Unit 3: Review and monitor Microsoft Entra audit logs

Microsoft Entra audit logs record who did what, when, and where across your directory. These logs are critical for compliance, investigations, and change tracking. Unlike sign-in logs, audit logs focus on administrative and system activities, not authentication attempts.

Audit logs help answer questions such as:

• What configuration changes occurred?
• Who made the change?
• Was the operation successful?
• Which object was affected?

Accessing audit logs

To access audit logs:

• Open the Microsoft Entra admin center.
• Select Microsoft Entra ID.
• Under Monitoring, select Audit logs.

Audit logs are available tenant-wide and are searchable directly from the portal.

Default audit log view

The default audit log list displays the following fields:

• Date and time of the activity.
• Service that logged the activity.
• Category and activity name (what happened).
• Status of the activity (Success or Failure).
• Target (object affected).
• Initiator / Actor (who performed the action).

This default view is designed for quick investigations, but it can be customized.

Customizing the audit log view

You can customize the audit log columns by selecting Columns in the toolbar.

Column customization capabilities

• Add additional fields for deeper visibility.
• Remove unnecessary fields to reduce noise.
• Tailor views for specific investigations or compliance checks.

This is especially useful when exporting logs or performing repeated reviews.

Viewing detailed audit log entries

Selecting an individual audit log entry opens a detailed view, which may include:

• Full activity description.
• Modified properties.
• Initiator details.
• Target resource details.
• Correlation identifiers.

This detailed view is essential for root-cause analysis and audit validation.

Filtering audit logs

Filtering allows you to quickly narrow large datasets into meaningful results.

Available audit log filters

You can filter audit data by:

• Service
• Category
• Activity
• Status
• Target
• Initiated by (Actor)
• Date range

Filters can be combined to create highly targeted queries.

Service filter

The Service filter identifies which Microsoft Entra or Microsoft service generated the audit event.

Common service values include:

• Microsoft Entra Management UX
• Access Reviews
• Account Provisioning
• Application Proxy
• Authentication Methods
• Conditional Access
• Core Directory
• Entitlement Management
• Identity Protection
• Invited Users
• Privileged Identity Management (PIM)
• Self-service Password Management
• Terms of Use

This filter is extremely useful when auditing specific identity governance features.

Category filter

The Category filter classifies audit events by functional area.

Common categories include:

• ApplicationManagement
• Authentication
• Authorization
• DirectoryManagement
• EntitlementManagement
• GroupManagement
• Policy
• RoleManagement
• UserManagement
• ResourceManagement

This filter is often used to separate security-relevant changes from routine updates.

Activity filter

The Activity filter is dependent on:

• The selected Category.
• The selected resource type.

You can:

• Select a specific activity.
• View all activities within the selected scope.

For a full list of audit activity types, Microsoft Graph can be used.

Status filter

The Status filter allows you to view:

• Success
• Failure
• All

This is especially useful when:

• Investigating failed administrative operations.
• Identifying misconfigurations or permission issues.

Target filter

The Target filter allows you to search for:

• Specific users.
• Groups.
• Applications.
• Other directory objects.

Important notes:

• Matching is based on the start of the name or UPN.
• Target names and UPNs are case-sensitive.

Initiated by (Actor) filter

This filter allows you to search for activities initiated by a specific user or service principal.

Key points:

• Uses name or UPN prefix matching.
• Case-sensitive.
• Essential for insider threat investigations or admin activity reviews.

Date range filter

The Date range filter allows you to define the time window for returned results.

Available options:

• Last 24 hours
• Last 7 days
• Custom range

For custom ranges:

• You can specify both start time and end time.

Downloading audit logs

You can export audit logs by selecting Download.

Download characteristics

• Maximum of 250,000 records per export.
• Supported formats:
• CSV
• JSON
• Retention is governed by Microsoft Entra log retention policies.

Downloading logs is commonly used for:

• Offline analysis.
• Compliance reporting.
• SIEM ingestion.

Audit log shortcuts in the Azure portal

In addition to the main Audit logs blade, the Azure portal provides contextual audit views.

Users and groups audit logs

User- and group-scoped audit views help answer questions such as:

• What changes were made to users?
• How many users were modified?
• Were passwords changed?
• What actions did administrators take?
• Were group memberships updated?
• Were group owners changed?
• Were licenses assigned or removed?

User audit logs

• Found under Users → Monitoring → Audit logs.
• Automatically filtered to UserManagement category.

Group audit logs

• Found under Groups → Monitoring → Audit logs.
• Automatically filtered to GroupManagement category.

These views reduce filtering effort for common investigations.

Enterprise applications audit logs

Application-based audit logs answer questions such as:

• Which applications were added or removed?
• Were application configurations updated?
• Did a service principal change?
• Who granted consent to an application?

Access path

• Enterprise applications → Activity → Audit logs
• Automatically scoped to Enterprise applications.

This view is critical for OAuth consent and app governance audits.

Microsoft 365 activity logs

Microsoft 365 activity logs:

• Share many directory resources with Microsoft Entra logs.
• Are fully accessible only via the Microsoft 365 admin center.

You can also access Microsoft 365 activity logs programmatically using:

• Office 365 Management APIs

These logs are often used for:

• Compliance investigations.
• Cross-service activity tracking.

Exam-focused summary (Unit 3)

• Audit logs track configuration and administrative changes.
• Sign-in logs ≠ audit logs.
• Audit logs answer who did what.
• Filtering by service and category is key.
• Downloads are limited to 250,000 records.
• Contextual audit views exist for:
• Users
• Groups
• Enterprise applications
• Microsoft 365 logs require the M365 admin center.