The query for AZT402 - Elevated Access Toggle does not appear to be valid.
AuditLogs | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'
In my testing these 'Directory Activity' logs are not exported to AuditLogs (nor to ActivityLogs). I am engaging support but fear the answer is that these logs are not currently exportable.
@bradb2145 we were dealing with the same problem. We fixed this by fetching data from the API and pushing them to a custom table. We run an analytic rule on the custom table.
Edit: Support seems to concur that these logs are not currently exportable. I have found that you can at least retrieve these events from the Tenant Activity API endpoint https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs/list?view=rest-monitor-2015-04-01&tabs=HTTP
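A sketch of the workaround discussed in this thread, as an added example that is not code from any participant or from the project: it builds the Tenant Activity Logs request URL and flattens elevated-access events from a response page into rows for a custom table. The row column names and the sample response are constructed for illustration; the operation name `Microsoft.Authorization/elevateAccess/action` is the one that carries the display name 'Assigns the caller to User Access Administrator role'.

```python
import json
from urllib.parse import quote

# Tenant Activity Logs - List endpoint (api-version 2015-04-01, as linked above).
BASE = ("https://management.azure.com/providers/Microsoft.Insights"
        "/eventtypes/management/values")
ELEVATE_OP = "Microsoft.Authorization/elevateAccess/action"

def build_url(since_iso):
    """URL for one poll; since_iso is the newest timestamp already collected."""
    flt = f"eventTimestamp ge '{since_iso}'"
    return f"{BASE}?api-version=2015-04-01&$filter={quote(flt)}"

def elevate_rows(page):
    """Flatten elevateAccess events from one response page into table rows."""
    rows = []
    for ev in page.get("value", []):
        op = ev.get("operationName") or {}
        if (op.get("value") or "").lower() != ELEVATE_OP.lower():
            continue
        rows.append({  # column names are hypothetical, pick your own schema
            "TimeGenerated": ev.get("eventTimestamp"),
            "Caller": ev.get("caller"),
            "OperationName": op.get("value"),
            "ActivityDisplayName": op.get("localizedValue"),
            "Status": (ev.get("status") or {}).get("value"),
            "CallerIp": (ev.get("httpRequest") or {}).get("clientIpAddress"),
            "CorrelationId": ev.get("correlationId"),
        })
    return rows

# Constructed sample response page (not real tenant data).
SAMPLE = json.loads("""{"value": [
  {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "admin@example.com",
   "operationName": {"value": "Microsoft.Authorization/elevateAccess/action",
     "localizedValue": "Assigns the caller to User Access Administrator role"},
   "status": {"value": "Succeeded"}, "correlationId": "00000000-aaaa",
   "httpRequest": {"clientIpAddress": "203.0.113.7"}},
  {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": "ops@example.com",
   "operationName": {"value": "Microsoft.Management/managementGroups/write"},
   "status": {"value": "Succeeded"}, "correlationId": "00000000-bbbb"}
]}""")

if __name__ == "__main__":
    print(build_url("2024-01-01T00:00:00Z"))
    for row in elevate_rows(SAMPLE):
        print(json.dumps(row))
```

When polling the live endpoint, follow `nextLink` in each response until it is absent, and deduplicate on `CorrelationId` plus `Status` if poll windows overlap.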