Azure Active Directory group auditing

Grouping users in Azure AD can make your job as an administrator much easier, especially when it comes to policy application and permission management. Since groups carry permissions, you need to track when users are added to or removed from groups to prevent critical resources from falling into the wrong hands. M365 Security Plus, our extensive Microsoft 365 security solution, can help you do just that.

What can you audit with M365 Security Plus?

The native Microsoft 365 portal provides audit log information for created, modified, and deleted groups alone. M365 Security Plus, on the other hand, provides a multitude of reports on the actions that go on in your Microsoft 365 setup:

• Created group: Get details on groups created in Azure AD with information on group name, group ID, who created the group, and when.
• Updated group: Get details on groups modified by users with information on group name, group ID, operation performed, operation status, and more.
• Deleted group: Get details on groups deleted in Azure AD with information on group name, group ID, who deleted the group, and when. Deletion is quite important as this action may lead to a loss of access to resources.
• Added member to group: Get information on users added to a group. This helps you cross-check if the member can be added to that group or not.
• Removed member from group: Know when a user is removed from a group, with details on who removed them and when.
• Created group settings: Get audit details when new group settings have been configured.
• Updated group settings: Get audit details on modified group attributes.
• Deleted group settings: Get audit details on groups settings that have been deleted.

Microsoft 365 vs. M365 Security Plus

• Long-term historical data: In native Microsoft 365, there are limits to how long you can retrieve historical data based on the data being audited. M365 Security Plus stores audit data indefinitely to maintain complete records.
• Real-time auditing: Instead of gathering data for audit reports every single time, M365 Security Plus keeps audit reports updated in real time.
• Profile-based auditing: Instead of having to peruse the entire list of audit reports to find the right one (as required in Microsoft 365), M365 Security Plus lets you create your own profiles so you can view only those audit details you need to see.
• Group-based auditing: While auditing Azure AD, M365 Security Plus lets you generate reports for user activities based on group membership. Native Microsoft 365 can't audit user activities based on group membership.
• Advanced filtering: In native Microsoft 365, you can only filter logs based on certain attribute values. Use M365 Security Plus to filter your logs based on any attribute and perform multi-valued searches as needed.
• Custom views: While Microsoft 365 doesn't support custom views, with M365 Security Plus you can create your own custom views to see filtered data, summarized data, or summarized data that is filtered.
• Business hours auditing: Microsoft 365 doesn't support restricted time frame auditing, but M365 Security Plus lets you retrieve audit details based on business hours or a specific period of time.
• Export data: In native Microsoft 365, you can only export data to CSV. In M365 Security Plus, you can export audit data to PDF, XLSX, HTML, or CSV.