Azure AD Connect Admin Audit log

Hi,

Does anyone know if there is an Admin audit log for AADConnect?

I'm looking for something that logs when an admin has, for example, made a change to the sync, such as adding or removing an OU from the sync scope, manually triggering an initial or delta sync, opening the admin tools or opening the connectors in edit mode?

I am seeing a lot of clients' systems whereby AAD Connect spends a lot of its time complaining about the need for an initial sync. I suspect a lot of these cases are where an admin has opened the sync and OK'd, or even cancelled out, but it seems to have marked the connector as changed.

It seems odd that there is no evident admin audit log for something as critical, and security sensitive, as AAD Connect, if there isn't.

If it relies on logging to event viewer only, then is there any guidance or documentation (I haven't managed to find any) to identify which event IDs would correlate to the above activities? Trawling the logs so far I haven't found anything identifying when a connector has been changed or, frankly, when an admin has opened or used the tools (MIISClient or Azure AD Connect app/tool).

Thanks in advance for your input.

Pete

16 Replies

Having done some testing, and some further googling, the view I have come to is:

  • There are no separate AADConnect log files outside of event viewer
  • AADConnect only logs the information/warning/error messages as stated here: https://support.microsoft.com/en-gb/help/2684395/how-to-troubleshoot-azure-active-directory-sync-tool-installation-and-configuration-wizard-errors
  • AADConnect does not log ANY configuration changes, administrative actions, or other useful information beyond the sync issue type errors above
  • AADConnect has no management/control/settings related to logging.

I'm really hoping I'm wrong about this!

In my lab, I performed a number of tasks:

  • enabled the logs for AADConnect operational and debug
  • edited connectors
  • edited OU selection
  • changed security credentials in use

All of these could result in sync failure, intentionally or accidentally, and nothing is logged anywhere. Surely this is quite a big void in security, auditing, and oversight?

If anyone could chime in and point me towards conflicting information I would be very happy.

Thanks

We too have issues and are unable to resolve them. Logs would be useful.

@Peter Holland https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37426342-admin-audit-function-for-azure-ad-connect-synchron

@Peter Holland For version 1.5.30.0 onwards, every time a user makes a change to the AADConnect configuration using the Wizard, a time-stamped snapshot of the changed configuration is saved. Comparing these snapshots will show the exact changes that were made, including who made the changes.
Soon, customers will be able to use these snapshots to restore a server or build a copy of a server by specifying the snapshot file in the installer process.
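One way to act on the snapshots described above, as an added example that is not code from the thread or from Microsoft: order the snapshot files by their time stamp, take the two newest, and print a line-level diff so the exact configuration change is visible for review. The snapshot directory and the `*.json` file pattern are assumptions (placeholders); check where your server actually writes them and adjust.

```powershell
# Added example: diff the two most recent Azure AD Connect configuration snapshots.
# ASSUMPTION: $SnapshotDir and the '*.json' pattern are placeholders, not values
# taken from the thread; set them to the real snapshot location on your server.
param(
    [string]$SnapshotDir = 'C:\PLACEHOLDER-AADCONNECT-SNAPSHOT-DIR'
)

# Newest two snapshots by last-write time; the time stamp is what orders the changes.
$snapshots = @(Get-ChildItem -Path $SnapshotDir -Filter '*.json' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 2)

if ($snapshots.Count -lt 2) {
    Write-Warning "Need at least two snapshots in '$SnapshotDir' to compare."
    return
}

$newer = $snapshots[0]
$older = $snapshots[1]

# Line-by-line comparison keeps this independent of the snapshot's exact schema.
$diff = Compare-Object -ReferenceObject  (Get-Content -Path $older.FullName) `
                       -DifferenceObject (Get-Content -Path $newer.FullName)

"Comparing $($older.Name) [$($older.LastWriteTime)] -> $($newer.Name) [$($newer.LastWriteTime)]"
if (-not $diff) {
    "No differences between the two snapshots."
    return
}

foreach ($entry in $diff) {
    # '=>' means the line exists only in the newer snapshot (added/changed),
    # '<=' means it exists only in the older one (removed/changed).
    $marker = if ($entry.SideIndicator -eq '=>') { '+' } else { '-' }
    "$marker $($entry.InputObject)"
}
```

Run it from a scheduled task after each Wizard session, or feed its output to whatever change-monitoring tool you already use, so a configuration change is reviewed rather than discovered when the sync breaks.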

@Rob de Jong thanks for the reply.

That sounds pretty flipping awesome!

@Peter Holland Yeah, right? I'm super hyped about this! We're aiming for public preview of the "import" side of this feature in a couple of weeks - where we will also release a feature to make a configuration snapshot of an older (pre 1.5) version which can be used to create an upgraded copy of the older server.

Just think about all the possibilities once we have this in place...

@Rob de Jong hi there, is this currently available already? Where can I access information like this?
We had a recent issue with sync for something that should have been enabled and I found out that it wasn't, essentially re-running the config and manually configuring our sync items again.

@Rob de Jong If there is a snapshot, it seems like it would be rather trivial for a third party tool like AD Audit to alert when there is a change. Similar to how they monitor changes to group policies now.  

Four and a half years later... is there now any management/control/settings related to logging?

Thank you all!

(17 minutes later) @AGomes what features would you need?

Thanks @Rob de Jong!

I am receiving a lot of "Information" events each sync; I would like to disable the unimportant ones and enable them again when I get a problem.

Thanks again for your attention!

I’m assuming you are referring to operations logging, not audit logging? Are you seeing too many events in the Events log?

Sorry @Rob de Jong, missed your reply.

I am complaining about the Event Log in the server where Azure AD Connect is running.

@AGomes We do not offer a way to configure the granularity of the event logging functionality, but the Event Viewer allows you to filter out events that you do not find significant, such as the informational events. Wouldn't that work for you?
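The filtering suggested above can also be scripted for a quick assessment, as an added example that is not code from the thread or from Microsoft: keep the Information events on disk but query only Warning, Error and Critical events from the Azure AD Connect provider, grouped by event ID so a repeating problem stands out. The provider name `Directory Synchronization` is an assumption; confirm the name your server uses before relying on it.

```powershell
# Added example: show only Warning/Error/Critical events written by Azure AD Connect.
# ASSUMPTION: 'Directory Synchronization' is the provider (source) name AAD Connect
# uses in the Application log; verify it on your server with
#   (Get-WinEvent -ListLog Application).ProviderNames
param(
    [int]$Hours = 24,
    [string]$ProviderName = 'Directory Synchronization'
)

# Level 4 (Information) is deliberately left out; 1=Critical, 2=Error, 3=Warning.
$filter = @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    Level        = 1, 2, 3
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No Warning/Error/Critical events from '$ProviderName' in the last $Hours hours."
    return
}

# Summary first: one event ID repeating many times is usually one root cause.
$events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Then the most recent occurrences with the first line of each message.
$events | Select-Object -First 20 TimeCreated, Id, LevelDisplayName,
    @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The same Level and Source criteria can be saved as a custom view in Event Viewer, which is the filtering the reply above refers to.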

Thanks @Rob de Jong

I will have to filter out these events every time I want a quick assessment, and I archive all logs, so I am archiving a lot of useless entries... no, not being able to configure the level of logging is bad for me.

But thanks for your attention and help!