0 Votes
MalliBoppe-3688 asked vipulsparsh-MSFT commented

Azure AD Audit logs - Not showing the User who made the changes

Was investigating AD group membership changes. Checked the AD audit logs and found events related to group membership changes, but they don't show the account which made the changes. It says that the changes were initiated by an application called Microsoft Substrate Management and not the actual username.

Can anyone point me in the right direction on how to find out who made the group membership changes?

Initiated by (actor)
Type: Application
Display Name: Microsoft Substrate Management

We use Sentinel and it would be nice to set up an alert.

microsoft-sentinel

@MalliBoppe-3688 @MalliBoppe-2134 I wanted to follow up and know if the below responses helped in answering your query. If it did, please do not forget to accept the appropriate response as Answer.

0 Votes

1 Answer

1 Vote
vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@MalliBoppe-2134 “Microsoft Substrate Management” is a service principal used by Exchange Online during dual-writing operations to AAD. These audit log entries refer to create/update/delete operations executed by EXO to AAD. These entries are informational in nature, do not require any action, and there is no user because this is a service which is doing it; this can be ignored.

The event that you see is because of a dual-write concept which gets enabled on every tenant from the service side. Normally, when you create or modify a user’s properties via the Exchange Admin Center (EAC), Exchange Online PowerShell or another API, the change replicates to Azure Active Directory (AAD) through a sync mechanism which can take some time to complete. Simply put, you might not see the result of your change in AAD for a while due to this back-sync process.

In the dual-write state, when you make user object changes in Exchange, the changes will now be dual-written to AAD and EXO. The end result is that the replication of those properties should be close to immediate, and changes made in EXO will immediately reflect in AAD when the cmdlet completes successfully.

As part of dual-write operations, you will see audit log entries with actions taken by “Microsoft Substrate Management”.

Even if the admin uses the Microsoft Office admin portal for any group membership activity, the actions are captured in the Azure AD audit logs. For example, adding a member user to a group is reflected in the Azure AD audit logs like this:

[screenshot: 120316-image.png]


If you track the same event in Azure Sentinel, it does give you who initiated the request/changes:

[screenshot: 120288-image.png]

If you expand that, you will see the initiating actor:

[screenshot: 120279-image.png]



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
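As an added example (not part of the answer above, and not Microsoft's own query), the following KQL pulls group membership changes from the Sentinel AuditLogs table and resolves the initiator to either the user UPN or the application display name, so the dual-write entries from “Microsoft Substrate Management” can be separated from admin-initiated ones. It assumes the standard AuditLogs schema (InitiatedBy and TargetResources as dynamic columns) and the stock Azure AD operation names "Add member to group" and "Remove member from group".

```kusto
// Added example, not from the original answer: group membership changes with the initiator resolved.
// Assumes the standard Microsoft Sentinel AuditLogs schema.
AuditLogs
| where TimeGenerated > ago(3d)
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Remove member from group")
// InitiatedBy carries either a user or an app, never both.
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorApp  = tostring(InitiatedBy.app.displayName)
| extend InitiatorType = iff(isnotempty(InitiatorUser), "User", "Application")
| extend Initiator     = iff(isnotempty(InitiatorUser), InitiatorUser, InitiatorApp)
// The first target resource is the member being added or removed.
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// The group name is stored as a JSON-encoded string inside modifiedProperties.
| mv-apply mp = TargetResources[0].modifiedProperties on (
    where tostring(mp.displayName) == "Group.DisplayName"
    | summarize GroupName = take_any(tostring(parse_json(tostring(mp.newValue))))
  )
| project TimeGenerated, OperationName, Result, InitiatorType, Initiator, TargetUser, GroupName, CorrelationId
| order by TimeGenerated desc
// For an analytics rule that fires only on admin-initiated changes (ignoring the
// informational dual-write entries described above), append:
// | where InitiatorType == "User"
```

Dual-write entries show InitiatorType "Application" with Initiator "Microsoft Substrate Management"; changes made through the admin portal show the administrator's UPN under InitiatorType "User".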

Thanks Vipul.
The administrator that is making changes to group membership is using the admin.microsoft.com portal.
So is there a way to find out the administrator account who made the changes straight away? Is there any auditing capability in the M365 portal which can provide me the information?

1 Vote

@MalliBoppe-2134 I have updated my answer to reflect your current question as well; please check and do let me know if you need any help.

1 Vote

Thanks once again.
When I run the below Sentinel query I don't see any logs. There are definitely group membership changes in the last 3 days.
Same in the Azure AD portal. No logs.
Is there anything wrong with our tenant that I need to report to Microsoft support?

[screenshot: 120715-sentinel.png]

[screenshot: 120700-office365.png]

[screenshot: 120689-audit.png]


0 Votes