Audit Logs Report
An Audit Log in Microsoft Entra ID is a detailed record of all the activities (changes and operations) that occur within the Microsoft Entra environment. It captures who performed an action, what the action was, when it happened, and the target of that action. The Audit Logs report helps administrators figure out which activities have been registered, who initiated each activity (a user or a process), the status of the activity (whether it failed or succeeded), and the time at which the activity was recorded.
To generate the report, do the following:
- Select the Audit Logs option from the Compliance sub node by following the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Microsoft Entra ID.
- Figure 1 then appears. In Figure 1, select a criterion for analysis from the Analyze By list box.
Figure 1 : Specifying the criteria for generating the Audit Logs report
- Using this report, you can analyze the audit log activities on one/more managed components, or those that are part of a zone, service or segment. The options provided by the Analyze By list box are discussed hereunder:
- Component: Select this option to choose the component(s) from across all the managed components in the environment.
- Zone: To generate a report for one/more components that are included in a zone, pick the Zone option. A Zone drop-down list will then appear, from which you would have to select the zone to which the components of interest to you belong. A Sub zone flag also appears. Indicate whether the components present within the sub-zones of the chosen zone are also to be considered for report generation, by setting the Sub zone flag to Yes.
- Segment: If you want to generate a report for one/more chosen components that belong to a segment, select the Segment option from Analyze By list box, and then pick the Segment from the drop-down list that appears.
- Service: If you want to generate a report for one/more components involved in the delivery of a service, select the Service option from Analyze By, and then pick the required Service from the drop-down list that appears.
- Choose a Component Type for which the report is to be generated.
- The Components list will now be populated with all the components that are managed in your environment for the chosen component type. If the Components list consists of too many components, then viewing all the components and selecting the ones you need for report generation could require endless scrolling. To avoid this, you can click the button next to the Components list. A Components pop-up window will then appear, using which you can view almost all the components in a single interface and select the ones to be included in this report.
- By default, the All Categories option is specified in the Category list, indicating that this report will be generated based on all categories. A category is a classification that groups audit events by the type of action or change recorded within your tenant. Each category corresponds to a set of related administrative activities, such as Application Management, Authorization, Device, Group Management, Resource Management, and User Management. However, if you want to generate the audit log report based on any one of those categories, then you can specify the category in this list.
- By default, the Total option is specified in the Status list, indicating that this report will be generated for all statuses. A status indicates the outcome of an audited event or activity, i.e., whether the action that triggered the log entry was successful, failed, or timed out. However, if you want to generate the audit log report based on any one of those statuses, then you can specify the status in this list.
- By default, the All Services option is specified in the Service list, indicating that this report will be generated based on all services. A service refers to the specific area or component of the Entra ID system where an activity or change took place. It categorizes the logged event by the functional domain it relates to, such as Core Directory, Device Registration Service, and Self-service Password Management. However, if you want to generate the audit log report based on any one of those services, then you can specify the service in this list.
- By default, the All Activity Names option is specified in the Activity Name list, indicating that this report will be generated based on all activities. An activity refers to a specific recorded action or change performed within the tenant, such as adding a device, adding a registered owner/user to a device, changing a self/user password, resetting a password, and updating a device. However, if you want to generate the audit log report based on any one of those activities, then you can specify the activity name in this list.
- By default, the * option is specified in the Initiated By text box, indicating that this report will be generated regardless of the user/process that initiated the action. The initiator is the entity (user/process) responsible for executing the action logged in the audit event, such as creating a user, modifying a group, or changing policy settings. However, if you want to generate the report for a specific initiator, then you can specify the initiator in this text box.
- Then, specify the Timeline for generating this report. You can either provide a fixed timeline such as 1 hour, 2 days, etc., or select the Any option from the list to provide a From and To date/time for report generation.
Note:
For every user registered with the eG Enterprise system, the administrator can indicate the maximum timeline for which that user can generate a report. Once the maximum timeline is set for a user, then, whenever that user logs into eG Reporter and attempts to generate a report, the Timeline list box in the report page will display options according to the maximum timeline setting of that user. For instance, if a user can generate a report for a maximum period of 3 days only, then 3 days will be the highest option displayed in the Timeline list - i.e., 3 days will be the last option in the fixed Timeline list. Similarly, if the user chooses the Any option from the Timeline list and proceeds to provide a start date and end date for report generation using the From and To specifications, eG Enterprise will first check if the user's Timeline specification conforms to his/her maximum timeline setting. If not, report generation will fail. For instance, for a user who is allowed to generate reports spanning over a maximum period of 3 days only, the difference between the From and To dates should never be over 3 days. If it is, then, upon clicking the Run Report button a message box will appear, prompting the user to change the From and To specification.
- In addition to the settings discussed above, this report comes with a set of default specifications. These settings are hidden by default. If you do not want to disturb these default settings, then you can proceed to generate the report by clicking the Run Report button soon after you pick one/more components for report generation. However, if you want to view and then alter these settings (if required), click on the icon. The default settings will then appear in the MORE OPTIONS drop-down window (see Figure 2). The steps below discuss each of these settings and how they can be customized.
- Next, indicate the report Time period.
Note:
By default, the Time period is set to 24 hours. Accordingly, the From and To parameters in the [timeframe] section of the eg_report.ini file (in the <eg_install_dir>\manager\config directory) are set to 00:00 and 24:00 respectively. If need be, you can override this default setting by configuring a different timeframe against the From and/or To parameters.
- In large environments, reports generated using months of data can take a long time to complete. Administrators now have the option of generating reports online or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks while the eG manager is processing the report. This saves the administrator valuable time. To schedule background processing of a report, select the Background Save - PDF option from the Report Generation list. To process reports in the foreground, select the Foreground Generation - HTML option from this list.
Note:
- The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to Yes.
- The default selection in the Report Generation list will change according to the Timeline specified for the report. If the Timeline set is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, then the default selection in the Report Generation list will be Background Save - PDF. On the other hand, if the Timeline set for the report is less than the value of the MinDurationForReport parameter, then the default selection in the Report Generation list will be Foreground. This is because the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks, which indicates that, by default, reports with a timeline of 2 weeks and above will be processed in the background.
- Click the Done button if any changes were made to the More Options drop down window.
- Finally, click the Run Report button to generate the report.
- If the Report Generation type is Foreground Generation - HTML, then Figure 3 will appear as soon as you click the Run Report button.
Figure 3 : The generated Audit Logs report for Total activity
The generated report (see Figure 3) will display the following sections:
- The Overview section reveals the total number of activities, success activities, failure activities, timeout activities, unknown future activities, and other activities that were logged in the Audit Log during the selected timeline.
- The Audit Log Detail - Total Activities section lists, for each log entry within the selected timeline, the following details:
- the category under which the activity was recorded in the Audit Log;
- the status of the activity (e.g., whether it failed) and the reason behind that status;
- the time at which the activity was recorded in the Audit Log;
- the service under which the activity took place;
- the initiator type (user or process) and the identity that initiated the activity;
- the IP address from which the activity was initiated;
- the target of the activity, i.e., the user/process on which the action was performed;
- the modification details, i.e., the old and new values of each changed property;
- the Correlation ID related to the activity.
Based on the status selected from the Status list (Total, in our example), administrators can expand each row in the generated report (see Figure 4) to figure out which property has been modified, and from which old value to which new value. A property is a specific data field within an audit log entry that captures details about the audited activity or event. Each audit log record contains a set of properties that describe what happened, who performed the action, when it occurred, and other relevant contextual data.
Figure 4 : The expanded row in Audit Logs report for Total activity status
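As an added illustration, not part of the eG Enterprise product or of this page, the following Python shows how the Overview counts and the Audit Log Detail rows described above can be derived from Entra ID audit records. The records are constructed sample data shaped like Microsoft Graph directoryAudit entries (the field names follow that schema); the "Total" filter value and the "other" bucket mirror the Status list and the Overview section of the report.

```python
from collections import Counter
# Constructed sample records (all values made up), shaped like Microsoft Graph
# directoryAudit entries, which are the records behind the Entra ID Audit Log.
SAMPLE_AUDIT_LOGS = [
    {"category": "UserManagement", "result": "success", "resultReason": "",
     "activityDisplayName": "Reset password", "activityDateTime": "2024-05-01T10:00:00Z",
     "loggedByService": "Core Directory", "correlationId": "c-001",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.5"}, "app": None},
     "targetResources": [{"displayName": "Jane Doe", "type": "User", "modifiedProperties": []}]},
    {"category": "GroupManagement", "result": "failure", "resultReason": "Insufficient privileges",
     "activityDisplayName": "Update group", "activityDateTime": "2024-05-01T10:05:00Z",
     "loggedByService": "Core Directory", "correlationId": "c-002",
     "initiatedBy": {"user": None, "app": {"displayName": "Provisioning App"}},
     "targetResources": [{"displayName": "Finance", "type": "Group", "modifiedProperties": [
         {"displayName": "Group.DisplayName", "oldValue": '"Fin"', "newValue": '"Finance"'}]}]},
    {"category": "Device", "result": "timeout", "resultReason": "",
     "activityDisplayName": "Update device", "activityDateTime": "2024-05-01T10:07:00Z",
     "loggedByService": "Device Registration Service", "correlationId": "c-003",
     "initiatedBy": {"user": {"userPrincipalName": "ops@example.com", "ipAddress": "198.51.100.7"}, "app": None},
     "targetResources": [{"displayName": "LAPTOP-01", "type": "Device", "modifiedProperties": []}]},
]

KNOWN_RESULTS = ("success", "failure", "timeout", "unknownFutureValue")  # anything else -> "other"

def overview(records):
    """Counts shown in the Overview section: total plus one bucket per status."""
    counts = Counter(r["result"] if r["result"] in KNOWN_RESULTS else "other" for r in records)
    return {"total": len(records), **{k: counts.get(k, 0) for k in KNOWN_RESULTS + ("other",)}}

def detail_rows(records, status="Total"):
    """Rows of the Audit Log Detail section, filtered the way the Status list does ("Total" = all)."""
    rows = []
    for r in records:
        if status != "Total" and r["result"] != status.lower():
            continue
        user = r["initiatedBy"].get("user") or {}   # initiator is a user ...
        app = r["initiatedBy"].get("app") or {}     # ... or a process/application
        target = r["targetResources"][0] if r["targetResources"] else {}
        rows.append({
            "category": r["category"], "status": r["result"], "reason": r["resultReason"],
            "time": r["activityDateTime"], "service": r["loggedByService"],
            "initiator_type": "user" if user else "process",
            "initiator": user.get("userPrincipalName") or app.get("displayName"),
            "ip": user.get("ipAddress"),
            "target": f'{target.get("type")}: {target.get("displayName")}',
            "modifications": [(p["displayName"], p["oldValue"], p["newValue"])
                              for p in target.get("modifiedProperties", [])],
            "correlation_id": r["correlationId"],
        })
    return rows
```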
- Figure 5 represents the Audit Log Detail - Failure Activities section. This section reveals the same set of details as highlighted for the Audit Log Detail - Total Activities section (discussed above). Based on the status selected from the Status list (Failure, in our example), administrators can expand each row in the generated report (see Figure 5) to figure out which property has been modified, and from which old value to which new value.
Figure 5 : The expanded row in Audit Logs report for Failure activity status
Similar reports will be displayed when a different status, such as success or timeout, is selected from the Status list.