In Microsoft Azure Active Directory (Azure AD), multiple audit reports within the Azure Management Portal (manage.windowsazure.com) can provide basic information about changes to directory data for a tenant. However, those reports may not provide a complete view of why those changes are occurring.
You can find more information about such changes in the audit trails that are specific to individual features and services. For example, Azure AD Privileged Identity Management (PIM) manages just-in-time (JIT) user role assignments. If you want to learn about changes to user role assignments that originate in Azure AD PIM, the Audit History report from the Azure AD PIM user experience in the Azure portal (portal.azure.com) provides information beyond what is available in the Azure audit trail.
The Actor that is listed in audit reports from the Azure Management Portal represents the user or service principal that makes the change in Azure AD. In Azure AD PIM, the service principal is named "MSPIM." By examining the Audit History log in the Azure AD PIM user experience, you can find additional information about role changes that are started through the Azure AD PIM service. Other services and third-party products have their own service principals.
Therefore, if you are using Azure AD PIM, we recommend that you also collect audit reports about changes in administrator roles from the Audit History in the Azure AD PIM user experience in the Azure portal (portal.azure.com). Similarly, other services in Microsoft Online Services may generate their own audit trail in addition to the log that is generated by Azure AD. Third-party products and services may also change user role assignments.
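The following is an added example, not code from Microsoft or from this article: it sorts role-assignment changes from an exported audit report by Actor, so that each change is matched to the audit trail that explains it. The CSV columns, action labels, sample rows, and the `HypotheticalSyncApp` principal are constructed assumptions; only the "MSPIM" name comes from the text above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and rows are assumptions,
# not the real schema of the Azure Management Portal reports.
SAMPLE_CSV = """date,actor,actor_type,action,target
2016-03-01T09:12:00Z,alice@contoso.example,User,Add member to role,bob@contoso.example
2016-03-01T10:40:00Z,MSPIM,ServicePrincipal,Add member to role,carol@contoso.example
2016-03-01T11:40:00Z,MSPIM,ServicePrincipal,Remove member from role,carol@contoso.example
2016-03-02T08:05:00Z,HypotheticalSyncApp,ServicePrincipal,Add member to role,dave@contoso.example
2016-03-02T08:30:00Z,alice@contoso.example,User,Reset user password,erin@contoso.example
"""

# Service principal name -> secondary audit trail that explains its changes.
# Only "MSPIM" comes from the article; extend this map for your own tenant.
KNOWN_TRAILS = {"MSPIM": "Azure AD PIM Audit History (portal.azure.com)"}

# Assumed labels for role-assignment changes in the export.
ROLE_ACTIONS = {"Add member to role", "Remove member from role"}


def triage_role_changes(csv_text, known_trails=KNOWN_TRAILS):
    """Group role-assignment changes by the audit trail that explains them."""
    trails = {name.casefold(): trail for name, trail in known_trails.items()}
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] not in ROLE_ACTIONS:
            continue  # not a role-assignment change
        actor = row["actor"].strip()
        if row["actor_type"] != "ServicePrincipal":
            # A user made the change directly; the directory report is complete.
            where = "directory audit report (user acted directly)"
        else:
            # A service made the change; the reason lives in that service's
            # own trail. Unmapped principals are surfaced for follow-up.
            where = trails.get(actor.casefold(),
                               "UNMAPPED service principal: " + actor)
        buckets[where].append(
            (row["date"], actor, row["action"], row["target"]))
    return dict(buckets)


if __name__ == "__main__":
    for where, events in triage_role_changes(SAMPLE_CSV).items():
        print(where)
        for event in events:
            print("   ", *event)
```

Entries in the unmapped bucket are role changes made by a service principal whose own audit trail has not yet been identified and collected.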