Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure Active directory activities - Understanding the meaning

Copper Contributor

All,

We are trying to setup alerts for activities performed at Azure AD level to audit the tenant. However we are not able to understand the meaning of few activities recorded in the audit logs. Two of them as below:

 

  1. Add app role assignment grant to user
  2. Add delegated permission grant

I did some practical and understood "Add app role assignment grant to user" is recorded when an Enterprise app is assigned to a user but need to check if there are more scenarios.

Also no idea about "Add delegated permission grant".

 

I tried to refer link as below but not much helpful:

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activitie...

 

Any response will help me a lot. Thanks in advance.

3 Replies

@vivek_neonate 

 

Add app role assignment grant to user = when you add application persmission to an app registration. For example, when you add delegated Graph API permissions

 

Add delegated permission grant =  when you add delegated persmission to an app registration. For example, when you add application Graph API permissions

 

55-28-06-2020.png

 

Consent to application = when you add admin consent to that application

 

56-28-06-2020.png

 

 

@JanBakkerOrphaned 

 

Thank you for the response. However when I performed the mentioned activities in my subscription, I could see they are tracked as below:

 

vivek_neonate_0-1593626587008.png

 

"Update Service principal" OR "Update Application"

 

What I want to see is the activity performed when it is tracked as below:

 

vivek_neonate_1-1593626691294.png

I have checked one scenario but other possibilities I can't reproduce.

 

Thanks 

@vivek_neonate 

 

Finally I was able to reproduce the issue. Below are my findings for these AD logs:

 

Add app role assignment grant to user is generated when an app is assigned to a user from the Enterprise app blade. User can access these assigned apps from myapp portal.

 

Add delegated permission grant can be seen when user tries to access the app from myapp portal and get a consent page. User clicks on "allow" and an entry will recorded in the AD Audit logs. A delegated Graph permission is granted from App registration's API permission tab. Eg:

 

vivek_neonate_0-1594821015791.png