Microsoft Tech Community

Azure Active Directory activities - Understanding the meaning



We are trying to set up alerts for activities performed at the Azure AD level to audit the tenant. However, we are not able to understand the meaning of a few activities recorded in the audit logs. Two of them are below:


  1. Add app role assignment grant to user
  2. Add delegated permission grant

I did some practical testing and understood that "Add app role assignment grant to user" is recorded when an Enterprise app is assigned to a user, but I need to check if there are more scenarios.

Also, I have no idea about "Add delegated permission grant".


I tried referring to the link below, but it was not much help:


Any response will help me a lot. Thanks in advance.

3 Replies



Add app role assignment grant to user = when you add application permission to an app registration. For example, when you add delegated Graph API permissions


Add delegated permission grant = when you add delegated permission to an app registration. For example, when you add application Graph API permissions




Consent to application = when you add admin consent to that application







Thank you for the response. However, when I performed the mentioned activities in my subscription, I could see they are tracked as below:




"Update Service principal" OR "Update Application"


What I want to see is the activity performed when it is tracked as below:



I have checked one scenario, but I can't reproduce the other possibilities.





Finally, I was able to reproduce the issue. Below are my findings for these AD logs:


Add app role assignment grant to user is generated when an app is assigned to a user from the Enterprise app blade. The user can access these assigned apps from the myapp portal.


Add delegated permission grant can be seen when a user tries to access the app from the myapp portal and gets a consent page. The user clicks on "allow" and an entry will be recorded in the AD audit logs. A delegated Graph permission is granted from App registration's API permission tab. Eg:
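
Added example, not part of the original thread: a small Python triage function for the alerting use case in the question, which picks the two activities out of exported audit records and pulls out who acted, on which targets, and (for delegated grants) which scopes were consented. It assumes records in the Microsoft Graph `directoryAudit` JSON shape; the `DelegatedPermissionGrant.*` property names are an assumption to verify against your own tenant's logs, and the sample events are constructed.

```python
import json

# Meanings are the ones reported in the thread's final post.
MEANING = {
    "Add app role assignment grant to user": "app assigned to a user",
    "Add delegated permission grant": "user accepted a consent prompt",
}

def new_values(target):
    """Map modifiedProperties name -> newValue (values are JSON-quoted strings)."""
    out = {}
    for prop in target.get("modifiedProperties") or []:
        raw = prop.get("newValue") or ""
        try:
            out[prop.get("displayName")] = json.loads(raw)
        except ValueError:
            out[prop.get("displayName")] = raw  # keep unparsable values as-is
    return out

def triage(event):
    """Return an alert dict for the two activities, or None for anything else."""
    name = event.get("activityDisplayName")
    if name not in MEANING:
        return None
    by = event.get("initiatedBy") or {}
    actor = ((by.get("user") or {}).get("userPrincipalName")
             or (by.get("app") or {}).get("displayName") or "unknown")
    targets = event.get("targetResources") or []
    props = {}
    for t in targets:
        props.update(new_values(t))
    alert = {"activity": name, "meaning": MEANING[name], "actor": actor,
             "targets": [t.get("displayName") for t in targets]}
    if name == "Add delegated permission grant":
        # Assumed property names; confirm them in your tenant's audit export.
        alert["scopes"] = str(props.get("DelegatedPermissionGrant.Scope") or "").split()
        alert["consent_type"] = props.get("DelegatedPermissionGrant.ConsentType")
    return alert

# Constructed sample events (not real tenant data).
SAMPLE = [
    {"activityDisplayName": "Add delegated permission grant",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Microsoft Graph", "modifiedProperties": [
         {"displayName": "DelegatedPermissionGrant.Scope", "newValue": "\" User.Read Mail.Read\""},
         {"displayName": "DelegatedPermissionGrant.ConsentType", "newValue": "\"Principal\""}]}]},
    {"activityDisplayName": "Add app role assignment grant to user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Demo App"}, {"displayName": "bob@example.com"}]},
]
```

Events such as "Update application" return `None`, so the function can sit directly in front of an alert queue.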