Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Admins can use Audit Logs in the Azure portal or the onPremisesSyncBehavior Microsoft Graph API to monitor and report SOA changes in their environment. They can also integrate SOA changes with third-party monitoring systems. For more information, see onPremisesSyncBehavior.
How to use Audit Logs to see SOA changes
You can access Audit Logs in the Azure portal. They retain a record of SOA changes for the last 30 days.
Sign in to the Azure portal as at least a Reports Reader.
Select Manage Microsoft Entra ID > Monitoring > Audit logs or search for audit logs in the search bar.
Select activity as Change Source of Authority from AD DS to cloud.
Alternatively, you can also see activity of when a user has their source of authority reverted away from the cloud.
You can also get a full list of all users who have had their SOA reverted by making the following API call:
GET https://graph.microsoft.com/v1.0/users?$count=true&$filter=OnPremisesSyncEnabled ne true and OnPremisesImmutableId ne null
How to use Azure Monitor to create workbooks and reports using Log Analytics
You can integrate Audit Logs with Azure Monitoring and search the following events to get SOA operations:
Event ID 6956 is logged if an object isn't synced to the cloud because the SOA of the object is cloud-managed.
When SOA transfer is rolled back to on-premises, user provisioning to AD DS stops syncing changes without deleting the AD DS user. The AD DS user is also removed from the configuration scope. The AD DS user remains intact, and AD DS resumes control in the next sync cycle. You can verify in the Audit Logs that sync doesn't happen for this object because it's managed on-premises.
For more information about how to create custom queries, see Understand how provisioning integrates with Azure Monitor logs.