Auditing for WAAD (Office 365) is now in Preview!

This is certainly one of the best news I have heard in a while. To read the announcement, check out the Active Directory Team Blog.

The first question that come to my mind, before even reviewing what kind of reports will be provided, was the ‘what it will cost us’ question. Unfortunately, the guys at Microsoft are making this functionality available only via the Azure portal, at least at this time. And on top of everything, they are again introducing multiple subscription types and making a total marketing mess. You get the Azure AD free included with your Office 365 and other Microsoft Online Services subscriptions, Azure AD Basic can be purchased via VL channels, and Azure AD Premium can be purchased/trialed directly from the Azure Portal. Why am I providing you all that information? Because currently it’s not really clear what kind of subscription you will actually need in order to access the audit reports. Some of the reports are included with the Free offering, others will require Premium subscription it seems (not clear if license is needed for every user, hopefully we will get free Premium licenses for every admin user). The most important ones however, the Audit report, will be included for free (Azure subscription still required).

Here’s how it looks like from the Azure Portal (with Free subscription):


Once you enable Premium for an Active Directory however, some of the reports will change category (I’ve only highlighted the relevant ones):


Anyway, the good news is that you can get this set up and tested without having to pay anything, and you can follow for example the steps here to achieve this. And you can take advantage of the ‘pay as you go’ options as well. Since I have an Azure subscription and I am currently in trial for Azure AD Premium as well, I took the opportunity to explore the feature in details. Well, at least as many details as you can get from a single-user Office 365 subscription. And a number of other trial subscriptions I use for testing stuff.

Let’s start with the Audit tab. In case you are wondering why I am skipping all the sign-in related reports, those have been available for a while now. So, the Audit report. It should give us the date, user and action performed for any of the sensitive WAAD related cmdlets. This includes, but it’s not limited to:

  • Changes in role membership (user elevation to GA or any other admin role or removal from the said role)
  • Password changes (does not include self-service password changes, you get separate report for that)
  • Username changes (the Set-MsolUserPrincipalName cmdlet)
  • Domain management (add, remove, verify, change authentication/federation settings)
  • User management (add, remove, restore, update a user)
  • Adding or removing licenses (oh how long have I been waiting for that one!)
  • Updating the company settings (Set-MsolCompanySettings for example)
  • Changes performed from the Azure Portal (i.e. assigning the AD Premium license)

There are certain limitations however, for example changing an attribute will only log an entry that the said object has been changed, but it will not show you what the new and changed values are. Thus there is currently no way to confirm if all attribute changes are actually audited, or only specific ones (well unless you try changing them one at a time I guess). The results are available for time period of 30 days and can also be downloaded to a CSV file if needed. As mentioned in the blog post by the AD team, the team is aware of those limitations and will improve on them!

Here’s how the report looks like on the Azure Portal:


Next on the list are the ‘Password reset activity’ and the ‘Password reset registration activity’ reports. Those include only the self-service password reset, admin actions are filed in the Audit report we discussed above. You will need Premium licenses in order to use these, but you also need Premium licenses in order for your users to actually be able to do the password reset. It’s a bit unclear where Basic stands at this time, as it allows for password resets, however accessing the reports from the Azure portal specifically asks for Premium subscription.

Unfortunately, the ‘Password reset’ reports are both empty for my tenants as I’ve not done any changes in the past month. Screenshots are available in the original post however.

Lastly, we have the Group activity reports. This report is not available under the Reports tab, instead it’s presented individually for each group. To access the report, go back to the Groups tab, select the Group in question and open the Activity tab. It will show you any membership changes occurred in the past 30 days. Again, no entries in this log for my tenants, but I will update with screenshots once the newly performed actions are synced with the Azure logs.

UPDATE 12/10/2014: Either I am missing something (like an activation switch) or this functionality is simply still not rolled out to my tenant. I am not able to see any of the actions I perform from either the Office 365 admin center or PowerShell reflected back in the Audit logs. In contrast, changing the Last Name of a user directly from the Azure portal appeared in the logs 30 mins later or so. Same goes for the Group activity reports, no entries are visible there even though the updated membership status is immediately shown on the Azure Portal. So, no additional screenshots for now 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.