Microsoft Tech Community

Auditing Power-Users and Administrative Tasks with non-repudiation - Does it exist?


I am trying to track down what would seem to be a seemingly basic task: when and who created a particular user in AAD? I believe I have been able to answer part of the question, the when. I see a timestamp in the AuditLogs specific to the 'Add user' OperationName - Excellent!
The other part, however, leaves me wondering if the data exists or if it's hidden somewhere in Azure and does not qualify to make it into the standard AuditLogs. Who clicked the buttons to enable the user account? What I see is the following:
InitiatedBy
{"app":{"displayName":"Microsoft Substrate Management","servicePrincipalName":null,"servicePrincipalId":"ad#4b51d9-dqw5-87d9-827c-t9c07s4284#31","appId":null}}
I have randomized the servicePrincipalId
So safe to say this was likely a service/process or script that kicked off to create the user account in AAD. The question is, who set the script in motion? Does anyone have any experience with this and is there a way to prove non-repudiation for this type of event? Many Thanks!


@TheriumSec 
I'm not sure if I solved this, but I did save this query
// List "Add user" events initiated by a signed-in user and correlate the actor with sign-in records
AuditLogs
| where OperationName == "Add user"
// InitiatedBy is a dynamic column, so the nested fields can be read directly.
// App-initiated events (InitiatedBy.app, no InitiatedBy.user) yield empty values here
// and are not matched by the join below.
| extend displayName_       = tostring(InitiatedBy.user.displayName)
| extend id_                = tostring(InitiatedBy.user.id)
| extend ipAddress_         = tostring(InitiatedBy.user.ipAddress)
| extend roles_             = tostring(InitiatedBy.user.roles)
| extend userPrincipalName_ = tostring(InitiatedBy.user.userPrincipalName)
// Match the actor's object id against accounts seen in SigninLogs
| join kind=inner
    (
        SigninLogs
        | distinct UserId, UserPrincipalName, UserDisplayName
    ) on $left.id_ == $right.UserId
| summarize by id_, userPrincipalName_, UserPrincipalName //, UserId
You could also look at the Workbook called "Azure AD Auditlogs" for the KQL it uses?
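The query above only resolves events that a signed-in user initiated, which is exactly what the original post is missing. As an added example (not the poster's query or Microsoft's), here is a version that classifies each "Add user" event by actor type, surfaces the service principal for app-initiated creations, and flags automation not on a constructed allowlist; it assumes the standard AuditLogs schema (InitiatedBy, TargetResources, Result, CorrelationId).

```kql
// Added example: classify "Add user" events by who initiated them.
// Hypothetical allowlist of automation known to create users in this tenant
// (constructed value; extend it with what your own tenant legitimately uses).
let KnownAutomation = dynamic(["Microsoft Substrate Management"]);
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Add user"
// A user-initiated event carries InitiatedBy.user.id; automation carries
// InitiatedBy.app instead, so the human trigger is not recorded in this table
// and must be sought in the originating service's audit trail.
| extend ActorType = iff(isnotempty(tostring(InitiatedBy.user.id)), "user", "app")
| extend ActorUpn  = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorId   = tostring(InitiatedBy.user.id)
| extend ActorIp   = tostring(InitiatedBy.user.ipAddress)
| extend AppName   = tostring(InitiatedBy.app.displayName)
| extend AppSpId   = tostring(InitiatedBy.app.servicePrincipalId)
// The created account is the first entry in TargetResources.
| extend CreatedUpn = tostring(TargetResources[0].userPrincipalName)
| extend CreatedId  = tostring(TargetResources[0].id)
// One column naming the actor regardless of type, and a review flag for
// app-initiated creations that are not on the allowlist.
| extend Actor        = iff(ActorType == "user", ActorUpn, AppName)
| extend ReviewNeeded = ActorType == "app" and AppName !in (KnownAutomation)
| project TimeGenerated, CorrelationId, Result, ActorType, Actor, ActorId, ActorIp,
          AppSpId, CreatedUpn, CreatedId, ReviewNeeded
| order by ReviewNeeded desc, TimeGenerated desc
```

CorrelationId is kept so an app-initiated row can be matched against the originating service's own logs when those are available.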

Did you ever manage to get to the bottom of this?
We have a similar instance in our tenant.
Thank You

If it helps anyone else, I finally got an answer on this from MS Support:
If something shows up as Microsoft Substrate Management, it means the provisioning was done through automation using a service principal on our end. This typically happens if a user gets created on the EXO portal or a Group is created using Teams. The Recipient Display Type for this user is set to 18, which means this is a scheduling mailbox created through Microsoft Bookings. To know more, visit https://techcommunity.microsoft.com/t5/microsoft-bookings-blog/microsoft-bookings-behind-the-scenes/... This explains the behavior of how such users get created.