AuditLogs

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Tables Index

Reference for AuditLogs table in Azure Monitor Logs.

Attribute Value
Category Azure Resources, Security
Basic Logs Eligible ✗ No (source)
Supports Transformations ✓ Yes (source)
Ingestion API Supported ✗ No
Lake-Only Ingestion ✓ Yes (source)
Azure Monitor Tables Reference View Documentation

Contents

Schema (31 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
AADOperationType string Type of the operation. Possible values are Add Update Delete and Other.
AADTenantId string ID of the ADD tenant
ActivityDateTime datetime Date and time the activity was performed in UTC.
ActivityDisplayName string Activity name or the operation name. Examples include Create User and Add member to group. For full list see Azure AD activity list.
AdditionalDetails dynamic Indicates additional details on the activity.
Category string Currently Audit is the only supported value.
CorrelationId string Optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services.
DurationMs long Property is not used and can be ignored.
Id string GUID that uniquely identifies the activity.
Identity string Identity from the token that was presented when the request was made. The identity can be a user account system account or service principal.
InitiatedBy dynamic User or app initiated the activity.
Level string Message type. This is currently always Informational.
Location string Location of the datacenter.
LoggedByService string Service that initiated the activity (For example: Self-service Password Management Core Directory B2C Invited Users Microsoft Identity Manager Privileged Identity Management.
OperationName string Name of the operation.
OperationVersion string REST API version that's requested by the client.
Resource string
ResourceGroup string
ResourceId string
ResourceProvider string
Result string Result of the activity. Possible values are: success failure timeout unknownFutureValue.
ResultDescription string Additional description of the result.
ResultReason string Describes cause of failure or timeout results.
ResultSignature string Property is not used and can be ignored.
ResultType string Result of the operation. Possible values are Success and Failure.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TargetResources dynamic Indicates information on which resource was changed due to the activity. Target Resource Type can be User Device Directory App Role Group Policy or Other.
TimeGenerated datetime Date and time the record was created.
Type string The name of the table

Solutions (20)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector Selection Criteria
Microsoft Entra ID

Content Items Using This Table (89)

Analytic Rules (67)

In solution Business Email Compromise - Financial Fraud:

Analytic Rule Selection Criteria
Account Elevated to New Role OperationName == "Add member to role completed (PIM activation)"
Authentication Method Changed for Privileged Account ActivityDisplayName == "User registered security info"
LoggedByService == "Authentication Methods"
Privileged Account Permissions Changed OperationName has "Add eligible member"
User Added to Admin Role

In solution Cloud Identity Threat Protection Essentials:

Analytic Rule Selection Criteria
Multi-Factor Authentication Disabled for a User
New External User Granted Admin Role AADOperationType in "Assign,AssignEligibleRole"
ActivityDisplayName has_any "Add eligible member to role"
OperationName in "Invite external user,Redeem external user invite"
OperationName has "Invite external user"
OperationName has "Redeem external user invite"

In solution Microsoft Business Applications:

Analytic Rule Selection Criteria
Dataverse - Guest user exfiltration following Power Platform defense impairment OperationName == "Update user"
Dataverse - New non-interactive identity granted access OperationName == "Update application"
Power Apps - Bulk sharing of Power Apps to newly created guest users OperationName == "Invite external user"
Power Platform - Account added to privileged Microsoft Entra roles Identity != "MS-PIM"
Identity != "MS-PIM-Fairfax"

In solution Microsoft Entra ID:

Analytic Rule Selection Criteria
Account Created and Deleted in Short Timeframe OperationName in "Add user,Delete user"
Account created or deleted by non-approved user OperationName in "Add user,Delete user"
Admin promotion after Role Management Application Permission Grant AADOperationType == "Assign"
LoggedByService == "Core Directory"
OperationName == "Add app role assignment to service principal"
Authentication Methods Changed for Privileged Account
Azure RBAC (Elevate Access) ActivityDisplayName == "User has elevated their access to User Access Administrator for their Azure Resources"
Bulk Changes to Privileged Account Permissions
Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) OperationName == "Update conditional access policy"
Conditional Access - A Conditional Access app exclusion has changed OperationName == "Update conditional access policy"
Conditional Access - A Conditional Access policy was deleted OperationName == "Delete conditional access policy"
Conditional Access - A Conditional Access policy was disabled OperationName == "Update conditional access policy"
Conditional Access - A Conditional Access policy was put into report-only mode OperationName == "Update conditional access policy"
Conditional Access - A Conditional Access policy was updated OperationName == "Update conditional access policy"
Conditional Access - A Conditional Access user/group/role exclusion has changed OperationName == "Update conditional access policy"
Conditional Access - A new Conditional Access policy was created OperationName == "Add conditional access policy"
Conditional Access - Dynamic Group Exclusion Changes OperationName == "Update group"
Credential added after admin consented to Application OperationName in "Add service principal credentials,Consent to application"
Cross-tenant Access Settings Organization Added OperationName has "Add a partner to cross-tenant access setting"
Cross-tenant Access Settings Organization Deleted OperationName has "Delete partner specific cross-tenant access setting"
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed OperationName has "Update a partner cross-tenant access setting"
Cross-tenant Access Settings Organization Inbound Direct Settings Changed OperationName has "Update a partner cross-tenant access setting"
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed OperationName has "Update a partner cross-tenant access setting"
Cross-tenant Access Settings Organization Outbound Direct Settings Changed OperationName has "Update a partner cross-tenant access setting"
External guest invitation followed by Microsoft Entra ID PowerShell signin OperationName == "Invite external user"
First access credential added to Application or Service Principal where no credential was present OperationName has "Certificates
secrets management"
Guest accounts added in Entra ID Groups other than the ones specified InitiatedBy has_any "CUSTOM DOMAIN NAME#"
OperationName in "Add member to group,Add owner to group"
Mail.Read Permissions Granted to Application ActivityDisplayName has "Consent to application"
ActivityDisplayName has_any "Add delegated permission grant"
Microsoft Entra ID Role Management Permission Grant LoggedByService == "Core Directory"
OperationName in "Add app role assignment to service principal,Add delegated permission grant"
Modified domain federation trust settings OperationName in "Set domain authentication,Set federation settings on domain"
Multiple admin membership removals from newly created admin.
NRT Authentication Methods Changed for VIP Users
NRT First access credential added to Application or Service Principal where no credential was present OperationName has_any "Add service principal,Certificates
secrets management"
NRT Modified domain federation trust settings OperationName in "Set domain authentication,Set federation settings on domain"
NRT New access credential added to Application or Service Principal OperationName has_any "Add service principal,Certificates
secrets management"
NRT PIM Elevation Request Rejected ActivityDisplayName == "Add member to role request denied (PIM activation)"
ResultReason != "RoleAssignmentExists"
NRT Privileged Role Assigned Outside PIM Identity != "MS-PIM"
Identity != "MS-PIM-Fairfax"
LoggedByService == "Core Directory"
OperationName == "Add member to role"
OperationName has "Add member to role outside of PIM"
NRT User added to Microsoft Entra ID Privileged Groups
New User Assigned to Privileged Role
New access credential added to Application or Service Principal OperationName has_any "Add service principal,Certificates
secrets management"
New onmicrosoft domain added to tenant AADOperationType == "Add"
OperationName in "Add unverified domain,Add verified domain"
PIM Elevation Request Rejected
Possible SignIn from Azure Backdoor
Privileged Role Assigned Outside PIM Identity != "MS-PIM"
Identity != "MS-PIM-Fairfax"
LoggedByService == "Core Directory"
OperationName == "Add member to role"
OperationName has "Add member to role outside of PIM"
Rare application consent OperationName has "Consent to application"
Suspicious Entra ID Joined Device Update OperationName == "Update device"
Suspicious Service Principal creation activity OperationName == "Remove service principal"
OperationName has_all "Update application"
Suspicious Sign In Followed by MFA Modification
Suspicious application consent for offline access LoggedByService == "Core Directory"
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application"
TargetResources has "offline"
Suspicious application consent similar to O365 Attack Toolkit LoggedByService == "Core Directory"
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application"
Suspicious application consent similar to PwnAuth LoggedByService == "Core Directory"
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application"
TargetResources has "offline"
User Assigned New Privileged Role AADOperationType in "Assign,AssignEligibleRole,CreateRequestGrantedRole,CreateRequestPermanentEligibleRole,CreateRequestPermanentGrantedRole"
ActivityDisplayName has_any "Add eligible member to role"
User added to Microsoft Entra ID Privileged Groups
full_access_as_app Granted To Application LoggedByService == "Core Directory"
OperationName == "Consent to application"
TargetResources has "full_access_as_app"

In solution SecurityThreatEssentialSolution:

Analytic Rule Selection Criteria
Threat Essentials - Multiple admin membership removals from newly created admin.
Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups LoggedByService == "Core Directory"
Threat Essentials - User Assigned Privileged Role AADOperationType in "Assign,AssignEligibleRole"
ActivityDisplayName has_any "Add eligible member to role"

In solution Threat Intelligence:

Analytic Rule Selection Criteria
TI Map URL Entity to AuditLogs

In solution Threat Intelligence (NEW):

Analytic Rule Selection Criteria
TI Map URL Entity to AuditLogs

Hunting Queries (8)

In solution Business Email Compromise - Financial Fraud:

Hunting Query Selection Criteria
Risky Sign-in with new MFA method
User detection added to privilege groups based in Watchlist ActivityDisplayName has_any "Add eligible member to role"
LoggedByService in "Core Directory,PIM"

In solution Cloud Identity Threat Protection Essentials:

Hunting Query Selection Criteria
Application Granted EWS Permissions OperationName has "Add app role assignment to service principal"
Interactive STS refresh token modifications OperationName has "StsRefreshTokenValidFrom"
User Granted Access and Grants Access to Other Users

In solution Microsoft Business Applications:

Hunting Query Selection Criteria
Power Apps - Anomalous bulk sharing of Power App to newly created guest users

In solution UEBA Essentials:

Hunting Query Selection Criteria
Anomalous Entra High-Privilege Role Modification OperationName == "Update user"
Anomalous High-Privileged Role Assignment OperationName == "Add member to role"

Workbooks (14)

In solution AzureSecurityBenchmark: OperationName in "Add member to role,Add user,AzureFirewallIDSLog,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "PIM"
OperationName contains "create"
OperationName contains "delete"
OperationName contains "lockbox"
OperationName contains "remove"
OperationName contains "update"

Workbook
AzureSecurityBenchmark

In solution ContinuousDiagnostics&Mitigation: OperationName contains "PIM"

Workbook
ContinuousDiagnostics&Mitigation

In solution CybersecurityMaturityModelCertification(CMMC)2.0: OperationName in "Add member to role,Add user,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "Add"
OperationName contains "Audit"
OperationName contains "Change"
OperationName contains "Create"
OperationName contains "Delete"
OperationName contains "Log"
OperationName contains "Monitor"
OperationName contains "PIM"
OperationName contains "Remove"
OperationName contains "Update"
OperationName contains "Write"
OperationName contains "reset"

Workbook
CybersecurityMaturityModelCertification_CMMCV2

In solution DPDP Compliance: OperationName in "Add member to role,Add user,Consent to application,Reset user password,Update user"
OperationName == "Sign-in activity"
OperationName != "Consent to application"

Workbook
DPDPCompliance

In solution GDPR Compliance & Data Security: OperationName in "Add member to role,Add user,Consent to application,Reset user password,Update user"
OperationName == "Sign-in activity"
OperationName != "Consent to application"

Workbook
GDPRComplianceAndDataSecurity

In solution Lumen Defender Threat Feed:

Workbook Selection Criteria
Lumen-Threat-Feed-Overview

In solution MaturityModelForEventLogManagementM2131: OperationName in "Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,Reset user password,Update user"
OperationName !contains "external"
OperationName !contains "invite"
OperationName !contains "licnense"
OperationName contains "group"
OperationName contains "member"
OperationName contains "principal"
OperationName contains "role"
OperationName contains "user"

Workbook
MaturityModelForEventLogManagement_M2131

In solution Microsoft Entra ID:

Workbook Selection Criteria
AzureActiveDirectoryAuditLogs SourceSystem == "Azure AD"
ConditionalAccessSISM

In solution MicrosoftPurviewInsiderRiskManagement: OperationName in "Add member to role,Add user,Consent to application,Create Deployment,Create or Update Virtual Machine,Create role assignment,List Storage Account Keys,Reset user password,Update user"
OperationName in "Set domain authentication,Set federation settings on domain,Sign-in activity"
OperationName != "Consent to application"
OperationName contains "Create"
OperationName contains "Delete"
OperationName contains "Update"
OperationName contains "delet"
OperationName contains "delete"
OperationName contains "remove"
OperationName has "Create"
OperationName has_any "Create,Update"
OperationName has_any "Ip,Security Rule"

Workbook
InsiderRiskManagement

In solution NISTSP80053: OperationName contains "Delete"
OperationName contains "PIM"
OperationName contains "Remove"

Workbook
NISTSP80053

In solution SOC Handbook: AdditionalDetails contains "fraud"
OperationName == "Consent to application"
OperationName == "Disable Strong Authentication"
OperationName contains "password"

Workbook
InvestigationInsights

In solution SOX IT Compliance:

Workbook Selection Criteria
SOXITCompliance

In solution ZeroTrust(TIC3.0): OperationName in "Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,AzureFirewallThreatIntelLog,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "PIM"

Workbook
ZeroTrustTIC3

Resource Types

This table collects data from the following Azure resource types:

Selection Criteria Summary (51 criteria, 68 total references)

References by type: 0 connectors, 68 content items, 0 ASIM parsers, 0 other parsers.

Selection Criteria Connectors Content Items ASIM Parsers Other Parsers Total
OperationName == "Update conditional access policy" - 6 - - 6
OperationName has "Update a partner cross-tenant access setting" - 4 - - 4
OperationName has_any "Add service principal,Certificates
secrets management"		 - 3 - - 3
OperationName == "Update user" - 2 - - 2
OperationName == "Invite external user" - 2 - - 2
OperationName in "Add user,Delete user" - 2 - - 2
OperationName in "Set domain authentication,Set federation settings on domain" - 2 - - 2
LoggedByService == "Core Directory"
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application"
TargetResources has "offline"		 - 2 - - 2
Identity != "MS-PIM"
Identity != "MS-PIM-Fairfax"
LoggedByService == "Core Directory"
OperationName == "Add member to role"
OperationName has "Add member to role outside of PIM"		 - 2 - - 2
OperationName in "Add member to role,Add user,Consent to application,Reset user password,Update user"
OperationName == "Sign-in activity"
OperationName != "Consent to application"		 - 2 - - 2
OperationName == "Add member to role completed (PIM activation)" - 1 - - 1
ActivityDisplayName == "User registered security info"
LoggedByService == "Authentication Methods"		 - 1 - - 1
OperationName has "Add eligible member" - 1 - - 1
AADOperationType in "Assign,AssignEligibleRole"
ActivityDisplayName has_any "Add eligible member to role"
OperationName in "Invite external user,Redeem external user invite"
OperationName has "Invite external user"
OperationName has "Redeem external user invite"		 - 1 - - 1
OperationName == "Update application" - 1 - - 1
Identity != "MS-PIM"
Identity != "MS-PIM-Fairfax"		 - 1 - - 1
AADOperationType == "Assign"
LoggedByService == "Core Directory"
OperationName == "Add app role assignment to service principal"		 - 1 - - 1
LoggedByService == "Core Directory"
OperationName in "Add app role assignment to service principal,Add delegated permission grant"		 - 1 - - 1
ActivityDisplayName == "User has elevated their access to User Access Administrator for their Azure Resources" - 1 - - 1
OperationName == "Delete conditional access policy" - 1 - - 1
OperationName == "Add conditional access policy" - 1 - - 1
OperationName == "Update group" - 1 - - 1
OperationName in "Add service principal credentials,Consent to application" - 1 - - 1
OperationName has "Add a partner to cross-tenant access setting" - 1 - - 1
OperationName has "Delete partner specific cross-tenant access setting" - 1 - - 1
LoggedByService == "Core Directory"
OperationName == "Consent to application"
TargetResources has "full_access_as_app"		 - 1 - - 1
OperationName has "Certificates
secrets management"		 - 1 - - 1
InitiatedBy has_any "CUSTOM DOMAIN NAME#"
OperationName in "Add member to group,Add owner to group"		 - 1 - - 1
ActivityDisplayName has "Consent to application"
ActivityDisplayName has_any "Add delegated permission grant"		 - 1 - - 1
LoggedByService == "Core Directory"
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application"		 - 1 - - 1
AADOperationType == "Add"
OperationName in "Add unverified domain,Add verified domain"		 - 1 - - 1
ActivityDisplayName == "Add member to role request denied (PIM activation)"
ResultReason != "RoleAssignmentExists"		 - 1 - - 1
OperationName has "Consent to application" - 1 - - 1
OperationName == "Update device" - 1 - - 1
OperationName == "Remove service principal"
OperationName has_all "Update application"		 - 1 - - 1
AADOperationType in "Assign,AssignEligibleRole,CreateRequestGrantedRole,CreateRequestPermanentEligibleRole,CreateRequestPermanentGrantedRole"
ActivityDisplayName has_any "Add eligible member to role"		 - 1 - - 1
LoggedByService == "Core Directory" - 1 - - 1
AADOperationType in "Assign,AssignEligibleRole"
ActivityDisplayName has_any "Add eligible member to role"		 - 1 - - 1
ActivityDisplayName has_any "Add eligible member to role"
LoggedByService in "Core Directory,PIM"		 - 1 - - 1
OperationName has "Add app role assignment to service principal" - 1 - - 1
OperationName has "StsRefreshTokenValidFrom" - 1 - - 1
OperationName == "Add member to role" - 1 - - 1
OperationName in "Add member to role,Add user,AzureFirewallIDSLog,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "PIM"
OperationName contains "create"
OperationName contains "delete"
OperationName contains "lockbox"
OperationName contains "remove"
OperationName contains "update"		 - 1 - - 1
OperationName contains "PIM" - 1 - - 1
OperationName in "Add member to role,Add user,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "Add"
OperationName contains "Audit"
OperationName contains "Change"
OperationName contains "Create"
OperationName contains "Delete"
OperationName contains "Log"
OperationName contains "Monitor"
OperationName contains "PIM"
OperationName contains "Remove"
OperationName contains "Update"
OperationName contains "Write"
OperationName contains "reset"		 - 1 - - 1
OperationName in "Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,Reset user password,Update user"
OperationName !contains "external"
OperationName !contains "invite"
OperationName !contains "licnense"
OperationName contains "group"
OperationName contains "member"
OperationName contains "principal"
OperationName contains "role"
OperationName contains "user"		 - 1 - - 1
SourceSystem == "Azure AD" - 1 - - 1
OperationName in "Add member to role,Add user,Consent to application,Create Deployment,Create or Update Virtual Machine,Create role assignment,List Storage Account Keys,Reset user password,Update user"
OperationName in "Set domain authentication,Set federation settings on domain,Sign-in activity"
OperationName != "Consent to application"
OperationName contains "Create"
OperationName contains "Delete"
OperationName contains "Update"
OperationName contains "delet"
OperationName contains "delete"
OperationName contains "remove"
OperationName has "Create"
OperationName has_any "Create,Update"
OperationName has_any "Ip,Security Rule"		 - 1 - - 1
OperationName contains "Delete"
OperationName contains "PIM"
OperationName contains "Remove"		 - 1 - - 1
AdditionalDetails contains "fraud"
OperationName == "Consent to application"
OperationName == "Disable Strong Authentication"
OperationName contains "password"		 - 1 - - 1
OperationName in "Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,AzureFirewallThreatIntelLog,NetworkSecurityGroupEvents,Reset user password,Update user"
OperationName contains "PIM"		 - 1 - - 1
Total 0 68 0 0 68

AADOperationType

Value Connectors Content Items ASIM Parsers Other Parsers Total
Assign - 4 - - 4
AssignEligibleRole - 3 - - 3
Add - 1 - - 1
CreateRequestGrantedRole - 1 - - 1
CreateRequestPermanentEligibleRole - 1 - - 1
CreateRequestPermanentGrantedRole - 1 - - 1

ActivityDisplayName

Value Connectors Content Items ASIM Parsers Other Parsers Total
has_any Add eligible member to role - 4 - - 4
User registered security info - 1 - - 1
User has elevated their access to User Access Administrator for their Azure Resources - 1 - - 1
has Consent to application - 1 - - 1
has_any Add delegated permission grant - 1 - - 1
Add member to role request denied (PIM activation) - 1 - - 1

AdditionalDetails

Value Connectors Content Items ASIM Parsers Other Parsers Total
contains fraud - 1 - - 1

Identity

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= MS-PIM - 3 - - 3
!= MS-PIM-Fairfax - 3 - - 3

InitiatedBy

Value Connectors Content Items ASIM Parsers Other Parsers Total
has_any CUSTOM DOMAIN NAME# - 1 - - 1

LoggedByService

Value Connectors Content Items ASIM Parsers Other Parsers Total
Core Directory - 10 - - 10
Authentication Methods - 1 - - 1
PIM - 1 - - 1

OperationName

Value Connectors Content Items ASIM Parsers Other Parsers Total
Add member to role - 10 - - 10
Update user - 9 - - 9
Add user - 9 - - 9
Consent to application - 9 - - 9
Reset user password - 7 - - 7
Update conditional access policy - 6 - - 6
contains PIM - 5 - - 5
Add delegated permission grant - 4 - - 4
has Update a partner cross-tenant access setting - 4 - - 4
Invite external user - 3 - - 3
Set domain authentication - 3 - - 3
Set federation settings on domain - 3 - - 3
Add OAuth2PermissionGrant - 3 - - 3
Add service principal - 3 - - 3
has_any Add service principal - 3 - - 3
has_any Certificates - 3 - - 3
AzureFirewallIDSLog - 3 - - 3
NetworkSecurityGroupEvents - 3 - - 3
contains Delete - 3 - - 3
Sign-in activity - 3 - - 3
!= Consent to application - 3 - - 3
Delete user - 2 - - 2
Add app role assignment to service principal - 2 - - 2
has Add member to role outside of PIM - 2 - - 2
contains delete - 2 - - 2
contains remove - 2 - - 2
contains Create - 2 - - 2
contains Remove - 2 - - 2
contains Update - 2 - - 2
ApplicationGatewayFirewall - 2 - - 2
Add member to role completed (PIM activation) - 1 - - 1
has Add eligible member - 1 - - 1
Redeem external user invite - 1 - - 1
has Invite external user - 1 - - 1
has Redeem external user invite - 1 - - 1
Update application - 1 - - 1
Delete conditional access policy - 1 - - 1
Add conditional access policy - 1 - - 1
Update group - 1 - - 1
Add service principal credentials - 1 - - 1
has Add a partner to cross-tenant access setting - 1 - - 1
has Delete partner specific cross-tenant access setting - 1 - - 1
has Certificates - 1 - - 1
Add member to group - 1 - - 1
Add owner to group - 1 - - 1
Add unverified domain - 1 - - 1
Add verified domain - 1 - - 1
has Consent to application - 1 - - 1
Update device - 1 - - 1
Remove service principal - 1 - - 1
has_all Update application - 1 - - 1
has Add app role assignment to service principal - 1 - - 1
has StsRefreshTokenValidFrom - 1 - - 1
contains create - 1 - - 1
contains lockbox - 1 - - 1
contains update - 1 - - 1
contains Add - 1 - - 1
contains Audit - 1 - - 1
contains Change - 1 - - 1
contains Log - 1 - - 1
contains Monitor - 1 - - 1
contains Write - 1 - - 1
contains reset - 1 - - 1
!contains external - 1 - - 1
!contains invite - 1 - - 1
!contains licnense - 1 - - 1
contains group - 1 - - 1
contains member - 1 - - 1
contains principal - 1 - - 1
contains role - 1 - - 1
contains user - 1 - - 1
Create Deployment - 1 - - 1
Create or Update Virtual Machine - 1 - - 1
Create role assignment - 1 - - 1
List Storage Account Keys - 1 - - 1
contains delet - 1 - - 1
has Create - 1 - - 1
has_any Create - 1 - - 1
has_any Update - 1 - - 1
has_any Ip - 1 - - 1
has_any Security Rule - 1 - - 1
Disable Strong Authentication - 1 - - 1
contains password - 1 - - 1
AzureFirewallThreatIntelLog - 1 - - 1

ResultReason

Value Connectors Content Items ASIM Parsers Other Parsers Total
!= RoleAssignmentExists - 1 - - 1

SourceSystem

Value Connectors Content Items ASIM Parsers Other Parsers Total
Azure AD - 1 - - 1

TargetResources

Value Connectors Content Items ASIM Parsers Other Parsers Total
has offline - 2 - - 2
has full_access_as_app - 1 - - 1

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Tables Index