1. Later, to see the range of dates held in your workspace, you can use the *Archived Log Date Range* workbook:
53
+
54
+
1. Select **Azure Active Directory** then click **Workbooks**.
55
+
56
+
1. Expand the section **Azure Active Directory Troubleshooting**, and click on **Archived Log Date Range**.
57
+
58
+
59
+
## View events for an access package
60
+
61
+
To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/platform/manage-access#manage-access-using-azure-permissions) for information) and in one of the following roles:
62
+
63
+
- Global administrator
64
+
- Security administrator
65
+
- Security reader
66
+
- Report reader
67
+
- Application administrator
68
+
69
+
Use the following procedure to view events:
70
+
71
+
1. In the Azure portal, select **Azure Active Directory** then click **Workbooks**. If you only have one subscription, move on to step 3.
72
+
73
+
1. If you have multiple subscriptions, select the subscription that contains the workspace.
74
+
75
+
1. Select the workbook named *Access Package Activity*.
76
+
77
+
1. In that workbook, select a time range (change to **All** if not sure), and select an access package Id from the drop-down list of all access packages that had activity during that time range. The events related to the access package that occurred during the selected time range will be displayed.
Each row includes the time, access package Id, the name of the operation, the object Id, UPN, and the display name of the user who started the operation. Additional details are included in JSON.
82
+
83
+
52
84
## Create custom Azure Monitor queries using the Azure portal
53
85
You can create your own queries on Azure AD audit events, including entitlement management events.
54
86
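Review bot: The access requirement added on line 61 reads "must have access to the underlying Azure monitor workspace ... and in one of the following roles", which drops the verb and lowercases the product name; suggest "and be in one of the following roles" and "Azure Monitor". The role list on lines 63-67 runs from Global administrator to Application administrator without saying which is sufficient; since the procedure only views a workbook, point readers to the least-privileged role in that list. The new text also writes "access package Id" and "object Id", while later hunks in this commit change "id" to "ID".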
@@ -85,6 +117,7 @@ You can access logs through PowerShell after you've configured Azure AD to send
85
117
Make sure you, the user or service principal that will authenticate to Azure AD, are in the appropriate Azure role in the Log Analytics workspace. The role options are either Log Analytics Reader or the Log Analytics Contributor. If you're already in one of those roles, then skip to [Retrieve Log Analytics ID with one Azure subscription](#retrieve-log-analytics-id-with-one-azure-subscription).
86
118
87
119
To set the role assignment and create a query, do the following steps:
120
+
88
121
1. In the Azure portal, locate the [Log Analytics workspace](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces
89
122
).
90
123
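Review bot: Line 117 offers Log Analytics Reader or Log Analytics Contributor without saying which to prefer; the steps that follow only set up and run queries, so recommend Reader as the default and reserve Contributor for users who must change workspace settings. As a smaller point, the closing parenthesis of the portal link sits alone on line 122; keeping the link on one line would make it easier to maintain.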
@@ -102,7 +135,7 @@ Once you have the appropriate role assignment, launch PowerShell, and [install t
102
135
install-module -Name az -allowClobber -Scope CurrentUser
103
136
```
104
137
105
-
Now you're ready to authenticate to Azure AD, and retrieve the id of the Log Analytics workspace you're querying.
138
+
Now you're ready to authenticate to Azure AD, and retrieve the ID of the Log Analytics workspace you're querying.
106
139
107
140
### Retrieve Log Analytics ID with one Azure subscription
108
141
If you have only a single Azure subscription, and a single Log Analytics workspace, then type the following to authenticate to Azure AD, connect to that subscription, and retrieve that workspace:
[Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) operates in one subscription at a time. So, if you have multiple Azure subscriptions, you'll want to make sure you connect to the one that has the Log Analytics workspace with the Azure AD logs.
118
151
119
-
The following cmdlets display a list of subscriptions, and find the id of the subscription that has the Log Analytics workspace:
152
+
The following cmdlets display a list of subscriptions, and find the ID of the subscription that has the Log Analytics workspace:
120
153
121
154
```azurepowershell
122
155
Connect-AzAccount
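Review bot: The context line 135, `install-module -Name az -allowClobber -Scope CurrentUser`, is left in non-canonical casing while lines 138 and 152 tidy the casing of "ID" in the prose beside it; consider `Install-Module -Name Az -AllowClobber -Scope CurrentUser` so the sample matches the cmdlet and module names as documented. PowerShell accepts either form, so this is a readability point only.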
@@ -127,7 +160,7 @@ $subs | ft
127
160
You can reauthenticate and associate your PowerShell session to that subscription using a command such as `Connect-AzAccount –Subscription $subs[0].id`. To learn more about how to authenticate to Azure from PowerShell, including non-interactively, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azps-2.5.0
128
161
).
129
162
130
-
If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Azure AD logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace id" displayed in the Azure portal in the Log Analytics workspace overview.
163
+
If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Azure AD logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace Id" displayed in the Azure portal in the Log Analytics workspace overview.
131
164
132
165
```powershell
133
166
$wks = Get-AzOperationalInsightsWorkspace
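Review bot: "Workspace Id" on line 163 is quoted as a portal label, so its casing should be checked against what the portal actually displays rather than adjusted by hand; the other two edits in this commit settle on "ID", and a reader will notice the difference. The sign-in link in the context on line 160 also carries `view=azps-3.3.0&viewFallbackFrom=azps-2.5.0`; dropping the version query string would keep the link from pinning readers to an old module version.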
@@ -149,7 +182,7 @@ $aResponse.Results |ft
149
182
You can also retrieve entitlement management events using a query like:
150
183
151
184
```azurepowershell
152
-
$bQuery = = 'AuditLogs | where Category == "EntitlementManagement"'
185
+
$bQuery = 'AuditLogs | where Category == "EntitlementManagement"'
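Review bot: The query on line 185 filters only on Category, with no time bound in the string itself; if the call that runs `$bQuery` (outside this hunk) does not pass a timespan, add a filter such as `| where TimeGenerated > ago(7d)` so the sample does not read the full retention period. The removed `= =` would not have parsed, so it is worth running the whole block once before merging.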