Jun 27 2020 - last edited on Jan 14 2022
We are trying to set up alerts for activities performed at the Azure AD level to audit the tenant. However, we are not able to understand the meaning of a few activities recorded in the audit logs. Two of them are as below:
I did some practical testing and understood that "Add app role assignment grant to user" is recorded when an Enterprise app is assigned to a user, but I need to check if there are more scenarios.
I also have no idea about "Add delegated permission grant".
I tried referring to the link below, but it was not very helpful:
Any response will help me a lot. Thanks in advance.
Jun 28 2020 12:57 PM
Add app role assignment grant to user = when you add application permission to an app registration. For example, when you add delegated Graph API permissions
Add delegated permission grant = when you add delegated permission to an app registration. For example, when you add application Graph API permissions
Consent to application = when you add admin consent to that application
Jul 01 2020 11:05 AM
Thank you for the response. However, when I performed the mentioned activities in my subscription, I could see that they were tracked as below:
"Update Service principal" OR "Update Application"
What I want to see is the activity that is performed when it is tracked as below:
I have checked one scenario, but I can't reproduce the other possibilities.
Jul 15 2020 06:51 AM
Finally I was able to reproduce the issue. Below are my findings for these AD logs:
"Add app role assignment grant to user" is generated when an app is assigned to a user from the Enterprise app blade. Users can access these assigned apps from the My Apps portal.
"Add delegated permission grant" can be seen when a user tries to access the app from the My Apps portal and gets a consent page. The user clicks "Allow" and an entry is recorded in the AD audit logs. A delegated Graph permission is granted from the App registration's API permissions tab. E.g.:
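Since the original question was about building alerts on these events, here is an added example (not code from the thread or from Microsoft) of the triage logic one would run over exported audit entries. It assumes records shaped like Microsoft Graph `directoryAudits` objects (`activityDisplayName`, `result`, `initiatedBy`, `targetResources[].modifiedProperties`); the modified-property names `DelegatedPermissionGrant.Scope`, `DelegatedPermissionGrant.ConsentType` and `ConsentContext.IsAdminConsent`, the "risky scopes" list, and all sample tenants, users and app names are assumptions constructed for the demo. It maps the three activity names discussed above to the scenario that produces them, pulls out who granted what to whom, and raises the severity when the grant is tenant-wide admin consent or covers a sensitive scope.

```python
"""Triage Azure AD audit entries for the app-consent events from this thread.

Added example, not code from the thread. Records are shaped like Microsoft
Graph directoryAudits objects; every sample entry, UPN and app name below is
constructed for the demo. The modifiedProperties names used here are
assumptions about the log shape, not verified against a live tenant.
"""
from typing import Any, Dict, List

# activityDisplayName -> the scenario that produces it (per the final answer above).
WATCHED = {
    "Add app role assignment grant to user": "app assigned to a user from the Enterprise app blade",
    "Add delegated permission grant": "delegated permissions consented for an app",
    "Consent to application": "consent recorded for an application",
}
# Delegated scopes worth paging on rather than a daily digest (assumed list).
RISKY_SCOPES = {"Directory.ReadWrite.All", "Mail.Read", "Mail.ReadWrite", "Files.Read.All"}


def _actor(rec: Dict[str, Any]) -> str:
    """Who performed the action: a user UPN, an app display name, or unknown."""
    by = rec.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return by["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def _first_target(rec: Dict[str, Any], rtype: str, field: str):
    """Value of `field` on the first targetResource of type `rtype`, or None."""
    for t in rec.get("targetResources") or []:
        if t.get("type") == rtype:
            return t.get(field)
    return None


def _modified(rec: Dict[str, Any], name: str):
    """newValue of the first modifiedProperty called `name`, with the JSON
    string quoting the log wraps around it stripped, or None if absent."""
    for t in rec.get("targetResources") or []:
        for p in t.get("modifiedProperties") or []:
            if p.get("displayName") == name:
                return (p.get("newValue") or "").strip('"')
    return None


def triage(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One alert dict per successful watched event: actor, app/resource,
    scopes, whether it was admin consent, and a severity."""
    alerts = []
    for rec in records:
        name = rec.get("activityDisplayName")
        if name not in WATCHED or rec.get("result") != "success":
            continue  # unrelated activity or a failed attempt
        alert: Dict[str, Any] = {"activity": name, "scenario": WATCHED[name],
                                 "actor": _actor(rec), "severity": "info"}
        if name == "Add app role assignment grant to user":
            alert["user"] = _first_target(rec, "User", "userPrincipalName")
            alert["app"] = _first_target(rec, "ServicePrincipal", "displayName")
        elif name == "Add delegated permission grant":
            alert["resource"] = _first_target(rec, "ServicePrincipal", "displayName")
            alert["scopes"] = (_modified(rec, "DelegatedPermissionGrant.Scope") or "").split()
            # AllPrincipals = tenant-wide admin consent; Principal = one user's own consent
            alert["admin_consent"] = _modified(rec, "DelegatedPermissionGrant.ConsentType") == "AllPrincipals"
            if alert["admin_consent"] or RISKY_SCOPES & set(alert["scopes"]):
                alert["severity"] = "high"
        elif name == "Consent to application":
            alert["app"] = _first_target(rec, "ServicePrincipal", "displayName")
            alert["admin_consent"] = (_modified(rec, "ConsentContext.IsAdminConsent") or "").lower() == "true"
            if alert["admin_consent"]:
                alert["severity"] = "high"
        alerts.append(alert)
    return alerts


# Constructed sample log: four watched events plus two entries that must be ignored.
SAMPLE_LOG = [
    {"activityDisplayName": "Add app role assignment grant to user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"},
                         {"type": "ServicePrincipal", "displayName": "Payroll Portal"}]},
    {"activityDisplayName": "Add delegated permission grant", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Microsoft Graph",
                          "modifiedProperties": [
                              {"displayName": "DelegatedPermissionGrant.Scope", "newValue": '"User.Read"'},
                              {"displayName": "DelegatedPermissionGrant.ConsentType", "newValue": '"Principal"'}]}]},
    {"activityDisplayName": "Add delegated permission grant", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Microsoft Graph",
                          "modifiedProperties": [
                              {"displayName": "DelegatedPermissionGrant.Scope", "newValue": '"User.Read Mail.Read"'},
                              {"displayName": "DelegatedPermissionGrant.ConsentType", "newValue": '"AllPrincipals"'}]}]},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Payroll Portal",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"True"'}]}]},
    {"activityDisplayName": "Update application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "Application", "displayName": "Payroll Portal"}]},
    {"activityDisplayName": "Add delegated permission grant", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}, "targetResources": []},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"].upper(), a["activity"], "by", a["actor"], "->", a.get("app") or a.get("resource"))
```

The per-user consent to `User.Read` stays at "info", while the tenant-wide grant that includes `Mail.Read` and the admin consent on the enterprise app come out as "high"; the `Update application` entry and the failed grant are dropped. When wiring this to real data, export the entries with the Graph `directoryAudits` endpoint or a Log Analytics `AuditLogs` query and confirm the modified-property names against your own tenant's records before relying on them.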