Forum Discussion
AmiShinu
Jan 13, 2025 | Copper Contributor
Azure AD PowerShell module logs in Sentinel
Hello Team, as part of a clean-up activity, our SOC has been assigned a task to find the list of regular users who are using Azure AD PowerShell and what activities they're performing, as we want that to be limited to only Admin accounts to manage Azure resources.
I was able to find sign-in activities for many users to "Azure Active Directory PowerShell", but I'm unable to find what activities they have performed using PowerShell. I looked under audit logs and a few other tables. Can someone tell me under which table or what KQL I can run to see operation logs associated with Azure AD PowerShell? Thanks in advance.
1 Reply
You may consider this KQL query to find the operations logs associated with AAD through PowerShell:
// Successful Add*/Set*/Remove* operations in the user and group management categories, newest first
AuditLogs
| where OperationName startswith "Add" or OperationName startswith "Set" or OperationName startswith "Remove"
| where Category == "UserManagement" or Category == "GroupManagement"
| where Result == "success"
| project TimeGenerated, OperationName, TargetResources, InitiatedBy, Result
| order by TimeGenerated desc
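
One way to narrow audit events to users who signed in to the "Azure Active Directory PowerShell" app, added here as an example and not part of the question or the reply above. It assumes the SigninLogs, AADNonInteractiveUserSignInLogs and AuditLogs tables are being ingested, and uses a 30-day lookback and a 1-hour correlation window chosen for illustration; the match is by user and time only, so changes the same user made through another tool inside that window will also appear.

```kusto
// Added example: correlate Azure AD PowerShell sign-ins with audit events.
// Assumptions (not from the thread): lookback and window values below.
let lookback = 30d;
let window = 1h;
// Successful sign-ins to the app name the question reports seeing.
let psSignins =
    union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName == "Azure Active Directory PowerShell"
    | where ResultType == "0"
    | project SigninTime = TimeGenerated,
              Upn = tolower(UserPrincipalName),
              IPAddress
    | distinct SigninTime, Upn, IPAddress;
// Directory changes initiated by the same user shortly after each sign-in.
AuditLogs
| where TimeGenerated > ago(lookback)
| where Result == "success"
| extend Upn = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where isnotempty(Upn)            // skip operations initiated by apps
| join kind=inner psSignins on Upn
| where TimeGenerated >= SigninTime and TimeGenerated <= SigninTime + window
| summarize Operations = make_set(OperationName, 50),
            Events = count(),
            FirstEvent = min(TimeGenerated),
            LastEvent = max(TimeGenerated)
        by Upn, SigninTime, IPAddress
| order by SigninTime desc
```

Read-only cmdlets leave no AuditLogs entry, so a user with sign-ins but no rows here may still have been querying the directory.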