![]() One thing to keep in mind is that currently, service principal sign-in events are not returned by default. ![]() We can then compare the Graph API entry against the Azure AD blade entry, which is easily done by filtering on the correlationId value:ĭon’t forget that entries in the Azure AD blade UI are aggregated together, so you might need to adjust the aggregation window (shouldn’t matter when filtering for specific correlationId though). ![]() Which is a good thing, don’t get me wrong – it allows you to fetch all the relevant data in a single query. ![]() The screenshot above is trimmed, as you can expect the full set of details/properties corresponding to the sign-in event to be returned, and there are a lot of these. If those requirements are met, you can query the same endpoint via the Graph explorer tool: The request itself requires both and permissions, and if you are using the Delegate permissions model, the user needs to also be assigned a role with sufficient permissions to access the Azure AD sign-in logs. Without further ado, here’s how a query that filters only service principal sign-in events looks like: GET $top=1&$filter=createdDateTime ge and createdDateTime le and signInEventTypes/any(t:t eq 'servicePrincipal') Do note that the use of the $filter operator seems to require the /beta endpoint currently, and only works with an “eq” statement. For this scenario, we are interested in the “ servicePrincipal” value. The available values for said property are: interactiveUser, nonInteractiveUser, servicePrincipal, managedIdentity, and unknownFutureValue. In a nutshell, all you need to do is add a filter on the signInEventTypes property. If you are already using the /auditLogs endpoint, chances are you will need minimal code changes in order to start collecting service principal sign-ins. Now, we get to explore them via the Graph API! At that time, the sign-in logs were only available as part of the Azure AD blade, but there were hints that Microsoft will make them available via other endpoints too. A while back, Microsoft released one of the most important feature updates, finally allowing us to monitor service principal sign-ins.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |