Audit Vault for M365

A powerful and cost-effective solution to retain and surface your Microsoft 365 audit log records.

Retain your Entra ID Audit Log Records

Why Use Audit Vault for M365:

Audit Vault for M365 will retain all audit log records from Microsoft Entra ID. Track various user mangement and group policy events from Entra ID. Securely preserve those audit logs within Audit Vault for M365 without the need to purchase expensive Microsoft licenses.

Audit User Management Functions.
Track of when users are added or removed from security and distribution groups.
Oversee all changes to Group Policy settings.

What type of audit information is retained from Entra ID?

Below is a listing of all the audit properties that Audit Vault for M365 preserves from Microsoft Entra ID. Run reports to detect failed login attempts to ensure that no suspicious activity is occuring in your Microsoft 365 tenant. Track down user and group managment activity, and review your Azure logs for unauthorized applications.

Audit Properties Retained from Entra ID
Property Description
Creation Time: The date and time when the audit event or operation occurred in Entra ID. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of activity or event that had occurred when generating the Entra ID audit log. Examples:
  • Add app role assignment grant to user.
  • Add app role assignment to service principal.
  • Add application.
  • Add delegated permission grant.
  • Add device.
  • Add group.
  • Add member to group.
  • Add member to role.
  • Add owner to group.
  • Add policy.
  • Add registered owner to device.
  • Add registered users to device.
  • Add service principal.
  • Add user.
  • Change user license.
  • Change user password.
  • Consent to application.
  • Delete user.
  • Disable account.
  • Remove member from group.
  • Remove service principal.
  • Reset user password.
  • Set Company Information.
  • Update application – Certificates and secrets management
  • Update application.
  • Update device.
  • Update group.
  • Update policy.
  • Update service principal.
  • Update StsRefreshTokenValidFrom Timestamp.
  • Update user.
  • UserLoggedIn
  • UserLoginFailed
User Id: The name of the user that performed the action that generated the Entra ID Audit Log.
Additional Properties: Stores any new properties from Entra ID Audit Log that are not captured elsewhere.
Actor: Includes the User ID and Microsoft ID of the user that performed the action that triggered the Entra ID event.
Actor Context Id: The GUID of the organization that the actor belongs to.
Actor Ip Address The actor's IP address in IPV4 or IPV6 address format.
App Access Context:
Application: The application that triggers the account login event from Entra ID, such as Office 15.
Application Id: The GUID that represents the application that is requesting the login. The display name can be looked up via the Microsoft Entra Graph API.
Client: Details about the client device, device OS, and device browser that was used for the of the account login event.
Client IP: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
Device Properties: This property includes various device details, including Id, Display name, OS, Browser, IsCompliant, IsCompliantAndManaged, SessionId, and DeviceTrustType. The DeviceTrustType property can have the following values:
  • 0 - Microsoft Entra registered
  • 1 - Microsoft Entra joined
  • 2 - Microsoft Entra hybrid joined
Entra ID Event Type: The ID of the Entra event. Example: 1
Error Code: For failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Microsoft Entra STS (AADSTS) error code. For descriptions of these error codes, see Authentication and authorization error codes. A value of 0 indicates a successful login.
Error Number: The number of the error that occured in Entra ID that triggered the audit log event.
Extended Properties: The extended properties of the Microsoft Entra event. Includes information such as Extended Audit Event Category, User Agent details, KeepMeSigned In boolean, App and Device Id's' etc.:
Inter Systems Id: The GUID that track the actions across components within the Office 365 service that created the Entra ID audit log.
Intra Systems Id: The GUID that's generated by Microsoft Entra ID to track the action.
Login Status: The mapping of various interesting logon failures could be done by alerting algorithms.
Logon Error: For failed logins, this property contains a user-readable description of the reason for the failed login.
Modified Properties: Includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property with respect to the audit log created for the Entra ID event. Examples include AccountEnabled boolean, Consent Contect IS Admin Consent boolean, App Role Id etc.
Object Id: The ID of the user that triggered the Entra ID audit log event.
Record Type: Stores the Id of the record type for the Entra ID Audit Log.
8: AzureActiveDirectory (Microsoft Entra Events)
15: AzureActiveDirectoryStsLogon (Secure Token Service (STS) logon events in Microsoft Entra ID.).
Result Status: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Success, Failed or Failure.
Scope: Indicates if the Entra ID event created by a hosted O365 service or an on-premises server.
Support Ticket Id: The customer support ticket ID from Microsoft for the action in "act-on-behalf-of" situations. This is not an ECM Insights support ticket Id.
Target: The user that the Entra ID action (identified by the Operation property) was performed on.
Target Context Id: The GUID of the organization that the targeted user belongs to.
User Domain: The Tenant Identity Information (TII) that triggered the Entra ID Audit Log.
User Id: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the Entra ID audit record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included.
User Key: An alternative ID for the user identified in the UserId property.
User Type: The type of user that performed the operation that generated the SharePoint Audit Log. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version: The version number of the Microsoft Management Api that executed the request to retrieve the Entra ID Audit Logs.
Workload: The Office 365 service where the activity occurred. In this case its AzureActiveDirectory.

Note: Audit vault for M365 will only store the values for the properties listed above if they are returned from Microsoft. Some information is present only if it is applicable.