
Azure AD Connect Admin Audit log

Peter Holland
Contributor

Hi,

Does anyone know if there is an Admin audit log for AADConnect?

I'm looking for something that logs when an admin has, for example, made a change to the sync, such as adding or removing an OU from the sync scope, manually triggering an initial or delta sync, opening the admin tools or opening the connectors in edit mode.

I am seeing a lot of clients' systems whereby AAD Connect spends a lot of its time complaining about the need for an initial sync. I suspect a lot of these cases are where an admin has opened the sync and OK'd, or even cancelled out, but it seems to have marked the connector as changed.

It seems odd that there is no evident admin audit log for something as critical, and security sensitive, as AAD Connect, if there isn't.

If it relies on logging to event viewer only, then is there any guidance or documentation (I haven't managed to find any) to identify which event IDs would correlate to the above activities? Trawling the logs so far, I haven't found anything identifying when a connector has been changed or, frankly, when an admin has opened or used the tools (MIISClient or Azure AD Connect app/tool).

Thanks in advance for your input.

Pete

3 Replies

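Having done some testing, and some further googling, the view I have come to is:

  • There are no separate AADConnect log files outside of event viewer
  • AADConnect only logs the information/warning/error messages as stated here: https://support.microsoft.com/en-gb/help/2684395/how-to-troubleshoot-azure-active-directory-sync-tool-installation-and-configuration-wizard-errors
  • AADConnect does not log ANY configuration changes, administrative actions, or other useful information beyond the sync issue type errors above
  • AADConnect has no management/control/settings related to logging.

I'm really hoping I'm wrong about this!

In my lab, I performed a number of tasks:

  • enabled the logs for AADConnect operational and debug
  • edited connectors
  • edited OU selection
  • changed security credentials in use

All of these could result in sync failure, intentionally or accidentally, and nothing is logged anywhere. Surely this is quite a big void in security, auditing, and oversight?

If anyone could chime in and point me towards conflicting information I would be very happy.

Thanks

We too have issues and are unable to resolve them. Logs would be useful.

@Peter Holland

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37426342-admin-audit-function-for-azure-ad-connect-synchron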
