List of Azure Active Directory Audit Activities


Hi all,

Audit logs in Azure Active Directory help customers to gain visibility about users and group management, managed applications and directory activities in their cloud-based Active Directory.

Using the logs you can detect and investigate security incidents, and review important configuration changes.

By using the Graph API, which provides programmatic access to Azure AD, you can get a detailed list of all auditing activities. Because the access to Graph API is based on REST API calls you can use PowerShell scripts.

I wrote a quick script, based on Paulo Marques's post

Script code is here, just remember to change YOUR_Domain_Name

The full list is here (updated on 12/2/2018 and probably subject to change)

category activityResourceType activity
Account Provisioning Application process escrow
Account Provisioning Application administration
Account Provisioning Application directory operation
Account Provisioning Application synchronization rule action
Account Provisioning Application import
Account Provisioning Application export
Account Provisioning Application other
Application Proxy Application update application
Application Proxy Application delete application
Application Proxy Application add application
Application Proxy Application update application single sign-on mode
Application Proxy Directory enable desktop sso for a specific domain
Application Proxy Directory enable application proxy
Application Proxy Directory disable desktop sso
Application Proxy Directory disable passthrough authentication
Application Proxy Directory enable desktop sso
Application Proxy Directory disable desktop sso for a specific domain
Application Proxy Directory disable application proxy
Application Proxy Directory enable passthrough authentication
Application Proxy Resource register connector
Application Proxy Resource add application ssl certificate
Application Proxy Resource delete ssl binding
Automated Password Rollover Application automated password rollover
B2C Application get v1 and v2 applications
B2C Application retrieve v2 application permissions grants
B2C Application get v2 applications
B2C Application add v2 application permissions
B2C Application delete v2 application permission grant
B2C Application update v2 application permission grant
B2C Application delete v1 application
B2C Application create v2 application
B2C Application retrieve v2 application service principals
B2C Application update v2 application
B2C Application get v1 application
B2C Application update v1 application
B2C Application retrieve v2 application service principals in the current tenant
B2C Application get v2 application
B2C Application delete v2 application
B2C Application get v1 applications
B2C Application create v1 application
B2C Authorization get all certificates
B2C Authorization user authorization: access is denied
B2C Authorization gettenantprovisioninginfo
B2C Authorization create certificate
B2C Authorization retrieve v2 application service principals
B2C Authorization create admin policy
B2C Authorization adminpolicydatas-removeresources
B2C Authorization gettenantinfo
B2C Authorization getkeysets
B2C Authorization get list of tags for all admin flows for all users
B2C Authorization user authorization: user granted 'cpimservice admins' access rights
B2C Authorization adminuserjourneys-removeresources
B2C Authorization get tenant policy list
B2C Authorization get the details of an admin flow
B2C Authorization get tenant defined idp list
B2C Authorization delete a b2c directory resource
B2C Authorization get tenant defined local idp list
B2C Authorization get allowed application claims for user journey
B2C Authorization get the set of available supported cultures for cpim
B2C Authorization create new idp
B2C Authorization user authorization: user was granted 'authenticated users' access rights
B2C Authorization get trustframework policy as xml
B2C Authorization gets a cpim key container in jwk format
B2C Authorization add v2 application permissions
B2C Authorization get b2c directory resources in a resource group
B2C Authorization validate move resources
B2C Authorization create a custom domains in the tenant
B2C Authorization get user journey list
B2C Authorization create trustframework policy with configurable prefix
B2C Authorization deleteidentityprovider
B2C Authorization deleteoutputclaim
B2C Authorization gets cpim key as a certificate
B2C Authorization linkidentityprovider
B2C Authorization deleteinputclaim
B2C Authorization getinputclaims
B2C Authorization create trustframework policy to store
B2C Authorization gettrustframeworkwithouttenantobjectid
B2C Authorization updatetrustframeworkswithtenantobjectid
B2C Authorization recoverarchivedtenantwithtenantobjectid
B2C Authorization put ief policy
B2C Authorization get admin flows list
B2C Authorization delete trustframework policy from store
B2C Authorization adminpolicydatas-getresources
B2C Authorization get custom idp
B2C Authorization getb2cuserattributes
B2C Authorization create identityprovider
B2C Authorization getb2cpolicies
B2C Authorization getiefpolicies
B2C Authorization set ssl operation status for the custom domains operations in the tenant
B2C Authorization get resource properties of a tenant
B2C Authorization get policy
B2C Authorization get supported idp list of the user journey
B2C Authorization get user attribute
B2C Authorization delete idp
B2C Authorization create policy
B2C Authorization get tenant details for a user for resource creation
B2C Authorization get localized resource json
B2C Authorization update local idp
B2C Authorization get v1 application
B2C Authorization adminuserjourneys-getresources
B2C Authorization adminuserjourneys-setresources
B2C Authorization get trustframework policy
B2C Authorization verify if b2c feature is enabled
B2C Authorization gets the type of tenant
B2C Authorization get certificates
B2C Authorization getiefpolicy
B2C Authorization user authorization: user granted access as 'tenant admin'
B2C Authorization delete identityprovider
B2C Authorization update custom idp
B2C Authorization delete policy
B2C Authorization getkeyset
B2C Authorization create a new adminuserjourney
B2C Authorization enable b2c feature
B2C Authorization retrieve v2 application service principals in the current tenant
B2C Authorization get tenant allowed features
B2C Authorization get idp
B2C Authorization get v2 applications
B2C Authorization get the default supported culture for cpim
B2C Authorization get allowed self-asserted claims of policy
B2C Authorization create user attribute
B2C Authorization update idp
B2C Authorization update v2 application
B2C Authorization get list of tenants for a user
B2C Authorization create v2 application
B2C Authorization delete a cpim key container
B2C Authorization add a key based on ascii secret to a cpim key container
B2C Authorization move resources
B2C Authorization get the list of userjourneys for this tenant
B2C Authorization get user attributes
B2C Authorization get list of all admin flows
B2C Authorization getidentityproviders
B2C Authorization restore a cpim key container backup
B2C Authorization create v1 application
B2C Authorization creates or update an new adminuserjourney
B2C Authorization get and download certificate
B2C Authorization link inputclaim
B2C Authorization gettenants
B2C Authorization patch identityprovider
B2C Authorization get list of policies
B2C Authorization user authorization: api is disabled for tenant featureset
B2C Authorization get trustframework ids from store
B2C Authorization createtrustframeworkpolicy
B2C Authorization get idps for a specific admin flow
B2C Authorization delete v1 application
B2C Authorization authorization: the action is not allowed to make changes to config tenant
B2C Authorization migratetenantmetadata
B2C Authorization user authorization: user login tenant is different from target tenant
B2C Authorization get a b2c drectory resource
B2C Authorization get available output claims list
B2C Authorization verify if feature is enalbed
B2C Authorization get policies
B2C Authorization get tenant list
B2C Authorization get tenant info
B2C Authorization retrieve v2 application permissions grants
B2C Authorization get content definitions for user journey
B2C Authorization get b2c directory resources in a subscription
B2C Authorization get local accounts' self-asserted claims
B2C Authorization get supported idp list
B2C Authorization create trustframework policy
B2C Authorization update policy
B2C Authorization delete trustframework policy
B2C Authorization delete user attribute
B2C Authorization update subscription status
B2C Authorization delete v2 application permission grant
B2C Authorization update v2 application permission grant
B2C Authorization upload a cpim encrypted key
B2C Authorization add a key to a cpim key container
B2C Authorization get v1 applications
B2C Authorization get a user journey
B2C Authorization update v1 application
B2C Authorization user authorization: tenantid parameter is missing in request
B2C Authorization delete certificate
B2C Authorization create b2cuserattribute
B2C Authorization link outputclaim
B2C Authorization create ief policy
B2C Authorization getb2cpolicy
B2C Authorization get certificate
B2C Authorization get trustframework policy as xml from store
B2C Authorization get a specific admin flow
B2C Authorization adminpolicydatas-setresources
B2C Authorization get admin policy
B2C Authorization puttrustframeworkpolicy
B2C Authorization getidentityprovider
B2C Authorization gettrustframeworkpolicy
B2C Authorization create new custom idp
B2C Authorization get tenantdomains
B2C Authorization remove a user journey
B2C Authorization create or update a b2c directory resource
B2C Authorization get v1 and v2 applications
B2C Authorization get operations of microsoft.azureactivedirectory resource provider
B2C Authorization get v2 application
B2C Authorization get allowed self-asserted claims for user journey
B2C Authorization update user attribute
B2C Authorization gets list of key containers in the tenant
B2C Authorization delete v2 application
B2C Authorization get key container active key metadata in jwk
B2C Authorization create localized resource json
B2C Authorization get a list of custom domains in the tenant
B2C Authorization update a b2c directory resource
B2C Authorization get tenant defined custom idp list
B2C Directory enable b2c feature
B2C Directory get a list of custom domains in the tenant
B2C Directory get resource properties of a tenant
B2C Directory create a custom domains in the tenant
B2C Directory gettenantprovisioninginfo
B2C Directory set ssl operation status for the custom domains operations in the tenant
B2C Directory gets the type of tenant
B2C Directory get tenant list
B2C Directory verify if feature is enalbed
B2C Directory get tenant info
B2C Directory get tenant allowed features
B2C Directory verify if b2c feature is enabled
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid idtokensigningkeycontainer
B2C Key list all keys
B2C Key gets a cpim key container in jwk format
B2C Key add a key based on ascii secret to a cpim key container
B2C Key maintenance key container. revoke first true, revoke last false, cleanup true, operation 'undefined', kid undefined
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid twaj4qpb-l30fa0kc3nuaesy_z6ukvptiwvvyine-cw
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid j-yzdgvppiwfgjsgdmsucbcisdegkllfksiz51ulejs
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid x7kahnrq5gnu4eujwqqot_1jhlchwcetleimhdkdywg
B2C Key write new generated key container
B2C Key maintenance key container. revoke first false, revoke last false, cleanup false, operation 'rollback', kid undefined
B2C Key gets list of key containers in the tenant
B2C Key get key container active key metadata in jwk
B2C Key upload a cpim encrypted key
B2C Key gets cpim key as a certificate
B2C Key get certificates
B2C Key delete key container
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid key0
B2C Key add a key to a cpim key container
B2C Key get and download certificate
B2C Key create certificate
B2C Key save key container
B2C Key restore a cpim key container backup
B2C Key delete certificate
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid t8zpabofkcj9b-nfjzzyiikjgsjaka2p08ykwry_1ao
B2C Key maintenance key container. revoke first false, revoke last false, cleanup true, operation 'revoke', kid idtokensigningkeycontainer.v2
B2C Key get key container metadata
B2C Key get certificate
B2C Key change protection scheme
B2C Key delete a cpim key container
B2C Other issue an authorization code to the application
B2C Other issue an id_token to the application
B2C Resource recoverarchivedtenantwithtenantobjectid
B2C Resource gettenants
B2C Resource linkidentityprovider
B2C Resource link outputclaim
B2C Resource link inputclaim
B2C Resource getb2cpolicies
B2C Resource put ief policy
B2C Resource patch identityprovider
B2C Resource get admin flows list
B2C Resource get admin policy
B2C Resource delete trustframework policy from store
B2C Resource createtrustframeworkpolicy
B2C Resource adminuserjourneys-removeresources
B2C Resource getiefpolicies
B2C Resource get tenant defined idp list
B2C Resource get tenant defined local idp list
B2C Resource get supported idp list
B2C Resource create new idp
B2C Resource get the default supported culture for cpim
B2C Resource create trustframework policy
B2C Resource delete trustframework policy
B2C Resource create policy
B2C Resource get tenant details for a user for resource creation
B2C Resource get the list of userjourneys for this tenant
B2C Resource getidentityprovider
B2C Resource update custom idp
B2C Resource gettenantinfo
B2C Resource getkeyset
B2C Resource create identityprovider
B2C Resource get the details of an admin flow
B2C Resource create or update a b2c directory resource
B2C Resource get idp
B2C Resource get allowed application claims for user journey
B2C Resource get allowed self-asserted claims of policy
B2C Resource get allowed self-asserted claims for user journey
B2C Resource create user attribute
B2C Resource update idp
B2C Resource update user attribute
B2C Resource update subscription status
B2C Resource get b2c directory resources in a resource group
B2C Resource create localized resource json
B2C Resource validate move resources
B2C Resource get localized resource json
B2C Resource update a b2c directory resource
B2C Resource adminuserjourneys-getresources
B2C Resource get user attributes
B2C Resource create trustframework policy to store
B2C Resource create b2cuserattribute
B2C Resource deleteinputclaim
B2C Resource deleteoutputclaim
B2C Resource deleteidentityprovider
B2C Resource gettrustframeworkwithouttenantobjectid
B2C Resource get trustframework policy as xml from store
B2C Resource get list of policies
B2C Resource get a specific admin flow
B2C Resource get list of tags for all admin flows for all users
B2C Resource gettrustframeworkpolicy
B2C Resource create new custom idp
B2C Resource migratetenantmetadata
B2C Resource creates or update an new adminuserjourney
B2C Resource get a b2c drectory resource
B2C Resource get operations of microsoft.azureactivedirectory resource provider
B2C Resource get b2c directory resources in a subscription
B2C Resource get policy
B2C Resource get local accounts' self-asserted claims
B2C Resource get supported idp list of the user journey
B2C Resource update policy
B2C Resource get trustframework policy as xml
B2C Resource get tenant defined custom idp list
B2C Resource update local idp
B2C Resource create trustframework policy with configurable prefix
B2C Resource get tenant policy list
B2C Resource getb2cpolicy
B2C Resource delete identityprovider
B2C Resource create admin policy
B2C Resource adminpolicydatas-setresources
B2C Resource get trustframework ids from store
B2C Resource adminpolicydatas-getresources
B2C Resource delete policy
B2C Resource getkeysets
B2C Resource getidentityproviders
B2C Resource get idps for a specific admin flow
B2C Resource get list of all admin flows
B2C Resource remove a user journey
B2C Resource delete a b2c directory resource
B2C Resource delete idp
B2C Resource get list of tenants for a user
B2C Resource get trustframework policy
B2C Resource getinputclaims
B2C Resource getb2cuserattributes
B2C Resource updatetrustframeworkswithtenantobjectid
B2C Resource create ief policy
B2C Resource getiefpolicy
B2C Resource adminpolicydatas-removeresources
B2C Resource get custom idp
B2C Resource puttrustframeworkpolicy
B2C Resource create a new adminuserjourney
B2C Resource get available output claims list
B2C Resource get policies
B2C Resource get content definitions for user journey
B2C Resource get the set of available supported cultures for cpim
B2C Resource get user attribute
B2C Resource delete user attribute
B2C Resource move resources
B2C Resource adminuserjourneys-setresources
B2C Resource get a user journey
B2C Resource get user journey list
Core Directory Application add service principal
Core Directory Application update service principal
Core Directory Application update application
Core Directory Application remove service principal
Core Directory Application delete application
Core Directory Application add service principal credentials
Core Directory Application remove app role assignment from service principal
Core Directory Application remove owner from application
Core Directory Application consent to application
Core Directory Application add application
Core Directory Application add owner to service principal
Core Directory Application remove oauth2permissiongrant
Core Directory Application add oauth2permissiongrant
Core Directory Application add app role assignment to service principal
Core Directory Application remove service principal credentials
Core Directory Application remove owner from service principal
Core Directory Application add owner to application
Core Directory Application revoke consent
Core Directory Device add registered owner to device
Core Directory Device add registered users to device
Core Directory Device update device configuration
Core Directory Device remove registered owner from device
Core Directory Device delete device configuration
Core Directory Device update device
Core Directory Device add device
Core Directory Device add device configuration
Core Directory Device remove registered users from device
Core Directory Device delete device
Core Directory Directory update domain
Core Directory Directory remove partner from company
Core Directory Directory remove verified domain
Core Directory Directory add unverified domain
Core Directory Directory add verified domain
Core Directory Directory set dirsyncenabled flag
Core Directory Directory set directory feature on tenant
Core Directory Directory create company settings
Core Directory Directory update company settings
Core Directory Directory set company allowed data location
Core Directory Directory delete company settings
Core Directory Directory set company multinational feature enabled
Core Directory Directory update external secrets
Core Directory Directory set rights management properties
Core Directory Directory update company
Core Directory Directory verify domain
Core Directory Directory remove unverified domain
Core Directory Directory set domain authentication
Core Directory Directory set password policy
Core Directory Directory add partner to company
Core Directory Directory promote company to partner
Core Directory Directory set partnership
Core Directory Directory set accidental deletion threshold
Core Directory Directory demote partner
Core Directory Directory set company information
Core Directory Directory set federation settings on domain
Core Directory Directory create company
Core Directory Directory verify email verified domain
Core Directory Directory set dirsync feature
Core Directory Directory purge rights management properties
Core Directory Group add app role assignment to group
Core Directory Group start applying group based license to users
Core Directory Group delete group settings
Core Directory Group remove member from group
Core Directory Group set group license
Core Directory Group create group settings
Core Directory Group add member to group
Core Directory Group add group
Core Directory Group update group
Core Directory Group add owner to group
Core Directory Group finish applying group based license to users
Core Directory Group remove app role assignment from group
Core Directory Group set group to be managed by user
Core Directory Group delete group
Core Directory Group remove owner from group
Core Directory Group update group settings
Core Directory Policy update policy
Core Directory Policy add policy to service principal
Core Directory Policy delete policy
Core Directory Policy remove policy credentials
Core Directory Policy remove policy from service principal
Core Directory Policy add policy
Core Directory User update role
Core Directory User add role from template
Core Directory User update user
Core Directory User delete user
Core Directory User add user
Core Directory User convert federated user to managed
Core Directory User create application password for user
Core Directory User set license properties
Core Directory User restore user
Core Directory User remove member from role
Core Directory User remove app role assignment from user
Core Directory User remove scoped member from role
Core Directory User change user license
Core Directory User change user password
Core Directory User reset user password
Core Directory User add app role assignment grant to user
Core Directory User add member to role
Core Directory User set user manager
Core Directory User delete application password for user
Core Directory User update user credentials
Core Directory User add scoped member to role
Identity Protection Directory update alert settings
Identity Protection Directory update weekly digest settings
Identity Protection Directory onboarding
Identity Protection Other set user risk policy
Identity Protection Other download a single risk event type
Identity Protection Other set mfa registration policy
Identity Protection Other download all risk event types
Identity Protection Other download users flagged for risk
Identity Protection Other download free user risk events
Identity Protection Other admin dismisses/resolves/reactivates risk event
Identity Protection Other set sign-in risk policy
Identity Protection Other download admins and status of weekly digest opt-in
Identity Protection Policy set mfa registration policy
Identity Protection Policy set sign-in risk policy
Identity Protection Policy set user risk policy
Identity Protection User admin generates a temporary password
Identity Protection User admins requires the user to reset their password
Invited Users Other batch invites processed
Invited Users Other batch invites uploaded
Invited Users User viral tenant creation
Invited Users User invite external user
Invited Users User email not sent, user unsubscribed
Invited Users User assign external user to application
Invited Users User redeem external user invite
Invited Users User viral user creation
MIM Service Group create group
MIM Service Group remove member
MIM Service Group add member
MIM Service Group delete group
MIM Service Group update group
MIM Service User user password registration
MIM Service User user password reset
Self-service Group Management Group delete a pending request to join a group
Self-service Group Management Group set dynamic group properties
Self-service Group Management Group update lifecycle management policy
Self-service Group Management Group approve a pending request to join a group
Self-service Group Management Group request to join a group
Self-service Group Management Group create lifecycle management policy
Self-service Group Management Group reject a pending request to join a group
Self-service Group Management Group cancel a pending request to join a group
Self-service Group Management Group renew group
Self-service Password Management User reset password (self-service)
Self-service Password Management User unlock user account (self-service)
Self-service Password Management User reset password (by admin)
Self-service Password Management User self-serve password reset flow activity progress
Self-service Password Management User change password (self-service)
Self-service Password Management User user registered for self-service password reset
Self-service Password Management User blocked from self-service password reset
Terms Of Use Policy decline terms of use
Terms Of Use Policy accept terms of use
Terms Of Use Policy edit terms of use
Terms Of Use Policy unpublish terms of use
Terms Of Use Policy create terms of use
Terms Of Use Policy publish terms of use
Terms Of Use Policy delete terms of use
Comments (3)

  1. Jeff Walzer says:

    Moti,

    Is it possible to pull the Azure AD Identity Protection – Risk events into a SIEM like Splunk?

    Thx,
    Jeff

    1. Moti Bani says:

      Hi Jeff, you can using Azure Security Center and Splunk connector

  2. Dave Rendón says:

    Thanks Moti, very useful script!

Skip to main content