Azure AD

How to Audit Entra ID Application Operations in Microsoft 365

When your organization integrates a new productivity application into Azure AD, it can enhance workflows and efficiency. However, new configurations and permissions can inadvertently expose sensitive data or create security vulnerabilities like unauthorized access or compliance issues. This guide will show you how to efficiently audit Azure AD application activities in Microsoft 365 to boost both productivity and security.

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required

View-Only Audit Logs role Least Privilege

Global Admin Most Privilege

Navigate to the Audit tab under the Solutions section in the Microsoft Purview portal.
Set the Date and time range for your search.
Select all the Azure AD app operations under 'Application administration activities' in the Activities - friendly names dropdown.
Click Search to initiate the search for Azure AD app-related activities performed during the specified time frame.

Using Microsoft Purview Compliance Portal

Once the search is completed, you can view the results of Azure AD app activities. Be sure to name your search for easy reference. You can then export the insights as a CSV file.

Using Windows PowerShell

Microsoft 365 Permission Required

View-Only Audit Logs role Least Privilege

Global Admin Most Privilege

Connect to Exchange Online PowerShell module.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to review all the Azure AD app operations in the Microsoft 365 for the specified time range.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate "<MM/DD/YYYY>" -EndDate "<MM/DD/YYYY>" -Operations "*service principal*", "*app*", "*application*", "*delegated permission grant" -RecordType AzureActiveDirectory |ft

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Open the AdminDroid Office 365 reporter.
Navigate to the All App Operations report under Audit»Azure AD»Application Audit.

AdminDroid Microsoft 365 Application Auditing

Precisely audit all the enterprise application operations in Microsoft Entra ID!

AdminDroid’s Microsoft 365 application auditing provides comprehensive details for tracking activities within the organization, including additions, deletions, changes, user consents, role assignments, and more. Administrators can easily identify the Azure AD app operations using this single tool for effective management.

Track Azure App Delegation Changes

Monitor all delegation entry changes in Azure applications to track authentication modifications by Microsoft 365 users and reduce the risk of undesired app delegation changes.

Monitor Azure AD Application modifications

Gain comprehensive visibility into all updates to Azure AD applications, such as adding or removing members or owners, and track who made the changes.

Get Alerts on Service Principal Credential additions

Receive immediate alerts whenever new credentials are added to a service principal in your Microsoft 365 organization with AdminDroid’s advanced alerting feature.

Customizable Report Export on App Operations

Customize the 'All Azure AD App Operations' report and export in various formats like HTML, PDF, CSV, XLS, and XLSX using column customization.

Azure App Role Assignments Audit

Get a clear view of all app role assignments granted to an Office 365 user or service principal, which helps in tracking the owners of Azure applications.

Manage Non-Interactive App Sign-ins

Monitoring non-interactive sign-ins helps detect unauthorized access and ensures secure app interactions.

In summary, AdminDroid's Azure AD management tool goes beyond basic application audit logs by categorizing third-party applications and offering unparalleled visibility. This empowers admins to stay informed about application activities and manage their organization’s resources more effectively.

Explore a full range of reporting options

Download Live Demo

Important Tips

Ensure your users are restricted from accessing the Entra ID portal to confirm they do not have permission to modify or add Azure AD applications, preventing data exposure.

Restore deleted application registrations and service principals by regularly auditing application activities to prevent accidental data loss.

Apply Conditional Access policies to applications within Entra ID to enforce strong authentication and authorization controls, thereby enhancing your security posture.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while dealing with tracking Entra ID application activity.

Error Get-MgBetaOauth2PermissionGrant : Filter is invalid. PrincipalId Status: 400 (BadRequest).

This error occurs when you enter an invalid object ID for a user.

Fix Double-check the user’s object ID for accuracy, ensuring there are no typos or incorrect characters.

Error Audit log search argument startDate (05/05/2024 00:00:00) is later than endDate (04/04/2024 00:00:00).

This issue occurs when the specified end date is earlier than the start date.

Fix Ensure that the date format is correct, and that the end date is later than the start date.

Error String was not recognized as a valid DateTime.

This error occurs when the start and end dates are not correctly specified when executing the 'Search-UnifiedAuditLog' cmdlet in the PowerShell.

Fix Verify that the start and end dates are in the 'MM/DD/YYYY' format.

Error The provided scope is insufficient to perform the requested operation.

If you don't provide the necessary permissions when running the Connect-MgGraph cmdlet in PowerShell, you'll encounter this error.

Fix Ensure that you include the 'DelegatedPermissionGrant.ReadWrite.All' scope when running the 'Connect-MgGraph' cmdlet.

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"

Azure AD

Frequently Asked Questions

Audit Enterprise Application Operations in Azure AD to Enhance Microsoft 365 Security

How to register an application in Azure Active Directory?

How to manage user consent to applications in Microsoft 365?

How to monitor service principal changes in Microsoft 365?

How to track the deletion of Azure AD applications in Microsoft 365?

1. How to register an application in Azure Active Directory?

Registering an application in Azure AD allows your app to securely access Microsoft 365 resources and services. This integration enhances user experiences and enables secure connections to multiple APIs. Here’s a breakdown of steps to register an application in Microsoft 365:

Navigate to Identity»Applications»App registrations»New registration in the Microsoft Entra admin center.
Provide the app name, select the supported account types, platform, and add a redirect URI if necessary.
Finally, hit the Register button to register an app with Azure Active Directory. You will then be redirected to the Overview page of the registered application in Microsoft Entra ID.

Note: Creating an Azure AD application registration via the portal results in the automatic generation of the application and the corresponding service principal objects. Contrastingly, utilizing Microsoft Graph APIs for application registration requires the manual creation of a service principal object.

AdminDroid streamlines the auditing of registered applications in Microsoft 365, providing detailed insights into who added them and ensuring secure management.

The Added Applications report shows all registered applications in your Microsoft 365 environment, including names, who added them, and when.
AdminDroid offers visual analytics to identify trends in application registrations, such as the frequency of additions and the popularity of applications, thereby enhancing both monitoring and management.

2. How to manage user consent to applications in Microsoft 365?

When a Microsoft 365 user signs in to an Azure AD application, the application may request permissions that govern its access to resources. These permission grants fall into two types: user consent and admin consent:

User consent: OAuth 2.0 permission grant allows an application to access a user’s personal Microsoft 365 data, such as email, files, or calendar entries.
Admin consent: This OAuth 2.0 permission grant, provided by an administrator, allows an application to access resources on behalf of the entire organization. Unlike user consent, it grants permissions for organizational-level access rather than individual user data.

Revoke the admin consent to an application

Go to Enterprise applications»All applications»Select the Respective application in Entra portal.
Click on Permissions to see a list of permissions granted for your organization.
Move to the ellipsis associated with the desired permission and hit Revoke Permission.

Revoke user consent for Azure AD app

While the Entra admin center allows for the revocation of admin grants, it does not provide a method to revoke individual user consents directly from the Azure AD application. To revoke all permissions of a user across all service principals, use the following cmdlet in MS Graph PowerShell, specifying the user's ObjectID.

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"
$Id = (Get-MgBetaOauth2PermissionGrant -Filter "principalId eq '<UserObjectID>'").Id
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Id

Replace <UserObjectID> with the actual object ID of the user.

Note: To prevent illicit grant consent attacks within the Microsoft 365, where a malicious actor creates an Azure-registered application to request permissions, block user consent for applications in Microsoft 365.

AdminDroid has a dedicated report that consolidates all users' application consents into a single view.

The Consent to Applications Report simplifies tracking consents across your organization by clearly showing both admin and user permissions granted to each application, all consolidated together.

admindroid-consent-to-application-report

Tip: Since attackers steal the sensitive data using different patterns, you should always ensure to follow the essential steps to configure and manage app permissions in Microsoft 365.

3. How to monitor service principal changes in Microsoft 365?

A Service Principal in Microsoft 365 is a security identity that an application or service uses to access specific resources. Think of it as an account that the application uses to authenticate and access resources, authorize and delegate permissions securely.

When you register an app in Azure AD, it creates an application object as a global representation. To access resources in a tenant, however, a service principal object is created within that tenant. To know exactly what the service principal is, you must know the difference between the 'App Registration' and 'Enterprise Applications'.

App registration vs enterprise applications in Microsoft 365

App registration: This involves creating an application object, which serves as a template that defines the application's identity configuration, permissions, and settings. This is used primarily by developers to register their applications.
Enterprise applications: These are service principal objects derived from application objects existing in the tenant where the application is used. They manage the app's permissions, access, and operational scope within that specific tenant.

Monitor service principal changes using the Microsoft Purview portal

Navigate to the Audit section in the M365 Purview portal
Choose all the activities related to service principals under 'Activities-friendly names' and click Search.
Wait for some time for the search to be completed and click on the respective audit search to see the service principal changes.

monitor-service-principal-changes-result

Monitor all service principal changes in your tenant effortlessly with AdminDroid.

The Service Principal Changes Report tracks all changes to service principals, including who performed those actions and on which enterprise applications.
The 'Result Status' column helps quickly identify whether the operation is successful or failed, it aids in efficient troubleshooting.

Pro Tip: Utilize the Schedule option to receive the service principal changes report periodically to your mailbox.

4. How to track the deletion of Azure AD applications in Microsoft 365?

By keeping track of application deletions in Microsoft 365, admins can respond to potential security breaches and ensure that critical applications are not removed without proper authorization. This proactive approach helps safeguard the integrity of the IT environment and supports the organization's overall security posture.

Microsoft Entra offers a recycle bin functionality for certain deleted objects, including applications. To ensure that you can track deleted applications in Microsoft 365 effectively, follow these steps:

Track deleted app registrations using the Entra portal

In Microsoft Entra admin center, navigate to Identity»Application»App registrations.
Switch to the 'Deleted applications' tab to get all Azure AD applications deleted within the last 30 days.

Find deleted Azure AD app registrations using PowerShell

Run the below PowerShell cmdlet to retrieve a list of all deleted applications in Azure AD.

Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Delete application'" | Format-Table userPrincipalName, activityDisplayName, activityDateTime, targetResources

Effortlessly track all Entra ID application deletion with AdminDroid's detailed report.

The Deleted Applications report provides a detailed audit of all application deletions within Microsoft 365, including who deleted the apps and the exact time of deletion.
This helps admins track and review removed applications to ensure no unauthorized or accidental deletions occur.

Tip: Set up AdminDroid alerts for this report to receive immediate notifications about deleted applications in your organization.