Forum Discussion
Azure AD Connect Admin Audit log
Hi,
Does anyone know if there is an Admin audit log for AADConnect?
I'm looking for something that logs when an admin has, for example, made a change to the sync, such as adding or removing an OU from the sync scope, manually triggering an initial or delta sync, opening the admin tools, or opening the connectors in edit mode.
I am seeing a lot of client systems where AAD Connect spends a lot of its time complaining about the need for an initial sync. I suspect a lot of these cases are where an admin has opened the sync and OK'd, or even cancelled out, but it seems to have marked the connector as changed.
It seems odd that there is no evident admin audit log for something as critical, and security sensitive, as AAD Connect, if there isn't one.
If it relies on logging to Event Viewer only, then is there any guidance or documentation (I haven't managed to find any) to identify which event IDs would correlate to the above activities? Trawling the logs so far, I haven't found anything identifying when a connector has been changed or, frankly, when an admin has opened or used the tools (MIISClient or the Azure AD Connect app/tool).
Thanks in advance for your input.
Pete
22 Replies
Yes, I have had a quick look and it seems there is no such item:
Using Azure AD Connect Health with AD FS - Microsoft Entra | Microsoft Learn
- thenags (Copper Contributor)
Any updates to this? Trying to track some changes that were made.
- AGomes (Copper Contributor)
Four and a half years later... is there now any management/control/settings related to logging?
Thank you all!
- Rob de Jong (Former Employee)
(17 minutes later) AGomes, what features would you need?
- AGomes (Copper Contributor)
Thanks Rob de Jong!
I am receiving a lot of "Information" events on each sync. I would like to disable the unimportant ones, and enable them again when I have a problem.
Thanks again for your attention!
- Rob de Jong (Former Employee)
Peter Holland For version 1.5.30.0 onwards, every time a user makes a change to the AADConnect configuration using the Wizard, a time-stamped snapshot of the changed configuration is saved. Comparing these snapshots will show the exact changes that were made, including who made the changes.
Soon, customers will be able to use these snapshots to restore a server or build a copy of a server by specifying the snapshot file in the installer process.
- darkbug (Copper Contributor)
Rob de Jong, do you know where these snapshots are saved? My preferred domain controller has somehow changed to an old decommissioned DC, and due to the lack of auditing I have no way of knowing if this was done by the system or an admin.
- NandishNM (Copper Contributor)
Rob de Jong, could you please share the steps to extract/export the snapshot and check the logs?
- LaurentFra (Brass Contributor)
Rob de Jong, I know (and use) the import/export feature, but I don't know how to find which AADC admin has made a change to the AADC config (like changing OUs, switching staging mode...) and when.
Is there a way of knowing that?
Thank you
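Rob de Jong's reply above says that from version 1.5.30.0 the wizard saves a time-stamped snapshot of the changed configuration, and that comparing snapshots shows what changed; LaurentFra's question is how to get from that to "which change, and when". The script below is an added example, not code from this thread or from Microsoft's AAD Connect tooling. It assumes the snapshots are JSON files, that they live in the wizard's default export folder `%ProgramData%\AADConnect` with names matching `Applied-SynchronizationPolicy-*.json` (both are parameters, so adjust them if your build stores them elsewhere), and it makes no assumption about the snapshot schema: it does a generic recursive diff of any two JSON documents. The two inline sample snapshots are constructed with made-up keys purely to show the output shape.

```powershell
# Added example (not from this thread, not Microsoft's AADC tooling):
# diff consecutive Azure AD Connect settings snapshots so that a config
# change (OU filter, staging mode, ...) can be tied to a point in time.
# Assumed: snapshots are JSON; folder and name pattern below are the
# wizard's default export location and are parameters in case yours differ.

function Get-NodeKind {
    param($Node)
    # Classify a parsed JSON node so the diff can recurse correctly.
    if ($null -eq $Node) { return 'Null' }
    if ($Node -is [System.Collections.IList]) { return 'Array' }
    if ($Node.GetType().Name -eq 'PSCustomObject') { return 'Object' }
    return 'Scalar'
}

function Format-Leaf {
    param($Value)
    # Canonical string form, used both for comparison and for reporting.
    if ($null -eq $Value) { return 'null' }
    return (ConvertTo-Json -InputObject $Value -Compress -Depth 10)
}

function New-Change {
    param($Path, $Change, $Before, $After)
    [pscustomobject]@{
        Path   = $Path
        Change = $Change
        Before = (Format-Leaf $Before)
        After  = (Format-Leaf $After)
    }
}

function Compare-JsonNode {
    param($Before, $After, [string] $Path = '$')
    # Recursive structural diff; emits one record per added, removed or changed leaf.
    $kindB = Get-NodeKind $Before
    $kindA = Get-NodeKind $After
    if ($kindB -eq 'Object' -and $kindA -eq 'Object') {
        $namesB = @($Before.PSObject.Properties.Name)
        $namesA = @($After.PSObject.Properties.Name)
        foreach ($n in ($namesB + $namesA | Sort-Object -Unique)) {
            if     ($namesB -notcontains $n) { New-Change "${Path}.${n}" 'Added'   $null      $After.$n }
            elseif ($namesA -notcontains $n) { New-Change "${Path}.${n}" 'Removed' $Before.$n $null }
            else   { Compare-JsonNode -Before $Before.$n -After $After.$n -Path "${Path}.${n}" }
        }
    }
    elseif ($kindB -eq 'Array' -and $kindA -eq 'Array') {
        # Arrays (e.g. an OU list) are compared position by position.
        $max = [Math]::Max($Before.Count, $After.Count)
        for ($i = 0; $i -lt $max; $i++) {
            if     ($i -ge $Before.Count) { New-Change "${Path}[$i]" 'Added'   $null       $After[$i] }
            elseif ($i -ge $After.Count)  { New-Change "${Path}[$i]" 'Removed' $Before[$i] $null }
            else   { Compare-JsonNode -Before $Before[$i] -After $After[$i] -Path "${Path}[$i]" }
        }
    }
    elseif ((Format-Leaf $Before) -ne (Format-Leaf $After)) {
        # Scalars, or nodes whose kind differs between snapshots.
        New-Change $Path 'Changed' $Before $After
    }
}

function Compare-AadcSnapshots {
    param(
        [string] $Folder = "$env:ProgramData\AADConnect",            # assumed default export folder
        [string] $Filter = 'Applied-SynchronizationPolicy-*.json'    # assumed snapshot name pattern
    )
    # Walk the snapshots in time order and report what changed between each pair;
    # the later file's timestamp is the "when" of the change.
    $files = @(Get-ChildItem -Path $Folder -Filter $Filter -File | Sort-Object LastWriteTime)
    for ($i = 1; $i -lt $files.Count; $i++) {
        $before = Get-Content -Raw -LiteralPath $files[$i-1].FullName | ConvertFrom-Json
        $after  = Get-Content -Raw -LiteralPath $files[$i].FullName   | ConvertFrom-Json
        $from = $files[$i-1].Name; $to = $files[$i].Name; $when = $files[$i].LastWriteTime
        Compare-JsonNode -Before $before -After $after |
            Select-Object @{ n = 'When'; e = { $when } }, @{ n = 'From'; e = { $from } },
                          @{ n = 'To'; e = { $to } }, Path, Change, Before, After
    }
}

# Constructed sample snapshots (made-up keys, not the real AADC schema) to show the output shape.
$snapBefore = '{"version":"1.5.30.0","ouFilter":["OU=Staff,DC=corp,DC=example","OU=HR,DC=corp,DC=example"],"stagingMode":false}'
$snapAfter  = '{"version":"1.5.30.0","ouFilter":["OU=Staff,DC=corp,DC=example"],"stagingMode":true}'
Compare-JsonNode -Before ($snapBefore | ConvertFrom-Json) -After ($snapAfter | ConvertFrom-Json) | Format-Table -AutoSize

# Against a real server's snapshot folder:
# Compare-AadcSnapshots | Format-Table -AutoSize
```

On the sample, the diff reports the dropped OU entry as a removal under `$.ouFilter` and the staging-mode flip as a change; on real snapshots `Compare-AadcSnapshots` adds the file names and the later file's modification time, which is the best available "when". The "who" is only recoverable if the snapshot contents record it, as Rob says they do; failing that, the snapshot timestamp can be correlated with interactive logon events in the server's Security log to narrow down which administrator was on the box at the time.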
- Peter Holland (Iron Contributor)
Having done some testing, and some further googling, the view I have come to is:
- There are no separate AADConnect log files outside of event viewer
- AADConnect only logs the information/warning/error messages as stated here: https://support.microsoft.com/en-gb/help/2684395/how-to-troubleshoot-azure-active-directory-sync-tool-installation-and-configuration-wizard-errors
- AADConnect does not log ANY configuration changes, administrative actions, or other useful information beyond the sync issue type errors above
- AADConnect has no management/control/settings related to logging.
I'm really hoping I'm wrong about this!
In my lab, I performed a number of tasks:
- enabled the logs for AADConnect operational and debug
- edited connectors
- edited OU selection
- changed security credentials in use
All of these could result in sync failure, intentionally or accidentally, and nothing is logged anywhere. Surely this is quite a big void in security, auditing, and oversight?
If anyone could chime in and point me towards conflicting information, I would be very happy.
Thanks
- Joshua Bines (Iron Contributor)
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37426342-admin-audit-function-for-azure-ad-connect-synchron
- Gary Smith (Brass Contributor)
We too have issues and unable to resolve them. Logs would be useful.