m365Corner
M365 Glossary

Entra ID Audit Logs

What are Entra ID Audit Logs?

Microsoft Entra ID Audit Logs record administrative activities and changes made within a Microsoft Entra tenant. These logs help administrators track actions such as user creation, role assignments, group changes, and application updates.

Audit logs provide visibility into who performed an action, what was changed, and when the change occurred, making them essential for monitoring administrative activity and maintaining security.

Examples of activities recorded in audit logs include:

  • User account creation or deletion
  • Changes to group membership
  • Role assignments or removals
  • Application registrations and updates
  • Policy configuration changes

🚀 Community Edition Released!

Try the M365Corner Microsoft 365 Reporting Tool — your DIY pack with 20+ out-of-the-box M365 reports for Users, Groups, and Teams.

How to Use Entra ID Audit Logs

Administrators can view and analyze audit logs using either the Microsoft Entra Admin Center or Microsoft Graph PowerShell.


Using the Microsoft Entra Admin Center

Follow these steps to view audit logs:

  1. Go to the Microsoft Entra Admin Center: https://entra.microsoft.com
  2. Navigate to Entra ID → Monitoring & health → Audit logs
  3. Use filters to search activities based on:
    • Activity type
    • User
    • Date range
    • Target resource

The portal allows administrators to quickly review administrative actions performed within the tenant.


Using Microsoft Graph PowerShell

Audit logs can also be retrieved using Microsoft Graph PowerShell.

Example cmdlet:

Get-MgAuditLogDirectoryAudit

This cmdlet retrieves directory audit log entries from Microsoft Entra ID.

Administrators can further refine results using filters to analyze specific activities or time ranges.

Example: 

Get-MgAuditLogDirectoryAudit| Select ActivityDisplayName, InitiatedBy, ActivityDateTime

Using PowerShell enables administrators to export logs, automate monitoring tasks, and integrate auditing into scripts.


Key Features of Entra ID Audit Logs

Delegated Permissions

Feature Description
Activity Tracking Records administrative actions performed in the tenant
Detailed Log Entries Shows who performed the action and when
Filtering Capabilities Allows filtering by activity type, user, or time range
Integration with PowerShell Enables automated log retrieval and reporting
Security Visibility Helps administrators monitor sensitive changes

Use Cases for Entra ID Audit Logs

Entra ID audit logs are commonly used for:

  • Tracking administrative changes in the tenant
  • Investigating security incidents
  • Monitoring role assignments and permission changes
  • Reviewing group membership modifications
  • Maintaining compliance and audit trails

These logs help organizations maintain visibility and accountability for administrative activities within Microsoft Entra.

Did You Know? Managing Microsoft 365 applications is even easier with automation. Try our Graph PowerShell scripts to automate tasks like generating reports, cleaning up inactive Teams, or assigning licenses efficiently.

Ready to get the most out of Microsoft 365 tools? Explore our free Microsoft 365 administration tools to simplify your administrative tasks and boost productivity.

© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.