AZURE User Access Administrator where can I see the assignment of the role


Looking to identify the assignment of the User Access Administrator role within my subscription's Activity Logs with no luck. I can see the role has been assigned in the Azure subscription blade under Role Assignments and in Azure AD; however, I cannot see the event to assign the role in the Activity Logs.

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

 

Also when reviewing the audit logs (AD) the only event I see around the role User Access Administrator being assigned is "Set Company Information"

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

 

Any advice on how I would isolate the activity around the assignment of the role other than "Set Company Information"? Thanks

 

1 Reply

Hi @Mark121Le,

 

Maybe try this Query and check if you will find it in the Events coming back:

 

AuditLogs
// Role changes in AAD (directory role membership additions)
| where SourceSystem == "Azure AD"
| where OperationName contains "Add member"
| where Category == "RoleManagement"
| where TargetResources != "*"
| where TimeGenerated >= ago(14d)
| project Identity, TimeGenerated, Category, OperationName, Result, AffectedUser = TargetResources.[1].displayName, AffectedRole = TargetResources.[0].modifiedProperties.[1].newValue
// Sort first, then limit, so the 50 rows returned are the most recent ones
| sort by TimeGenerated desc
| limit 50
 
Kind regards, Peter
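
Added example, not part of the reply above: User Access Administrator is an Azure RBAC role, so assignments made at subscription scope are recorded in the subscription Activity Log as a `Microsoft.Authorization/roleAssignments/write` operation rather than in the Azure AD `AuditLogs` table. The query assumes the Activity Log is exported to a Log Analytics workspace (`AzureActivity` table) and matches on the built-in role definition GUID for User Access Administrator.

```kql
// Added example; assumes the subscription Activity Log is sent to Log Analytics.
// Built-in role definition GUID for "User Access Administrator".
let UserAccessAdminRoleId = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9";
AzureActivity
| where TimeGenerated >= ago(14d)
// Azure RBAC role assignments are created through this operation.
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
// Only the record carrying the request body names the role definition, so a
// case-insensitive substring match on the serialized properties selects it
// without depending on the key casing used by the calling client.
| where tostring(Properties) contains UserAccessAdminRoleId
| project TimeGenerated,
          Caller,                 // identity that created the assignment
          CallerIpAddress,
          ActivityStatusValue,
          SubscriptionId,
          AssignmentResource = _ResourceId,
          CorrelationId,          // ties together the records of one operation
          Properties              // raw request body: principal and role definition
| sort by TimeGenerated desc
```

Use `CorrelationId` from a hit to pull the remaining records of the same operation and confirm whether the assignment succeeded.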