Forum Discussion

Peter Holland
Iron Contributor
Jan 25, 2017

Azure AD Connect Admin Audit log

Hi,

Does anyone know if there is an admin audit log for AADConnect?

I'm looking for something that logs when an admin has, for example, made a change to the sync, such as adding or removing an OU from the sync scope, manually triggering an initial or delta sync, opening the admin tools, or opening the connectors in edit mode.

I am seeing a lot of clients' systems where AAD Connect spends a lot of its time complaining about the need for an initial sync. I suspect a lot of these cases are where an admin has opened the sync and OK'd, or even cancelled out, but it seems to have marked the connector as changed.

It seems odd that there is no evident admin audit log for something as critical, and security-sensitive, as AAD Connect, if there isn't.

If it relies on logging to Event Viewer only, then is there any guidance or documentation (I haven't managed to find any) to identify which event IDs would correlate to the above activities? Trawling the logs so far, I haven't found anything identifying when a connector has been changed or, frankly, when an admin has opened or used the tools (MIISClient or the Azure AD Connect app/tool).

Thanks in advance for your input.

Pete

22 Replies

  • thenags
    Copper Contributor
    Any updates to this? Trying to track some changes that were made.
  • AGomes
    Copper Contributor
    Four and a half years later... is there now any management/control/settings related to logging?

    Thank you all!
      • AGomes
        Copper Contributor

        Thanks Rob de Jong!

        I am receiving a lot of "Information" events each sync. I would like to disable the unimportant ones, and enable them again when I get a problem.

        Thanks again for your attention!

  • Peter Holland For version 1.5.30.0 onwards, every time a user makes a change to the AADConnect configuration using the Wizard, a time-stamped snapshot of the changed configuration is saved. Comparing these snapshots will show the exact changes that were made, including who made the changes.
    Soon, customers will be able to use these snapshots to restore a server or build a copy of a server by specifying the snapshot file in the installer process.

    • darkbug
      Copper Contributor

      Rob de Jong, do you know where these snapshots are saved? My preferred domain controller has somehow changed to an old decommissioned DC, and due to the lack of auditing I have no way of knowing if this was done by the system or an admin.

    • NandishNM
      Copper Contributor

      Rob de Jong, could you please share the steps to extract/export the snapshot and check the logs?

    • LaurentFra
      Brass Contributor

      Rob de Jong, I know (and use) the import/export feature, but I don't know how to find which AADC admin has made a change to the AADC config (like changing OUs, switching staging mode...) and when.

      Is there a way of knowing that?

      Thank you

  • Having done some testing, and some further googling, the view I have come to is:

    • There are no separate AADConnect log files outside of Event Viewer.
    • AADConnect only logs the information/warning/error messages as stated here: https://support.microsoft.com/en-gb/help/2684395/how-to-troubleshoot-azure-active-directory-sync-tool-installation-and-configuration-wizard-errors
    • AADConnect does not log ANY configuration changes, administrative actions, or other useful information beyond the sync-issue-type errors above.
    • AADConnect has no management/control/settings related to logging.

    I'm really hoping I'm wrong about this!

    In my lab, I performed a number of tasks:

    • enabled the logs for AADConnect operational and debug
    • edited connectors
    • edited OU selection
    • changed security credentials in use

    All of these could result in sync failure, intentionally or accidentally, and nothing is logged anywhere. Surely this is quite a big void in security, auditing, and oversight?

    If anyone could chime in and point me towards conflicting information, I would be very happy.

    Thanks

    • Joshua Bines
      Iron Contributor

      Peter Holland

      https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37426342-admin-audit-function-for-azure-ad-connect-synchron

    • Gary Smith
      Brass Contributor

      We too have issues and are unable to resolve them. Logs would be useful.

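Rob de Jong's reply above says that from version 1.5.30.0 the wizard saves a time-stamped configuration snapshot on every change, and LaurentFra asks how to work out what changed and when. The script below is an added example, not code from the thread or from Microsoft: it takes two snapshot folders (the paths are placeholders; it assumes each snapshot is a folder of text files such as JSON or XML), hashes every file, and reports files that were added, removed or changed, with a line-level diff of any changed file and the time the newer copy was written. Who made the change is not something the diff itself reveals; the timestamp is what you would correlate against logon events on the sync server.

```powershell
# Added example (not from the thread): compare two AAD Connect configuration
# snapshot folders and report added / removed / changed files.
# -Before and -After are placeholder paths to two exported snapshot folders.
param(
    [Parameter(Mandatory)][string]$Before,   # older snapshot folder (placeholder)
    [Parameter(Mandatory)][string]$After     # newer snapshot folder (placeholder)
)

# Build a table of relative path -> (full path, SHA-256, last write time)
# for every file under a snapshot folder.
function Get-SnapshotIndex {
    param([string]$Root)
    $index = @{}
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($prefixLength)
        $index[$rel] = [pscustomobject]@{
            Path     = $_.FullName
            Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTime
        }
    }
    return $index
}

$old = Get-SnapshotIndex -Root (Resolve-Path $Before).Path
$new = Get-SnapshotIndex -Root (Resolve-Path $After).Path

# Walk the union of both file sets so additions and removals both show up.
$allKeys = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
foreach ($rel in $allKeys) {
    if (-not $old.ContainsKey($rel)) {
        Write-Output "ADDED    $rel  (written $($new[$rel].Modified))"
    }
    elseif (-not $new.ContainsKey($rel)) {
        Write-Output "REMOVED  $rel"
    }
    elseif ($old[$rel].Hash -ne $new[$rel].Hash) {
        Write-Output "CHANGED  $rel  (written $($new[$rel].Modified))"
        # Line-level diff of the two versions; '=>' lines exist only in the
        # newer snapshot, '<=' lines only in the older one.
        $diff = Compare-Object -ReferenceObject  (Get-Content -Path $old[$rel].Path) `
                               -DifferenceObject (Get-Content -Path $new[$rel].Path)
        foreach ($d in $diff) {
            $marker = if ($d.SideIndicator -eq '=>') { '+' } else { '-' }
            Write-Output "    $marker $($d.InputObject.Trim())"
        }
    }
}
```

Run it as `.\Compare-Snapshot.ps1 -Before <older-folder> -After <newer-folder>` from a PowerShell prompt on the sync server, substituting the two snapshot folders you want to compare. Because the comparison is driven by file hashes rather than by any knowledge of the snapshot schema, it keeps working if the set of files in a snapshot changes between AAD Connect versions; the line diff is only meaningful for text files, which is what the exported configuration consists of.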