MicrosoftDocs
diff --git a/‎articles/role-based-access-control/elevate-access-global-admin.md
Lines changed: 41 additions & 4 deletions b/‎articles/role-based-access-control/elevate-access-global-admin.md
Lines changed: 41 additions & 4 deletions
diff --git a/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-download.png
66.1 KB b/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-download.png
66.1 KB
diff --git a/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-elevated-details.png
120 KB b/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-elevated-details.png
120 KB
diff --git a/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-filter.png
72.5 KB b/‎articles/role-based-access-control/media/elevate-access-global-admin/entra-id-audit-logs-filter.png
72.5 KB
@@ -5,7 +5,7 @@ author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 12/10/2024
+ms.date: 01/22/2025
 ms.author: rolyon
 ms.custom: devx-track-azurecli
 ---
@@ -383,9 +383,44 @@ If you have users with elevated access, you should take immediate action and rem
 
 1. To remove elevated access for users, add a check mark next to the user and select **Remove**.
 
-## View elevate access log entries in the Directory Activity logs
+## View elevate access log entries
 
-When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
+When access is elevated or removed, an entry is added to the logs. As an administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it.
+
+Elevate access log entries appear in both the Microsoft Entra directory audit logs and the Azure activity logs. Elevated access log entries for directory audit logs and activity logs include similar information. However, the directory audit logs are easier to filter and export. Also, the export capability enables you to stream access events, which can be used for your alert and detection solutions, such as Microsoft Sentinel or other systems. For information about how to send logs to different destinations, see [Configure Microsoft Entra diagnostic settings for activity logs](/entra/identity/monitoring-health/howto-configure-diagnostic-settings).
+
+This section describes different ways that you can view the elevate access log entries.
+
+# [Microsoft Entra audit logs](#tab/entra-audit-logs)
+
+> [!IMPORTANT]
+> Elevate access log entries in the Microsoft Entra directory audit logs is currently in preview.
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
+
+1. Browse to **Microsoft Entra ID** > **Monitoring** > **Audit logs**.
+
+1. In the **Service** filter, select **Azure RBAC (Elevated Access)** and then select **Apply**.
+
+    Elevated access logs are displayed.
+
+    :::image type="content" source="./media/elevate-access-global-admin/entra-id-audit-logs-filter.png" alt-text="Screenshot of directory audit logs with Service filter set to Azure RBAC (Elevated Access)." lightbox="./media/elevate-access-global-admin/entra-id-audit-logs-filter.png":::
+
+1. To view details when access was elevated or removed, select these audit log entries.
+
+    `User has elevated their access to User Access Administrator for their Azure Resources`
+
+    `The role assignment of User Access Administrator has been removed from the user`
+
+    :::image type="content" source="./media/elevate-access-global-admin/entra-id-audit-logs-elevated-details.png" alt-text="Screenshot of directory audit logs that shows audit log details when access is elevated." lightbox="./media/elevate-access-global-admin/entra-id-audit-logs-elevated-details.png":::
+
+1. To download and view the payload of the log entries in JSON format, select **Download** and **JSON**.
+
+    :::image type="content" source="./media/elevate-access-global-admin/entra-id-audit-logs-download.png" alt-text="Screenshot of directory audit logs that shows the Download Audit Logs pane to download logs." lightbox="./media/elevate-access-global-admin/entra-id-audit-logs-download.png":::
+
+# [Azure activity logs](#tab/azure-activity-logs)
 
 ### View elevate access log entries using the Azure portal
 
@@ -399,7 +434,7 @@ When access is elevated, an entry is added to the logs. As a Global Administrato
 
     `Assigns the caller to User Access Administrator role`
 
-    ![Screenshot showing directory activity logs in Monitor.](./media/elevate-access-global-admin/monitor-directory-activity.png)
+    ![Screenshot that shows activity logs for the directory in Azure Monitor.](./media/elevate-access-global-admin/monitor-directory-activity.png)
 
 ### View elevate access log entries using Azure CLI
 
@@ -458,6 +493,8 @@ A user in the group can now periodically run the [az rest](/cli/azure/reference-
 az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
 ```
 
+---
+
 ## Next steps
 
 - [Understand the different roles](rbac-and-directory-admin-roles.md)