AZURE User Access Administrator where can I see the assignment of the role

Looking to identify the assignment of the User Access Administrator role within my subscription's Activity Logs with no luck. I can see the role has been assigned in the Azure subscription blade under Role Assignments and in Azure AD; however, I cannot see the event to assign the role in the Activity Logs.

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Also, when reviewing the audit logs (AD), the only event I see around the role User Access Administrator being assigned is "Set Company Information".

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Any advice on how I would isolate the activity around the assignment of the role other than "Set Company Information"? Thanks

1 Reply

Hi @Mark121Le,

Maybe try this query and check if you will find it in the events coming back:

AuditLogs
// Role changes in AAD
| where SourceSystem == "Azure AD"
| where OperationName contains "Add member"
| where Category == "RoleManagement"
| where TargetResources != "*"
| where TimeGenerated >= ago(14d)
// The indexes into TargetResources and modifiedProperties are positional
| project Identity, TimeGenerated, Category, OperationName, Result, AffectedUser = TargetResources[1].displayName, AffectedRole = TargetResources[0].modifiedProperties[1].newValue
// Sort before limiting so the 50 rows returned are the most recent ones
| sort by TimeGenerated desc
| limit 50

Kind regards, Peter