Jan 25 2017 03:19 AM
Hi,
Does anyone know if there is an Admin audit log for AADConnect?
I'm looking for something that logs when an admin has, for example, made a change to the sync, such as adding or removing an OU from the sync scope, manually triggering an initial or delta sync, opening the admin tools or opening the connectors in edit mode.
I am seeing a lot of clients' systems whereby AAD Connect spends a lot of its time complaining about the need for an initial sync. I suspect a lot of these cases are where an admin has opened the sync and OK'd, or even cancelled out, but it seems to have marked the connector as changed.
It seems odd that there is no evident admin audit log for something as critical, and security sensitive, as AAD Connect, if there isn't.
If it relies on logging to Event Viewer only, then is there any guidance or documentation (I haven't managed to find any) to identify which event IDs would correlate to the above activities? Trawling the logs so far, I haven't found anything identifying when a connector has been changed or, frankly, when an admin has opened or used the tools (MIISClient or Azure AD Connect app/tool).
Thanks in advance for your input.
Pete
Feb 07 2017 02:00 AM
Having done some testing, and some further googling, the view I have come to is:
I'm really hoping I'm wrong about this!
In my lab, I performed a number of tasks:
All of these could result in sync failure, intentionally or accidentally, and nothing is logged anywhere. Surely this is quite a big void in security, auditing, and oversight?
If anyone could chime in and point me towards conflicting information I would be very happy.
Thanks
Jun 19 2018 03:54 AM
We too have issues and are unable to resolve them. Logs would be useful.
Jun 18 2020 09:09 AM
@Peter Holland For version 1.5.30.0 onwards, every time a user makes a change to the AADConnect configuration using the Wizard, a time-stamped snapshot of the changed configuration is saved. Comparing these snapshots will show the exact changes that were made, including who made the changes.
Soon, customers will be able to use these snapshots to restore a server or build a copy of a server by specifying the snapshot file in the installer process.
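Added example, not part of the original thread and not Microsoft's code: one way to compare two configuration snapshots as described in the reply above, assuming the snapshots are JSON files. The key names (`savedBy`, `stagingMode`, `connectors`, `includedOUs`) and all sample values are constructed for illustration and are not the real snapshot schema.

```python
import json

SCALARS = (str, int, float, bool, type(None))

def load_snapshot(path):
    """Read one exported snapshot file (assumed to be JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def flatten(node, path=""):
    """Map every leaf to a path. List members are addressed by their 'name'
    or by value, so reordering a list does not show up as a change."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            if isinstance(item, SCALARS):
                out[f"{path}[{item}]"] = "present"
            else:
                label = item.get("name", i) if isinstance(item, dict) else i
                out.update(flatten(item, f"{path}[{label}]"))
    else:
        out[path] = node
    return out

def diff_snapshots(old, new):
    """Return (kind, path, old_value, new_value) tuples, sorted by path."""
    a, b = flatten(old), flatten(new)
    changes = []
    for path in sorted(a.keys() | b.keys()):
        if path not in b:
            changes.append(("removed", path, a[path], None))
        elif path not in a:
            changes.append(("added", path, None, b[path]))
        elif a[path] != b[path]:
            changes.append(("changed", path, a[path], b[path]))
    return changes

# Constructed sample snapshots; key names are hypothetical, not the real schema.
OLD = {"savedAt": "2020-06-01T09:00:00Z", "savedBy": "alice@contoso.example",
       "stagingMode": False,
       "connectors": [{"name": "contoso.example", "includedOUs": [
           "OU=Staff,DC=contoso,DC=example", "OU=Sales,DC=contoso,DC=example"]}]}
NEW = {"savedAt": "2020-06-18T14:30:00Z", "savedBy": "bob@contoso.example",
       "stagingMode": True,
       "connectors": [{"name": "contoso.example", "includedOUs": [
           "OU=Staff,DC=contoso,DC=example"]}]}

if __name__ == "__main__":
    for kind, path, before, after in diff_snapshots(OLD, NEW):
        print(f"{kind:8} {path}: {before!r} -> {after!r}")
```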
Jun 18 2020 09:12 AM
@Rob de Jong thanks for the reply.
That sounds pretty flipping awesome!
Jun 18 2020 09:21 AM
@Peter Holland Yeah, right? I'm super hyped about this! We're aiming for public preview of the "import" side of this feature in a couple of weeks - where we will also release a feature to make a configuration snapshot of an older (pre 1.5) version which can be used to create an upgraded copy of the older server.
Just think about all the possibilities once we have this in place...
Nov 09 2020 02:04 PM
@Rob de Jong hi there, is this currently available already? Where can I access information like this?
We had a recent issue with sync for something that should have been enabled and I found out that it wasn't, essentially re-running the config and manually configuring our sync items again.
Nov 25 2020 06:34 AM
@Rob de Jong If there is a snapshot, it seems like it would be rather trivial for a third party tool like AD Audit to alert when there is a change. Similar to how they monitor changes to group policies now.
Nov 25 2020 08:56 AM
@notaproadmin Yes, this is available - documentation is here: How to import and export Azure AD Connect configuration settings | Microsoft Docs
Aug 17 2021 03:38 PM
Aug 17 2021 03:54 PM
(17 minutes later) @AGomes what features would you need?
Aug 18 2021 07:09 AM
Thanks @Rob de Jong!
I am receiving a lot of "Information" events each sync. I would like to disable the unimportant ones, and enable them again when I have a problem.
Thanks again for your attention!
Aug 18 2021 07:36 AM
Oct 04 2021 02:28 PM
Sorry @Rob de Jong, missed your reply.
I am complaining about the Event Log in the server where Azure AD Connect is running.
Oct 04 2021 02:37 PM
@AGomes We do not offer a way to configure the granularity of the event logging functionality, but the Event Viewer allows you to filter out events that you do not find significant, such as the informational events. Wouldn't that work for you?
Oct 06 2021 09:56 PM
Thanks @Rob de Jong!
I will have to filter out these events every time I want a quick assessment, and I archive all logs, so I am archiving a lot of useless entries... no, not being able to configure the level of logging is bad for me.
But thanks for your attention and help!
Jan 20 2022 10:35 AM
Jul 21 2022 12:48 AM
@Rob de Jong I know (and use) the import/export feature, but I don't know how to find which AADC admin has made a change to the AADC config (like changing OUs, switching staging mode...) and when.
Is there a way of knowing that?
Thank you
Nov 19 2022 01:16 AM
@Rob de Jong Could you please share the steps to extract/export the snapshot and check the logs?