Monitoring administrative actions is crucial for ensuring compliance, strengthening security, and maintaining transparency. Below, we explore the methods organizations can use to track, analyze, and interpret administrative activity in Microsoft Defender, providing actionable insights to safeguard their operations.
Authentication
Microsoft Defender relies heavily on Entra for its Identity and Access Management (IAM) framework, ensuring secure authentication and access control across the platform. While organizations have the flexibility to configure third-party Identity Providers (IDPs) for specific authorization processes, Entra is a requirement to facilitate access to the service. Entra’s seamless integration into Microsoft Defender ensures robust identity management, granting administrators the ability to maintain precise control over user access and uphold stringent security policies.
For this article, Entra is the primary IDP and we won’t cover third-party integration. Given the extensive and well-documented resources available on Entra, we will avoid a detailed focus on Entra and its logging mechanisms in this discussion. Instead, our emphasis will shift towards broader auditing strategies within Microsoft Defender, ensuring a comprehensive understanding of administrative activity monitoring beyond identity-centric frameworks.
Multi Tenant Management
Microsoft introduced Defender Multi-Tenant Management, which lets external organizations or MSSPs access other organizations’ Defender instances. This means the authentication logs are split between the “home” tenant and the “target” tenant. For the organization being accessed (the target), Entra offers a unified view of sign-in logs showing activity from both tenants, in this case a .US tenant and the .com tenant, within the same Entra log interface. This centralized approach is invaluable because it consolidates authentication data in a single location, enabling administrators to discern whether a user accessing the Defender portal to initiate administrative actions belongs to the organization or comes from outside their tenant.
For additional correlation and retention, the sign-in logs can be sent to a third-party tool or to Microsoft Sentinel, which is now part of the unified Defender portal. Later in the article we will discuss KQL and creating alert rules based on admin activity.
Note: for the rest of the blog, the examples apply equally to the multi-tenant interface, where the logs and configuration are stored in the target tenant(s).
Image 1: Entra Sign-In Logs for cross tenant access .US to .COM
Entra Logs of interest
Entra provides several logs that can be used to monitor authentication to Microsoft Defender. Which log matters depends on how the tenant is being accessed: via a user account or via a service principal.
Image 2: Entra Sign-in logs available
- User sign-ins (interactive)
- User sign-ins (non-interactive)
- Service Principal Sign-ins
- Managed Identity sign-ins
For more information on Entra logs refer to this article Access activity logs in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Microsoft Defender Role Based Access Control (RBAC)
Microsoft Defender does not rely on Entra roles for access control. Instead, it implements a custom Role-Based Access Control (RBAC) model tailored to meet the specific needs of organizations. This model allows administrators to define and configure roles with precision, enabling fine-grained access control to various features and functionalities within Microsoft Defender. With this flexible approach, organizations can ensure that users only have access to resources and actions pertinent to their responsibilities, enhancing both security and operational efficiency.
While the process of creating RBAC roles in Defender is undoubtedly important, this blog will not delve into the specifics of role creation. Instead, the focus will be on the ability to audit the creation and configuration of roles, ensuring transparency and accountability in access management. This capability is vital for organizations aiming to maintain robust security practices and streamline administrative oversight.
For information on how to create and manage Defender RBAC please refer to this article: Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn
Microsoft Defender Auditing
Over the years, the methods for accessing auditing logs have evolved significantly, reflecting the growing complexity and demands of modern cybersecurity frameworks. From legacy systems with basic logging capabilities to today’s advanced platforms like Microsoft Defender, organizations now have a multitude of tools and locations to monitor administrative activity effectively. This section will explore the diverse auditing solutions available in Defender, emphasizing how they empower administrators to track and manage access with precision while ensuring transparency in role-based activity.
Action Center
Action Center has been a staple feature in Defender for Endpoint for some time, serving as a hub for monitoring automated actions and certain administrative actions. It provides a dedicated location for tracking automation processes like Defender Automation Incident Response (AIRS) actions and some administrative activities, ensuring streamlined oversight and efficiency.
Limits:
- Manual Export Only
- No API to send audit data to a Security Information and Event Management (SIEM) system
- Limited ability to search/hunt activities
- Limited type of activities available (primarily Live Response & Automation Actions)
Benefits:
- Native auditing solution
- No additional cost
- Stores history for 6 months
- Provides images of command and command actions
- On by default
For more information on Action Center refer to the following link: Go to the Action center to view and approve your automated investigation and remediation tasks - Microsoft Defender XDR | Microsoft Learn
Image 3: Action Center logs
Purview Audit Logs
Microsoft has expanded the capabilities of Unified Audit Logs (UAL), commonly referred to as Purview Audit Logs. By integrating Defender auditing functionalities, Microsoft enhances its ability to surface critical insights and empower organizations with precise event tracking and analysis. This evolution reflects Microsoft's dedication to unifying tools for enriched visibility and proactive threat management across diverse environments.
Since 2023, the Purview Audit Logs have been enabled by default with a retention of 6 months, with options to extend retention up to 10 years. This includes the audit logs for the Defender service.
For a list of all the audit activities for Defender XDR refer to this link: Search the audit log for events in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
Purview audit logs offer versatile access methods to suit various operational needs. They can be accessed via PowerShell, providing robust scripting capabilities for automation and bulk event retrieval. Alternatively, the graphical user interface (GUI) allows users to navigate and search logs intuitively, ideal for quick checks and visual analysis. For advanced integration, the API method empowers developers to query audit logs programmatically, enabling seamless incorporation into custom workflows and third-party tools.
Limits:
- Each access method has its own limits; refer to this blog for details: Discovering Microsoft 365 Logs within your Organization [ Part 1] - Microsoft Tech Community
- A GUI search runs as a background job, so results are not available immediately
- Limited search and query capabilities via the GUI
Benefits:
- Provides native 6+ Months of retention
- On by default
- Supports longer-term retention
- No additional cost*
- Can be exported to a SIEM
- Native Connector to Microsoft Defender for Cloud Apps
- Provides multiple access methods
  - PowerShell
  - API
  - GUI
*Note: Purview Audit logs and retention are included with various licenses, with some licenses offering additional logs and longer retention.
Tips:
- Attempt to focus the search as much as possible
- Scope the activities
- Scope the date and time
- Export larger searches via the CSV export for more granular searching
- Best practice to ingest data into a SIEM or big data solution
Purview Audit Log GUI
The GUI lets an administrator create a search job for specific activities and export the results to CSV.
Image 4: Purview Audit Log Result example
Image 5: Purview Audit Log example
Purview Audit Logs PowerShell
Using PowerShell to connect to the Purview Audit logs, an administrator can use the Search-UnifiedAuditLog command to query for activity related to Defender XDR. Below you can see the command that was run and two examples of XDR audit logs that are returned.
# Query one minute of the audit log and keep only the Defender (MSDE*) record types
Search-UnifiedAuditLog -StartDate "2025-05-15 20:21:00" -EndDate "2025-05-15 20:22:00" | Where-Object { $_.RecordType -like "*MSDE*" }
The result contains two items, MSDEResponseActions and MSDEIndicatorSettings, which match the record types shown in the Purview Audit Logs GUI.
Image 6: Live Response Audit Logs
Image 7: Delete Indicator Audit Log
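As an added example that is not part of the original post, the following PowerShell script builds on the Search-UnifiedAuditLog command above: it pages through a large result set with -SessionCommand ReturnLargeSet, keeps only the MSDE* record types, flattens the AuditData JSON and exports the rows to CSV for SIEM ingestion. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an audit-reading role; the output path is a placeholder.

```powershell
# Added example (not from the original post): page through Purview Unified Audit Log
# results with Search-UnifiedAuditLog, keep the Defender XDR (MSDE*) record types,
# flatten the AuditData JSON and export to CSV for SIEM ingestion.
# Assumes the ExchangeOnlineManagement module and an audit-reading role; $OutFile is a placeholder.
param(
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date),
    [string]$OutFile     = ".\defender-admin-audit.csv"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# One session id ties the paged calls together; ReturnLargeSet hands back
# pages of up to 5,000 records until the result set is exhausted.
$sessionId = "DefenderAudit-" + [guid]::NewGuid().ToString()
$defenderRecords = New-Object System.Collections.Generic.List[object]
do {
    $batch = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    # Client-side filter, the same idea as the Where-Object in the post; MSDE*
    # covers the Defender record types such as MSDEResponseActions.
    $batch | Where-Object { $_.RecordType -like "MSDE*" } | ForEach-Object { $defenderRecords.Add($_) }
} while ($batch.Count -gt 0)

# AuditData is a JSON string holding the event detail (actor, client IP, result, ...).
$rows = foreach ($rec in $defenderRecords) {
    $data = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $rec.CreationDate
        RecordType   = $rec.RecordType
        Operation    = $rec.Operations
        UserId       = $rec.UserIds
        ClientIP     = $data.ClientIP
        ResultStatus = $data.ResultStatus
        AuditData    = $rec.AuditData   # keep the raw JSON for later queries in the SIEM
    }
}

# ReturnLargeSet pages come back unsorted, so order before writing.
$rows | Sort-Object CreationDate | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("Exported {0} Defender audit records to {1}" -f @($rows).Count, $OutFile)
Disconnect-ExchangeOnline -Confirm:$false
```

A single ReturnLargeSet session returns at most 50,000 records, so for busy tenants narrow the date window (or loop over smaller windows) rather than widening it; the raw AuditData column is kept so the richer fields not flattened here can still be queried once the CSV is in a SIEM.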
Purview Audit Log API (Office Management API)
The Purview Audit logs are exposed through the Office 365 Management Activity API and, in some environments, Microsoft Graph, providing organizations with a robust way to extract audit log data from Microsoft 365 environments and integrate it into third-party tools like Security Information and Event Management (SIEM) systems. By leveraging this API, organizations can streamline the ingestion of critical activity logs, including administrative actions and user activity, ensuring centralized visibility and an improved security posture. This integration allows for advanced threat detection, real-time monitoring, and compliance reporting by correlating Office 365 events with other data sources within the SIEM, enabling proactive response to potential risks.
API endpoints per Microsoft cloud:
Enterprise plan
- https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}
GCC government plan
- https://manage-gcc.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}
GCC High government plan
- https://manage.office365.us/api/v1.0/{tenant_id}/activity/feed/{operation}
DoD government plan
- https://manage.protection.apps.mil/api/v1.0/{tenant_id}/activity/feed/{operation}
Limits:
- Limited to last 7 days of history
- The API returns the event content only; to run further queries you must download the data and query it in your own tooling
- Limited to 2,000 requests per minute; however, E5/G5 customers get twice the allocated bandwidth
Benefits:
- No cost to pull data via API
Tips:
- For busy tenants, page through the content listing in a loop, following the NextPageUri header value until it is absent
- Push the data into a tool like Microsoft Sentinel or another data lake for better searchability
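The paging loop described in the tips above, as an added PowerShell example that is not part of the original post: it obtains a client-credentials token, makes sure the Audit.General subscription is enabled, walks every page of the content listing by following the NextPageUri header, downloads each content blob and keeps the Defender records. It assumes an app registration with the ActivityFeed.Read application permission (admin-consented); the tenant id, client id and secret are placeholders, and the base URL and login authority default to the commercial cloud and must be changed for the GCC, GCC High and DoD endpoints listed above (their login authorities are an assumption to verify for your cloud).

```powershell
# Added example, not code from the original post: pull Defender audit records from the
# Office 365 Management Activity API, following the NextPageUri header for busy tenants.
# Assumes an app registration with the ActivityFeed.Read application permission.
# $TenantId/$ClientId/$ClientSecret are placeholders; $BaseUrl and $Authority default to
# the commercial cloud and must be changed for GCC / GCC High / DoD.
param(
    [string]$TenantId     = "<tenant-id>",
    [string]$ClientId     = "<app-client-id>",
    [string]$ClientSecret = "<app-client-secret>",
    [string]$BaseUrl      = "https://manage.office.com",
    [string]$Authority    = "https://login.microsoftonline.com",
    [int]$LookbackHours   = 1   # a content listing window may not exceed 24 hours
)

# 1. Client-credentials token scoped to the Management Activity API resource.
$tokenResp = Invoke-RestMethod -Method Post -Uri "$Authority/$TenantId/oauth2/v2.0/token" -Body @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "$BaseUrl/.default"
}
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }
$feed = "$BaseUrl/api/v1.0/$TenantId/activity/feed"

# 2. Make sure the Audit.General subscription is enabled (Defender XDR audit records
#    are delivered under Audit.General). Starting a subscription is a one-time action.
$subs = @(Invoke-RestMethod -Headers $headers -Uri "$feed/subscriptions/list")
if (-not ($subs | Where-Object { $_.contentType -eq "Audit.General" -and $_.status -eq "enabled" })) {
    Invoke-RestMethod -Method Post -Headers $headers -Uri "$feed/subscriptions/start?contentType=Audit.General" | Out-Null
}

# 3. Walk every page of a listing. Each page is a JSON array; when more pages exist
#    the response carries a NextPageUri header, and the loop ends when it is absent.
function Get-AllPages {
    param([string]$Uri, [hashtable]$Headers)
    $items = New-Object System.Collections.Generic.List[object]
    while ($Uri) {
        $resp = Invoke-WebRequest -Headers $Headers -Uri $Uri -UseBasicParsing
        $page = $resp.Content | ConvertFrom-Json
        if ($page) { $items.AddRange(@($page)) }
        $next = $resp.Headers["NextPageUri"]
        if ($next -is [array]) { $next = $next[0] }   # PowerShell 7 returns header values as string[]
        $Uri = $next
    }
    return $items
}

$end   = [datetime]::UtcNow
$start = $end.AddHours(-$LookbackHours)
$fmt   = "yyyy-MM-ddTHH:mm:ss"
$listUri = "$feed/subscriptions/content?contentType=Audit.General&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
$blobs = Get-AllPages -Uri $listUri -Headers $headers

# 4. Download each blob (an array of audit records) and keep the Defender ones,
#    mirroring the Workload filter used in the KQL query later in the post.
$records = foreach ($blob in $blobs) {
    Invoke-RestMethod -Headers $headers -Uri $blob.contentUri |
        Where-Object { $_.Workload -like "*Defender*" }
}

$records |
    Select-Object CreationTime, Workload, RecordType, Operation, UserId, ClientIP, ResultStatus |
    Sort-Object CreationTime |
    Export-Csv -Path ".\defender-mgmt-api.csv" -NoTypeInformation   # output path is a placeholder
Write-Host ("{0} content blobs, {1} Defender records" -f @($blobs).Count, @($records).Count)
```

Each content blob is one request, so on a busy tenant the download step is where the 2,000 requests per minute limit bites; if you see HTTP 429 responses, honour the Retry-After header before continuing rather than retrying immediately. Content is only listed for the last 7 days, so run the script on a schedule and land the records in a SIEM for longer retention.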
Defender Email Notifications
Microsoft Defender provides organizations with the ability to configure email notifications for threat analytics, vulnerabilities, and administrative actions, ensuring proactive communication and swift responses to critical events. These notifications can be tailored to alert specific teams on specific admin actions, enhancing coordination and efficiency in managing security measures.
Limits:
- Cannot scope which users trigger a notification; every admin action of the selected type triggers the alert
- Not all admin actions are available for notification
Benefits:
- Robust set of actions can be configured
- Built in with no additional cost
- Simple configuration
- Can be configured with a workflow to automate additional activities
Image 8: Admin Action options
Image 9: Example email notification
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps provides a native connector to Microsoft 365, enabling seamless integration with various services, including the Purview Audit logs. This integration surfaces critical data within the Defender Advanced Hunting tables, offering administrators a robust platform to craft custom detection rules tailored to monitor and respond to administrative activities with precision.
Limits:
- By default, 30 days of history in AH (can be extended with Sentinel)
- Requires an additional license for Microsoft Defender for Cloud Apps
- Simple Configuration required
Benefits:
- Included with specific licensing
- Supports KQL query language
- Provides 30 days of AH data that can be extended with Microsoft Sentinel
- Native ability to write custom detection rules (CDRs) to create alert triggers
- Query can be run in the Defender Multi Tenant interface to query multiple tenants.
Image 10: Query of Defender activities
Example KQL Query:
CloudAppEvents
| extend ParsedData = parse_json(RawEventData)
| project
    ActionType,
    CreationTime   = tostring(ParsedData.CreationTime),
    Id             = tostring(ParsedData.Id),
    // UserId      = tostring(ParsedData.UserId),
    Operation      = tostring(ParsedData.Operation),
    Workload       = tostring(ParsedData.Workload),
    OrganizationId = tostring(ParsedData.OrganizationId)
| where Workload contains "Defender"
*Note: there are additional data fields in RawEventData that are not in the example query.
Additionally, the query can be used to create a detection rule to trigger an alert anytime there is an administrative action that you wish to monitor.
Image 11: Detection Rule Notification
Links:
Purview audit logs
- Get started with auditing solutions | Microsoft Learn
- Turn auditing on or off | Microsoft Learn
- Increased security visibility through new Standard Logs in Microsoft Purview Audit | Microsoft Community Hub
- Introducing the Microsoft Purview Audit Search Graph API | Microsoft Community Hub
- Search the audit log for events in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
- machineAction resource type - Microsoft Defender for Endpoint | Microsoft Learn
Office Management Activity API
- Office 365 Management Activity API reference | Microsoft Learn
- Troubleshooting the Office 365 Management Activity API | Microsoft Learn
Microsoft Defender
- Get incident notifications by email - Microsoft Defender XDR | Microsoft Learn
- Search the audit log for events in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
- Go to the Action center to view and approve your automated investigation and remediation tasks - Microsoft Defender XDR | Microsoft Learn
Entra