Azure AD Auditing reports – Office 365 users license usage reporting


I recently was working with Partner; he says that Office 365 users are unlicensed. Some of those users were showing up in the portal without licenses for Exchange Online and Lync Online.

How’d that happen?” the Partner admin asked.

I don’t know,” I said…something that I hate saying, especially to Partners/Customer.

So after bit research I understand we can identify unlicensed information in Azure AD Audit reports.

The Azure Active Directory Audit Report helps customers identify privileged actions that occurred in their Azure Active Directory. Privileged actions include elevation changes (for example, role creation or password resets), changing policy configurations (for example password policies), or changes to directory configuration (for example, changes to domain federation settings). The reports provide the audit record for the event name, the actor who performed the action, the target resource affected by the change, and the date and time (in UTC). Customers are able to retrieve the list of audit events for their Azure Active Directory via the Azure Management Portal.

Azure Active Directory comes in three editions: Free, Basic, and Premium.

Enabling Azure AD Free

The enablement process is very straightforward: log in to the Office 365 admin center and expand the Admin triangle, and you’ll see Azure AD listed. Click it, and you’ll get a new browser window that takes you to the Microsoft Azure sign-up page (shown below). After you fill in the fields, you’ll need to  click the button in the “Mobile Verification” section to verify your possession of the phone whose number you plugged in. After doing so, you’ll see a green “Sign Up” button.

 

IMPORTANT: Before you click the green button, you should know that signing up doesn’t cost you anything and doesn’t have any impact on your Office 365 service. Apart from seeing some new options in the Office 365 admin center, you won’t notice the change.

All right, that’s out of the way. Click the button already. The Azure factory will hum away for a few minutes as it creates your subscription. You’ll get a progress page like this one:

There’s no billing, because you’re using the AAD Free tier. Now you can go back to the O365 admin portal and click the Azure AD link under Admin again. You’ll be offered a quick tour of the Azure AD portal interface, which is interesting but not necessary for our purposes; once the tour’s dismissed, you’ll see the AAD management interface. Click the pyramid icon in the left nav bar to switch to the actual AD management portion of the portal. You’ll see a list of each AAD partition that you’ve subscribed to. Click the right arrow next to the name of the organization, then you’ll see a page that looks like this:

 

At the top of the window, underneath your organization name, you’ll see a bunch of tabs with familiar-sounding names such as “Users” and “Groups”. What you see here is merely a reflection of what was already in your invisible AAD, courtesy of your O365 subscriptions. For example, if you click the Users tab, you’ll see all the user accounts that O365 knows about, whether they were dirsynced or created in the cloud.

We’re interested in the Reports tab, so click it now.

Using AAD Free reports

As I write this, AAD Free supports six report types, with an additional eight available to AAD Premium subscribers. These reports mostly have descriptive names, which I appreciate; for example, if you click on “Sign ins after multiple failures,” it’s pretty clear what you’re going to see. Depending on what geography your tenant is registered in, you might see a warning dialog that tells you that you’re about to see IP address and geolocation information.This is required by privacy laws in some places.

 

After you dismiss this dialog… you’ll probably get a blank report, depending on which report you chose. Some of the reports have to be generated, and when you first sign up for AAD Free they will not have been generated.

What you probably actually care about—who added, removed, or changed user accounts and licenses—is actually found in the audit report. Below is an example, with the interesting part helpfully highlighted (and some sensitive data elided):

 

This report tells me that someone changed the user license for a specific user, and when the change was posted to O365. If that change was unexpected, this would provide a good place to start looking. In this case, the change was posted by the dirsync process, which in this case was expected. However, for changes made manually by an administrator, their user ID would show up here.

Comments (1)

Skip to main content