As you know, we turned on the public preview of the Azure AD admin experience with the new Azure portal just a couple months ago. At the time the preview went live, I promised we’d keep making improvements to create an experience with the all the capabilities of the classic portal and some exciting new enhancements as well.
So today I’m happy to let you know that we’ve added Azure Active Directory auditing features to the preview! These new capabilities are designed to help you meet your reporting and compliance needs by providing a rich way to view, investigate, and analyze audit and sign-in data.
And having all this information in one place creates a more efficient and streamlined work process that allows you to absorb and analyze more data faster. Want to know more? Read on!
Fig 1. Azure AD in the new Azure portal
Single view of all audit and sign-in logs: With the transition to the new portal, we’re making all audit logs available in a single view within the Azure Active Directory. You can see those logs by clicking “Audit logs” or “Sign-ins” in the left navigation menu.
Fig 2. Activity Logs in the Left Nav menu
Contextual audit and sign-in logs: You can also see audit logs within the context of the operation you’re performing in the portal. With this pre-filtered view, you can easily find out who did what to your resources. See pre-filtered audit and sign-in data in different areas, including:
- User Management blade: see User Activities
- Single user profile page: see which activities were done by/on the user
- Enterprise Applications blade: see App Activities
- Single app profile page: see the operations have been performed by/on the app in the past 30 days
Rich search & filtering experience: We’ve introduced new filters for audit and sign-in logs so you can easily search and filter for specific information. In the UX, click on the “Filters” button to get a list of all the new filters, including:
- Date and time
- Actor’s UPN (e.g. firstname.lastname@example.org or you can simply type Danny)
- Activity Type (E.g. User, Group, App, Policy, Domain, etc.)
- Activity (E.g. Add User, Add Application, Add Owner to App, etc.)
Below is a snapshot of the new filters available today:
Figure 3: Advanced filtering for Audit logs
Reporting data insights – Overview blade
The overview blade gives you access to everything you need in your directory, and now there will also be a visualization of your usage data in the context of your location within the Portal. For example, if you are in the “Enterprise applications” overview blade, you will see the top apps in your organization.
Figure 4: Top Apps in your organization
If you’re in the “Users and groups” blade, you will see all the user sign-in trends for the past 30 days.
Fig 5. User sign-in trends over last 30 days
Reporting data insights across all resources
One of the coolest features in the preview is the ability to look at activity not just per resource but across all resources in your tenant. All activity data is categorized as audit and sign-in data. For more detailed information about how you can view, search, and filter audit and sign-in activities, check out our reporting documentation.
Audit logs across all resources (Users, Apps, and Directory)
To see audit logs across resources, click on the Audit logs item in the resource menu of the directory – you’ll also find this option in the resource menu for “Enterprise applications” and on the “Users and groups” blade.
On the Audit logs page, you’ll see a list of recent audit events in your tenant. Use the search box to find the activity you’re interested in, and use the filter button to select audit events from a specific time interval.
Fig 6. Viewing changes made to apps by a specific user
Fig 7. List of all directory audit logs
Sign-ins across all resources (Users and Apps)
You can get similar insight into sign-ins by clicking Sign-ins in the resource menu of the directory, “Enterprise applications”, or “Users and groups” blade. There, you’ll see a list of recent sign-ins to applications. Like audit events, you can filter using the box right above the list or use the filter button in the command bar to scope the results to a time interval.
Click a row in the list to see details for an individual sign-in, like who signed in, when they signed in, from where, and from which device and IP address.
Fig 8. Viewing recent sign-ins to Office 365, and properties for one of those sign-ins
Fig 9. Viewing recent sign-ins for all users and search for specific information
Accessing report data programmatically
As part of the preview release, we’re providing two new APIs for accessing activity logs, which offer much richer filtering options. You will be able to access the same data you see in the portal using the APIs programmatically.
The new Audit API provides logs for all the audit events listed here. In addition, the new Audit API features a rich set of filters you can use to filter your activity logs through the API. You can filter by Activity Date, User Principal Name (UPN), Activity Type, Target Resource Type, Activity Name, Target Name, etc. Check out the Audit API reference guide for more information.
The new Sign-in API provides all the user sign-in information for your tenant. You can view detailed sign-in information like the status of sign-ins, device information, and IP address. In addition, you can use filters like Sign-in date, Sign-in status, User ID, Application ID, Application Name, and User Name. You can find more information in the Sign-in API reference guide.
We will continue working on and releasing new features, and will let you know right here on our blog. In the meantime, we hope you love using the preview experience. Keep the feedback coming! We want to hear about anything you love or hate, and ideas for continuing to improve the user experience.
There’s a lot of new stuff in this preview, and we’d love to get as much feedback as possible as we drive toward making the new portal experience generally available. Please share your thoughts with us in the ‘Admin Portal’ section of our feedback forum. We look forward to hearing from you!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division