updated security info |




MICROSOFT ENTRA RECOMMENDATIONS

Microsoft Entra Recommendations monitors your Microsoft Entra tenant and
provides personalized insights and actionable guidance to implement best
practices for Microsoft Entra features and optimize your tenant configurations.
These logs provide a history of the changes made to the status of a
recommendation.

| Audit Category | Activity |
| --- | --- |
| DirectoryManagement | Dismiss recommendation |
| DirectoryManagement | Mark recommendation as complete |
| DirectoryManagement | Postpone recommendation |




MICROSOFT ENTRA MULTIFACTOR AUTHENTICATION

The Microsoft Entra multifactor authentication audit logs can help you track
trends in suspicious activity or when fraud was reported. Use the Microsoft
Entra sign-in logs to see each time a user signs in when MFA is required.

| Audit Category | Activity |
| --- | --- |
| UserManagement | Fraud reported - no action taken |
| UserManagement | Fraud reported - user is blocked for MFA |
| UserManagement | Suspicious activity reported |
| UserManagement | User registered security info |


B2B AUTH

| Audit Category | Activity |
| --- | --- |
| UserManagement | Redeem extern user invite |


B2C

This set of audit logs is related to B2C. Due to the number of connected
resources and potential external accounts, this service has a large set of
categories and activities. Audit categories include ApplicationManagement,
Authentication, Authorization, DirectoryManagement, IdentityProtection,
KeyManagement, PolicyManagement, and ResourceManagement. Logs related to
one-time passwords are found in the Other category.

Expand table

Audit Category Activity ApplicationManagement Add V2 application permissions
ApplicationManagement Create V2 application ApplicationManagement Delete V2
application ApplicationManagement Delete V2 application permission grant
ApplicationManagement Get V1 and V2 applications ApplicationManagement Get V1
application ApplicationManagement Get V1 applications ApplicationManagement Get
V2 application ApplicationManagement Get V2 applications ApplicationManagement
Retrieve V2 application permissions grants ApplicationManagement Retrieve V2
application service principals ApplicationManagement Update V2 application
ApplicationManagement Update V2 application permission grant Authentication A
self-service sign-up request was completed Authentication An API was called as
part of a user flow Authentication Delete all available strong authentication
devices Authentication Evaluate Conditional Access policies Authentication
Exchange token Authentication Federate with an identity provider Authentication
Get available strong authentication devices Authentication Issue a SAML
assertion to the application Authentication Issue an access token to the
application Authentication Issue an authorization code to the application
Authentication Issue an id_token to the application Authentication Make phone
call to verify phone number Authentication Register TOTP secret Authentication
Remediate user Authentication Send SMS to verify phone number Authentication
Send verification email Authentication Validate Client Credentials
Authentication | Validate local account credentials
Authentication | Validate user authentication
Authentication | Verify email address
Authentication | verify one time password
Authentication | Verify phone number
Authorization | Add v2 application permissions
Authorization | Check whether the resource name is available
Authorization | Create API connector
Authorization | Create Identity Provider
Authorization | Create authenticationEventListener
Authorization | Create authenticationEventsFlow
Authorization | Create custom identity provider
Authorization | Create custom policy
Authorization | Create customAuthenticationExtension
Authorization | Create or update a B2C directory resource
Authorization | Create or update a B2C directory tenant and resource
Authorization | Create or update a CIAM directory tenant and resource
Authorization | Create or update a Guest Usages resource
Authorization | Create or update localized resource
Authorization | Create policy key
Authorization | Create starter pack
Authorization | Create user attribute
Authorization | Create user flow
Authorization | Create v2 application
Authorization | Delete API connector
Authorization | Delete B2C Tenant where the caller is an administrator
Authorization | Delete B2C directory resource
Authorization | Delete CIAM directory resource
Authorization | Delete Guest Usages resource
Authorization | Delete Identity Provider
Authorization | Delete authenticationEventlistener
Authorization | Delete authenticationEventsFlow
Authorization | Delete custom policy
Authorization | Delete customAuthenticationExtension
Authorization | Delete localized resource
Authorization | Delete policy key
Authorization | Delete user attribute
Authorization | Delete user flow
Authorization | Delete v2 application
Authorization | Delete v2 application permission grant
Authorization | Generate key
Authorization | Get API connector
Authorization | Get API connectors
Authorization | Get B2C Tenants where the caller is an administrator
Authorization | Get B2C directory resource
Authorization | Get B2C directory resources in a resource group
Authorization | Get B2C directory resources in a subscription
Authorization | Get CIAM directory resource
Authorization | Get CIAM directory resources in a resource group
Authorization | Get CIAM directory resources in a subscription
Authorization | Get Guest Usages resources
Authorization | Get Guest Usages resources in a subscription
Authorization | Get Identity Provider
Authorization | Get Identity Providers
Authorization | Get OnAttributeCollectionStartCustomExtension
Authorization | Get OnAttributeCollectionSubmitCustomExtension
Authorization | Get OnPageRenderStartCustomExtension
Authorization | Get active key metadata from policy key
Authorization | Get age gating configuration
Authorization | Get authentication flows policy
Authorization | Get authenticationEventListener
Authorization | Get authenticationEventsFlow
Authorization | Get authenticationEventsFlows
Authorization | Get available output claims
Authorization | Get configured custom identity providers
Authorization | Get configured identity providers
Authorization | Get configured local identity providers
Authorization | Get custom domains
Authorization | Get custom identity provider
Authorization | Get custom policies
Authorization | Get custom policy
Authorization | Get custom policy metadata
Authorization | Get customAuthenticationExtension
Authorization | Get customAuthenticationExtensions
Authorization | Get identity provider types
Authorization | Get list of tenants
Authorization | Get localized resource
Authorization | Get operation status for an async operation
Authorization | Get operations of Microsoft.AzureActiveDirectory resource provider
Authorization | Get policy key
Authorization | Get policy keys
Authorization | Get resource properties of a tenant
Authorization | Get supported cultures
Authorization | Get supported identity providers
Authorization | Get supported page contracts
Authorization | Get tenant details
Authorization | Get tenant domains
Authorization | Get the authenticationEventsPolicy
Authorization | Get user attribute
Authorization | Get user attributes
Authorization | Get user flow
Authorization | Get user flows
Authorization | Get v1 and v2 applications
Authorization | Get v1 application
Authorization | Get v1 applications
Authorization | Get v2 application
Authorization | Get v2 applications
Authorization | Initialize tenant
Authorization | Move resources
Authorization | Restore policy key
Authorization | Retrieve v2 application permissions grants
Authorization | Retrieve v2 application service principals
Authorization | Update API connector
Authorization | Update Identity Provider
Authorization | Update OnAttributeCollectionStartCustomExtension
Authorization | Update OnAttributeCollectionSubmitCustomExtension
Authorization | Update OnPageRenderStartCustomExtension
Authorization | Update a B2C directory resource
Authorization | Update a CIAM directory resource
Authorization | Update a Guest Usages resource
Authorization | Update age gating configuration
Authorization | Update authentication flows policy
Authorization | Update authenticationEventListener
Authorization | Update authenticationEventsFlow
Authorization | Update authenticationEventsPolicy
Authorization | Update custom identity provider
Authorization | Update custom policy
Authorization | Update customAuthenticationExtension
Authorization | Update identity provider
Authorization | Update local identity provider
Authorization | Update policy key
Authorization | Update subscription status
Authorization | Update user attribute
Authorization | Update user flow
Authorization | Update v2 application
Authorization | Update v2 application permission grant
Authorization | Upload certificate to policy key
Authorization | Upload key to policy key
Authorization | Upload secret into policy key
Authorization | Validate customExtension authenticationConfiguration
Authorization | Validate move resources
Directory Management | Get age gating configuration
Directory Management | Get custom domains
Directory Management | Get list of tenants
Directory Management | Get resources properties of a tenant
Directory Management | Get tenant details
Directory Management | Get tenant domains
Directory Management | Initialize tenant
Directory Management | Update age gating configuration
IdentityProtection | Evaluate Conditional Access policies
IdentityProtection | Remediate user
KeyManagement | Create policy key
KeyManagement | Delete policy key
KeyManagement | Get active key metadata from policy key
KeyManagement | Get policy key
KeyManagement | Get policy keys
KeyManagement | Restore policy key
KeyManagement | Upload key to policy key
KeyManagement | Upload secret into policy key
Other | Generate one time password
Other | Verify one time password
PolicyManagement | Create authenticationEventListener
PolicyManagement | Create authenticationEventsFlow
PolicyManagement | Create customAuthenticationExtension
PolicyManagement | Delete authenticationEventListener
PolicyManagement | Delete authenticationEventsFlow
PolicyManagement | Delete customAuthenticationExtension
PolicyManagement | Get OnAttributeCollectionStartCustomExtension
PolicyManagement | Get OnAttributeCollectionSubmitCustomExtension
PolicyManagement | Get OnPageRenderStartCustomExtension
PolicyManagement | Get authenticationEventListener
PolicyManagement | Get authenticationEventListeners
PolicyManagement | Get authenticationEventsFlow
PolicyManagement | Get authenticationEventsFlows
PolicyManagement | Get customAuthenticationExtension
PolicyManagement | Get customAuthenticationExtensions
PolicyManagement | Get the authenticationEventsPolicy
PolicyManagement | Update OnAttributeCollectionStartCustomExtension
PolicyManagement | Update OnAttributeCollectionSubmitCustomExtension
PolicyManagement | Update OnPageRenderStartCustomExtension
PolicyManagement | Update authenticationEventListener
PolicyManagement | Update authenticationEventsFlow
PolicyManagement | Update authenticationEventsPolicy
PolicyManagement | Update customAuthenticationExtension
PolicyManagement | Validate customExtension authenticationConfiguration
ResourceManagement | Check whether the resource name is available
ResourceManagement | Create API connector
ResourceManagement | Create Identity Provider
ResourceManagement | Create custom identity provider
ResourceManagement | Create custom policy
ResourceManagement | Create or update a B2C directory resource
ResourceManagement | Create or update a B2C directory tenant and resource
ResourceManagement | Create or update a CIAM directory tenant and resource
ResourceManagement | Create or update a Guest Usages resource
ResourceManagement | Create or update a localized resource
ResourceManagement | Create policy key
ResourceManagement | Create user attribute
ResourceManagement | Create user flow
ResourceManagement | Delete API connector
ResourceManagement | Delete B2C Tenant where the caller is an administrator
ResourceManagement | Delete B2C directory resource
ResourceManagement | Delete CIAM directory resource
ResourceManagement | Delete Guest Usages resource
ResourceManagement | Delete Identity Provider
ResourceManagement | Delete custom policy
ResourceManagement | Delete localized resource
ResourceManagement | Delete policy key
ResourceManagement | Delete user attribute
ResourceManagement | Delete user flow
ResourceManagement | Generate key
ResourceManagement | Get API connector
ResourceManagement | Get API connectors
ResourceManagement | Get B2C Tenant where the caller is an administrator
ResourceManagement | Get B2C directory resource
ResourceManagement | Get B2C directory resources in a resource group
ResourceManagement | Get B2C directory resources in a subscription
ResourceManagement | Get CIAM directory resource
ResourceManagement | Get CIAM directory resources in a resource group
ResourceManagement | Get CIAM directory resources in a subscription
ResourceManagement | Get Guest Usages resource
ResourceManagement | Get Guest Usages directory resources in a resource group
ResourceManagement | Get Guest Usages directory resources in a subscription
ResourceManagement | Get Identity Provider
ResourceManagement | Get Identity Providers
ResourceManagement | Get active key metadata from policy key
ResourceManagement | Get authentication flows policy
ResourceManagement | Get available output claims
ResourceManagement | Get configured custom identity providers
ResourceManagement | Get configured identity providers
ResourceManagement | Get configured local identity providers
ResourceManagement | Get custom identity provider
ResourceManagement | Get custom policies
ResourceManagement | Get custom policy
ResourceManagement | Get custom policy metadata
ResourceManagement | Get identity provider
ResourceManagement | Get identity provider types
ResourceManagement | Get identity providers
ResourceManagement | Get localized resource
ResourceManagement | Get operation status of an async operation
ResourceManagement | Get operations of Microsoft.AzureActiveDirectory resource provider
ResourceManagement | Get policy key
ResourceManagement | Get policy keys
ResourceManagement | Get supported cultures
ResourceManagement | Get supported identity providers
ResourceManagement | Get supported page contracts
ResourceManagement | Get user attribute
ResourceManagement | Get user attributes
ResourceManagement | Get user flow
ResourceManagement | Get user flows
ResourceManagement | Move resources
ResourceManagement | Update API connector
ResourceManagement | Identity Provider
ResourceManagement | Update B2C directory resource
ResourceManagement | Update CIAM directory resource
ResourceManagement | Update Guest Usages resource
ResourceManagement | Update authentication flows policy
ResourceManagement | Update custom identity provider
ResourceManagement | Update custom policy
ResourceManagement | Update identity provider
ResourceManagement | Update local identity provider
ResourceManagement | Update policy key
ResourceManagement | Update subscription status
ResourceManagement | Update user attribute
ResourceManagement | Update user flow
ResourceManagement | Update certificate to policy key
ResourceManagement | Update secret into policy key
ResourceManagement | Validate move resources


CONDITIONAL ACCESS

Use these logs to see when changes were made to your Conditional Access
policies.

Audit Category | Activity
Policy | Add AuthenticationContextClassReference
Policy | Add Conditional Access policy
Policy | Add named location
Policy | Delete AuthenticationContextClassReference
Policy | Delete Conditional Access policy
Policy | Delete named location
Policy | Update AuthenticationContextClassReference
Policy | Update Conditional Access policy
Policy | Update continuous access evaluation
Policy | Update named location
Policy | Update security defaults


CORE DIRECTORY

Logs captured in the Core Directory service cover a wide variety of scenarios.
Changes to service principals and applications, updates to company settings, and
many other directory-related details are captured here. Because so many logs are
included in this service, use the filter options and date ranges to narrow
down the results.

Audit Category | Activity
AdministrativeUnit | Add administrative unit
AdministrativeUnit | Add member to administrative unit
AdministrativeUnit | Add member to restricted management administrative unit
AdministrativeUnit | Delete administrative unit
AdministrativeUnit | Hard Delete administrative unit
AdministrativeUnit | Remove member from administrative unit
AdministrativeUnit | Remove member from restricted management administrative unit
AdministrativeUnit | Restore administrative unit
AdministrativeUnit | Update administrative unit
Agreement | Add agreement
Agreement | Delete agreement
Agreement | Hard delete agreement
Agreement | Update agreement
ApplicationManagement | Add app role assignment to service principal
ApplicationManagement | Add application
ApplicationManagement | Add delegated permission grant
ApplicationManagement | Add owner to application
ApplicationManagement | Add owner to service principal
ApplicationManagement | Add policy to application
ApplicationManagement | Add policy to service principal
ApplicationManagement | Add service principal
ApplicationManagement | Add service principal credentials
ApplicationManagement | Cancel application update with safe rollout
ApplicationManagement | Complete application update after safe rollout
ApplicationManagement | Consent to application
ApplicationManagement | Delete application
ApplicationManagement | Hard Delete application
ApplicationManagement | Hard delete service principal
ApplicationManagement | Remove app role assignment from service principal
ApplicationManagement | Remove delegated permission grant
ApplicationManagement | Remove owner from application
ApplicationManagement | Remove owner from service principal
ApplicationManagement | Remove policy from application
ApplicationManagement | Remove policy from service principal
ApplicationManagement | Remove service principal
ApplicationManagement | Remove service principal credentials
ApplicationManagement | Restore application
ApplicationManagement | Restore service principal
ApplicationManagement | Restore consent
ApplicationManagement | Set verified publisher
ApplicationManagement | Unset verified publisher
ApplicationManagement | Update application
ApplicationManagement | Update application with safe rollout
ApplicationManagement | Update application - Certificates and secrets management
ApplicationManagement | Update external secrets
ApplicationManagement | Update service principal
AttributeManagement | Add an attribute set
AttributeManagement | Add custom security attribute definition in an attribute set
AttributeManagement | Update an attribute set
AttributeManagement | Update attribute values assigned to a servicePrincipal
AttributeManagement | Update attribute values assigned to a user
AttributeManagement | Update custom security attribute definition in an attribute set
AuthorizationPolicy | Update authorization policy
CertificateBasedAuthConfiguration | Add CertificationBasedAuthConfiguration
CertificateBasedAuthConfiguration | Delete CertificationBasedAuthConfiguration
Contact | Add contact
Contact | Delete contact
Contact | Update contact
CrossTenantAccessSettings | Add a partner to cross-tenant access setting
CrossTenantAccessSettings | Delete partner specific cross-tenant access setting
CrossTenantAccessSettings | Migrated partner cross-tenant access settings to the scalable model
CrossTenantAccessSettings | Reset the cross-tenant access default setting
CrossTenantAccessSettings | Update a partner cross-tenant access setting
CrossTenantAccessSettings | Update the company default cross-tenant access setting
CrossTenantIdentitySyncSettings | Create a partner cross-tenant identity sync setting
CrossTenantIdentitySyncSettings | Delete a partner cross-tenant identity sync setting
CrossTenantIdentitySyncSettings | Update a partner cross-tenant identity sync setting
Device | Add device
Device | Add registered owner to device
Device | Add registered users to device
Device | Delete device
Device | Device no longer compliant
Device | Device no longer managed
Device | Remove registered owner from device
Device | Remove registered users from device
Device | Update device
DeviceConfiguration | Add device configuration
DeviceConfiguration | Delete device configuration
DeviceConfiguration | Update device configuration
DeviceTemplate | Add device from DeviceTemplate
DeviceTemplate | Delete DeviceTemplate
DeviceTemplate | Update DeviceTemplate
DirectoryManagement | Add partner to company
DirectoryManagement | Add sharedEmailDomainInvitation
DirectoryManagement | Add unverified domain
DirectoryManagement | Add verified domain
DirectoryManagement | Create Company
DirectoryManagement | Create company settings
DirectoryManagement | Delete company allowed data location
DirectoryManagement | Delete company settings
DirectoryManagement | Delete subscription
DirectoryManagement | Demote partner
DirectoryManagement | Directory deleted
DirectoryManagement | Directory deleted permanently
DirectoryManagement | Directory scheduled for deletion (Lifecycle)
DirectoryManagement | Directory scheduled for deletion (UserRequest)
DirectoryManagement | Get cross-cloud verification code for domain
DirectoryManagement | Promote company to partner
DirectoryManagement | Promote sub domain to root domain
DirectoryManagement | Remove partner from company
DirectoryManagement | Remove unverified domain
DirectoryManagement | Remove verified domain
DirectoryManagement | Schedule Add sharedEmailDomain
DirectoryManagement | Schedule Remove sharedEmailDomain
DirectoryManagement | Set Company Information
DirectoryManagement | Set DirSync feature
DirectoryManagement | Set DirSyncEnabled flag
DirectoryManagement | Set Partnership
DirectoryManagement | Set accidental deletion threshold
DirectoryManagement | Set company allowed data location
DirectoryManagement | Set company multinational feature enabled
DirectoryManagement | Set directory feature on tenant
DirectoryManagement | Set domain authentication
DirectoryManagement | Set federation settings on domain
DirectoryManagement | Set password policy
DirectoryManagement | Update company
DirectoryManagement | Update company settings
DirectoryManagement | Update domain
DirectoryManagement | Update sharedEmailDomain
DirectoryManagement | Update sharedEmailDomainInvitation
DirectoryManagement | Verify domain
DirectoryManagement | Verify email verified domain
ExternalUserProfile | Create ExternalUserProfile
ExternalUserProfile | Delete ExternalUserProfile
ExternalUserProfile | Hard Delete ExternalUserProfile
ExternalUserProfile | Restore ExternalUserProfile
ExternalUserProfile | Update ExternalUserProfile
GroupManagement | Add app role assignment to group
GroupManagement | Add group
GroupManagement | Add member to group
GroupManagement | Add owner to group
GroupManagement | Assign label to group
GroupManagement | Create group settings
GroupManagement | Delete group
GroupManagement | Delete group settings
GroupManagement | Finish applying group based license to user
GroupManagement | Grant contextual consent to application
GroupManagement | Hard Delete group
GroupManagement | Remove app role assignment from group
GroupManagement | Remove label from group
GroupManagement | Remove member from group
GroupManagement | Remove owner from group
GroupManagement | Restore group
GroupManagement | Set group license
GroupManagement | Set group to be managed by user
GroupManagement | Start applying group based license to users
GroupManagement | Trigger group license recalculation
GroupManagement | Update group
GroupManagement | Update group settings
KerberosDomain | Add kerberos domain
KerberosDomain | Delete kerberos domain
KerberosDomain | Restore kerberos domain
KerberosDomain | Update kerberos domain
Label | Add label
Label | Delete label
Label | Update label
MicrosoftSupportAccessManagement | Approval approved
MicrosoftSupportAccessManagement | Approval removed
MicrosoftSupportAccessManagement | Request approved
MicrosoftSupportAccessManagement | Request canceled
MicrosoftSupportAccessManagement | Request created
MicrosoftSupportAccessManagement | Request created
MicrosoftSupportAccessManagement | Request rejected
MultiTenantOrg | Create a MultiTenantOrg
MultiTenantOrg | Hard Delete MultiTenantOrg
MultiTenantOrg | Update a MultiTenantOrg
MultiTenantOrgIdentitySyncPolicyUpdate | Reset a multi tenant org identity sync policy template
MultiTenantOrgIdentitySyncPolicyUpdate | Update a multi tenant org identity sync policy template
MultiTenantOrgPartnerConfigurationTemplate | Reset a multi tenant org partner configuration template
MultiTenantOrgPartnerConfigurationTemplate | Update a multi tenant org partner configuration template
MultiTenantOrgTenant | Add MultiTenantOrg tenant
MultiTenantOrgTenant | Delete MultiTenantOrg tenant
MultiTenantOrgTenant | Hard Delete MultiTenantOrg tenant
MultiTenantOrgTenant | Tenant joining MultiTenantOrg tenant
MultiTenantOrgTenant | Update MultiTenantOrg tenant
PendingExternalUserProfile | Create PendingExternalUserProfile
PendingExternalUserProfile | Delete PendingExternalUserProfile
PendingExternalUserProfile | Hard Delete PendingExternalUserProfile
PendingExternalUserProfile | Update PendingExternalUserProfile
PermissionGrantPolicy | Add permission grant policy
PermissionGrantPolicy | Delete permission grant policy
PermissionGrantPolicy | Update permission grant policy
Policy | Add owner to policy
Policy | Add policy
Policy | Delete policy
Policy | Remove owner from policy
Policy | Remove policy credentials
Policy | Update policy
PrivateEndpoint | Add PrivateEndpoint
PrivateEndpoint | Delete PrivateEndpoint
PrivateLinkResource | Add PrivateLinkResource
PrivateLinkResource | Delete PrivateLinkResource
PrivateLinkResource | Update PrivateLinkResource
RoleManagement | Add EligibleRoleAssignment to RoleDefinition
RoleManagement | Add eligible member to role
RoleManagement | Add member to role
RoleManagement | Add member to role scoped over Restricted Management Administrative Unit
RoleManagement | Add role assignment to role definition
RoleManagement | Add role definition
RoleManagement | Add role from template
RoleManagement | Add scoped member to role
RoleManagement | Delete role definition
RoleManagement | Remove EligibleRoleAssignment from RoleDefinition
RoleManagement | Remove eligible member from role
RoleManagement | Remove member from role
RoleManagement | Remove member from role scoped over Restricted Management Administrative Unit
RoleManagement | Remove role assignment from role definition
RoleManagement | Remove scoped member from role
RoleManagement | Update role
RoleManagement | Update role definition
SourceOfAuthorityPolicy | Add SOA policy
UserManagement | Add app role assignment to group
UserManagement | Add user
UserManagement | Add users strong authentication phone app detail
UserManagement | Change user license
UserManagement | Change user password
UserManagement | Convert federated user to managed
UserManagement | Create application password for user
UserManagement | Delete application password for user
UserManagement | Delete user
UserManagement | Disable Strong Authentication
UserManagement | Disable account
UserManagement | Enable Strong Authentication
UserManagement | Enable account
UserManagement | Hard Delete user
UserManagement | Remove app role assignment from user
UserManagement | Remove users strong authentication phone app detail
UserManagement | Reset password
UserManagement | Restore user
UserManagement | Set force change user password
UserManagement | Set user manager
UserManagement | Set user oath token metadata enabled
UserManagement | Update StsRefreshTokenValidFrom Timestamp
UserManagement | Update external secrets
UserManagement | Update user


DEVICE REGISTRATION SERVICE

If you need to manage Microsoft Entra ID and Microsoft Entra hybrid joined
devices, use the logs captured in the Device Registration Service to review
changes to devices.

Audit Category | Activity
Device | Delete pre-created device
Device | pre-create device
Device | Register device
Device | Reveal local administrator password
Device | Unregister device
Device | Update local administrator password
KeyManagement | Add BitLocker key
KeyManagement | Delete BitLocker key
KeyManagement | Read BitLocker key
Policy | Set device registration policies
UserManagement | Add FIDO2 security key
UserManagement | Add Windows Hello for Business credential
UserManagement | Add passwordless phone sign-in credential
UserManagement | Add platform credential
UserManagement | Delete FIDO2 security key(s)
UserManagement | Delete Windows Hello for Business credential
UserManagement | Delete passwordless phone sign-in credential
UserManagement | Delete platform credential


ENTITLEMENT MANAGEMENT

Use these logs to monitor changes to Entitlement Management settings.
Entitlement Management can be used to streamline how you assign members of
Microsoft Entra security groups, grant licenses for Microsoft 365, or provide
access to applications. Access reviews and Lifecycle workflows have separate
logs.

Audit Category | Activity
EntitlementManagement | Add Entitlement Management role assignment
EntitlementManagement | Administrator directly assigns user to access package
EntitlementManagement | Administrator directly removes user access package assignment
EntitlementManagement | Approval stage completed for access package assignment request
EntitlementManagement | Approve access package assignment request
EntitlementManagement | Assign user as external sponsor
EntitlementManagement | Assign user as internal sponsor
EntitlementManagement | Auto approve access package assignment request
EntitlementManagement | Cancel access package assignment request
EntitlementManagement | Create access package
EntitlementManagement | Create access package assignment policy
EntitlementManagement | Create access package assignment user update request
EntitlementManagement | Create access package catalog
EntitlementManagement | Create connected organization
EntitlementManagement | Create custom extension
EntitlementManagement | Create incompatible access package
EntitlementManagement | Create incompatible group
EntitlementManagement | Create resource environment
EntitlementManagement | Create resource remove request
EntitlementManagement | Create resource request
EntitlementManagement | Delete access package
EntitlementManagement | Delete access package assignment policy
EntitlementManagement | Delete access package assignment request
EntitlementManagement | Delete access package assignment policy for a deleted user
EntitlementManagement | Delete access package catalog
EntitlementManagement | Delete connected organization
EntitlementManagement | Delete custom extension
EntitlementManagement | Delete incompatible access package
EntitlementManagement | Delete incompatible group
EntitlementManagement | Deny access package assignment request
EntitlementManagement | Entitlement Management creates access package assignment request for user
EntitlementManagement | Entitlement Management removes access package assignment request for user
EntitlementManagement | Execute custom extension
EntitlementManagement | Extend access package assignment
EntitlementManagement | Failed access package assignment request
EntitlementManagement | Fulfill access package assignment request
EntitlementManagement | Fulfill access package resource assignment
EntitlementManagement | Partially fulfill access package assignment request
EntitlementManagement | Ready to fulfill access package assignment request
EntitlementManagement | Remove Entitlement Management role assignment
EntitlementManagement | Remove access package resource assignment
EntitlementManagement | Remove user as external sponsor
EntitlementManagement | Remove user as internal sponsor
EntitlementManagement | Schedule a future access package assignment
EntitlementManagement | Update access package
EntitlementManagement | Update access package assignment policy
EntitlementManagement | Update access package assignment request
EntitlementManagement | Update access package catalog
EntitlementManagement | Update access package catalog resource
EntitlementManagement | Update connected organization
EntitlementManagement | Update custom extension
EntitlementManagement | Update request answers by approver
EntitlementManagement | Update tenant setting
EntitlementManagement | User requests access package assignment
EntitlementManagement | User requests an access package assignment on behalf of service principal
EntitlementManagement | User requests to extend access package assignment
EntitlementManagement | User requests to remove access package assignment


GLOBAL SECURE ACCESS

If you're using Microsoft Entra Internet Access or Microsoft Entra Private
Access to acquire and secure network traffic to your corporate resources, these
logs can help identify when changes were made to your network policies. These
logs capture changes to traffic forwarding policies and remote networks, such as
branch office locations. For more information, see What is Global Secure Access.

Audit Category | Activity
ObjectManagement | Onboarding Process Started
ObjectManagement | Update Adaptive Access Policy
ObjectManagement | Update Enriched Audit Logs Settings
PolicyManagement | Create Branch
PolicyManagement | Create Filtering Policy
PolicyManagement | Create Filtering Policy Profile
PolicyManagement | Delete Filtering Policy
PolicyManagement | Delete Filtering Policy Profile
PolicyManagement | Create Forwarding Policy
PolicyManagement | Update Branch
PolicyManagement | Update Filtering Policy
PolicyManagement | Update Filtering Policy Profile
PolicyManagement | Update Filtering Profile
PolicyManagement | Update Forwarding Options Policy
PolicyManagement | Update Forwarding Policy
PolicyManagement | Update Forwarding Profile


HYBRID AUTHENTICATION

Audit Category | Activity
Authentication | Add user to feature rollout
Authentication | Remove user from feature rollout



MICROSOFT ENTRA ID PROTECTION

Audit Category | Activity
IdentityProtection | Update IdentityProtectionPolicy
IdentityProtection | Update NotificationSettings
Other | ConfirmAccountCompromised
Other | ConfirmCompromised
Other | ConfirmSafe
Other | ConfirmServicePrincipalCompromised
Other | DismissServicePrincipal
Other | DismissUser


INVITED USERS

Use the Invited users logs to help you manage the status of users who were
invited to collaborate as guests in your tenant. These logs can help
troubleshoot issues with invitations sent to external users.

Audit Category | Activity
UserManagement | Delete external user
UserManagement | Email not sent, user unsubscribed
UserManagement | Email subscribed
UserManagement | Email unsubscribed
UserManagement | Invite external user
UserManagement | Invite external user with reset invitation status
UserManagement | Invite internal user to B2B collaboration
UserManagement | Redeem external user invite
UserManagement | Viral user creation


LIFECYCLE WORKFLOWS

Lifecycle Workflows (preview) are a great way to automate identity-related
processes for joiners, movers, and leavers so you don't have to. For more
information, see Lifecycle Workflows audits.

Audit Category | Activity
Other | Create custom task extension
Other | Delete custom task extension
Other | Update custom task extension
TaskManagement | Add task to workflow
TaskManagement | Disable task
TaskManagement | Enable task
TaskManagement | Remove task from workflow
TaskManagement | Update task
WorkflowManagement | Add execution conditions
WorkflowManagement | Add workflow version
WorkflowManagement | Create workflow
WorkflowManagement | Delete workflow
WorkflowManagement | Disable workflow
WorkflowManagement | Disable workflow schedule
WorkflowManagement | Enable workflow
WorkflowManagement | Enable workflow schedule
WorkflowManagement | Hard delete workflow
WorkflowManagement | On-demand workflow execution completed
WorkflowManagement | Restore workflow
WorkflowManagement | Schedule workflow execution completed
WorkflowManagement | Schedule workflow execution started
WorkflowManagement | Set workflow for on-demand execution
WorkflowManagement | Update execution conditions
WorkflowManagement | Update tenant settings
WorkflowManagement | Update workflow


MICROSOFT IDENTITY MANAGER (MIM) SERVICE

If you're using MIM to automate identity and group provisioning based on
business policy and workflow, these audit logs can help track when changes were
made to groups and members through the MIM service.

Audit Category | Activity
GroupManagement | Add group
GroupManagement | Add member to group
GroupManagement | Add owner to group
GroupManagement | Delete group
GroupManagement | Remove member from group
GroupManagement | Remove owner from group
GroupManagement | Update group
UserManagement | User Password Registration
UserManagement | User Password Reset


MOBILITY MANAGEMENT

Audit Category | Activity
PolicyManagement | Delete policy
PolicyManagement | Update mobility management policy


MYAPPS

Use the MyApps audit logs to identify when an application was added to a
collection for your MyApp portal.

Audit Category | Activity
ApplicationManagement | Create application collection
ApplicationManagement | Delete application collection
ApplicationManagement | Update application collection
ApplicationManagement | Update application collection order
ApplicationManagement | Update preview settings


PRIVILEGED IDENTITY MANAGEMENT (PIM)

Many of the activities captured in the PIM audit logs are similar, so take note
of details like renew, timebound, and permanent. PIM activities can generate
many logs in a 24-hour period, so use the filters to narrow things down. For
more information on the audit capabilities within the PIM service, see View
audit history for Microsoft Entra roles in PIM.

Audit Category | Activity
ApplicationManagement | Add member to role approval requested (PIM activation)
ApplicationManagement | Add member to role in PIM completed (timebound)
ApplicationManagement | Add member to role in PIM requested (timebound)
ApplicationManagement | Approve request - direct role assignment
ApplicationManagement | PIM activation request expired
ApplicationManagement | PIM policy removed
ApplicationManagement | Remove member from role in PIM completed (timebound)
ApplicationManagement | Remove request
ApplicationManagement | Role definition created
ApplicationManagement | Update role setting in PIM
GroupManagement | Add eligible member to role in PIM canceled (renew)
GroupManagement | Add eligible member to role in PIM canceled (timebound)
GroupManagement | Add eligible member to role in PIM completed (permanent)
GroupManagement | Add eligible member to role in PIM completed (timebound)
GroupManagement | Add eligible member to role in PIM requested (permanent)
GroupManagement | Add eligible member to role in PIM requested (renew)
GroupManagement | Add eligible member to role in PIM requested (timebound)
GroupManagement | Add member to role approval requested (PIM activation)
GroupManagement | Add member to role canceled (PIM activation)
GroupManagement | Add member to role completed (PIM activation)
GroupManagement | Add member to role in PIM canceled (permanent)
GroupManagement | Add member to role in PIM canceled (renew)
GroupManagement | Add member to role in PIM canceled (timebound)
GroupManagement | Add member to role in PIM completed (permanent)
GroupManagement | Add member to role in PIM completed (timebound)
GroupManagement | Add member to role in PIM requested (permanent)
GroupManagement | Add member to role in PIM requested (renew)
GroupManagement | Add member to role in PIM requested (timebound)
GroupManagement | Add member to role request approved (PIM activation)
GroupManagement | Add member to role request denied (PIM activation)
GroupManagement | Add member to role requested (PIM activation)
GroupManagement | Cancel request
GroupManagement | Cancel request for role removal
GroupManagement | Cancel request for role update
GroupManagement | Offboarded resource from PIM
GroupManagement | Onboarded resource to PIM
GroupManagement | PIM activation request expired
GroupManagement | PIM policy removed
GroupManagement | Process request
GroupManagement | Process role removal request
GroupManagement | Remove eligible member from role in PIM completed (permanent)
GroupManagement | Remove eligible member from role in PIM completed (timebound)
GroupManagement | Remove eligible member from role in PIM requested (permanent)
GroupManagement | Remove eligible member from role in PIM requested (timebound)
GroupManagement | Remove member from role (PIM activation expired)
GroupManagement | Remove member from role completed (PIM deactivate)
GroupManagement | Remove member from role in PIM completed (permanent)
GroupManagement | Remove member from role in PIM completed (timebound)
GroupManagement | Remove member from role in PIM requested (permanent)
GroupManagement | Remove member from role in PIM requested (timebound)
GroupManagement | Remove member from role requested (PIM deactivate)
GroupManagement | Remove permanent direct role assignment
GroupManagement | Remove permanent eligible role assignment
GroupManagement | Remove request
GroupManagement | Resource updated
GroupManagement | Restore eligible member from role in PIM completed
GroupManagement | Restore member from role
GroupManagement | Restore member from role in PIM completed
GroupManagement | Restore permanent direct role assignment
GroupManagement | Update eligible member in PIM canceled (extend)
GroupManagement | Update eligible member in PIM requested (extend)
GroupManagement | Update member in PIM approved by admin (extend/renew)
GroupManagement | Update member in PIM canceled (extend)
GroupManagement | Update member in PIM denied by admin (extend/renew)
GroupManagement | Update member in PIM requested (extend)
GroupManagement | Update role setting in PIM
ResourceManagement | Add eligible member to role in PIM canceled (permanent)
ResourceManagement | Add eligible member to role in PIM canceled (renew)
ResourceManagement | Add eligible member to role in PIM canceled (timebound)
ResourceManagement | Add eligible member to role in PIM completed (permanent)
ResourceManagement | Add eligible member to role in PIM completed (timebound)
ResourceManagement | Add eligible member to role in PIM requested (permanent)
ResourceManagement | Add eligible member to role in PIM requested (renew)
ResourceManagement | Add eligible member to role in PIM requested (timebound)
ResourceManagement | Add member to role approval requested (PIM activation)
ResourceManagement | Add member to role canceled (PIM activation)
ResourceManagement | Add member to role completed (PIM activation)
ResourceManagement | Add member to role in PIM canceled (renew)
ResourceManagement | Add member to role in PIM canceled (timebound)
ResourceManagement | Add member to role in PIM completed (permanent)
ResourceManagement | Add member to role in PIM completed (timebound)
ResourceManagement | Add member to role in PIM requested (permanent)
ResourceManagement | Add member to role in PIM requested (renew)
ResourceManagement | Add member to role in PIM requested (timebound)
ResourceManagement | Add member to role outside of PIM (permanent)
ResourceManagement | Add member to role request approved (PIM activation)
ResourceManagement | Add member to role request denied (PIM activation)
ResourceManagement | Add member to role requested (PIM activation)
ResourceManagement | Cancel request
ResourceManagement | Cancel request for role removal
ResourceManagement | Cancel request for role update
ResourceManagement | Deactivate PIM alert
ResourceManagement | Disable PIM alert
ResourceManagement | Enable PIM alert
ResourceManagement | Offboarded resource from PIM
ResourceManagement | Onboarded resource from PIM
ResourceManagement | PIM activation request expired
ResourceManagement | PIM policy removed
ResourceManagement | Process request
ResourceManagement | Process role removal request
ResourceManagement | Process role update request
ResourceManagement | Remove eligible member from role in PIM completed (permanent)
ResourceManagement | Remove eligible member from role in PIM completed (timebound)
ResourceManagement | Remove eligible member from role in PIM requested (permanent)
ResourceManagement | Remove eligible member from role in PIM requested (timebound)
ResourceManagement | Remove member from role (PIM activation expired)
ResourceManagement | Remove member from role completed (PIM deactivate)
ResourceManagement | Remove member from role in PIM completed (permanent)
ResourceManagement | Remove member from role in PIM completed (timebound)
ResourceManagement | Remove member from role in PIM requested (permanent)
ResourceManagement | Remove member from role in PIM requested (timebound)
ResourceManagement | Remove member from role requested (PIM deactivate)
ResourceManagement | Remove permanent direct role assignment
ResourceManagement | Remove permanent eligible role assignment
ResourceManagement | Remove request
ResourceManagement | Resolve PIM alert
ResourceManagement | Resource updated
ResourceManagement | Restore eligible member from role in PIM completed
ResourceManagement | Restore member from role
ResourceManagement | Restore member from role in PIM completed
ResourceManagement | Restore permanent direct role assignment
ResourceManagement | Restore permanent eligible role assignment
ResourceManagement | Tenant offboarded from PIM
ResourceManagement | Triggered PIM alert
ResourceManagement | Update eligible member in PIM canceled (extend)
ResourceManagement | Update eligible member in PIM requested (extend)
ResourceManagement | Update member in PIM approved by admin (extend/renew)
ResourceManagement | Update member in PIM canceled (extend)
ResourceManagement | Update member in PIM denied by admin (extend/renew)
ResourceManagement | Update member in PIM requested (extend)
ResourceManagement | Update role setting in PIM
RoleManagement | Add eligible member to role in PIM canceled (permanent)
RoleManagement | Add eligible member to role in PIM canceled (renew)
RoleManagement | Add eligible member to role in PIM canceled (timebound)
RoleManagement | Add eligible member to role in PIM completed (permanent)
RoleManagement | Add eligible member to role in PIM completed (timebound)
RoleManagement | Add eligible member to role in PIM requested (permanent)
RoleManagement | Add eligible member to role in PIM requested (renew)
RoleManagement | Add eligible member to role in PIM requested (timebound)
RoleManagement | Add member to role approval requested (PIM activation)
RoleManagement | Add member to role canceled (PIM activation)
RoleManagement | Add member to role completed (PIM activation)
RoleManagement | Add member to role in PIM canceled (renew)
RoleManagement | Add member to role in PIM canceled (timebound)
RoleManagement | Add member to role in PIM completed (permanent)
RoleManagement | Add member to role in PIM completed (timebound)
RoleManagement | Add member to role in PIM requested (permanent)
RoleManagement | Add member to role in PIM requested (renew)
RoleManagement | Add member to role in PIM requested (timebound)
RoleManagement | Add member to role outside of PIM (permanent)
RoleManagement | Add member to role request approved (PIM activation)
RoleManagement | Add member to role request denied (PIM activation)
RoleManagement | Add member to role requested (PIM activation)
RoleManagement | Cancel request for role removal
RoleManagement | Cancel request for role update
RoleManagement | Deactivate PIM alert
RoleManagement | Disable PIM alert
RoleManagement | Enable PIM alert
RoleManagement | Offboarded resource from PIM
RoleManagement | Onboarded resource from PIM
RoleManagement | PIM activation request expired
RoleManagement | PIM policy removed
RoleManagement | Process request
RoleManagement | Process role removal request
RoleManagement | Process role update request
RoleManagement | Refresh PIM alert
RoleManagement | Remove eligible member from role in PIM completed (permanent)
RoleManagement | Remove eligible member from role in PIM completed (timebound)
RoleManagement | Remove eligible member from role in PIM requested (permanent)
RoleManagement | Remove eligible member from role in PIM requested (timebound)
RoleManagement | Remove member from role (PIM activation expired)
RoleManagement | Remove member from role completed (PIM deactivate)
RoleManagement | Remove member from role in PIM completed (permanent)
RoleManagement | Remove member from role in PIM completed (timebound)
RoleManagement | Remove member from role in PIM requested (permanent)
RoleManagement | Remove member from role in PIM requested (timebound)
RoleManagement | Remove member from role requested (PIM deactivate)
RoleManagement | Remove permanent direct role assignment
RoleManagement | Remove permanent eligible role assignment
RoleManagement | Remove request
RoleManagement | Resolve PIM alert
RoleManagement | Restore eligible member from role in PIM completed
RoleManagement | Restore member from role
RoleManagement | Restore member from role in PIM completed
RoleManagement | Restore permanent direct role assignment
RoleManagement | Restore permanent eligible role assignment
RoleManagement | Tenant offboarded from PIM
RoleManagement | Triggered PIM alert
RoleManagement | Update PIM alert setting
RoleManagement | Update eligible member in PIM canceled (extend)
RoleManagement | Update eligible member in PIM requested (extend)
RoleManagement | Update member in PIM approved by admin (extend/renew)
RoleManagement | Update member in PIM canceled (extend)
RoleManagement | Update member in PIM denied by admin (extend/renew)
RoleManagement | Update member in PIM requested (extend)
RoleManagement | Update role setting in PIM


SELF-SERVICE GROUP MANAGEMENT

Users in your tenant can manage many aspects of their group memberships on their
own. Use the Self-service group management logs to help troubleshoot issues with
these scenarios.

Many of the activities in this group are associated with background processes
related to a user's activity. For example, you might see multiple
Features_GetFeaturesAsync instances in your logs when a user accesses the MyApps
or MyGroups portal. This activity doesn't indicate if the user made any changes.
Other activities such as GroupsODataV4_Get often occur in groups for similar
user actions.

Audit Category | Activity
GroupManagement | ApprovalNotification_Create
GroupManagement | Autorenew group
GroupManagement | Approval_Act
GroupManagement | Approval_Get
GroupManagement | Approval_GetAll
GroupManagement | Approvals_ActOnApproval
GroupManagement | Approvals_Post
GroupManagement | Approve a pending request to join a group
GroupManagement | Cancel a pending request to join a group
GroupManagement | Create lifecycle management policy
GroupManagement | Delete a pending request to join a group
GroupManagement | Delete lifecycle management policy
GroupManagement | Device_Create
GroupManagement | Device_Delete
GroupManagement | Device_Get
GroupManagement | Device_GetAll
GroupManagement | Features_GetFeaturesAsync
GroupManagement | Features_IsFeatureEnabledAsync
GroupManagement | Features_UpdateFeaturesAsync
GroupManagement | GroupLifecyclePolicies_Get
GroupManagement | GroupLifecyclePolicies_addGroup
GroupManagement | GroupLifecyclePolicies_removeGroup
GroupManagement | Group_AddMember
GroupManagement | Group_AddOwner
GroupManagement | Group_BatchValidateDynamicMembership
GroupManagement | Group_Create
GroupManagement | Group_Delete
GroupManagement | Group_Get
GroupManagement | Group_GetAll
GroupManagement | Group_GetDynamicGroupProperties
GroupManagement | Group_GetDynamicMembershipDeviceAttributes
GroupManagement | Group_GetDynamicMembershipOperators
GroupManagement | Group_GetDynamicMembershipUserBaseAttributes
GroupManagement | Group_GetExpiryNotificationDate
GroupManagement | Group_GetMembers
GroupManagement | Group_GetOwners
GroupManagement | Group_RemoveMember
GroupManagement | Group_RemoveOwner
GroupManagement | Group_Restore
GroupManagement | Group_Update
GroupManagement | Group_ValidateDynamicMembership
GroupManagement | GroupsODataV4_Get
GroupManagement | GroupsODataV4_GetgroupLifecyclePolicies
GroupManagement | GroupsODataV4_evaluateDynamicMembership
GroupManagement | Groups_CreateLink
GroupManagement | Groups_Get
GroupManagement | LcmPolicy_Get
GroupManagement | LcmPolicy_RenewGroup
GroupManagement | Reject a pending request to join a group
GroupManagement | Renew group
GroupManagement | Request to join a group
GroupManagement | Settings_GetSettingsAsync
GroupManagement | Update lifecycle management policy
GroupManagement | User_Create
GroupManagement | User_Delete
GroupManagement | User_Get
GroupManagement | User_GetAll
GroupManagement | User_GetMemberOf
GroupManagement | User_GetOwnedObjects
Other | ApprovalNotification_Create
UserManagement | Updated ConvergedUXV2 feature value
UserManagement | Updated MyApps feature value
UserManagement | Update MyStaff feature value
UserManagement | Updated SSPRConvergence feature value
UserManagement | Updated SignInReports feature value


SELF-SERVICE PASSWORD MANAGEMENT

The Self-service password management logs provide insight into changes made to
passwords by users and admins or when users register for self-service password
reset.

Audit Category | Activity
DirectoryManagement | Disable password writeback for directory
DirectoryManagement | Enable password writeback for directory
UserManagement | Blocked from self-service password reset
UserManagement | Change password (self-service)
UserManagement | Reset password (by admin)
UserManagement | Reset password (self-service)
UserManagement | Security info saved for self-service password reset
UserManagement | Self-service password reset flow activity progress
UserManagement | Unlock user account (self-service)


TERMS OF USE

Audit Category | Activity
Policy | Accept Terms Of Use
Policy | Create Terms Of Use
Policy | Decline Terms Of Use
Policy | Delete Consent
Policy | Delete Terms Of Use
Policy | Edit Terms Of Use
Policy | Publish Terms Of Use


VERIFIED ID

Audit Category | Activity
ResourceManagement | Create authority
ResourceManagement | Create contract
ResourceManagement | Create issuance policy
ResourceManagement | Delete issuance policy
ResourceManagement | Process POST /authorities/:issuerId/didInfo/signingKeys/rotate request
ResourceManagement | Process POST /authorities/:issuerId/didInfo/signingKeys/synchronizeWithDidDocument request
ResourceManagement | Revoke credential
ResourceManagement | Rotate signing key
ResourceManagement | Tenant onboarding
ResourceManagement | Tenant opt-out
ResourceManagement | Update MyAccount settings
ResourceManagement | Update authority
ResourceManagement | Update contract
ResourceManagement | Update issuance policy
ResourceManagement | Update linked domains


NEXT STEPS

 * Microsoft Entra monitoring and health overview.
 * Audit logs report
 * Programmatic access to Microsoft Entra reports




