How to configure Entra ID auditing in ADAudit Plus

Objective

This article explains how to configure Entra ID auditing in ADAudit Plus to monitor and track user activities, sign-ins, group modifications, and changes to directory roles within Azure Active Directory (Entra ID).

By integrating Entra ID with ADAudit Plus, administrators can achieve centralized auditing of their cloud infrastructure alongside on-premises AD auditing.

Prerequisites

ADAudit Plus should be installed and operational.
A valid Entra ID subscription with appropriate licenses (like Entra ID Premium P1/P2) to enable auditing features.

Global Administrator or privileged role administrator rights in Entra ID are needed to configure auditing and provide necessary API permissions. (Only needed for configuration of the application in Entra ID)

Entra ID Graph API or Microsoft Graph API permissions enabled.
ADAudit Plus must have internet access to communicate with Entra ID.

Steps to follow

Configuring using Entra ID/Azure AD premium license

To audit your Entra ID environment using an Entra ID Premium license. ADAudit Plus uses the Microsoft Graph API to obtain events from Entra ID.

Privileges required while using Microsoft Graph API

Application.Read.All
AuditLog.Read.All
Directory.Read.All
IdentityRiskEvent.Read.All
Group.Read.All
User.Read.All
DeviceManagementApps.Read.All
DeviceManagementManagedDevices.Read.All

1. Register an application

Go to the Azure portal, and sign in using your Microsoft account.
Select Azure Active Directory from the Azure services section.

Go to Manage > App registrations > + New registration to open the Register an application window.

Enter the application name, for example, ADAudit Plus Application.
Ensure that Accounts in this organizational directory only (zohoadapazure only - Single tenant) is selected under Supported account types.

Using an Azure AD Premium license

Click Register.

2. Grant minimum privileges required for Microsoft Graph API

Go to the Azure portal, and sign in using your Microsoft account.
Select Azure Active Directory from the Azure services section.
Go to Manage > App registrations. Select your application under Owned applications.

Go to Manage > API permissions and select + Add a permission.

Select Microsoft Graph. Click Application permissions as the type of permission required.
From the listing, select the following:

Application.Read.All
AuditLog.Read.All
Directory.Read.All
IdentityRiskEvent.Read.All
Group.Read.All
User.Read.All
DeviceManagementApps.Read.All
DeviceManagementManagedDevices.Read.All

Using an Azure AD Premium license

Click Add permissions.
Select Grant admin consent for <tenantname >
Click Yes.

3. Obtain the tenant name

Go to the Azure portal, and sign in using your Microsoft account.
Search for and select Microsoft Entra ID.

Go to Manage > Custom domain names.
Click Add filter.
Set Filter to Status and Value to Verified, and then click Apply.

From the listed domains, copy a name of a domain (preferably one that ends with .onmicrosoft.com) as this will be needed when setting up Entra ID in ADAudit Plus.

4. Obtain client ID and client secret

Go to the Azure portal, and sign in using your Microsoft account.
Select Azure Active Directory service from the Azure services section.
Go to Manage > App registrations. Select your application under Owned applications.
Go to Manage > Certificates & secrets.

Click + New client secret.
Enter the description.
Choose 24 Months as the expiration date; this is the maximum value that can be used.
Click Add.
Copy the client secret value (e.g., "14uCILxkHtIVGR3wkCq12341Nd5VtestkkWTyIPrrE=")

Using an Azure AD Premium license

Go to Manage > App registrations. Select your application under Owned Applications.
Navigate to Application (Client ID) and click Copy to clipboard.

Using an Azure AD Premium license

5. Setting up Entra ID in ADAudit Plus

Open the ADAudit Plus web console.
Go to Configuration > Configured Server(s) > Cloud Directory.
Select +Add Tenant in the top-right corner.

Select Audit via Azure.
In the Cloud Directory window, choose the Cloud Type based on the national cloud points from the list below:

Entra ID global service (Azure Cloud - Default)
Entra ID for US Government L4 (Azure GCC High Cloud)
Entra ID for US Government L5 (Azure DOD Cloud)
Entra ID China operated by 21Vianet (Azure China Cloud)
Entra ID for Germany (Azure Germany Cloud)

Enter the Tenant Name, Client ID, and Client Secret.

Click Add.

6. Privileges required while using Entra ID Graph API

The use of Entra ID Graph API is deprecated. Instead, it's strongly recommended you use the Microsoft Graph API to audit your Entra ID.

For more details on why Entra ID graph API was deprecated, check the FAQ.

Check if you are using Entra ID Graph API and, if so, migrate using these steps:

Open the ADAudit Plus web console.
Go to Configuration > Configured Server(s) > Cloud Directory.

In the top-right corner, if the Migrate to Microsoft Graph API button is available, then Azure Active Directory Graph API is in use.
If the Back to Entra ID Graph API button is available, then Microsoft Graph API is in use.

Migrate to Microsoft Graph API from Entra ID Graph API by clicking Migrate to Microsoft Graph API at the top-right corner.
Click Yes in the confirmation prompt.

Using an Azure AD Premium license

Note: Once you have migrated to Microsoft Graph API, add the necessary minimum privileges using the steps listed here.

If you still want to use Entra ID Graph API, you can find the privileges required below:

Directory.Read.All

Configuring using a Microsoft 365 license

To audit your Entra ID (renamed as Entra ID) environment using a Microsoft 365 license, ADAudit Plus uses the Microsoft 365 Management API for all installations after ADAudit Plus build 7050.

Privileges required while using Microsoft 365 Management API

Microsoft Graph API > Directory.Read.All
Office 365 Management API > ActivityFeed.Read