Azure AD Auditing reports – Office 365 users license usage reporting

I recently was working with Partner; he says that Office 365 users are unlicensed. Some of those users were showing up in the portal without licenses for Exchange Online and Lync Online.

How’d that happen?” the Partner admin asked.

I don’t know,” I said…something that I hate saying, especially to Partners/Customer.

So after bit research I understand we can identify unlicensed information in Azure AD Audit reports.

The Azure Active Directory Audit Report helps customers identify privileged actions that occurred in their Azure Active Directory. Privileged actions include elevation changes (for example, role creation or password resets), changing policy configurations (for example password policies), or changes to directory configuration (for example, changes to domain federation settings). The reports provide the audit record for the event name, the actor who performed the action, the target resource affected by the change, and the date and time (in UTC). Customers are able to retrieve the list of audit events for their Azure Active Directory via the Azure Management Portal.

Azure Active Directory comes in three editions: Free, Basic, and Premium.

Enabling Azure AD Free

The enablement process is very straightforward: log in to the Office 365 admin center and expand the Admin triangle, and you’ll see Azure AD listed. Click it, and you’ll get a new browser window that takes you to the Microsoft Azure sign-up page (shown below). After you fill in the fields, you’ll need to  click the button in the “Mobile Verification” section to verify your possession of the phone whose number you plugged in. After doing so, you’ll see a green “Sign Up” button.


IMPORTANT: Before you click the green button, you should know that signing up doesn’t cost you anything and doesn’t have any impact on your Office 365 service. Apart from seeing some new options in the Office 365 admin center, you won’t notice the change.

All right, that’s out of the way. Click the button already. The Azure factory will hum away for a few minutes as it creates your subscription. You’ll get a progress page like this one:

There’s no billing, because you’re using the AAD Free tier. Now you can go back to the O365 admin portal and click the Azure AD link under Admin again. You’ll be offered a quick tour of the Azure AD portal interface, which is interesting but not necessary for our purposes; once the tour’s dismissed, you’ll see the AAD management interface. Click the pyramid icon in the left nav bar to switch to the actual AD management portion of the portal. You’ll see a list of each AAD partition that you’ve subscribed to. Click the right arrow next to the name of the organization, then you’ll see a page that looks like this:


At the top of the window, underneath your organization name, you’ll see a bunch of tabs with familiar-sounding names such as “Users” and “Groups”. What you see here is merely a reflection of what was already in your invisible AAD, courtesy of your O365 subscriptions. For example, if you click the Users tab, you’ll see all the user accounts that O365 knows about, whether they were dirsynced or created in the cloud.

We’re interested in the Reports tab, so click it now.

Using AAD Free reports

As I write this, AAD Free supports six report types, with an additional eight available to AAD Premium subscribers. These reports mostly have descriptive names, which I appreciate; for example, if you click on “Sign ins after multiple failures,” it’s pretty clear what you’re going to see. Depending on what geography your tenant is registered in, you might see a warning dialog that tells you that you’re about to see IP address and geolocation information.This is required by privacy laws in some places.


After you dismiss this dialog… you’ll probably get a blank report, depending on which report you chose. Some of the reports have to be generated, and when you first sign up for AAD Free they will not have been generated.

What you probably actually care about—who added, removed, or changed user accounts and licenses—is actually found in the audit report. Below is an example, with the interesting part helpfully highlighted (and some sensitive data elided):


This report tells me that someone changed the user license for a specific user, and when the change was posted to O365. If that change was unexpected, this would provide a good place to start looking. In this case, the change was posted by the dirsync process, which in this case was expected. However, for changes made manually by an administrator, their user ID would show up here.

Comments (2)

  1. Robert_Luck says:

    Office 365 Security & Compliance Center provides audit log search option which unifies all of the activities performed in Office 365 applications in one place, but it never gives you the glimpse of the activities happened.

    Admin has to perform many exhaustive searches to get into the details of what went on with their Office 365 environment!

    – AdminDroid Office 365 Auditing tool provides the summary view of the auditing events with different dimensions and you can navigate the dimensions just by few clicks.
    – You can get the weekly, monthly and daily activities trend along with the top 10 activities in each Office 365 applications.
    – There is a dedicated dashboard given for monitoring the failed activities.It helps you to analyze the root causes of the failed incidents and fix them as earliest.
    – Every analytics data available in the dashboard can be expanded further to get the broader detail of the statistics.

    This tool offers 200+ built-in reports which help admin to monitor the Office 365 environment easily. It provides more than 10 analytical dashboards which show statistics information about each and every office 365 components like user, licenses, security, mailbox, email traffic etc.

    For example, it can answer your questions like

    – How many disabled users in the domain with active license assigned?
    – How many users are without managers?
    – How many users have the configuration which allows weak password?
    – Who is going to run out of mailbox quota/size limit?
    – Who is sending/receiving most spam mail in your organization?
    – Who sends/receives most emails in your organization?
    More use cases can be explored in respective feature pages of the product website.

    You can check out the tool in your hand by accessing the live demo.
    Live demo:

    PS: The free edition of this software is more than enough for most of the administrators.

Skip to main content