Merge pull request #88545 from mmacy/b2c-audit-log-edit-pass

[b2c][refresh] audit logs article

Author: ShannonLeavitt

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

@@ -16,95 +16,123 @@ ms.custom: fasttrack-edit
 
 # Accessing Azure AD B2C audit logs
 
-Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, issued tokens, and administrator access. This article provides a brief overview of the information available through audit logs and instructions on how to access this data for your Azure AD B2C tenant.
+Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, tokens issued, and administrator access. This article provides a brief overview of the information available in audit logs and instructions on how to access this data for your Azure AD B2C tenant.
 
-> [!IMPORTANT]
-> Audit logs are only retained for seven days. Plan to download and store your logs using one of the methods shown below if you require a longer retention period.
+Audit log events are only retained for **seven days**. Plan to download and store your logs using one of the methods shown below if you require a longer retention period.
 
 > [!NOTE]
-> You cannot see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** blades. The sign-ins there will show user activity, but cannot be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article.
+> You can't see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article.
 
 ## Overview of activities available in the B2C category of audit logs
 
 The **B2C** category in audit logs contains the following types of activities:
 
 |Activity type |Description  |
 |---------|---------|
-|Authorization |Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies)         |
-|Directory |Activities related to directory attributes retrieved when an administrator signs in using the Azure portal |
-|Application | CRUD operations on B2C applications |
-|Key |CRUD operations on keys stored in B2C key container |
-|Resource |CRUD operations on B2C resources (for example, policies and identity providers)
-|Authentication |Validation of user credentials and token issuance|
+|Authorization |Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies).         |
+|Directory |Activities related to directory attributes retrieved when an administrator signs in using the Azure portal. |
+|Application | Create, read, update, and delete (CRUD) operations on B2C applications. |
+|Key |CRUD operations on keys stored in a B2C key container. |
+|Resource |CRUD operations on B2C resources. For example, policies and identity providers.
+|Authentication |Validation of user credentials and token issuance.|
 
-> [!NOTE]
-> For user object CRUD activities, refer to the **Core Directory** category.
+For user object CRUD activities, refer to the **Core Directory** category.
 
 ## Example activity
 
-The example below shows the data captured when a user signs in with an external identity provider:
-    ![Example of Audit Log Activity Details page in Azure portal](./media/active-directory-b2c-reference-audit-logs/audit-logs-example.png)
+This example image from the Azure portal shows the data captured when a user signs in with an external identity provider, in this case, Facebook:
+
+![Example of Audit Log Activity Details page in Azure portal](./media/active-directory-b2c-reference-audit-logs/audit-logs-example.png)
 
 The activity details panel contains the following relevant information:
 
 |Section|Field|Description|
 |-------|-----|-----------|
-| Activity | Name | Which activity took place. For example, "Issue an id_token to the application" (which concludes the actual user sign-in). |
-| Initiated By (Actor) | ObjectId | The **Object ID** of the B2C application that the user is signing in to (this identifier is not visible in the Azure portal but it's accessible via the Graph API for example). |
+| Activity | Name | Which activity took place. For example, *Issue an id_token to the application*, which concludes the actual user sign-in. |
+| Initiated By (Actor) | ObjectId | The **Object ID** of the B2C application that the user is signing in to. This identifier is not visible in the Azure portal, but is accessible via the Microsoft Graph API. |
 | Initiated By (Actor) | Spn | The **Application ID** of the B2C application that the user is signing in to. |
 | Target(s) | ObjectId | The **Object ID** of the user that is signing in. |
 | Additional Details | TenantId | The **Tenant ID** of the Azure AD B2C tenant. |
 | Additional Details | PolicyId | The **Policy ID** of the user flow (policy) being used to sign the user in. |
 | Additional Details | ApplicationId | The **Application ID** of the B2C application that the user is signing in to. |
 
-## Accessing audit logs through the Azure portal
+## View audit logs in the Azure portal
 
-1. Go to the [Azure portal](https://portal.azure.com). Make sure you are in your B2C directory.
-2. Click on **Azure Active Directory** in the favorites bar on the left
+The Azure portal provides access to the audit log events in your Azure AD B2C tenant.
 
-    ![Azure Active Directory button highlighted in left-hand portal menu](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-aad.png)
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Switch to the directory that contains your Azure AD B2C tenant, and then browse to **Azure AD B2C**.
+1. Under **Activities** in the left menu, select **Audit logs**.
 
-1. Under **Activity**, click on **Audit Logs**
+A list of activity events logged over the last seven days is displayed.
 
-    ![Audit Logs button highlighted in Activity section of menu](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-section.png)
+![Example filter with two activity events in Azure portal](media/active-directory-b2c-reference-audit-logs/audit-logs-example-filter.png)
 
-2. In the **Category** dropbox, select **B2C**
-3. Click on **Apply**
+Several filtering options are available, including:
 
-    ![Category and Apply button highlighted in Audit Log filter](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-category.png)
+* **Activity Resource Type** - Filter by the activity types shown in the table in the [Overview of activities available](#overview-of-activities-available-in-the-b2c-category-of-audit-logs) section.
+* **Date** - Filter the date range of the activities shown.
 
-You will see a list of activities logged over the last seven days.
+If you select a row in the list, the activity details for the event are displayed.
 
-- Use the **Activity Resource Type** dropdown to filter by the activity types outlined above
-- Use the **Date Range** dropdown to filter the date range of the activities shown
-- If you click on a specific row in the list, a contextual box on the right will show you additional attributes associated with the activity
-- Click on **Download** to download the activities as a csv file
+To download the list of activity events in a comma-separated values (CSV) file, select **Download**.
 
-> [!NOTE]
-> You can also see the audit logs by navigating to **Azure AD B2C** rather than **Azure Active Directory** in the favorites bar on the left. Under **Activities**, click on **Audit logs**, where you will find the same logs with similar filtering capabilities.
-
-## Accessing audit logs through the Azure AD reporting API
+## Get audit logs with the Azure AD reporting API
 
 Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](https://docs.microsoft.com/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/concept-reporting-api.md).
 
-### Prerequisites
+### Enable reporting API access
+
+To allow script- or application-based access to the Azure AD reporting API, you need an Azure Active Directory application registered in your Azure AD B2C tenant with the following API permissions:
+
+* Microsoft Graph
+  * Application: Read all audit log data
+
+You can enable these permissions on an existing application registration within your B2C tenant, or create a new one specifically for use with audit log automation.
+
+To create a new application, assign the required API permissions, and create a client secret, perform the following steps:
+
+1. Register application
+    1. Sign in to the [Azure portal](https://portal.azure.com), switch to the directory that contains your Azure AD B2C tenant, and then browse to **Azure AD B2C**.
+    1. Under **Manage** in the left menu, select **App registrations (Legacy)**.
+    1. Select **New application registration**
+    1. Enter a name for the application. For example, *Audit Log App*.
+    1. Enter any valid URL in **Sign-on URL**. For example, *https://localhost*. This endpoint does not need to be reachable, but needs to be a valid URL.
+    1. Select **Create**.
+    1. Record the **Application ID** that appears on the **Registered app** page. You need this value for authentication in automation scripts like the example PowerShell script shown in a later section.
+1. Assign API access permissions
+    1. On the **Registered app** overview page, select **Settings**.
+    1. Under **API ACCESS**, select **Required permissions**.
+    1. Select **Add**, and then **Select an API**.
+    1. Select **Microsoft Graph**, and then **Select**.
+    1. Under **APPLICATION PERMISSIONS**, select **Read all audit log data**.
+    1. Select the **Select** button, and then select **Done**.
+    1. Select **Grant permissions**, and then select **Yes**.
+1. Create client secret
+    1. Under **API ACCESS**, select **Keys**.
+    1. Enter a description for the key in the **Key description** box. For example, *Audit Log Key*.
+    1. Select a validity **Duration**, then select **Save**.
+    1. Record the key's **VALUE**. You need this value for authentication in automation scripts like the example PowerShell script shown in a later section.
 
-To authenticate to the Azure AD reporting API you first need to register an application. Make sure to follow the steps in [Prerequisites to access the Azure AD reporting APIs](https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/).
+You now have an application with the required API access, an application ID, and a key that you can use in your automation scripts. See the PowerShell script section later in this article for an example of how you can get activity events with a script.
 
-### Accessing the API
+### Access the API
 
-To download the Azure AD B2C audit logs via the API, you'll want to filter the logs to the **B2C** category. To filter by category, use the query string parameter when calling the Azure AD reporting API endpoint, as shown below:
+To download Azure AD B2C audit log events via the API, filter the logs on the `B2C` category. To filter by category, use the `filter` query string parameter when you call the Azure AD reporting API endpoint.
 
 ```HTTP
-https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z
+https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z
 ```
 
 ### PowerShell script
 
-The following script provides an example of using PowerShell to query the Azure AD reporting API and outputting the results to a JSON file:
+The following PowerShell script shows an example of how to query the Azure AD reporting API. After querying the API, it prints the logged events to standard output, then writes the JSON output to a file.
+
+You can try this script in the [Azure Cloud Shell](../cloud-shell/overview.md). Be sure to update it with your application ID, key, and the name of your Azure AD B2C tenant.
 
 ```powershell
-# This script requires the registration of a Web Application in Azure Active Directory (see https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api)
+# This script requires the registration of a Web Application in Azure Active Directory:
+# https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api
 
 # Constants
 $ClientID       = "your-client-application-id-here"       # Insert your application's Client ID, a GUID (registered by Global Admin)
@@ -144,3 +172,72 @@ if ($oauth.access_token -ne $null) {
     Write-Host "ERROR: No Access Token"
 }
 ```
+
+Here's the JSON representation of the example activity event shown earlier in the article:
+
+```JSON
+{
+    "id": "B2C_DQO3J_4984536",
+    "category": "Authentication",
+    "correlationId": "00000000-0000-0000-0000-000000000000",
+    "result": "success",
+    "resultReason": "N/A",
+    "activityDisplayName": "Issue an id_token to the application",
+    "activityDateTime": "2019-09-14T18:13:17.0618117Z",
+    "loggedByService": "B2C",
+    "operationType": "",
+    "initiatedBy": {
+        "user": null,
+        "app": {
+            "appId": "00000000-0000-0000-0000-000000000000",
+            "displayName": null,
+            "servicePrincipalId": null,
+            "servicePrincipalName": "00000000-0000-0000-0000-000000000000"
+        }
+    },
+    "targetResources": [
+        {
+            "id": "00000000-0000-0000-0000-000000000000",
+            "displayName": null,
+            "type": "User",
+            "userPrincipalName": null,
+            "groupType": null,
+            "modifiedProperties": []
+        }
+    ],
+    "additionalDetails": [
+        {
+            "key": "TenantId",
+            "value": "test.onmicrosoft.com"
+        },
+        {
+            "key": "PolicyId",
+            "value": "B2C_1A_signup_signin"
+        },
+        {
+            "key": "ApplicationId",
+            "value": "00000000-0000-0000-0000-000000000000"
+        },
+        {
+            "key": "Client",
+            "value": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
+        },
+        {
+            "key": "IdentityProviderName",
+            "value": "facebook"
+        },
+        {
+            "key": "IdentityProviderApplicationId",
+            "value": "0000000000000000"
+        },
+        {
+            "key": "ClientIpAddress",
+            "value": "127.0.0.1"
+        }
+    ]
+}
+```
+
+## Next steps
+
+You can automate other administration tasks, for example, [manage users with .NET](active-directory-b2c-devquickstarts-graph-dotnet.md).