How to Collect Azure AD Audit Logs | Directory Changes & Admin Actions

Step-by-step guide to ingesting Azure AD directory audit logs using Microsoft Graph API. Monitor admin actions, user management changes, application registrations, and group modifications.

3 minute read

Overview

Azure AD directory audit logs capture administrative actions and configuration changes in your Azure Active Directory. Use this guide to monitor user management operations, application registrations, group changes, role assignments, and policy modifications.

Common Use Cases:

Track user creation, deletion, and property changes
Monitor application registrations and permission grants
Audit group membership modifications
Review role assignments and privileged access changes
Detect unauthorized administrative actions

Version Requirements: HTTP Pull requires Edge Delta Agent v2.6.0 or higher.

Prerequisites

Before configuring Edge Delta, complete the Azure AD application setup:

Register an Azure AD application with Application permissions (not Delegated)
Grant the AuditLog.Read.All permission and obtain admin consent
Create a client secret and note your Tenant ID, Client ID, and Client Secret

For detailed setup instructions, see Microsoft Graph API Integration.

Configuration

Basic Directory Audit Collection

nodes:
- name: azure_ad_directory_audits
  type: http_pull_input
  endpoint: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
  method: GET
  pull_interval: 5m

  authorization:
    strategy: oauth_client_credentials
    client_credentials:
      token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
      scopes:
        - https://graph.microsoft.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN

  parameters:
    - name: "$orderby"
      value: "activityDateTime asc"
    - name: "$top"
      value: "50"

  parameter_expressions:
    - name: "$filter"
      value_expression: Concat(["activityDateTime ge ", FormatTime(Now() - Duration("5m10s"), "%Y-%m-%dT%H:%M:%SZ")], "")

Monitor User Management Actions

Filter for user-related administrative changes:

nodes:
- name: user_management_audits
  type: http_pull_input
  endpoint: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
  method: GET
  pull_interval: 5m

  authorization:
    strategy: oauth_client_credentials
    client_credentials:
      token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
      scopes:
        - https://graph.microsoft.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN

  parameters:
    - name: "$orderby"
      value: "activityDateTime asc"
    - name: "$top"
      value: "100"
    - name: "$filter"
      value: "category eq 'UserManagement'"

Monitor Application Changes

Track application registrations and permission changes:

nodes:
- name: application_audits
  type: http_pull_input
  endpoint: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
  method: GET
  pull_interval: 5m

  authorization:
    strategy: oauth_client_credentials
    client_credentials:
      token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
      scopes:
        - https://graph.microsoft.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN

  parameters:
    - name: "$orderby"
      value: "activityDateTime asc"
    - name: "$top"
      value: "50"
    - name: "$filter"
      value: "category eq 'ApplicationManagement'"

Audit Categories

Use these categories in the $filter parameter:

Category	Description
`UserManagement`	User creation, updates, deletions, password changes
`GroupManagement`	Group creation, membership changes, deletions
`ApplicationManagement`	App registrations, permissions, service principals
`RoleManagement`	Role assignments, privileged access changes
`DirectoryManagement`	Tenant settings, domain management
`Policy`	Conditional access, authentication policies

OData Filter Examples

Filter	Description
`category eq 'UserManagement'`	User-related changes only
`activityDisplayName eq 'Add user'`	Specific operation
`result eq 'success'`	Successful operations only
`result eq 'failure'`	Failed operations only
`initiatedBy/user/userPrincipalName eq 'admin@company.com'`	Actions by specific admin

Combine multiple conditions:

$filter: "category eq 'UserManagement' and result eq 'success' and activityDateTime ge 2024-01-01T00:00:00Z"

Sample Directory Audit Log

{
  "id": "Directory_ABCD1234_20240101_001",
  "category": "UserManagement",
  "activityDateTime": "2024-01-01T10:00:00Z",
  "activityDisplayName": "Add user",
  "operationType": "Add",
  "result": "success",
  "resultReason": "User successfully created",
  "initiatedBy": {
    "user": {
      "userPrincipalName": "admin@company.com",
      "displayName": "Admin User",
      "id": "user-guid-here"
    }
  },
  "targetResources": [
    {
      "displayName": "john.doe@company.com",
      "type": "User",
      "userPrincipalName": "john.doe@company.com",
      "id": "new-user-guid"
    }
  ],
  "additionalDetails": [
    {
      "key": "UserType",
      "value": "Member"
    }
  ]
}

Key Fields for Analysis

Field	Description	Use Case
`category`	Type of resource affected	Filter by resource type
`activityDisplayName`	Human-readable operation name	Identify specific actions
`result`	success or failure	Detect failed admin operations
`initiatedBy.user`	Who performed the action	Track admin activity
`targetResources`	What was affected	Identify impacted objects

High-Value Operations to Monitor

These operations often indicate security-relevant changes:

Operation	Risk Level	Description
`Add member to role`	High	Privileged access granted
`Add owner to application`	High	App ownership changed
`Consent to application`	Medium	Permission grant
`Reset user password`	Medium	Credential change
`Delete user`	Medium	Account removal
`Update application`	Low	App configuration change

Troubleshooting

Issue	Solution
401 Unauthorized	Verify tenant ID, client ID, and secret are correct
403 Forbidden	Ensure `AuditLog.Read.All` permission has admin consent
Empty results	Directory audits may have 2-15 minute processing delay
Missing categories	Some categories require specific Azure AD licenses

Microsoft Graph API Overview - Complete API reference
Azure AD Sign-In Logs - Authentication monitoring
Microsoft Security Alerts - Defender security events

How to Collect Azure AD Audit Logs | Directory Changes & Admin Actions

Overview

Prerequisites

Configuration

Basic Directory Audit Collection

Monitor User Management Actions

Monitor Application Changes

Audit Categories

OData Filter Examples

Sample Directory Audit Log

Key Fields for Analysis

High-Value Operations to Monitor

Troubleshooting

Related Pages

Edge Delta AI Assistant

Quick Topics

Recent Questions

Hi! I'm your Edge Delta AI Assistant

Current Context