cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Differences between S&C Compliance Center Audit Logs and Azure AD Audit Logs

Dean Gross
Silver Contributor

‎Mar 16 2018 12:40 PM - last edited on ‎Feb 19 2021 04:52 AM by

‎Mar 16 2018 12:40 PM - last edited on ‎Feb 19 2021 04:52 AM by

Differences between S&C Compliance Center Audit Logs and Azure AD Audit Logs

I am seeing inconsistencies between these 2 sets of logs. For example, Azure AD shows me that Office Groups were recently created and these activities don't show up in the Unified Log in the S&C Center. The S&C Center is showing me that the Site Collection and Team were created, just not the associated Office Group. This lack of consistency is concerning and requires me to look in 2 places, which totally defeats the stated purpose of the Unified Logs.

I also notice that the presentation of the attributes for each activity is much easier to understand in the Azure AD log and I would like to request that the S&C logs adopt their model.

One specific example is that Azure AD log shows the Actor that initiated an event (service name and the UPN) whereas the S&C log shows a service account instead of the users UPN which makes compliance verification much more difficult

Labels:
2,507 Views
0 Likes
1 Reply
Reply
1 Reply
Vasil Michev

‎Mar 17 2018 11:07 AM

‎Mar 17 2018 11:07 AM

Re: Differences between S&C Compliance Center Audit Logs and Azure AD Audit Logs

In general the AAD logs are the "source of authority", and there is some background process that funnels them into the SCC audit logs. The process is known to break, often. Our folks collect tons of these as part of the reporting product, and we're always running into issues.

 

And yes, they also use different schemas, as you've noticed.

0 Likes
Reply