Mar 16 2018
- last edited on
Feb 19 2021
I am seeing inconsistencies between these 2 sets of logs. For example, Azure AD shows me that Office Groups were recently created and these activities don't show up in the Unified Log in the S&C Center. The S&C Center is showing me that the Site Collection and Team were created, just not the associated Office Group. This lack of consistency is concerning and requires me to look in 2 places, which totally defeats the stated purpose of the Unified Logs.
I also notice that the presentation of the attributes for each activity is much easier to understand in the Azure AD log and I would like to request that the S&C logs adopt their model.
One specific example is that Azure AD log shows the Actor that initiated an event (service name and the UPN) whereas the S&C log shows a service account instead of the users UPN which makes compliance verification much more difficult
Mar 17 2018 11:07 AM
In general the AAD logs are the "source of authority", and there is some background process that funnels them into the SCC audit logs. The process is known to break, often. Our folks collect tons of these as part of the reporting product, and we're always running into issues.
And yes, they also use different schemas, as you've noticed.