0

I need to get info about changes made on Directory roles (for example Global Administrator) I need details like, username - A) user who made a change, B) timestamp, C) action - add a user to a group or remove, D) name of the group to which user has been added. I updated AD module on Azure portal, now I have AzureADPreview, and I am using cmd-let --> Get-AzureADAuditDirectoryLogs. And as an output I can get only: A) B) and C). I checked all "Id" from the output but I didn't find Directory Roles IDs. Is there a method for catching this info --> (D) using mentioned PowerShell command? below, the command I used: 

Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-08-25" | where-object activitydisplayname -eq "Add member to group" | fl *
Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-09-01" | where-object activitydisplayname -eq "remove member from group"

UPDATE:

I used Rest API in order to catch the needed information:

$request = "https://graph.windows.net/xxx.com/activities/audit?api-version=beta"

$authHeader = @{  
'Content-Type'='application/json'  
'Accept'='application/json'  
'Authorization'= ("Bearer $personalToken")  
}  

$output = Invoke-RestMethod -Uri $request -Method Get -ContentType "application/json" -Headers $authHeader  
$output.value

And in the output still, don't see info about the group to which the user has been added.

Reegan Miranda
  • 2,879
  • 6
  • 43
  • 55
tester81
  • 533
  • 2
  • 9
  • 28

1 Answers1

0

I'm not sure why the name of the group is not returned.

But the Object ID of the group will be shown in the result.

Azure AD log

Use Get-AzureADGroup -ObjectId {Object ID} to get its name information.

Allen Wu
  • 15,529
  • 1
  • 9
  • 20
  • I have corrected command, now I have --> Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-08-25" | where-object activitydisplayname -eq "Add member to role". I can Find info about group, but Your hint is ok, thanks, we can find in the output group ID. – tester81 Sep 12 '19 at 12:44