Audit Entra ID Applications in M365

Native Solution

Microsoft 365 Permission Required

High

Least Privilege

View-Only Audit Logs role

Highest Privilege

Global Admin

Option 1 Using Microsoft Purview Compliance Portal

Navigate to the Audit tab under the Solutions section in the Microsoft Purview portal.
Set the Date and time range for your search.
Select all the Azure AD app operations under 'Application administration activities' in the Activities - friendly names dropdown.
Click Search to initiate the search for Azure AD app-related activities performed during the specified time frame.

Once the search is completed, you can view the results of Azure AD app activities. Be sure to name your search for easy reference. You can then export the insights as a CSV file.

Option 2 Using Windows PowerShell

Connect to Exchange Online PowerShell module.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to review all the Azure AD app operations in the Microsoft 365 for the specified time range.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate "<MM/DD/YYYY>" -EndDate "<MM/DD/YYYY>" -Operations "*service principal*", "*app*", "*application*", "*delegated permission grant" -RecordType AzureActiveDirectory |ft

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Open the AdminDroid Office 365 reporter.
Navigate to the All App Operations report under Audit»Azure AD»Application Audit.

This report provides a comprehensive audit of application operations in Microsoft 365, including the timestamp, the user who performed the operation, the target application, and the result status.

Use the built-in graphical charts to visually depict the count of Azure AD app activities performed by each user. Navigating through the respective user counts will provide details of each user's app activity.

Explore a full range of reporting options

Streamline Entra ID application auditing in M365

Enhance your Entra ID application audit with AdminDroid - Review operations performed by enterprise apps in Azure AD and gain valuable insights to optimize application configurations.

Witness the report in action using the

Live Demo

Important Tips

Ensure your users are restricted from accessing the Entra ID portal to confirm they do not have permission to modify or add Azure AD applications, preventing data exposure.

Restore deleted application registrations and service principals by regularly auditing application activities to prevent accidental data loss.

Apply Conditional Access policies to applications within Entra ID to enforce strong authentication and authorization controls, thereby enhancing your security posture.

Azure AD Audit Enterprise Application Operations in Azure AD to Enhance Microsoft 365 Security

Showing 1 of 4

How to register an application in Azure Active Directory? How to manage user consent to applications in Microsoft 365? How to monitor service principal changes in Microsoft 365? How to track the deletion of Azure AD applications in Microsoft 365?

How to register an application in Azure Active Directory?

Registering an application in Azure AD allows your app to securely access Microsoft 365 resources and services. This integration enhances user experiences and enables secure connections to multiple APIs. Here’s a breakdown of steps to register an application in Microsoft 365:

Navigate to Identity»Applications»App registrations»New registration in the Microsoft Entra admin center.
Provide the app name, select the supported account types, platform, and add a redirect URI if necessary.
Finally, hit the Register button to register an app with Azure Active Directory. You will then be redirected to the Overview page of the registered application in Microsoft Entra ID.

Note: Creating an Azure AD application registration via the portal results in the automatic generation of the application and the corresponding service principal objects. Contrastingly, utilizing Microsoft Graph APIs for application registration requires the manual creation of a service principal object.

AdminDroid streamlines the auditing of registered applications in Microsoft 365, providing detailed insights into who added them and ensuring secure management.

The Added Applications report shows all registered applications in your Microsoft 365 environment, including names, who added them, and when.
AdminDroid offers visual analytics to identify trends in application registrations, such as the frequency of additions and the popularity of applications, thereby enhancing both monitoring and management.

How to manage user consent to applications in Microsoft 365?

When a Microsoft 365 user signs in to an Azure AD application, the application may request permissions that govern its access to resources. These permission grants fall into two types: user consent and admin consent:

User consent: OAuth 2.0 permission grant allows an application to access a user’s personal Microsoft 365 data, such as email, files, or calendar entries.
Admin consent: This OAuth 2.0 permission grant, provided by an administrator, allows an application to access resources on behalf of the entire organization. Unlike user consent, it grants permissions for organizational-level access rather than individual user data.

Revoke the admin consent to an application

Go to Enterprise applications»All applications»Select the Respective application in Entra portal.
Click on Permissions to see a list of permissions granted for your organization.
Move to the ellipsis associated with the desired permission and hit Revoke Permission.

Revoke user consent for Azure AD app

While the Entra admin center allows for the revocation of admin grants, it does not provide a method to revoke individual user consents directly from the Azure AD application. To revoke all permissions of a user across all service principals, use the following cmdlet in MS Graph PowerShell, specifying the user's ObjectID.

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"
$Id = (Get-MgBetaOauth2PermissionGrant -Filter "principalId eq '<UserObjectID>'").Id
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Id

Replace <UserObjectID> with the actual object ID of the user.

Note: To prevent illicit grant consent attacks within the Microsoft 365, where a malicious actor creates an Azure-registered application to request permissions, block user consent for applications in Microsoft 365.

AdminDroid has a dedicated report that consolidates all users' application consents into a single view.

The Consent to Applications Report simplifies tracking consents across your organization by clearly showing both admin and user permissions granted to each application, all consolidated together.

admindroid-consent-to-application-report

Tip: Since attackers steal the sensitive data using different patterns, you should always ensure to follow the essential steps to configure and manage app permissions in Microsoft 365.

How to monitor service principal changes in Microsoft 365?

A Service Principal in Microsoft 365 is a security identity that an application or service uses to access specific resources. Think of it as an account that the application uses to authenticate and access resources, authorize and delegate permissions securely.

When you register an app in Azure AD, it creates an application object as a global representation. To access resources in a tenant, however, a service principal object is created within that tenant. To know exactly what the service principal is, you must know the difference between the 'App Registration' and 'Enterprise Applications'.

App registration vs enterprise applications in Microsoft 365

App registration: This involves creating an application object, which serves as a template that defines the application's identity configuration, permissions, and settings. This is used primarily by developers to register their applications.
Enterprise applications: These are service principal objects derived from application objects existing in the tenant where the application is used. They manage the app's permissions, access, and operational scope within that specific tenant.

Monitor service principal changes using the Microsoft Purview portal

Navigate to the Audit section in the M365 Purview portal
Choose all the activities related to service principals under 'Activities-friendly names' and click Search.
Wait for some time for the search to be completed and click on the respective audit search to see the service principal changes.

monitor-service-principal-changes-result

Monitor all service principal changes in your tenant effortlessly with AdminDroid.

The Service Principal Changes Report tracks all changes to service principals, including who performed those actions and on which enterprise applications.
The 'Result Status' column helps quickly identify whether the operation is successful or failed, it aids in efficient troubleshooting.

Pro Tip: Utilize the Schedule option to receive the service principal changes report periodically to your mailbox.

How to track the deletion of Azure AD applications in Microsoft 365?

By keeping track of application deletions in Microsoft 365, admins can respond to potential security breaches and ensure that critical applications are not removed without proper authorization. This proactive approach helps safeguard the integrity of the IT environment and supports the organization's overall security posture.

Microsoft Entra offers a recycle bin functionality for certain deleted objects, including applications. To ensure that you can track deleted applications in Microsoft 365 effectively, follow these steps:

Track deleted app registrations using the Entra portal

In Microsoft Entra admin center, navigate to Identity»Application»App registrations.
Switch to the 'Deleted applications' tab to get all Azure AD applications deleted within the last 30 days.

Find deleted Azure AD app registrations using PowerShell

Run the below PowerShell cmdlet to retrieve a list of all deleted applications in Azure AD.

Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete application'" | Format-Table userPrincipalName, activityDisplayName, activityDateTime, targetResources

Effortlessly track all Entra ID application deletion with AdminDroid's detailed report.

The Deleted Applications report provides a detailed audit of all application deletions within Microsoft 365, including who deleted the apps and the exact time of deletion.
This helps admins track and review removed applications to ensure no unauthorized or accidental deletions occur.

Tip: Set up AdminDroid alerts for this report to receive immediate notifications about deleted applications in your organization.

AdminDroid Microsoft 365 Application AuditingPrecisely audit all the enterprise application operations in Microsoft Entra ID!

AdminDroid’s Microsoft 365 application auditing provides comprehensive details for tracking activities within the organization, including additions, deletions, changes, user consents, role assignments, and more. Administrators can easily identify the Azure AD app operations using this single tool for effective management.

A Quick Summary

Track Azure App Delegation Changes

Monitor all delegation entry changes in Azure applications to track authentication modifications by Microsoft 365 users and reduce the risk of undesired app delegation changes.

Monitor Azure AD Application modifications

Gain comprehensive visibility into all updates to Azure AD applications, such as adding or removing members or owners, and track who made the changes.

Get Alerts on Service Principal Credential additions

Receive immediate alerts whenever new credentials are added to a service principal in your Microsoft 365 organization with AdminDroid’s advanced alerting feature.

Customizable Report Export on App Operations

Customize the 'All Azure AD App Operations' report and export in various formats like HTML, PDF, CSV, XLS, and XLSX using column customization.

Azure App Role Assignments Audit

Get a clear view of all app role assignments granted to an Office 365 user or service principal, which helps in tracking the owners of Azure applications.

Manage Non-Interactive App Sign-ins

Monitoring non-interactive sign-ins helps detect unauthorized access and ensures secure app interactions.

In summary, AdminDroid's Azure AD management tool goes beyond basic application audit logs by categorizing third-party applications and offering unparalleled visibility. This empowers admins to stay informed about application activities and manage their organization’s resources more effectively.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps While Tracking Overall Azure AD App Operations in Microsoft 365

The following are possible errors and troubleshooting hints while dealing with tracking Entra ID application activity.

Error: Get-MgBetaOauth2PermissionGrant : Filter is invalid. PrincipalId Status: 400 (BadRequest).

This error occurs when you enter an invalid object ID for a user.

Troubleshooting hint :Double-check the user’s object ID for accuracy, ensuring there are no typos or incorrect characters.

Error: Audit log search argument startDate (05/05/2024 00:00:00) is later than endDate (04/04/2024 00:00:00).

This issue occurs when the specified end date is earlier than the start date.

Troubleshooting hint :Ensure that the date format is correct, and that the end date is later than the start date.

Error: String was not recognized as a valid DateTime.

This error occurs when the start and end dates are not correctly specified when executing the 'Search-UnifiedAuditLog' cmdlet in the PowerShell.

Troubleshooting hint :Verify that the start and end dates are in the 'MM/DD/YYYY' format.

Error: The provided scope is insufficient to perform the requested operation.

If you don't provide the necessary permissions when running the Connect-MgGraph cmdlet in PowerShell, you'll encounter this error.

Troubleshooting hint :Ensure that you include the 'DelegatedPermissionGrant.ReadWrite.All' scope when running the 'Connect-MgGraph' cmdlet.

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Audit Entra ID Application Operations in Microsoft 365