Forum Discussion
AmiShinu
Jan 13, 2025 - Copper Contributor
Azure AD PowerShell module logs in Sentinel
Hello Team, as part of a clean-up activity, our SOC has been assigned a task to find the list of regular users who are using Azure AD PowerShell and what activities they're performing, as we want that to ...
Kidd_Ip
Jan 14, 2025 - MVP
You may consider a KQL query to find the operation logs associated with AAD through PowerShell:
AuditLogs
| where OperationName startswith "Add" or OperationName startswith "Set" or OperationName startswith "Remove"
| where Category == "UserManagement" or Category == "GroupManagement"
| where Result == "success"
| project TimeGenerated, OperationName, TargetResources, InitiatedBy, Result
| order by TimeGenerated desc
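
Added example, not part of the original reply: the query above returns every successful user and group change regardless of client, so this sketch first finds who signed in to the Azure AD PowerShell client application and then lists the directory changes those users made shortly afterwards. It assumes SigninLogs is ingested into the same workspace; the 30-day lookback and 1-hour correlation window are illustrative values, and the time-window match is a heuristic (a change made from another client inside the window will also appear).

```kql
// Assumed, illustrative values: tune for your environment.
let lookback = 30d;
let window = 1h;
// Successful interactive sign-ins to the Azure AD PowerShell client app.
let psSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName == "Azure Active Directory PowerShell"
    | where ResultType == "0"
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress;
// Successful directory changes initiated by a user (not an app or service principal).
AuditLogs
| where TimeGenerated > ago(lookback)
| where Result == "success"
| extend UserPrincipalName = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where isnotempty(UserPrincipalName)
// Keep only changes made within the window after a PowerShell sign-in by the same user.
| join kind=inner psSignins on UserPrincipalName
| where TimeGenerated between (SigninTime .. (SigninTime + window))
// One row per user: what they did, how often, and from where.
| summarize Operations = make_set(OperationName, 50),
            Changes = dcount(Id),
            SourceIPs = make_set(IPAddress, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| order by Changes desc
```

Sign-ins that refresh tokens silently are recorded in AADNonInteractiveUserSignInLogs rather than SigninLogs, so a union with that table may be needed if it is collected.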