Forum Discussion
TheriumSec
Jun 18, 2020 - Copper Contributor
Auditing Power-Users and Administrative Tasks with non-repudiation - Does it exist?
I am trying to track down what one would seem to be a seemingly basic task - When and Who created a particular user in AAD? I believe I have been able to answer part of the question, the when. I s...
CliveWatson
Jun 18, 2020 - Former Employee
I'm not sure if I solved this, but I did save this query:
AuditLogs
| where OperationName == "Add user"
| extend displayName_ = tostring(parse_json(tostring(InitiatedBy.user)).displayName)
| extend id_ = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend ipAddress_ = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend roles_ = tostring(parse_json(tostring(parse_json(tostring(InitiatedBy.user)).roles)))
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| join
(
SigninLogs
| project UserId, UserPrincipalName, UserDisplayName
) on $left.id_ == $right.UserId
| summarize by id_, userPrincipalName_, UserPrincipalName //, UserId
You could also look at the Workbook called "Azure AD Auditlogs" for the KQL it uses?
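An added example, not part of either post above: a self-contained KQL query that answers "when and who" for one created account, and that also handles creations initiated by an app or service principal, where `InitiatedBy.user` is empty. The sample rows and the `TargetUpn` value are constructed; the `InitiatedBy.app` and `TargetResources` field names are assumed to follow the Azure AD AuditLogs schema.

```kql
// Constructed sample rows shaped like the AuditLogs table (not real tenant data).
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, Result: string,
                                InitiatedBy: dynamic, TargetResources: dynamic)
[
    // Created interactively by an administrator
    datetime(2020-06-17 09:12:00), "Add user", "success",
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111",
                      "userPrincipalName": "admin@contoso.example",
                      "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "type": "User",
              "userPrincipalName": "new.hire@contoso.example"}]),
    // Created by an application: InitiatedBy.user is absent
    datetime(2020-06-17 10:30:00), "Add user", "success",
    dynamic({"app": {"displayName": "Provisioning Service (constructed)",
                     "servicePrincipalId": "22222222-2222-2222-2222-222222222222"}}),
    dynamic([{"id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "type": "User",
              "userPrincipalName": "synced.user@contoso.example"}]),
    // Unrelated operation that the filter must drop
    datetime(2020-06-17 11:00:00), "Update user", "success",
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111",
                      "userPrincipalName": "admin@contoso.example",
                      "ipAddress": "203.0.113.10"}}),
    dynamic([{"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "type": "User",
              "userPrincipalName": "new.hire@contoso.example"}])
];
// Hypothetical account under investigation
let TargetUpn = "synced.user@contoso.example";
SampleAuditLogs                      // replace with AuditLogs in a real workspace
| where OperationName == "Add user"
| mv-expand Target = TargetResources // one row per affected object
| where tostring(Target.type) == "User"
| extend CreatedUpn = tostring(Target.userPrincipalName),
         CreatedId  = tostring(Target.id)
| where CreatedUpn =~ TargetUpn
// Read both possible initiator shapes, then pick whichever is populated
| extend UserUpn = tostring(InitiatedBy.user.userPrincipalName),
         UserId  = tostring(InitiatedBy.user.id),
         AppName = tostring(InitiatedBy.app.displayName),
         AppId   = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatorType = iff(isnotempty(UserId), "user", "app"),
         Initiator     = iff(isnotempty(UserId), UserUpn, AppName),
         InitiatorId   = iff(isnotempty(UserId), UserId, AppId),
         InitiatorIp   = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, CreatedUpn, CreatedId, InitiatorType, Initiator,
          InitiatorId, InitiatorIp, Result
| order by TimeGenerated asc
```

When the initiator is an app, the audit record alone does not name a person, so `InitiatorId` is the value to pivot on when looking for who operated that service principal.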