Jul 27 2022 09:16 AM
All,
I'm working on the AADServicePrincipalSignInLogs table and can't find a way to get the actual resource a given Service Principal signed into. According to https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs there's a ResourceIdentity column but that seams to reference a default ID (I guess Key Vault is registered across all Azure tenants with the same ID). There's also ResourceServicePrincipalId (description: Service Principal Id of the resource) but for me it is empty. All I can deduct from the log is the type of the target resource:
How can I deterimne whether the target resource changed, a new was added etc. ? Am I missing something ?
thanks !