I can see more AAD audit log activity types on Portal than documents

[aaaaasam]

The issues service or technology

• Service Name -> Azure AD
• Issue name -> I can see more AAD audit log activity types on Portal than documents

The issues documentation link

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/reports-monitoring/reference-audit-activities.md

Auditlog activity list obtained on Portal

User deleted security info User registered security info User updated security info A self-service sign up request was completed Accept Terms Of Use Access review ended Add AuthenticationContextClassReference Add BitLocker key Add CertificateBasedAuthConfiguration Add Connector Group Add Device from DeviceTemplate Add DeviceTemplate Add EligibleRoleAssignement to RoleDefinition Add Entitlement Management role assignment Add FIDO2 security key Add PrivateEndpoint Add PrivateLinkResource Add Windows Hello for Business credential Add a Connector to Connector Group Add a deletion-marked app role assignment grant to group as part of link removal Add a deletion-marked app role assignment grant to service principal as part of link removal Add a deletion-marked app role assignment grant to user as part of link removal Add a group to feature rollout Add a partner to cross-tenant access setting Add administrative unit Add agreement Add an attribute set Add app role assignment grant to user Add app role assignment to group Add app role assignment to service principal Add application Add application SSL certificate Add blocked user Add bypass user Add conditional access policy Add contact Add custom security attribute definition in an attribute set Add delegated permission grant Add device Add device configuration Add eligible member to role Add eligible member to role in PIM canceled (permanent) Add eligible member to role in PIM canceled (renew) Add eligible member to role in PIM canceled (timebound) Add eligible member to role in PIM completed (permanent) Add eligible member to role in PIM completed (timebound) Add eligible member to role in PIM requested (permanent) Add eligible member to role in PIM requested (renew) Add eligible member to role in PIM requested (timebound) Add execution conditions Add group Add kerberos domain Add label Add member to administrative unit Add member to group Add member to restricted management administrative unit Add member to role Add member to role approval requested (PIM activation) Add member to role canceled (PIM activation) Add member to role completed (PIM activation) Add member to role in PIM canceled (permanent) Add member to role in PIM canceled (renew) Add member to role in PIM canceled (timebound) Add member to role in PIM completed (permanent) Add member to role in PIM completed (timebound) Add member to role in PIM requested (permanent) Add member to role in PIM requested (renew) Add member to role in PIM requested (timebound) Add member to role outside of PIM (permanent) Add member to role request approved (PIM activation) Add member to role request denied (PIM activation) Add member to role requested (PIM activation) Add member to role scoped over Restricted Management Administrative Unit Add named location Add owner to application Add owner to group Add owner to policy Add owner to service principal Add partner to company Add passwordless phone sign-in credential Add permission grant policy Add policy Add policy to application Add policy to service principal Add provisioning configuration Add registered owner to device Add registered users to device Add role assignment to role definition Add role definition Add role from template Add scoped member to role Add service principal Add service principal credentials Add sharedEmailDomainInvitation Add task to workflow Add unverified domain Add user Add user to feature rollout Add users strong authentication phone app detail Add v2 application permissions Add verified domain Add workflow version Admin deleted security info Admin registered security info Admin started password reset Admin updated security info Administrator directly assigns user to access package Administrator directly removes user access package assignment An API was called as part of a user flow Apply decision Apply review Approval stage completed for access package assignment request Approve a pending request to join a group Approve access package assignment request Approve all requests in business flow Approve decision Approve request - direct role assignment Assign Hardware Oath Token Assign label to group Assign user as external sponsor Assign user as internal sponsor Authentication Methods Policy Reset Authentication Methods Policy Update Authentication Strength Combination Configuration Create Authentication Strength Combination Configuration Delete Authentication Strength Combination Configuration Update Authentication Strength Policy Create Authentication Strength Policy Delete Authentication Strength Policy Update Auto Review Auto apply review Auto approve access package assignment request Autorenew group Blocked from self-service password reset Bulk Approve decisions Bulk Deny decisions Bulk Reset decisions Bulk add authentication devices - finished (bulk) Bulk add members to administrative unit - finished (bulk) Bulk add members to administrative unit - started (bulk) Bulk create users - finished (bulk) Bulk create users - started (bulk) Bulk delete users - finished (bulk) Bulk delete users - started (bulk) Bulk download hardware tokens - finished (bulk) Bulk download hardware tokens - started (bulk) Bulk import group members - finished (bulk) Bulk import group members - started (bulk) Bulk invite users - finished (bulk) Bulk invite users - started (bulk) Bulk mark decisions as don't know Bulk remove group members - finished (bulk) Bulk remove group members - started (bulk) Bulk remove members from administrative unit - finished (bulk) Bulk remove members from administrative unit - started (bulk) Bulk restore deleted users - finished (bulk) Bulk restore deleted users - started (bulk) Bulk upload Hardware Oath Token Cancel a pending request to join a group Cancel access package assignment request Cancel application update with safe rollout Cancel request Cancel request for role removal Cancel request for role update Change password (self-service) Change user license Change user password Check whether the resource name is available Clear block on user Complete application update after safe rollout ConfirmAccountCompromised ConfirmCompromised ConfirmSafe ConfirmServicePrincipalCompromised Consent to application Convert federated user to managed Create Api connector Create Company Create ExternalUserProfile Create Hardware Oath Token Create Identity Provider Create PendingExternalUserProfile Create Terms Of Use Create a partner cross-tenant identity sync setting Create access package Create access package assignment policy Create access package assignment user update request Create access package catalog Create access review Create application collection Create application password for user Create authenticationEventListener Create authenticationEventsFlow Create business flow Create company Create company settings Create connected organization Create custom extension Create custom identity provider Create custom policy Create custom task extension Create customAuthenticationExtension Create governance policy template Create group settings Create identity provider Create incompatible access package Create incompatible group Create lifecycle management policy Create or update a B2C directory resource Create or update a B2C directory tenant and resource Create or update a CIAM directory tenant and resource Create or update a Guest Usages resource Create or update localized resource Create policy key Create program Create request Create resource environment Create resource remove request Create resource request Create rollout policy for feature Create starter pack Create user attribute Create user flow Create v2 application Create workflow DELETE Subscription.DeleteProviders DELETE Tenant.DeleteAgentStatuses DELETE Tenant.DeleteCaches DELETE Tenant.DeleteGreetings Deactivate PIM alert Decline Terms Of Use Delete Api connector Delete AuthenticationContextClassReference Delete B2C Tenant where the caller is an administrator Delete B2C directory resource Delete BitLocker key Delete CIAM directory resource Delete CertificateBasedAuthConfiguration Delete Connector Group Delete Consent Delete DeviceTemplate Delete ExternalUserProfile Delete FIDO2 security key(s) Delete Guest Usages resource Delete Hardware Oath Token Delete Identity Provider Delete PendingExternalUserProfile Delete PrivateEndpoint Delete PrivateLinkResource Delete SSL binding Delete Terms Of Use Delete Windows Hello for Business credential Delete a partner cross-tenant identity sync setting Delete a pending request to join a group Delete access package Delete access package assignment for a deleted user Delete access package assignment policy Delete access package assignment request Delete access package assignment request for a deleted user Delete access package catalog Delete access review Delete administrative unit Delete agreement Delete all available strong authentication devices Delete application Delete application collection Delete application password for user Delete approvals Delete authenticationEventListener Delete authenticationEventsFlow Delete business flow Delete company allowed data location Delete company settings Delete conditional access policy Delete connected organization Delete contact Delete custom extension Delete custom policy Delete custom task extension Delete customAuthenticationExtension Delete device Delete device configuration Delete external user Delete governance policy template Delete group Delete group settings Delete identity provider Delete incompatible access package Delete incompatible group Delete kerberos domain Delete label Delete lifecycle management policy Delete localized resource Delete named location Delete partner specific cross-tenant access setting Delete passwordless phone sign-in credential Delete permission grant policy Delete policy Delete policy key Delete pre-created device Delete provisioning configuration Delete request Delete role definition Delete rollout policy of feature Delete subscription Delete user Delete user attribute Delete user flow Delete v2 application Delete v2 application permission grant Delete workflow Demote partner Deny access package assignment request Deny all decisions Deny all requests in business flow Deny decision Device no longer compliant Device no longer managed Directory deleted Directory deleted permanently Directory scheduled for deletion (Lifecycle) Directory scheduled for deletion (UserRequest) Disable Desktop Sso Disable Desktop Sso for a specific domain Disable PIM alert Disable Strong Authentication Disable account Disable application proxy Disable passthrough authentication Disable password writeback for directory Disable task Disable workflow Disable workflow schedule Disable/pause provisioning configuration Dismiss recommendation DismissServicePrincipal DismissUser Don't know decision Download devices - finished (bulk) Download devices - started (bulk) Download group members - finished (bulk) Download group members - started (bulk) Download groups - finished (bulk) Download groups - started (bulk) Download registration and reset events - finished (bulk) Download registration and reset events - started (bulk) Download role assignments - finished (bulk) Download role assignments - started (bulk) Download service principals - finished (bulk) Download service principals - started (bulk) Download user registration details - finished (bulk) Download user registration details - started (bulk) Download users - finished (bulk) Download users - started (bulk) Edit Terms Of Use Email not sent, user unsubscribed Email subscribed Email unsubscribed Enable Desktop Sso Enable Desktop Sso for a specific domain Enable PIM alert Enable Strong Authentication Enable account Enable application proxy Enable passthrough authentication Enable password writeback for directory Enable task Enable workflow Enable workflow schedule Enable/restart provisioning configuration Enable/start provisioning configuration Entitlement Management creates access package assignment request for user Entitlement Management removes access package assignment request for user Evaluate conditional access policies Exchange token Execute custom extension Export Export summary data - finished (bulk) Export summary data - started (bulk) Extend access package assignment Failed access package assignment request Federate with an identity provider Finish applying group based license to users Fraud reported - no action taken Fraud reported - user is blocked for MFA Fulfill access package assignment request Fulfill access package resource assignment Generate key Generate one time password Get Api connector Get Api connectors Get B2C Tenants where the caller is an administrator Get B2C directory resource Get B2C directory resources in a resource group Get B2C directory resources in a subscription Get CIAM directory resource Get CIAM directory resources in a resource group Get CIAM directory resources in a subscription Get Guest Usages resource Get Guest Usages resources in a resource group Get Guest Usages resources in a subscription Get Identity Provider Get Identity Providers Get OnAttributeCollectionStartCustomExtension Get OnAttributeCollectionSubmitCustomExtension Get OnPageRenderStartCustomExtension Get active key metadata from policy key Get age gating configuration Get authentication flows policy Get authenticationEventListener Get authenticationEventListeners Get authenticationEventsFlow Get authenticationEventsFlows Get available output claims Get available strong authentication devices Get configured custom identity providers Get configured identity providers Get configured local identity providers Get cross-cloud verification code for domain Get custom domains Get custom identity provider Get custom policies Get custom policy Get custom policy metadata Get customAuthenticationExtension Get customAuthenticationExtensions Get identity provider Get identity provider types Get identity providers Get list of tenants Get localized resource Get operation status for an async operation Get operations of Microsoft.AzureActiveDirectory resource provider Get policy key Get policy keys Get resource properties of a tenant Get supported cultures Get supported identity providers Get supported page contracts Get tenant details Get tenant domains Get the authenticationEventsPolicy Get user attribute Get user attributes Get user flow Get user flows Get v1 and v2 applications Get v1 application Get v1 applications Get v2 application Get v2 applications Grant contextual consent to application Hard Delete ExternalUserProfile Hard Delete PendingExternalUserProfile Hard Delete administrative unit Hard Delete application Hard Delete group Hard Delete policy Hard Delete user Hard delete agreement Hard delete service principal Hard delete workflow Import Initialize tenant Invitation Email Invite external user Invite external user with reset invitation status Invite internal user to B2B collaboration Issue a SAML assertion to the application Issue an access token to the application Issue an authorization code to the application Issue an id_token to the application Link program control Make phone call to verify phone number Mark recommendation as complete Migrated partner cross-tenant access settings to the scalable model Move resources Offboarded resource from PIM On-demand workflow execution completed Onboarded resource to PIM Other PATCH Tenant.Patch PATCH Tenant.PatchCaches PATCH Tenant.PatchReplication PATCH UserAuthMethod.PatchSignInPreferencesAsync PIM activation request expired POST SoundFile.Post POST Subscription.CreateProvider POST Subscription.CreateSubscription POST Tenant.CreateBlockedUser POST Tenant.CreateBypassedUser POST Tenant.CreateCacheConfig POST Tenant.CreateGreeting POST Tenant.CreateOemTenant POST Tenant.CreateTenant POST Tenant.GenerateNewActivationCredentials POST Tenant.RemoveBlockedUser POST Tenant.RemoveBypassedUser Partially fulfill access package assignment request Patch local administrator password metadata Postpone recommendation Pre-create device Process escrow Process request Process role removal request Process role update request Promote company to partner Promote sub domain to root domain Quarantine Read BitLocker key Ready to fulfill access package assignment request Redeem external user invite Refresh PIM alert Register TOTP secret Register connector Register device Reject a pending request to join a group Remediate user Remove EligibleRoleAssignement from RoleDefinition Remove Entitlement Management role assignment Remove a group from feature rollout Remove access package resource assignment Remove app role assignment from group Remove app role assignment from service principal Remove app role assignment from user Remove bypassed user Remove delegated permission grant Remove eligible member from role Remove eligible member from role in PIM completed (permanent) Remove eligible member from role in PIM completed (timebound) Remove eligible member from role in PIM requested (permanent) Remove eligible member from role in PIM requested (timebound) Remove label from group Remove member from administrative unit Remove member from group Remove member from restricted management administrative unit Remove member from role Remove member from role (PIM activation expired) Remove member from role completed (PIM deactivate) Remove member from role in PIM completed (permanent) Remove member from role in PIM completed (timebound) Remove member from role in PIM requested (permanent) Remove member from role in PIM requested (timebound) Remove member from role requested (PIM deactivate) Remove member from role scoped over Restricted Management Administrative Unit Remove owner from application Remove owner from group Remove owner from policy Remove owner from service principal Remove partner from company Remove permanent direct role assignment Remove permanent eligible role assignment Remove policy credentials Remove policy from application Remove policy from service principal Remove registered owner from device Remove registered users from device Remove role assignment from role definition Remove scoped member from role Remove service principal Remove service principal credentials Remove sharedEmailDomain Remove sharedEmailDomainInvitation Remove task from workflow Remove unverified domain Remove user as external sponsor Remove user as internal sponsor Remove user from feature rollout Remove users strong authentication phone app detail Remove verified domain Renew group Reprocess access package assignment Reprocess access package assignment request Request approved Request denied Request expired Request to join a group Reset decision Reset password (by admin) Reset password (self-service) Reset the cross-tenant access default setting Reset user password Resolve PIM alert Restore Administrative Unit Restore ExternalUserProfile Restore Group Restore application Restore kerberos domain Restore policy key Restore service principal Restore user Restore workflow Retrieve v2 application permissions grants Retrieve v2 application service principals Reveal local administrator password Revoke consent Role definition created Schedule Add sharedEmailDomain Schedule Remove sharedEmailDomain Schedule a future access package assignment Scheduled workflow execution completed Scheduled workflow execution started Security info saved for self-service password reset Self-service password reset flow activity progress Send SMS to verify phone number Send verification email Set Company Information Set DirSync feature Set DirSyncEnabled flag Set Partnership Set accidental deletion threshold Set company allowed data location Set company multinational feature enabled Set device registration policies Set directory feature on tenant Set domain authentication Set dynamic group properties Set federation settings on domain Set force change user password Set group license Set group to be managed by user Set password policy Set user manager Set users oath token metadata enabled Set verified publisher Set workflow for on-demand execution Start applying group based license to users Suspicious activity reported Synchronization rule action Tenant offboarded from PIM Trigger group license recalculation Triggered PIM alert Unlink program control Unlock user account (self-service) Unregister device Unset verified publisher Update Api connector Update AuthenticationContextClassReference Update Connector Group Update ExternalUserProfile Update Hardware Oath Token Update Identity Provider Update NotificationSettings Update OnAttributeCollectionStartCustomExtension Update OnAttributeCollectionSubmitCustomExtension Update OnPageRenderStartCustomExtension Update PIM alert setting Update PendingExternalUserProfile Update PrivateLinkResource Update Sign-In Risk Policy Update StsRefreshTokenValidFrom Timestamp Update User Risk and MFA Registration Policy Update a B2C directory resource Update a CIAM directory resource Update a Guest Usages resource Update a partner cross-tenant access setting Update a partner cross-tenant identity sync setting Update access package Update access package assignment policy Update access package assignment request Update access package catalog Update access package catalog resource Update access review Update administrative unit Update age gating configuration Update agreement Update an attribute set Update application Update application collection Update application collection order Update application with safe rollout Update application – Certificates and secrets management Update attribute mappings or scope Update attribute values assigned to a servicePrincipal Update attribute values assigned to a user Update authentication flows policy Update authenticationEventListener Update authenticationEventsFlow Update authenticationEventsPolicy Update authorization policy Update business flow Update company Update company settings Update conditional access policy Update connected organization Update contact Update continuous access evaluation Update custom extension Update custom identity provider Update custom policy Update custom security attribute definition in an attribute set Update custom task extension Update customAuthenticationExtension Update device Update device configuration Update domain Update eligible member in PIM canceled (extend) Update eligible member in PIM requested (extend) Update execution conditions Update external secrets Update governance policy template Update group Update group settings Update identity provider Update kerberos domain Update label Update lifecycle management policy Update local administrator password Update local identity provider Update member in PIM approved by admin (extend/renew) Update member in PIM canceled (extend) Update member in PIM denied by admin (extend/renew) Update member in PIM requested (extend) Update mobility management policy Update named location Update partner directory settings Update permission grant policy Update policy Update policy key Update preview settings Update provisioning setting or credentials Update request Update request answers by approver Update role Update role definition Update role setting in PIM Update rollout policy of feature Update security defaults Update service principal Update sharedEmailDomain Update sharedEmailDomainInvitation Update subscription status Update task Update tenant setting Update tenant settings Update the company default cross-tenant access setting Update user Update user attribute Update user flow Update v2 application Update v2 application permission grant Update workflow Updated ConvergedUXV2 feature value Updated MyApps feature value Updated MyStaff feature value Updated SSPRConvergence feature value Updated SignInReports feature value Upload certificate to policy key Upload key to policy key Upload secret into policy key User Password Registration User Password Reset User Provisioning User cancelled security info registration User changed default security info User completed security info registration for self-service password reset User deleted security info User registered all required security info User registered security info User requests access package assignment User requests an access package assignment on behalf of service principal User requests to extend access package assignment User requests to remove access package assignment User reviewed security info User started password change User started password reset User started security info registration User started security info registration for self-service password reset Validate Client Credentials Validate customExtension authenticationConfiguration Validate local account credentials Validate move resources Validate user authentication Verify domain Verify email address Verify email verified domain Verify one time password Verify phone number Viral tenant creation Viral user creation confirmServicePrincipalCompromised dismissServicePrincipal started (bulk)

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: f93b9e06-06c7-696e-6a04-d90281ccee6c
• Version Independent ID: a6968723-641f-12f4-9e0a-ff237c546e56
• Content: Azure Active Directory (Azure AD) audit activity reference - Microsoft Entra
• Content Source: articles/active-directory/reports-monitoring/reference-audit-activities.md
• Service: active-directory
• Sub-service: report-monitor
• GitHub Login: @shlipsey3
• Microsoft Alias: sarahlipsey

[ManoharLakkoju-MSFT]

@aaaaasam Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

@aaaaasam Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly

[ManoharLakkoju-MSFT]

@shlipsey3 Can you please check and add your comments on this doc update request as applicable.

[shlipsey3]

Thank you for the feedback. We are currently looking into making improvements to this article. As you can tell, it's difficult to keep this article current with the portal. It can become out of date quickly. We're working through options that provide the most benefit to customers. Thanks!

[shlipsey3]

Hello - I have updated the article: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities

I'll continue to monitor things. We're working on providing more scenarios to share in the content. Thanks for your feedback!

[shlipsey3]

please-close