Audit activity reports in the Azure Active Directory portal

With Azure Active Directory (Azure AD) reports, you can get the information you need to determine how your environment is doing.

The reporting architecture consists of the following components:

  • Activity
    • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
    • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.
  • Security
    • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
    • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

This article gives you an overview of the audit report.

Who can access the data?

  • Users in the Security Administrator, Security Reader, Report Reader or Global Administrator roles
  • In addition, all users (non-administrators) can see their own audit activities

Audit logs

The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select Audit logs in the Activity section of Azure Active Directory. Note that audit logs may have a latency of up to an hour, so it may take that long for audit activity data to show up in the portal after you have completed the task.

An audit log has a default list view that shows:

  • the date and time of the occurrence
  • the service that logged the occurrence
  • the category and name of the activity (what)
  • the status of the activity (success or failure)
  • the target
  • the initiator / actor (who) of an activity

You can customize the list view by clicking Columns in the toolbar.

This enables you to display additional fields or remove fields that are already displayed.

Select an item in the list view to get more detailed information.

Filtering audit logs

You can filter the audit data on the following fields:

  • Service
  • Category
  • Activity
  • Status
  • Target
  • Initiated by (Actor)
  • Date range

The Service filter allows you to select from a dropdown of the following services:

  • All
  • Access Reviews
  • Account Provisioning
  • Application SSO
  • Authentication Methods
  • B2C
  • Conditional Access
  • Core Directory
  • Entitlement Management
  • Identity Protection
  • Invited Users
  • PIM
  • Self-service Group Management
  • Self-service Password Management
  • Terms of Use

The Category filter enables you to select one of the following filters:

  • All
  • AdministrativeUnit
  • ApplicationManagement
  • Authentication
  • Authorization
  • Contact
  • Device
  • DeviceConfiguration
  • DirectoryManagement
  • EntitlementManagement
  • GroupManagement
  • Other
  • Policy
  • ResourceManagement
  • RoleManagement
  • UserManagement

The Activity filter is based on the category and activity resource type selection you make. You can select a specific activity you want to see or choose all.

You can get the list of all audit activities using the Graph API https://graph.windows.net/$tenantdomain/activities/auditActivityTypes?api-version=beta, where $tenantdomain is your domain name, or refer to the article on audit report events.

The Status filter allows you to filter based on the status of an audit operation. The status can be one of the following:

  • All
  • Success
  • Failure

The Target filter allows you to search for a particular target by name or user principal name (UPN). The target name and UPN are case-sensitive.

The Initiated by filter enables you to define an actor's name or user principal name (UPN). The name and UPN are case-sensitive.

The Date range filter enables you to define a timeframe for the returned data.
Possible values are:

  • 1 month
  • 7 days
  • 24 hours
  • Custom

When you select a custom timeframe, you can configure a start time and an end time.

You can also choose to download the filtered data, up to 250,000 records, by selecting the Download button. You may choose to download the logs in either CSV or JSON format. The number of records you can download is constrained by the Azure Active Directory report retention policies.
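
The same filter fields can be applied offline to a JSON download, for example to re-slice one export several ways during a review. This is an added example, not code from the original page: it assumes the export's records use the field names of the Microsoft Graph directoryAudit resource, and the sample records and the `filter_audit` helper are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample export. Field names follow the Microsoft Graph
# directoryAudit resource (assumption: adjust the keys if your download differs).
SAMPLE = json.loads("""[
 {"activityDateTime": "2019-07-01T08:15:00Z", "loggedByService": "Core Directory",
  "category": "RoleManagement", "activityDisplayName": "Add member to role", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"displayName": "Alice", "userPrincipalName": "alice@example.com"}]},
 {"activityDateTime": "2019-07-01T09:00:00Z", "loggedByService": "Self-service Password Management",
  "category": "UserManagement", "activityDisplayName": "Reset user password", "result": "failure",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
  "targetResources": [{"displayName": "Bob", "userPrincipalName": "bob@example.com"}]},
 {"activityDateTime": "2019-07-02T10:30:00Z", "loggedByService": "Core Directory",
  "category": "ApplicationManagement", "activityDisplayName": "Consent to application", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
  "targetResources": [{"displayName": "Constructed App"}]},
 {"activityDateTime": "2019-07-03T11:45:00Z", "loggedByService": "Account Provisioning",
  "category": "GroupManagement", "activityDisplayName": "Add member to group", "result": "success",
  "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
  "targetResources": [{"displayName": "Finance"}]}
]""")

def _names(entity):
    """Display name and UPN of an actor or target, ignoring missing fields."""
    entity = entity or {}
    return {v for v in (entity.get("displayName"), entity.get("userPrincipalName")) if v}

def filter_audit(records, service=None, category=None, activity=None, status=None,
                 target=None, initiated_by=None, start=None, end=None):
    """Apply the portal's filter fields to exported records; None means 'All'."""
    kept = []
    for r in records:
        when = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
        by = r.get("initiatedBy") or {}
        actors = _names(by.get("user")) | _names(by.get("app"))
        targets = set().union(*(_names(t) for t in r.get("targetResources") or []))
        if all((service is None or r.get("loggedByService") == service,
                category is None or r.get("category") == category,
                activity is None or r.get("activityDisplayName") == activity,
                status is None or (r.get("result") or "").lower() == status.lower(),
                target is None or target in targets,              # case-sensitive exact match
                initiated_by is None or initiated_by in actors,   # case-sensitive exact match
                (start is None or when >= start) and (end is None or when <= end))):
            kept.append(r)
    return kept
```

Because target and actor matching is case-sensitive, `alice@example.com` matches the first sample record while `Alice@example.com` does not.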

Audit logs shortcuts

In addition to Azure Active Directory, the Azure portal provides you with two additional entry points to audit data:

  • Users and groups
  • Enterprise applications

Users and groups audit logs

With user and group-based audit reports, you can get answers to questions such as:

  • What types of updates have been applied to the users?
  • How many users were changed?
  • How many passwords were changed?
  • What has an administrator done in a directory?
  • What are the groups that have been added?
  • Are there groups with membership changes?
  • Have the owners of a group been changed?
  • What licenses have been assigned to a group or a user?

If you just want to review auditing data that is related to users, you can find a filtered view under Audit logs in the Activity section of the Users tab. This entry point has UserManagement as the preselected category.

If you just want to review auditing data that is related to groups, you can find a filtered view under Audit logs in the Activity section of the Groups tab. This entry point has GroupManagement as the preselected category.

Enterprise applications audit logs

With application-based audit reports, you can get answers to questions such as:

  • What applications have been added or updated?
  • What applications have been removed?
  • Has a service principal for an application changed?
  • Have the names of applications been changed?
  • Who gave consent to an application?

If you want to review audit data related to your applications, you can find a filtered view under Audit logs in the Activity section of the Enterprise applications blade. This entry point has Enterprise applications preselected as the Application Type.

Office 365 activity logs

You can view Office 365 activity logs from the Microsoft 365 admin center. Even though Office 365 activity and Azure AD activity logs share a lot of the directory resources, only the Microsoft 365 admin center provides a full view of the Office 365 activity logs.

You can also access the Office 365 activity logs programmatically using the Office 365 Management APIs.

Next steps