Understanding audit reports about changes to Azure AD administrative roles

Summary
In Microsoft Azure Active Directory (Azure AD), multiple audit reports within the Azure Management Portal (manage.windowsazure.com) can provide basic information about changes to directory data for a tenant. However, those reports may not provide a complete view of why those changes are occurring. 

You can find additional information about such changes in additional feature and service specific audit trails. For example, Azure AD Privileged Identity Management (PIM) manages just-in-time (JIT) user role assignments. If you want to learn about changes to user role assignments that originate in Azure AD PIM, the Audit History report from the Azure AD PIM user experience in the Azure portal (portal.azure.com) provides information beyond what is available in the Azure audit trail.

The Actor that is listed in audit reports from the Azure Management Portal represents the user or service principal that makes the change in Azure AD. In Azure AD PIM, the service principal is named "MSPIM." By examining the Audit History log in the Azure AD PIM user experience, you can find additional information about role changes that are started through the Azure AD PIM service. Other services and third-party products have their own service principal.

Therefore, if you are using Azure AD PIM, we recommend that you also collect audit reports about changes in administrator roles from the Audit History in the Azure AD PIM user experience in the Azure portal (portal.azure.com). Similarly, other services in Microsoft Online Services may generate their own audit trail in addition to the log that is generated by Azure AD. Third-party products and services may also change user role assignments.

More information
When you add a member to a role or remove a member from a role in the Azure Management Portal, the following user role assignment events are recorded in the Azure audit reports. The same two events are recorded when a role assignment changes through Azure AD PIM, in the situations listed under each event:

  • Add member to role

    • A user who is eligible for an Azure AD management role sets her role to Active in the PIM experience.
    • A Privileged Role Administrator changes a user's role from Eligible to Permanent in the PIM experience.
  • Remove member from role

    • A user deactivates his role assignment, reverting it to Eligible for activation.
    • A user role assignment expires and reverts to Eligible for activation.
    • A Privileged Role Administrator changes a user's role from Permanent to Eligible.
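The following script is an added example, not part of this article or of any Microsoft tool. It shows how an analyst can triage exported role-change records using only what the article states: the two event names, and the fact that PIM-originated changes carry the Actor "MSPIM" and therefore need the PIM Audit History to explain them. The record layout, field names and sample tenant data are constructed for the example; they are not the real Azure AD audit log schema.

```python
"""Triage exported Azure AD audit records for administrative role changes.

Added example. The record layout here is a constructed, simplified stand-in
for one row of an exported audit report; it is not the real Azure AD schema.
"""
from datetime import datetime
from typing import Dict, List

# Event names for role membership changes, as listed in the article.
ROLE_CHANGE_ACTIVITIES = {"Add member to role", "Remove member from role"}
# Service principal that Azure AD PIM uses as the Actor, per the article.
PIM_ACTOR = "MSPIM"

# Constructed sample records (assumed field names, fictitious tenant data).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"timestamp": "2016-06-30T10:01:00Z", "activity": "Add member to role",
     "actor": "MSPIM", "target": "alice@contoso.example", "role": "Global Administrator"},
    {"timestamp": "2016-06-30T10:05:00Z", "activity": "Add member to role",
     "actor": "admin@contoso.example", "target": "bob@contoso.example", "role": "User Administrator"},
    {"timestamp": "2016-06-30T18:01:00Z", "activity": "Remove member from role",
     "actor": "MSPIM", "target": "alice@contoso.example", "role": "Global Administrator"},
    {"timestamp": "2016-06-30T18:30:00Z", "activity": "Update user",
     "actor": "admin@contoso.example", "target": "carol@contoso.example", "role": ""},
    {"timestamp": "2016-06-30T19:00:00Z", "activity": "Add member to role",
     "actor": "Example Connector App", "target": "dave@contoso.example", "role": "Global Administrator"},
    {"timestamp": "2016-06-30T20:00:00Z", "activity": "Add member to role",
     "actor": "MSPIM", "target": "eve@contoso.example", "role": "Exchange Administrator"},
]


def role_change_events(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only the two role membership events, oldest first."""
    kept = [r for r in records if r["activity"] in ROLE_CHANGE_ACTIVITIES]
    return sorted(kept, key=lambda r: r["timestamp"])


def classify_actor(actor: str) -> str:
    """Label who made the change, so the analyst knows which audit trail explains it.

    'pim'           -> Azure AD PIM; the reason lives in the PIM Audit History.
    'user'          -> a person acting directly in the portal (assumed: UPN-shaped actor).
    'other-service' -> some other service principal with its own audit trail.
    """
    if actor == PIM_ACTOR:
        return "pim"
    if "@" in actor:
        return "user"
    return "other-service"


def triage(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group role changes by actor class for a quick summary."""
    groups: Dict[str, List[Dict[str, str]]] = {"pim": [], "user": [], "other-service": []}
    for rec in role_change_events(records):
        groups[classify_actor(rec["actor"])].append(rec)
    return groups


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def pim_activation_windows(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Pair each MSPIM 'Add member to role' with the next MSPIM 'Remove member from role'
    for the same target and role.

    Add followed by Remove = a JIT activation that was deactivated or expired.
    Add with no Remove = still active, or changed to Permanent; only the PIM
    Audit History can tell which, so those entries are the ones to look up there.
    """
    open_adds: Dict[tuple, str] = {}
    windows: List[Dict[str, object]] = []
    for rec in role_change_events(records):
        if rec["actor"] != PIM_ACTOR:
            continue
        key = (rec["target"], rec["role"])
        if rec["activity"] == "Add member to role":
            open_adds[key] = rec["timestamp"]
        elif key in open_adds:
            started = open_adds.pop(key)
            minutes = (_parse(rec["timestamp"]) - _parse(started)).total_seconds() / 60
            windows.append({"target": key[0], "role": key[1], "activated": started,
                            "deactivated": rec["timestamp"], "minutes_active": int(minutes)})
    for (target, role), started in open_adds.items():
        windows.append({"target": target, "role": role, "activated": started,
                        "deactivated": None, "minutes_active": None})
    return windows


if __name__ == "__main__":
    for label, recs in triage(SAMPLE_RECORDS).items():
        print(f"{label}: {len(recs)} role change(s)")
    for window in pim_activation_windows(SAMPLE_RECORDS):
        print(window)
```

On the constructed sample, the "pim" group holds three of the five role changes, and the window pairing shows one completed activation (eight hours for alice) and one open assignment (eve) whose current state, active or made Permanent, the Azure audit report alone cannot resolve.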
Properties

Article ID: 3175279 - Last Review: 07/01/2016 22:17:00 - Revision: 1.1

Microsoft Azure Active Directory

  • KB3175279