MicrosoftDocs / entra-docs

This is the public repo for Microsoft Entra documentation
MIT License

Some audit log activities are not descriptive #363

Closed gabbsmo closed 2 months ago

gabbsmo commented 4 months ago

Today I noticed the activity Features_GetFeaturesAsync in the GroupManagement category of the audit log. It looks like it was initiated by a user, but I have no idea what this activity is exactly. This is just one example. Many of the activities listed on this page could use a good description.



Naveenommi-MSFT commented 4 months ago

@gabbsmo Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT commented 4 months ago

@gabbsmo Thank you for bringing this to our attention. I've delegated this to content author @shlipsey3, who will review it and offer their insightful opinions.

Naveenommi-MSFT commented 4 months ago

@shlipsey3 Please review it.

shlipsey3 commented 4 months ago

Hi - thanks for your feedback. This article is notoriously difficult to maintain and improve. It changes frequently and contains over 1000 activities. We've been adding descriptions in the paragraph before each table, but they're minimal. I'll see if I can get more information on the particular activity you referenced and see what I can add.

Because of conflicting priorities, I can't provide an estimate on when this change will be incorporated.

If you have a moment, can you provide some activities that you often look up and are stumped by? I can focus my attention there.

Thanks! Sarah

gabbsmo commented 4 months ago

So far it has only been the GroupManagement activities that start with Feature_. I have no idea what a feature is in the context of Entra ID or how it can be initiated by a user (that is not a group owner).

shlipsey3 commented 4 months ago

Good to know - thanks! I'm trying to track that information down.

gabbsmo commented 3 months ago

Yesterday this event Features_GetFeaturesAsync was initiated 4 times by a user within a few minutes after that same user initiated an app role assignment. Not sure if this means that the event is a side effect of app role assignments.

shlipsey3 commented 3 months ago

That's good to know! I'm still tracking this information down. I'll share that bit with my contact to see if that helps.

Also - your question came in around the same time as another question around cryptic activity descriptions. We're working on providing better onboarding requirements for teams to use better language. The audit logs ingest SO much information from every team/feature - so there's a lot of cooks in the kitchen. I'm hopeful that we see some improvements soon! Thanks again!

gabbsmo commented 3 months ago

GroupsODataV4_Get is another one. 4 occurrences before and after a group was created. All events initiated by the same user.

shlipsey3 commented 3 months ago

Noted. I got pulled in a different direction for a bit the last couple of weeks, but I'll continue to track down the answers. Thanks for continuing to gather notes.

shlipsey3 commented 2 months ago

Hi @gabbsmo - I found a little information on your first question. This came from the engineering team:

Features_IsFeatureEnabledAsync is logged by Self-Service Group Management (SSGM) service, when there is a request to SSGM to query if a feature like MyApps, Mygroups, MyStaff or ConvergedUX is enabled for a certain user. This normally occurs when a user accesses MyApps or MyGroups portal. The Portal UX would call into SSGM service to check if the feature is enabled. This activity is logged by backend service when a user signs into MyApps/MyGroups portal. It doesn't indicate whether the user is compromised or not, also it doesn't indicate if the user has access or made any changes to the directory.

So that seems to align with how it appeared after a user initiated an app role assignment. It's a backend service checking if the self-service group management service is enabled.

I'll try and get some updates added to the article to provide some context. I'm still looking for answers on the most recent activity.

shlipsey3 commented 2 months ago

I added some notes to the paragraph preceding the related table in the audit activities article. I provided the notes to the product group. We're going to look into a couple things, including why background processes like the ones you mentioned are surfacing in the audit logs. We're also going to try and update some of these cryptic activities to be more user friendly.

Please note - we're phasing out GitHub issues as our main source for docs feedback. The tool we're moving to doesn't allow back and forth communication like we have here. It might be added at some point. But please continue to provide feedback as I'll be reviewing it in the new tool.

I'll close this thread, but please feel free to create a new one if you need. Thanks so much!!

shlipsey3 commented 2 months ago

please-close

gabbsmo commented 2 months ago

@shlipsey3 Sorry for writing again on this closed issue but it came up again in the logs and I have more questions.

> Features_IsFeatureEnabledAsync is logged by Self-Service Group Management (SSGM) service, when there is a request to SSGM to query if a feature like MyApps, Mygroups, MyStaff or ConvergedUX is enabled for a certain user. This normally occurs when a user accesses MyApps or MyGroups portal.

If it is like you said, that this is about MyApps etc., why is it categorized as Group Management?

You mention that this is a query; AADOperationType is Update, however, implying that something was actually changed. Is that correct? I want to include changes to groups in my alerts, but would like to exclude read operations as these are mostly noise in our case.
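
The filtering problem raised in this comment, as an added example that is not part of the GitHub thread or the Entra docs: a small Python filter over exported audit records that keeps real GroupManagement changes for alerting and drops the backend checks named in the thread (Features_* and GroupsODataV4_Get). The record shape follows the Microsoft Graph directoryAudit resource (activityDisplayName, category, operationType, targetResources[].modifiedProperties); the sample records are constructed, and treating an empty modifiedProperties list as "nothing changed" is an assumption of this example, not something the thread or the docs state.

```python
"""Filter exported Entra audit records so that alerts fire on group changes
but not on read-style background checks.

Added example, not part of the GitHub thread or the Entra docs. The record
shape follows the Microsoft Graph directoryAudit resource; the sample
records below are constructed, not real exported data, and the "background
activity" prefixes are the activities named in the thread.
"""
from __future__ import annotations

import json

# Activities the thread identified as backend checks logged under
# GroupManagement even though they change nothing in the directory.
BACKGROUND_ACTIVITY_PREFIXES = ("Features_", "GroupsODataV4_Get")

# operationType values that can represent a real directory change.
CHANGE_OPERATION_TYPES = {"Add", "Update", "Delete", "Assign", "Unassign"}


def is_background_activity(record: dict) -> bool:
    """True for the noisy backend checks called out in the thread."""
    name = record.get("activityDisplayName", "")
    return name.startswith(BACKGROUND_ACTIVITY_PREFIXES)


def has_modified_properties(record: dict) -> bool:
    """Assumption used here: a real change carries at least one
    modifiedProperties entry on some target resource."""
    for target in record.get("targetResources", []):
        if target.get("modifiedProperties"):
            return True
    return False


def is_group_change(record: dict) -> bool:
    """Keep only GroupManagement events that actually changed something."""
    if record.get("category") != "GroupManagement":
        return False
    if record.get("operationType") not in CHANGE_OPERATION_TYPES:
        return False
    if is_background_activity(record):
        return False
    return has_modified_properties(record)


def select_alertable(records: list[dict]) -> list[str]:
    """Return the activityDisplayName of each record worth alerting on."""
    return [r["activityDisplayName"] for r in records if is_group_change(r)]


# Constructed sample export: one real change, two noisy backend checks.
# The user name and the GUID are placeholders, not real tenant data.
SAMPLE_EXPORT = json.loads("""
[
  {"activityDisplayName": "Add member to group", "category": "GroupManagement",
   "operationType": "Assign", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
   "targetResources": [{"type": "User", "modifiedProperties": [
     {"displayName": "Group.ObjectID", "oldValue": null,
      "newValue": "\\"00000000-0000-0000-0000-000000000000\\""}]}]},
  {"activityDisplayName": "Features_IsFeatureEnabledAsync",
   "category": "GroupManagement", "operationType": "Update",
   "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
   "targetResources": [{"type": "Other", "modifiedProperties": []}]},
  {"activityDisplayName": "GroupsODataV4_Get", "category": "GroupManagement",
   "operationType": "Update", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
   "targetResources": []}
]
""")

if __name__ == "__main__":
    for name in select_alertable(SAMPLE_EXPORT):
        print("ALERT:", name)
```

The second record shows the point of the thread: its operationType is Update even though nothing was modified, so filtering on AADOperationType alone would still alert on it; the name prefix list and the modifiedProperties check are what remove it.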

shlipsey3 commented 2 months ago

It's all good!

So to clarify - you're looking for a way to differentiate between operations and actual changes?

I'll pass on the feedback about the self-service actions for MyApps being included in the Group management category.

gabbsmo commented 2 months ago

> So to clarify - you're looking for a way to differentiate between operations and actual changes?

Between read operations and actual changes yes.

Thanks.