OIDC Application logging
Applications registered through AAD (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration) are provisioned a client ID and secret to access Azure resources via the MS Graph REST API using an OAuth flow.
There are currently no logs for these calls being emitted to the AAD sign-in or audit logs. I am not currently aware of any endpoint where I can obtain these external calls.
This means that if a client secret was ever leaked, I have no way to identify that calls are being made.
I would like to see activities related to registered applications/service principals:
• Events that show when users register/change/remove AAD applications
• AAD application authentication events
As a POC, I have tried registering an application from the App registration module and tried creating a client ID and secret, but did not find any relevant audit logs for it.
asked Jan 2 at 18:49
Jim
1 Answer
To access the audit report, you should have the Security Administrator, Security Reader or Global Administrator role.
All users (non-administrators) can only see their own audit activities. You could read this doc to know the details.
In my audit logs, I could get all the changes like the following:
About Sign-in activity reports: the sign-in user should have the Security Administrator, Security Reader, Report Reader or Global Administrator role.
Any user (non-admins) can only access their own sign-ins. And your tenant must have an Azure AD Premium license associated with it. For the details, please read here.
And the information about the sign-in looks like this:
Note: The sign-ins report only displays the interactive sign-ins, that is, sign-ins where a user manually signs in using their username and password. Non-interactive sign-ins, such as service-to-service authentication, are not displayed in the sign-ins report.
Thank you very much. I will test this at my end. – Jim, Jan 4 at 17:59
@YuvrajKukar, if there is any update, please feel free to let me know, thanks! – SunnySun, Jan 8 at 5:01
I have verified that and confirm the changes you have mentioned are recorded in the Audit Log. On the other hand, I am still not seeing the app authentication event in the Sign-in Log. I am expecting to see an application authentication event in Sign-ins that shows the appId was used successfully. However, I am not seeing any event in the Sign-in Logs. – Jim, Jan 8 at 19:58
@YuvrajKukar, I have already updated my answer here, please take a look. For the service-to-service authentication, I tried the client credentials; it indeed cannot be displayed in the sign-ins. – SunnySun, Jan 9 at 2:15
@YuvrajKukar, if there is any update, please let me know. And if it is useful for you, please help make a mark, thanks. – SunnySun, Jan 14 at 3:14
answered Jan 3 at 2:05 by SunnySun, edited Jan 9 at 2:10
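As an added example that is not part of the question or the answer above: the answer says the audit log does record application changes (registration, credential additions, deletion) even though client-credential token use does not show up in the sign-in report, so the audit log is the one place a defender can watch for a new secret being minted on an app. The script below reads records in the shape of the Microsoft Graph GET /auditLogs/directoryAudits response (category, activityDisplayName, initiatedBy, targetResources), keeps only ApplicationManagement entries, labels each as a credential change or a plain lifecycle change, and counts successful credential changes per initiator. The records are constructed samples; the activity names follow what Azure AD emits for these operations as far as I know, but treat them as assumptions and match on the strings your own tenant produces.

```python
"""Flag application / service-principal changes in Azure AD audit-log records.

The records below are CONSTRUCTED samples in the shape returned by the
Microsoft Graph endpoint GET /auditLogs/directoryAudits. Tenant values,
app names and key identifiers are made up; the activityDisplayName strings
are assumed to match the ones Azure AD emits for these operations.
"""
import json
from datetime import datetime

SAMPLE_AUDIT_JSON = r"""
{"value": [
  {"id": "a1", "category": "ApplicationManagement",
   "activityDisplayName": "Add application",
   "activityDateTime": "2019-01-03T02:05:11Z", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": null},
   "targetResources": [{"type": "Application", "displayName": "inventory-sync", "modifiedProperties": []}]},
  {"id": "a2", "category": "ApplicationManagement",
   "activityDisplayName": "Update application – Certificates and secrets management ",
   "activityDateTime": "2019-01-03T02:06:40Z", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": null},
   "targetResources": [{"type": "Application", "displayName": "inventory-sync",
     "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]",
       "newValue": "[KeyIdentifier=00000000-0000-0000-0000-000000000001,KeyType=Password,DisplayName=poc-secret]"}]}]},
  {"id": "u1", "category": "UserManagement",
   "activityDisplayName": "Update user",
   "activityDateTime": "2019-01-04T17:59:00Z", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": null},
   "targetResources": [{"type": "User", "displayName": "Bob", "modifiedProperties": []}]},
  {"id": "a3", "category": "ApplicationManagement",
   "activityDisplayName": "Add service principal credentials",
   "activityDateTime": "2019-01-08T19:50:02Z", "result": "success",
   "initiatedBy": {"user": null, "app": {"displayName": "Automation Pipeline"}},
   "targetResources": [{"type": "ServicePrincipal", "displayName": "inventory-sync", "modifiedProperties": []}]},
  {"id": "a4", "category": "ApplicationManagement",
   "activityDisplayName": "Delete application",
   "activityDateTime": "2019-01-09T02:10:00Z", "result": "failure",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}, "app": null},
   "targetResources": [{"type": "Application", "displayName": "legacy-reporting", "modifiedProperties": []}]}
]}
"""

# Activity names that touch a credential contain one of these words (assumption).
CREDENTIAL_KEYWORDS = ("credential", "secret", "key")


def parse_audit_records(raw_json):
    """Return the list of audit records from a Graph-style {"value": [...]} body."""
    return json.loads(raw_json)["value"]


def classify(record):
    """Return 'credential-change', 'app-lifecycle', or None for non-app events."""
    if record.get("category") != "ApplicationManagement":
        return None
    name = record.get("activityDisplayName", "").lower()
    if any(word in name for word in CREDENTIAL_KEYWORDS):
        return "credential-change"
    return "app-lifecycle"


def actor_of(record):
    """Who initiated the change: a user UPN, an app display name, or 'unknown'."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_app_events(records):
    """Summarise every application/service-principal event, oldest first."""
    events = []
    for record in records:
        kind = classify(record)
        if kind is None:
            continue
        target = (record.get("targetResources") or [{}])[0]
        events.append({
            # Graph returns UTC timestamps with a trailing Z; fromisoformat needs +00:00.
            "time": datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00")),
            "activity": record["activityDisplayName"].strip(),
            "kind": kind,
            "actor": actor_of(record),
            "target": target.get("displayName", "?"),
            "target_type": target.get("type", "?"),
            "result": record.get("result", "?"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def credential_changes_by_actor(events):
    """Count successful credential additions/changes per initiator."""
    counts = {}
    for event in events:
        if event["kind"] == "credential-change" and event["result"] == "success":
            counts[event["actor"]] = counts.get(event["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_app_events(parse_audit_records(SAMPLE_AUDIT_JSON))
    for e in found:
        print(f"{e['time']:%Y-%m-%d %H:%M} {e['kind']:<17} {e['result']:<8} "
              f"{e['actor']:<28} {e['target_type']}/{e['target']}  ({e['activity']})")
    print("successful credential changes per actor:", credential_changes_by_actor(found))
```

In a real tenant you would feed this the paged output of the directoryAudits call (made with an identity holding one of the reader roles the answer lists) and alert on any `credential-change` row whose actor or target is unexpected; the same classification covers both Application and ServicePrincipal targets because a secret can be added to either. It does not close the gap the question raises about token requests made with a leaked secret, which the answer confirms the sign-in report did not show for client-credential flows at the time.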