Public Sector Blog

9 MIN READ

Auditing Admin activities in Microsoft Defender Endpoint

Microsoft

Jun 11, 2025

Organizations understand that monitoring administrative actions is crucial for ensuring compliance, strengthening security, and maintaining transparency within an organization. Below, we will explore various methods that organizations can utilize to effectively track, analyze, and interpret administrative activities, providing actionable insights to safeguard their operations related to Microsoft Defender.

Authentication

Microsoft Defender relies heavily on Entra for its Identity and Access Management (IAM) framework, ensuring secure authentication and access control across the platform. While organizations have the flexibility to configure third-party Identity Providers (IDPs) for specific authorization processes, Entra is a requirement to facilitate access to the service. Entra’s seamless integration into Microsoft Defender ensures robust identity management, granting administrators the ability to maintain precise control over user access and uphold stringent security policies.

For this article, Entra is the primary IDP and we won’t cover third party integration. Given the extensive and well-documented resources available on Entra, we will avoid a detailed focus on Entra and its logging mechanisms in this discussion. Instead, our emphasis will shift towards broader auditing strategies within Microsoft Defender, ensuring a comprehensive understanding of administrative activity monitoring beyond identity-centric frameworks.

Multi Tenant Management

Microsoft introduced Defender Multi-Tenant Management support that assists external organizations/ MSSP with accessing other organizations Defender instances. This means part of the Authentication logs will be stored in the “home” tenant and the “target” tenant. For organizations that are being accessed (target), Entra offers a unified view of sign-on logs, showcasing activity from both tenants, in this case a .US tenant and the .com tenant within the same Entra log interface. This centralized approach is invaluable for organizations, as it consolidates authentication data into a single location. By doing so, it enables administrators to discern whether a user accessing the Defender Portal to initiate administrative actions belongs to the organization or is outside of their specific tenant.

For additional correlation and retention, the Sign-in logs can be sent to a third-party tool or Microsoft Sentinel which is now a part of the Unified Defender portal. Later in the article we will discuss kql and creating alert rules based on admin activity.

Note: for the rest of the blog examples would be the same for the multi-Tenant interface where the logs and configuration are stored in the target tenant(s) logs.

Image1. Entra Sign-In Logs for cross tenant access .US to .COM

Entra Log’s interest

Entra provides several logs that can be used to monitor authentication to Microsoft Defender. This is key depending on how the tenant is being accessed via a user account or Service Principle.

Image 2: Entra Sign-in logs available

User sign-ins (interactive)
User sign-ins(non-interactive)
Service Principal Sign-ins
Managed Identity sign-ins

For more information on Entra logs refer to this article Access activity logs in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Microsoft Defender Role Based Access Control (RBAC)

Microsoft Defender does not rely on Entra roles for access control. Instead, it implements a custom Role-Based Access Control (RBAC) model tailored to meet the specific needs of organizations. This model allows administrators to define and configure roles with precision, enabling fine-grained access control to various features and functionalities within Microsoft Defender. With this flexible approach, organizations can ensure that users only have access to resources and actions pertinent to their responsibilities, enhancing both security and operational efficiency.

While the process of creating RBAC roles in Defender is undoubtedly important, this blog will not delve into the specifics of role creation. Instead, the focus will be on the ability to audit the creation and configuration of roles, ensuring transparency and accountability in access management. This capability is vital for organizations aiming to maintain robust security practices and streamline administrative oversight.

For information on how to create an manage Defender RBAC please refer to this article: Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn

Microsoft Defender Auditing

Over the years, the methods for accessing auditing logs have evolved significantly, reflecting the growing complexity and demands of modern cybersecurity frameworks. From legacy systems with basic logging capabilities to today’s advanced platforms like Microsoft Defender, organizations now have a multitude of tools and locations to monitor administrative activity effectively. This section will explore the diverse auditing solutions available in Defender, emphasizing how they empower administrators to track and manage access with precision while ensuring transparency in role-based activity.

Action Center

Action Center has been a staple feature in Defender for Endpoint for some time, serving as a hub for monitoring automated actions and certain administrative actions. It provides a dedicated location for tracking automation processes like Defender Automation Incident Response (AIRS) actions and some administrative activities, ensuring streamlined oversight and efficiency.

Limits:

Manual Export Only
1. No API to send Audit data to a Security Information and Event Management (SIEM) systems
Limited ability to search/hunt activities
Limited type of activities available (primarily Live Response & Automation Actions)

Benefits:

Native auditing solution
No additional cost
Stores history for 6 months
Provides images of command and command actions
On by default

For more information on action center refer the following link Go to the Action center to view and approve your automated investigation and remediation tasks - Microsoft Defender XDR | Microsoft Learn

Image 3: Action Center logs

Purview Audit Logs

Microsoft has expanded the capabilities of Unified Audit Logs (UAL), commonly referred to as Purview Audit Logs. By integrating Defender auditing functionalities, Microsoft enhances its ability to surface critical insights and empower organizations with precise event tracking and analysis. This evolution reflects Microsoft's dedication to unifying tools for enriched visibility and proactive threat management across diverse environments.

Since 2023, the Purview Audit Logs have been enabled by default with a retention of 6 months with options to extend retention up to 10 years. This includes the audit logs for the Defender service

For a list of all the Audit Actives for Defender XDR refer to this link Search the audit log for events in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn

Purview audit logs offer versatile access methods to suit various operational needs. They can be accessed via PowerShell, providing robust scripting capabilities for automation and bulk event retrieval. Alternatively, the graphical user interface (GUI) allows users to navigate and search logs intuitively, ideal for quick checks and visual analysis. For advanced integration, the API method empowers developers to query audit logs programmatically, enabling seamless incorporation into custom workflows and third-party tools.

Limits:

Each access method has limits refer to this blog for information Discovering Microsoft 365 Logs within your Organization [ Part 1] - Microsoft Tech Community
Using the GUI is a passive search job that takes time before access
Limited search and query capabilities via the GUI

Benefits:

Provides native 6+ Months of retention
On by default
Support longer term retention
No additional cost*
Can be exported to a SIEM
Native Connector to Microsoft Defender for Cloud Apps
Provide multiple access methods
1. Powershell
2. API
3. GUI

*Note: Purview Audit logs and retention is included in various licensing with some licensing offering additional logs and retention.

Increased security visibility through new Standard Logs in Microsoft Purview Audit | Microsoft Community Hub

Tips: 

Attempt to focus the search as much as possible 
Scope the activities 
Scope the date and time 
Export larger searches via the CSV export for more granular searching  
Best practice to ingest data into a SIEM or big data solution

Purview Audit Log GUI

This support administrator ability to create a search job for specific activities that can be exported via a CSV.

Image 4: Purview Audit Log Result exampleImage 5: Purview Audit Log example

Purview Audit Logs PowerShell

Using PowerShell to connect to Purview Audit logs an administrator can use the Search-UnifedAuditLog command to query for activity related to Defender XDR. Below you can see the following command that was run and two examples of XDR audit logs that are returned.

Search-UnifiedAuditLog -StartDate "2025-05-15 20:21:00" -EndDate "2025-05-15 20:22:00" | Where-Object { $_.RecordType -like "*MSDE*" }

In the result we have two items: MSDERResponseActions and MSDEIndicatorSettings which matches the record type we see in the Purview Audit Logs.

Image 6: Live Response Audit Logs

Image 7: Delete Indicator Audit Log

Purview Audit Log API (Office Management API)

The Purview Audit logs are exposed in the Office Management Activity API and in some environments the Microsoft Graph providing organizations with a robust solution to extract audit log data from Microsoft 365 environments and integrate it seamlessly into third-party tools like Security Information and Event Management (SIEM) systems. By leveraging this API, organizations can streamline the ingestion of critical activity logs, including administrative actions and user activity, ensuring centralized visibility and improved security posture. This integration allows for advanced threat detection, real-time monitoring, and compliance reporting by correlating Office 365 events with other data sources within the SIEM, enabling proactive response to potential risks.

The API endpoint per Microsoft Cloud

Enterprise plan

https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}

GCC government plan

https://manage-gcc.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}

GCC High government plan

https://manage.office365.us/api/v1.0/{tenant_id}/activity/feed/{operation}

DoD government plan

https://manage.protection.apps.mil/api/v1.0/{tenant_id}/activity/feed/{operation}

Limits:

Limited to last 7 days of history 
API provides event details for a log you must download the data to implement additional queries 
Limited to 2,000 requests per minute however G/E5 customer will get twice as much bandwidth allocated

Benefits:

No cost to pull data via API

Tips: 

For busy tenants, page content using a logical loop and check the NextPageUrl header value  
Push data into a tool like Azure Sentinel or other data lakes for better search ability

Defender Email Notifications

Microsoft Defender provides organizations with the ability to configure email notifications for threat analytics, vulnerabilities, and administrative actions, ensuring proactive communication and swift responses to critical events. These notifications can be tailored to alert specific teams, on specific admin actions enhancing coordination and efficiency in managing security measures.

Limits:

Can’t scope which users trigger the event notification but all admin actions will trigger the alerts
Not all admin actions are available for notification

Benefits:

Robust set of actions can be configured
Built in with no additional cost
Simple configuration
Can be configured with a workflow to automate additional activities

Image 8: Admin Action options

Image 9: example email notification

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps provides a native connector to Microsoft 365, enabling seamless integration with various services, including the Purview Audit logs. This integration surfaces critical data within the Defender Advanced Hunting tables, offering administrators a robust platform to craft custom detection rules tailored to monitor and respond to administrative activities with precision.

Limits:

By default, 30 days of history in AH (can be extended with Sentinel)
Requires an additional license for Microsoft Defender for Cloud Apps
Simple Configuration required

Benefits:

Included with specific licensing
Supports KQL query language
Provides 30 days of AH data that can be extended with Microsoft Sentinel
Native ability to write custom detection rules (CDRs) to create alert triggers
Query can be run in the Defender Multi Tenant interface to query multiple tenants.

Image 10: Query of Defender activities

Example KQL Query:

CloudAppEvents

| extend ParsedData = parse_json(RawEventData)

| project

ActionType,

CreationTime = tostring(ParsedData.CreationTime),

Id = tostring(ParsedData.Id),

//UserId = tostring(ParsedData.UserId),

Operation = tostring(ParsedData.Operation),

Workload = tostring(ParsedData.Workload),

OrganizationId = tostring(ParsedData.OrganizationId)

| where Workload contains "Defender"

*Note: there are additional data fields in the RawEventsData that are not in the example query.

Additionally, the query can be used to create a detection rule to trigger an alert anytime there is an administrative action that you wish to monitor.