SOLVED

Where is OAuth log for multi tenant app in Azure?

Copper Contributor

Hi,

I have a 3rd party vendor who has an app registered in their tenant, and their setup process creates an enterprise app in my tenant. It's how the vendor accesses a particular OneDrive in my tenant. I have been trying to find the OAuth activities from the vendor, but I could not find any trace of them in the enterprise app's sign-in logs page (user sign-ins interactive/non-interactive/service principal sign-ins/managed identity sign-ins are all empty). However, if I search the audit logs in the security/compliance portal, I do find OneDrive actions taken by the vendor with AuthType = OAuth. I guess I am unclear on how a multi-tenant app's OAuth flow works and where the OAuth logs are that record such activities.

Thanks.

2 Replies
best response confirmed by AZ365 (Copper Contributor)
Solution
Any "edit" operation performed by the app should be visible within the Unified audit log. Some "read" operations too, depending on the workload. If you want a comprehensive logging of everything, your only option is the Graph Activity logs: https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview

@AZ365 

In Azure, the OAuth logs for a multi-tenant app are typically found in the Azure Active Directory (Azure AD) portal. OAuth logs contain information related to authentication and authorization requests made to your multi-tenant application.

Here's how you can access OAuth logs for a multi-tenant app in Azure AD:

  1. Navigate to Azure AD Portal:
  2. Select the App Registrations:
    • In the left-hand navigation menu, click on "Azure Active Directory."
    • Under "Manage," select "App registrations."
  3. Choose Your App:
    • Locate and select your multi-tenant app from the list of registered applications.
  4. View Sign-Ins:
    • In the left-hand menu of your app registration, click on "Sign-ins."
    • Here, you can find sign-in activity, including OAuth requests, related to your multi-tenant app.
  5. Filter by Application:
    • If needed, you can filter the sign-ins specifically for your multi-tenant app by selecting the application name from the drop-down menu.
  6. Review Logs:
    • Browse through the sign-in logs to review details such as user names, IP addresses, and outcomes of the OAuth requests.

Please note that the exact steps and availability of OAuth logs may vary slightly based on the Azure AD portal's version and updates. Ensure that you have the necessary permissions to access the logs, as this information may be restricted to certain roles within Azure AD.

Additionally, if you need more detailed or advanced logging, consider using Azure Monitor or Azure Log Analytics, which provide a centralized platform for collecting, analyzing, and acting on telemetry from different Azure resources, including Azure AD.
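Bringing the two replies together (Graph Activity logs as the comprehensive record, Log Analytics as the place to query them), here is an added Kusto query that is not from either poster: it runs over the MicrosoftGraphActivityLogs table in a Log Analytics workspace once an Entra ID diagnostic setting exports Microsoft Graph activity logs there. <VENDOR-APP-ID> is a placeholder for the vendor app's application (client) ID as shown on its enterprise app blade; the column names are those of that table.

```kusto
// Added example (not from the thread): summarise one vendor app's
// Microsoft Graph calls against this tenant from the Graph Activity logs.
// Replace the placeholder with the application (client) ID of the
// vendor's enterprise app in your tenant.
let vendorAppId = "<VENDOR-APP-ID>";
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(7d)
| where AppId == vendorAppId
// App-only (client credentials) requests carry a ServicePrincipalId and
// application roles but no UserId; delegated requests carry a UserId and
// scopes. Telling the two apart shows which OAuth flow the vendor uses.
| extend AuthKind = iff(isempty(UserId), "app-only", "delegated")
| summarize Calls      = count(),
            Failures   = countif(ResponseStatusCode >= 400),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            SourceIPs  = make_set(IPAddress, 10),
            Roles      = make_set(Roles, 10),
            Scopes     = make_set(Scopes, 10)
    by AuthKind, RequestMethod,
       // Group by URL path so paged or ID-specific calls collapse into one row
       Path = tostring(parse_url(RequestUri).Path)
| order by Calls desc
```

An empty result for a vendor that is visibly active in the Unified audit log means the calls did not go through Microsoft Graph, or the diagnostic setting is not yet exporting the MicrosoftGraphActivityLogs category. Unexpected roles, scopes or source IPs in the output are the first thing to compare against what the vendor's consent prompt asked for.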
