
Unknown User - Azure AD Audit Log Workbook


Can anyone help me understand why the Azure AD Audit Log workbook would be showing an unknown user for Add service principal and Update service principal activities?

Solution

@Dean Gross 

 

Hey Dean, looking at the query under the hood, it looks like this:

 

// {Result} is a workbook parameter; its label "All" means no filtering on the Result column
let data = AuditLogs
| where "{Result:label}" == "All" or Result in ({Result})
// Only the user UPN is considered; anything else (an app, a managed identity) becomes "unknown"
| extend initiator = iif(tostring(InitiatedBy.user.userPrincipalName) != "", tostring(InitiatedBy.user.userPrincipalName), "unknown");
data
 
So when a UserPrincipalName is found in the 'InitiatedBy' column you will see it; when it isn't there, it comes back as unknown. If you go and look at the AuditLogs table manually for 'Add service principal' and 'Update service principal' activities, for the ones coming back as unknown I would guess that they are being created or updated by means other than your users actually doing it manually. For instance, if you add a managed identity to a virtual machine or a logic app, it will create a service principal for you, but you won't have a UserPrincipalName in the InitiatedBy field. Or if you use something like Terraform to create service principals, you will have the same issue.
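An added example query (not from the original post or the workbook) that does the manual check described above in Log Analytics: it reads the `InitiatedBy.app` object that the workbook query ignores, so service principals created by a managed identity, Terraform's registered app, or any other application show up attributed to that app instead of "unknown". It assumes the standard AuditLogs schema (`InitiatedBy.user`, `InitiatedBy.app` with `displayName`, `servicePrincipalName` and `appId`, and `TargetResources`); the `{Result}` workbook parameter is left out so the query runs as-is in the Log Analytics query editor.

```kql
// Added example, not the workbook's own query. Classify who or what initiated
// 'Add service principal' / 'Update service principal' events over the last 30 days.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Add service principal", "Update service principal")
// Pull out the user fields (interactive actor) and the app fields (automation actor)
| extend userUpn   = tostring(InitiatedBy.user.userPrincipalName),
         userIp    = tostring(InitiatedBy.user.ipAddress),
         appName   = tostring(InitiatedBy.app.displayName),
         appSpName = tostring(InitiatedBy.app.servicePrincipalName),
         appId     = tostring(InitiatedBy.app.appId)
// Prefer the user UPN; otherwise fall back through the app identifiers;
// only when none is present is the initiator genuinely unknown
| extend initiator = case(
    isnotempty(userUpn),   userUpn,
    isnotempty(appName),   strcat("app:", appName),
    isnotempty(appSpName), strcat("app:", appSpName),
    isnotempty(appId),     strcat("appId:", appId),
    "unknown"),
  initiatorType = case(
    isnotempty(userUpn), "user",
    isnotempty(appName) or isnotempty(appSpName) or isnotempty(appId), "app",
    "unknown")
// The service principal that was added or updated
| extend target = tostring(TargetResources[0].displayName)
| summarize Count = count(),
            Targets = make_set(target, 20),
            SourceIPs = make_set(userIp, 10)
          by initiatorType, initiator, OperationName
| order by Count desc
```

Rows with `initiatorType == "app"` are the ones the workbook labels "unknown"; the `initiator` value tells you which automation (Managed Service Identity, a Terraform or pipeline app registration, and so on) did the work. Anything left as `initiatorType == "unknown"` after this query has neither a user nor an app recorded and is worth examining event by event, since a service principal being created with no attributable actor is exactly what you would want to notice.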
Thanks for the detailed and accurate explanation. You pointed me in the right direction and reminded me of some good ways to investigate issues like this in the future.