Audit activity reports in the Azure Active Directory portal

With Azure Active Directory (Azure AD) reports, you can get the information you need to determine how your environment is doing.

The reporting architecture consists of the following components:

  • Activity
    • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
    • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.

This article gives you an overview of the audit report.

Who can access the data?

  • Users in the Security Administrator, Security Reader, Report Reader, Global Reader or Global Administrator roles

Audit logs

The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select Audit logs in the Monitoring section of Azure Active Directory. Note that audit logs may have a latency of up to an hour, so it may take that long for audit activity data to show up in the portal after you have completed the task.

An audit log has a default list view that shows:

  • the date and time of the occurrence
  • the service that logged the occurrence
  • the category and name of the activity (what)
  • the status of the activity (success or failure)
  • the target
  • the initiator / actor (who) of an activity

You can customize the list view by clicking Columns in the toolbar.

This enables you to display additional fields or remove fields that are already displayed.

Select an item in the list view to get more detailed information.

Filtering audit logs

You can filter the audit data on the following fields:

  • Category
  • Activity
  • Status
  • Target
  • Initiated by (Actor)
  • Date range

The Category filter enables you to select one of the following filters:

  • All
  • B2C
  • Terms of Use
  • Access Reviews
  • Core Directory
  • Self-service Password Management

The Activity filter is based on the category and activity resource type selection you make. You can select a specific activity you want to see or choose all.

You can get the list of all Audit Activities using the Graph API: <tenantdomain>/activities/auditActivityTypesV2?api-version=beta

The Status filter allows you to filter based on the status of an audit operation. The status can be one of the following:

  • All
  • Success
  • Failure

The Target filter allows you to search for a particular target by the start of the name or user principal name (UPN). The target name and UPN are case-sensitive.

The Initiated by filter enables you to define what an actor's name or user principal name (UPN) starts with. The name and UPN are case-sensitive.

The Date range filter enables you to define a timeframe for the returned data.
Possible values are:

  • 7 days
  • 24 hours
  • Custom

When you select a custom timeframe, you can configure a start time and an end time.

You can also choose to download the filtered data, up to 250,000 records, by selecting the Download button. You can download the logs in either CSV or JSON format. The number of records you can download is constrained by the Azure Active Directory report retention policies.
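Once the data has been downloaded as JSON, the same filters can be re-applied offline during a review. The following Python sketch is an added example, not part of the original article or Microsoft's code; it assumes the export uses the field names of the Microsoft Graph directoryAudit resource, and the records and the names `filter_audit`, `actor_of` and `parse_time` are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample export (not real tenant data). Field names follow the
# Microsoft Graph directoryAudit resource; that the export matches is an assumption.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2020-03-02T09:15:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Alice Example",
                          "userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2020-03-02T10:40:00Z", "category": "UserManagement",
     "activityDisplayName": "Add user", "result": "failure",
     "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
     "targetResources": [{"displayName": "Bob Temp",
                          "userPrincipalName": "Bob.Temp@contoso.example"}]},
    {"activityDateTime": "2020-03-05T08:00:00Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Finance"}]},
])

def parse_time(value):
    # Handles whole-second UTC timestamps, as used in the constructed sample.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def actor_of(record):
    # The initiator is either a user (UPN) or an application (display name).
    initiated = record.get("initiatedBy") or {}
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or ""

def filter_audit(records, category=None, status=None, target=None,
                 initiated_by=None, start=None, end=None):
    """Apply the portal's filters offline; None means 'All' for that filter."""
    matches = []
    for rec in records:
        names = [t.get(key) or "" for t in rec.get("targetResources") or []
                 for key in ("displayName", "userPrincipalName")]
        when = parse_time(rec["activityDateTime"])
        if ((category is None or rec.get("category") == category)
                and (status is None or rec.get("result", "").lower() == status.lower())
                # Target and Initiated by are case-sensitive prefix matches.
                and (target is None or any(n.startswith(target) for n in names))
                and (initiated_by is None or actor_of(rec).startswith(initiated_by))
                and (start is None or when >= start)
                and (end is None or when <= end)):
            matches.append(rec)
    return matches
```

Because the Target and Initiated by matches are case-sensitive, a search for `bob` misses the record whose target is `Bob Temp`; keep this in mind when a filtered view comes back empty.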

Audit logs shortcuts

In addition to Azure Active Directory, the Azure portal provides you with two additional entry points to audit data:

  • Users and groups
  • Enterprise applications

Users and groups audit logs

With user and group-based audit reports, you can get answers to questions such as:

  • What types of updates have been applied to the users?

  • How many users were changed?

  • How many passwords were changed?

  • What has an administrator done in a directory?

  • What are the groups that have been added?

  • Are there groups with membership changes?

  • Have the owners of a group been changed?

  • What licenses have been assigned to a group or a user?

If you want to review only auditing data that is related to users, you can find a filtered view under Audit logs in the Monitoring section of the Users tab. This entry point has UserManagement as the preselected category.

If you want to review only auditing data that is related to groups, you can find a filtered view under Audit logs in the Monitoring section of the Groups tab. This entry point has GroupManagement as the preselected category.

Enterprise applications audit logs

With application-based audit reports, you can get answers to questions such as:

  • What applications have been added or updated?
  • What applications have been removed?
  • Has a service principal for an application changed?
  • Have the names of applications been changed?
  • Who gave consent to an application?

If you want to review audit data related to your applications, you can find a filtered view under Audit logs in the Activity section of the Enterprise applications blade. This entry point has Enterprise applications preselected as the Application Type.

Office 365 activity logs

You can view Office 365 activity logs from the Microsoft 365 admin center. Even though Office 365 activity and Azure AD activity logs share a lot of the directory resources, only the Microsoft 365 admin center provides a full view of the Office 365 activity logs.

You can also access the Office 365 activity logs programmatically by using the Office 365 Management APIs.
