Azure AD audit activity reference
With Azure Active Directory (Azure AD) reports, you can get the information you need to determine how your environment is doing.
The reporting architecture in Azure AD consists of the following components:
Activity reports
- Sign-ins – Provides information about the usage of managed applications and user sign-in activities
- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD.
Security reports
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
This articles lists the audit activities that can be logged in your audit logs.
Access reviews
| Audit Category | Activity |
|---|---|
| Access Reviews | Access review ended |
| Access Reviews | Add approver to request approval |
| Access Reviews | Add reviewer to access review |
| Access Reviews | Apply access review |
| Access Reviews | Create access review |
| Access Reviews | Create program |
| Access Reviews | Create request approval |
| Access Reviews | Delete access review |
| Access Reviews | Delete program |
| Access Reviews | Link program control |
| Access Reviews | Onboard to Azure AD Access Reviews |
| Access Reviews | Remove reviewer from access review |
| Access Reviews | Request Stop Review |
| Access Reviews | Request apply review result |
| Access Reviews | Review Rbac Role membership |
| Access Reviews | Review app assignment |
| Access Reviews | Review group membership |
| Access Reviews | Review request approval request |
| Access Reviews | Unlink program control |
| Access Reviews | Update Access Review |
| Access Reviews | Update Azure AD Access Reviews Onboarding status |
| Access Reviews | Update access review mail notification settings |
| Access Reviews | Update access review recurrence count setting |
| Access Reviews | Update access review recurrence duration in days setting |
| Access Reviews | Update access review recurrence end type setting |
| Access Reviews | Update access review recurrence type setting |
| Access Reviews | Update access review reminder settings |
| Access Reviews | Update program |
| Access Reviews | Update request approval |
| Access Reviews | User disabled |
Account provisioning
| Audit Category | Activity |
|---|---|
| Application Management | Retrieve V2 application permissions grants |
| Application Management | Retrieve V2 application service principals in the current tenant |
| Application Management | Update V1 application |
| Application Management | Update V2 application |
| Application Management | Update V2 application permission grant |
| Application Management | Add OAuth2PermissionGrant |
| Application Management | Add app role assignment to service principal |
Application proxy
| Audit Category | Activity |
|---|---|
| Application Management | Add application |
| Application Management | Add owner to application |
| Application Management | Add owner to service principal |
| Application Management | Add policy to service principal |
| Directory Management | Add service principal |
| Directory Management | Add service principal credentials |
| Directory Management | Consent to application |
| Directory Management | Delete application |
| Directory Management | Hard Delete application |
| Directory Management | Remove OAuth2PermissionGrant |
| Directory Management | Remove app role assignment from service principal |
| Directory Management | Remove owner from application |
| Resource | Remove owner from service principal |
| Resource | Remove policy from service principal |
| Resource | Remove service principal |
Automated password rollover
| Audit Category | Activity |
|---|---|
| Application Management | Remove service principal credentials |
B2C
| Audit Category | Activity |
|---|---|
| Application Management | Restore application |
| Application Management | Revoke consent |
| Application Management | Update application |
| Application Management | Update external secrets |
| Application Management | Update service principal |
| Application Management | Issue an access token to the application |
| Application Management | Issue an authorization code to the application |
| Application Management | Issue an id_token to the application |
| Application Management | Validate local account credentials |
| Application Management | Validate user authentication |
| Application Management | Add V2 application permissions |
| Application Management | Add a key based on ASCII secret to a CPIM key container |
| Application Management | Add a key to a CPIM key container |
| Application Management | AdminPolicyDatas-SetResources |
| Application Management | AdminUserJourneys-GetResources |
| Application Management | AdminUserJourneys-RemoveResources |
| Authentication | AdminUserJourneys-SetResources |
| Authentication | Create IdentityProvider |
| Authentication | Create V1 application |
| Authentication | Create V2 application |
| Authentication | Create a custom domains in the tenant |
| Authorization | Create a new AdminUserJourney |
| Authorization | Create localized resource json |
| Authorization | Create new Custom IDP |
| Authorization | Create new IDP |
| Authorization | Create or update a B2C directory resource |
| Authorization | Create policy |
| Authorization | Create trustFramework policy |
| Authorization | Create trustFramework policy with configurable prefix |
| Authorization | Create user attribute |
| Authorization | CreateTrustFrameworkPolicy |
| Authorization | Creates or Update a new AdminUserJourney |
| Authorization | Delete IDP |
| Authorization | Delete IdentityProvider |
| Authorization | Delete V1 application |
| Authorization | Delete V2 application |
| Authorization | Delete V2 application permission grant |
| Authorization | Delete a B2C directory resource |
| Authorization | Delete a CPIM key container |
| Authorization | Delete trustFramework policy |
| Authorization | Delete user attribute |
| Authorization | Enable B2C feature |
| Authorization | Get B2C directory resources in a subscription |
| Authorization | Get Custom IDP |
| Authorization | Get IDP |
| Authorization | Get V1 and V2 applications |
| Authorization | Get V1 application |
| Authorization | Get V1 applications |
| Authorization | Get V2 application |
| Authorization | Get V2 applications |
| Authorization | Get a B2C directory resource |
| Authorization | Get a list of custom domains in the tenant |
| Authorization | Get a user journey |
| Authorization | Get allowed application claims for user journey |
| Authorization | Get allowed self-asserted claims for user journey |
| Authorization | Get allowed self-asserted claims of policy |
| Authorization | Get available output claims list |
| Authorization | Get content definitions for user journey |
| Authorization | Get idps for a specific admin flow |
| Authorization | Get key container active key metadata in JWK |
| Authorization | Get list of all admin flows |
| Authorization | Get list of tags for all admin flows for all users |
| Authorization | Get list of tenants for a user |
| Authorization | Get local accounts' self-asserted claims |
| Authorization | Get localized resource json |
| Authorization | Get operations of Microsoft.AzureActiveDirectory resource provider |
| Authorization | Get policies |
| Authorization | Get policy |
| Authorization | Get resource properties of a tenant |
| Authorization | Get supported IDP list |
| Authorization | Get supported IDP list of the user journey |
| Authorization | Get tenant Info |
| Authorization | Get tenant allowed features |
| Authorization | Get tenant defined Custom IDP list |
| Authorization | Get tenant defined IDP list |
| Authorization | Get tenant defined local IDP list |
| Authorization | Get tenant details for a user for resource creation |
| Authorization | Get tenant list |
| Authorization | Get tenantDomains |
| Authorization | Get the default supported culture for CPIM |
| Authorization | Get the details of an admin flow |
| Authorization | Get the list of UserJourneys for this tenant |
| Authorization | Get the set of available supported cultures for CPIM |
| Authorization | Get trustFramework policy |
| Authorization | Get trustFramework policy as xml |
| Authorization | Get user attribute |
| Authorization | Get user attributes |
| Authorization | Get user journey list |
| Authorization | GetIEFPolicies |
| Authorization | GetIdentityProviders |
| Authorization | GetTrustFrameworkPolicy |
| Authorization | Gets a CPIM key container in jwk format |
| Authorization | Gets list of key containers in the tenant |
| Authorization | Gets the type of tenant |
| Authorization | MigrateTenantMetadata |
| Authorization | Patch IdentityProvider |
| Authorization | PutTrustFrameworkPolicy |
| Authorization | PutTrustFrameworkpolicy |
| Authorization | Remove a user journey |
| Authorization | Restore a CPIM key container backup |
| Authorization | Retrieve V2 application permissions grants |
| Authorization | Retrieve V2 application service principals in the current tenant |
| Authorization | Update Custom IDP |
| Authorization | Update IDP |
| Authorization | Update Local IDP |
| Authorization | Update V1 application |
| Authorization | Update V2 application |
| Authorization | Update V2 application permission grant |
| Authorization | Update policy |
| Authorization | Update user attribute |
| Authorization | Upload a CPIM encrypted key |
| Authorization | User Authorization: API is disabled for tenant featureset |
| Authorization | User Authorization: User granted access as 'Tenant Admin' |
| Authorization | User Authorization: User was granted 'Authenticated Users' access rights |
| Authorization | Verify if B2C feature is enabled |
| Authorization | Verify if feature is enabled |
| Authorization | Create program |
| Authorization | Delete program |
| Authorization | Link program control |
| Authorization | Onboard to Azure AD Access Reviews |
| Authorization | Unlink program control |
| Authorization | Update program |
| Authorization | Disable Desktop Sso |
| Authorization | Disable Desktop Sso for a specific domain |
| Authorization | Disable application proxy |
| Authorization | Disable passthrough authentication |
| Authorization | Enable Desktop Sso |
| Directory Management | Enable Desktop Sso for a specific domain |
| Directory Management | Enable application proxy |
| Directory Management | Enable passthrough authentication |
| Directory Management | Create a custom domains in the tenant |
| Directory Management | Enable B2C feature |
| Directory Management | Get a list of custom domains in the tenant |
| Directory Management | Get resource properties of a tenant |
| Directory Management | Get tenant Info |
| Directory Management | Get tenant allowed features |
| Directory Management | Get tenantDomains |
| Key | Gets the type of tenant |
| Key | Verify if B2C feature is enabled |
| Key | Verify if feature is enabled |
| Key | Add partner to company |
| Key | Add unverified domain |
| Key | Add verified domain |
| Key | Create company |
| Key | Create company settings |
| Key | Delete company settings |
| Key | Demote partner |
| Key | Directory deleted |
| Other | Directory deleted permanently |
| Other | Directory scheduled for deletion |
| Resource | Promote company to partner |
| Resource | Purge rights management properties |
| Resource | Remove partner from company |
| Resource | Remove unverified domain |
| Resource | Remove verified domain |
| Resource | Set Company Information |
| Resource | Set DirSync feature |
| Resource | Set DirSyncEnabled flag |
| Resource | Set Partnership |
| Resource | Set accidental deletion threshold |
| Resource | Set company allowed data location |
| Resource | Set company multinational feature enabled |
| Resource | Set directory feature on tenant |
| Resource | Set domain authentication |
| Resource | Set federation settings on domain |
| Resource | Set password policy |
| Resource | Set rights management properties |
| Resource | Update company |
| Resource | Update company settings |
| Resource | Update domain |
| Resource | Verify domain |
| Resource | Verify email verified domain |
| Resource | Onboarding |
| Resource | Update alert settings |
| Resource | Update weekly digest settings |
| Resource | Disable password writeback for directory |
| Resource | Enable password writeback for directory |
| Resource | Add app role assignment to group |
| Resource | Add group |
| Resource | Add member to group |
| Resource | Add owner to group |
| Resource | Create group settings |
| Resource | Delete group |
| Resource | Delete group settings |
| Resource | Finish applying group based license to users |
| Resource | Hard Delete group |
| Resource | Remove app role assignment from group |
| Resource | Remove member from group |
| Resource | Remove owner from group |
| Resource | Restore Group |
| Resource | Set group license |
| Resource | Set group to be managed by user |
| Resource | Start applying group based license to users |
| Resource | Trigger group license recalculation |
| Resource | Update group |
| Resource | Update group settings |
| Resource | Add Member |
| Resource | Create Group |
| Resource | Delete Group |
| Resource | Remove Member |
| Resource | Update Group |
| Resource | Approve a pending request to join a group |
| Resource | Cancel a pending request to join a group |
| Resource | Create lifecycle management policy |
| Resource | Delete a pending request to join a group |
| Resource | Reject a pending request to join a group |
| Resource | Renew group |
| Resource | Request to join a group |
| Resource | Set dynamic group properties |
| Resource | Update lifecycle management policy |
| Resource | Add a key based on ASCII secret to a CPIM key container |
| Resource | Add a key to a CPIM key container |
| Resource | Delete a CPIM key container |
| Resource | Delete key container |
| Resource | Get key container active key metadata in JWK |
| Resource | Get key container metadata |
| Resource | Gets a CPIM key container in jwk format |
| Resource | Gets list of key containers in the tenant |
| Resource | Restore a CPIM key container backup |
| Resource | Save key container |
| Resource | Upload a CPIM encrypted key |
| Resource | Issue an authorization code to the application |
| Resource | Issue an id_token to the application |
Core directory
| Audit Category | Activity |
|---|---|
| Administrative Unit Management | Download a single risk detection type |
| Administrative Unit Management | Download admins and status of weekly digest opt-in |
| Administrative Unit Management | Download all risk detection types |
| Administrative Unit Management | Download free user risk detections |
| Administrative Unit Management | Download users flagged for risk |
| Application Management | Batch invites processed |
| Application Management | Batch invites uploaded |
| Application Management | Add owner to policy |
| Application Management | Add policy |
| Application Management | Delete policy |
| Application Management | Remove policy credentials |
| Application Management | Update policy |
| Application Management | Set MFA registration policy |
| Application Management | Set sign-in risk policy |
| Application Management | Set user risk policy |
| Application Management | Accept Terms Of Use |
| Application Management | Create Terms Of Use |
| Application Management | Decline Terms Of Use |
| Application Management | Delete Terms Of Use |
| Application Management | Edit Terms Of Use |
| Application Management | Publish Terms Of Use |
| Application Management | Unpublish Terms Of Use |
| Application Management | Add application TLS/SSL certificate |
| Application Management | Delete TLS binding |
| Application Management | Register connector |
| Application Management | AdminPolicyDatas-RemoveResources |
| Application Management | AdminPolicyDatas-SetResources |
| Application Management | AdminUserJourneys-GetResources |
| Directory Management | AdminUserJourneys-RemoveResources |
| Directory Management | AdminUserJourneys-SetResources |
| Directory Management | Create IdentityProvider |
| Directory Management | Create a new AdminUserJourney |
| Directory Management | Create localized resource json |
| Directory Management | Create new Custom IDP |
| Directory Management | Create new IDP |
| Directory Management | Create or update a B2C directory resource |
| Directory Management | Create policy |
| Directory Management | Create trustFramework policy |
| Directory Management | Create trustFramework policy with configurable prefix |
| Directory Management | Create user attribute |
| Directory Management | CreateTrustFrameworkPolicy |
| Directory Management | Delete IDP |
| Directory Management | Delete IdentityProvider |
| Directory Management | Delete a B2C directory resource |
| Directory Management | Delete trustFramework policy |
| Directory Management | Delete user attribute |
| Directory Management | Get B2C directory resources in a resource group |
| Directory Management | Get B2C directory resources in a subscription |
| Directory Management | Get Custom IDP |
| Directory Management | Get IDP |
| Directory Management | Get a B2C directory resource |
| Directory Management | Get a user journey |
| Directory Management | Get allowed application claims for user journey |
| Directory Management | Get allowed self-asserted claims for user journey |
| Directory Management | Get allowed self-asserted claims of policy |
| Directory Management | Get available output claims list |
| Directory Management | Get content definitions for user journey |
| Directory Management | Get idps for a specific admin flow |
| Directory Management | Get list of all admin flows |
| Directory Management | Get list of tags for all admin flows for all users |
| Group Management | Bulk Download group members - started |
| Group Management | Bulk Download group members - finished |
| Group Management | Bulk import group members - started |
| Group Management | Bulk import group members - finished |
| Group Management | Bulk remove group members - started |
| Group Management | Bulk remove group members - finished |
| Group Management | Bulk download groups - started |
| Group Management | Bulk download groups - finished |
| Group Management | Get list of tenants for a user |
| Group Management | Get local accounts' self-asserted claims |
| Group Management | Get localized resource json |
| Group Management | Get operations of Microsoft.AzureActiveDirectory resource provider |
| Group Management | Get policies |
| Group Management | Get policy |
| Group Management | Get supported IDP list |
| Group Management | Get supported IDP list of the user journey |
| Group Management | Get tenant defined Custom IDP list |
| Group Management | Get tenant defined IDP list |
| Group Management | Get tenant defined local IDP list |
| Group Management | Get tenant details for a user for resource creation |
| Group Management | Get the default supported culture for CPIM |
| Group Management | Get the details of an admin flow |
| Group Management | Get the list of UserJourneys for this tenant |
| Group Management | Get the set of available supported cultures for CPIM |
| Group Management | Get trustFramework policy |
| Group Management | Get trustFramework policy as xml |
| Group Management | Get user attribute |
| Policy Management | Get user attributes |
| Policy Management | Get user journey list |
| Policy Management | GetIEFPolicies |
| Policy Management | GetIdentityProviders |
| Policy Management | GetTrustFrameworkPolicy |
| Resource | MigrateTenantMetadata |
| Resource | Move resources |
| Resource | Patch IdentityProvider |
| Resource | PutTrustFrameworkPolicy |
| Resource | PutTrustFrameworkpolicy |
| Resource | Remove a user journey |
| Resource | Update Custom IDP |
| Resource | Update IDP |
| Resource | Update Local IDP |
| Resource | Update a B2C directory resource |
| Resource | Update policy |
| Resource | Update subscription status |
| Role Management | Update user attribute |
| Role Management | Validate move resources |
| Role Management | Add device |
| Role Management | Add device configuration |
| Role Management | Add registered owner to device |
| Role Management | Add registered users to device |
| Role Management | Delete device |
| Role Management | Delete device configuration |
| Role Management | Device no longer compliant |
| Role Management | Device no longer managed |
| User Management | AccessReview_Review |
| User Management | AccessReview_Update |
| User Management | ActivationAborted |
| User Management | ActivationApproved |
| User Management | ActivationCanceled |
| User Management | ActivationRequested |
| User Management | Add eligible member to role |
| User Management | Add member to role |
| User Management | Add role assignment to role definition |
| User Management | Add role from template |
| User Management | Add scoped member to role |
| User Management | Added |
| User Management | Assign |
| User Management | Bulk create users - started |
| User Management | Bulk create users - finished |
| User Management | Bulk delete users - started |
| User Management | Bulk delete users - finished |
| User Management | Bulk download users - started |
| User Management | Bulk download users - finished |
| User Management | Bulk restore deleted users - started |
| User Management | Bulk restore deleted users - finished |
| User Management | Bulk invite users - started |
| User Management | Bulk invite users - finished |
| User Management | Remove registered owner from device |
| User Management | Remove registered users from device |
| User Management | Remove eligible member from role |
| User Management | Remove member from role |
| User Management | Remove role assignment from role definition |
| User Management | Remove scoped member from role |
| User Management | Update device |
| User Management | Update device configuration |
| User Management | Update role |
Entitlement Management
| Audit Category | Activity |
|---|---|
| Entitlement Management | Add Entitlement Management role assignment |
| Entitlement Management | Administrator directly assigns user to access package |
| Entitlement Management | Administrator directly removes user access package assignment |
| Entitlement Management | Approve access package assignment request |
| Entitlement Management | Assign user as external sponsor |
| Entitlement Management | Assign user as internal sponsor |
| Entitlement Management | Auto approve access package assignment request |
| Entitlement Management | Cancel access package assignment request |
| Entitlement Management | Create access package |
| Entitlement Management | Create access package assignment policy |
| Entitlement Management | Create access package assignment user update request |
| Entitlement Management | Create access package catalog |
| Entitlement Management | Create connected organization |
| Entitlement Management | Create custom action |
| Entitlement Management | Create resource remove request |
| Entitlement Management | Create resource request |
| Entitlement Management | Delete access package |
| Entitlement Management | Delete access package assignment policy |
| Entitlement Management | Delete access package catalog |
| Entitlement Management | Delete connected organization |
| Entitlement Management | Deny access package assignment request |
| Entitlement Management | Entitlement Management removes access package assignment request for user |
| Entitlement Management | Execute custom action |
| Entitlement Management | Extend access package assignment |
| Entitlement Management | Failed access package assignment request |
| Entitlement Management | Fulfill access package assignment request |
| Entitlement Management | Fulfill access package resource assignment |
| Entitlement Management | Partially fulfill access package assignment request |
| Entitlement Management | Ready to fulfill access package assignment request |
| Entitlement Management | Remove Entitlement Management role assignment |
| Entitlement Management | Remove access package resource assignment |
| Entitlement Management | Remove user as external sponsor |
| Entitlement Management | Remove user as internal sponsor |
| Entitlement Management | Schedule a future access package assignment |
| Entitlement Management | Update access package |
| Entitlement Management | Update access package assignment policy |
| Entitlement Management | Update access package catalog |
| Entitlement Management | Update access package catalog resource |
| Entitlement Management | Update connected organization |
| Entitlement Management | Update custom action |
| Entitlement Management | User requests access package assignment |
| Entitlement Management | User requests an access package assignment on behalf of service principal |
| Entitlement Management | User requests to extend access package assignment |
| Entitlement Management | User requests to remove access package assignment |
Identity protection
| Audit Category | Activity |
|---|---|
| Directory Management | Elevate |
| Directory Management | Removed |
| Directory Management | Role Setting changes |
| Other | ScanAlertsNow |
| Other | Signup |
| Other | Unelevate |
| Other | UpdateAlertSettings |
| Other | UpdateCurrentState |
| Policy Management | Access review ended |
| Policy Management | Add approver to request approval |
| Policy Management | Add reviewer to access review |
| User Management | Apply access review |
| User Management | Create access review |
Invited users
| Audit Category | Activity |
|---|---|
| Invited users | Delete external user |
| Invited users | Email not sent, user unsubscribed |
| Invited users | Email subscribed |
| Invited users | Email unsubscribed |
| Invited users | Invitation Email |
| Invited users | Invite external user |
| Invited users | Invite external user with reset invitation status |
| Invited users | Invite internal user to B2B collaboration |
| Invited users | Redeem external user invite |
| Invited users | Viral tenant creation |
| Invited users | Viral user creation |
Microsoft Identity Manager (MIM)
| Audit Category | Activity |
|---|---|
| Group Management | Review request approval request |
| Group Management | Update Access Review |
| Group Management | Update access review mail notification settings |
| Group Management | Update access review recurrence count setting |
| Group Management | Update access review recurrence duration in days setting |
| User Management | Update access review recurrence end type setting |
| User Management | Update access review recurrence type setting |
Privileged Identity Management
| Audit Category | Activity |
|---|---|
| PIM | ActivationAborted |
| PIM | ActivationApproved |
| PIM | ActivationCanceled |
| PIM | ActivationDenied |
| PIM | ActivationRequested |
| PIM | Added |
| PIM | AddedOutsidePIM |
| PIM | Assign |
| PIM | DismissAlert |
| PIM | Elevate |
| PIM | ReactivateAlert |
| PIM | Removed |
| PIM | RemovedOutsidePIM |
| PIM | Request Stop Review |
| PIM | Role Setting changes |
| PIM | ScanAlertsNow |
| PIM | Signup |
| PIM | Unassign |
| PIM | Unelevate |
| PIM | UpdateAlertSettings |
| PIM | UpdateCurrentState |
Self-service group management
| Audit Category | Activity |
|---|---|
| Group Management | Reset user password |
| Group Management | Restore user |
| Group Management | Set force change user password |
| Group Management | Set user manager |
| Group Management | Set users oath token metadata enabled |
| Group Management | Update StsRefreshTokenValidFrom Timestamp |
| Group Management | Update external secrets |
| Group Management | Update user |
| Group Management | Admin generates a temporary password |
Self-service password management
| Audit Category | Activity |
|---|---|
| Directory Management | Admins requires the user to reset their password |
| Directory Management | Assign external user to application |
| User Management | Email not sent, user unsubscribed |
| User Management | Invite external user |
| User Management | Redeem external user invite |
| User Management | Viral tenant creation |
| User Management | Viral user creation |
| User Management | User Password Registration |
| User Management | User Password Reset |
| User Management | Blocked from self-service password reset |
Terms of use
| Audit Category | Activity |
|---|---|
| Terms Of Use | Accept Terms Of Use |
| Terms Of Use | Create Terms Of Use |
| Terms Of Use | Decline Terms Of Use |
| Terms Of Use | Delete Consent |
| Terms Of Use | Delete Terms Of Use |
| Terms Of Use | Edit Terms Of Use |
| Terms Of Use | Expire Terms Of Use |
| Terms Of Use | Hard Delete Terms Of Use |
| Terms Of Use | Publish Terms Of Use |
| Terms Of Use | Unpublish Terms Of Use |