
Quick Reference Guide

Azure AD Auditing
This quick reference guide shows how to track changes and sign-ins in Azure AD.

Overview
Auditing in Azure AD is enabled by default and cannot be disabled.
There are two main areas of Azure AD auditing:

Sign-in activity: Information about the usage of managed applications and user sign-in activity.
Audit logs: System activity information about users and group management, your managed applications, and directory activities.

Sign-in Activity Auditing
The user sign-in graph shows weekly aggregations of sign-ins for all users in a given time period. The default time period is 30 days. You can view this graph by navigating to the Enterprise applications overview page. When you click on a day in the sign-in graph, you get a detailed list of the sign-in activities.

You can also view the Sign-in table by navigating to the Azure Active Directory portal > Sign-ins. You can export this data by clicking the Download button.

Sign-in Properties:
User Name: Name of the user account that is signing in
Application: Which application was used to perform the login
Login Status: Whether the sign-in was successful or failed
Time Interval: Sign-in time
IP Address: IP address from which the sign-in was made
Client: What operating system the device is using
Location: The location from which the sign-in was performed

Change Auditing
The auditing logs in Azure Active Directory provide records of system activities. There are three main categories for auditing-related activities in the Azure portal:
Users and groups
Applications
Directory

Your entry point to all auditing data is Audit logs in the Activity section of Azure Active Directory.
An audit log has a list view that shows the actors (who), the activities (action) and the targets (what).
By clicking an item in the list view, you can get more details about it.
Events in the Azure AD Audit report are retained for a maximum of 180 days. For customers interested in storing their audit events for longer retention periods, the Reporting API can be used to regularly pull audit events into a separate data store.

Audit Event Properties:
Date and Time: The date and time that the audit event occurred
Actor: The user or service principal that performed the action
Action: The action that was performed
Target: The user or service principal that the action was performed on
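
One way to do the regular pull of audit events into a separate data store, as an added example that is not part of the original guide or the vendor's code. It assumes the events arrive as Microsoft Graph `auditLogs/directoryAudits` JSON pages; the `fetch` callable, the table layout and the sample events are hypothetical and constructed here, with SQLite standing in for the data store.

```python
import sqlite3

# Constructed sample pages shaped like Microsoft Graph directoryAudits
# responses (assumed API); the dict keys stand in for page URLs.
SAMPLE_PAGES = {
    "page1": {"@odata.nextLink": "page2", "value": [
        {"id": "evt-001", "activityDateTime": "2024-05-01T10:00:00Z",
         "activityDisplayName": "Add member to group",
         "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
         "targetResources": [{"userPrincipalName": "alice@example.com"},
                             {"displayName": "Finance"}]},
        {"id": "evt-002", "activityDateTime": "2024-05-01T11:30:00Z",
         "activityDisplayName": "Update application",
         "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
         "targetResources": [{"displayName": "HR Portal"}]}]},
    "page2": {"value": [
        {"id": "evt-003", "activityDateTime": "2024-05-02T08:15:00Z",
         "activityDisplayName": "Delete user",
         "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
         "targetResources": [{"userPrincipalName": "bob@example.com"}]}]},
}

def fetch_sample(url):
    """Offline stand-in for an authenticated GET that returns parsed JSON."""
    return SAMPLE_PAGES[url]

def to_row(ev):
    """Map an event to the guide's Date and Time, Actor, Action, Target."""
    by = ev.get("initiatedBy") or {}
    actor = ((by.get("user") or {}).get("userPrincipalName")
             or (by.get("app") or {}).get("displayName") or "unknown")
    targets = "; ".join(t.get("userPrincipalName") or t.get("displayName") or "?"
                        for t in ev.get("targetResources") or [])
    return (ev["id"], ev["activityDateTime"], actor,
            ev["activityDisplayName"], targets)

def archive(db, fetch, first_url):
    """Follow paging links and store every event once; return rows added."""
    db.execute("CREATE TABLE IF NOT EXISTS audit (id TEXT PRIMARY KEY, "
               "ts TEXT, actor TEXT, action TEXT, target TEXT)")
    before, url = db.total_changes, first_url
    while url:
        page = fetch(url)
        # Event id as primary key makes overlapping pulls idempotent.
        db.executemany("INSERT OR IGNORE INTO audit VALUES (?,?,?,?,?)",
                       [to_row(ev) for ev in page.get("value", [])])
        url = page.get("@odata.nextLink")
    db.commit()
    return db.total_changes - before
```

Because re-pulled events are ignored, each scheduled run can request a window that overlaps the previous one, so a missed or late run does not leave a gap as long as it completes inside the retention period.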

Gain #completevisibility into all activity in Azure Active Directory with Netwrix Auditor for Azure AD: netwrix.com/go/trial-azuread

Corporate Headquarters: 300 Center Drive, Suite 1100, Irvine, CA 92618
Phone: 1-949-407-5125 Int'l: 1-949-407-5125 Toll-free: 888-638-9749 EMEA: 44 (0) 203-588-3023
netwrix.com/social
