Entra ID groups inspector: a Log Analytics dashboard for tracking changes to groups
In this post I will show you a Log Analytics dashboard that lets you monitor Entra ID groups. You can see groups created or removed, members added to or removed from a group, and owners added to or removed from a group.
The solution
Group audit information is located by default in the AuditLogs log in Log Analytics.
The workbook I share uses this log to show data.
See more info about this log here.
What does it show?
In the report you can see, for a specific time range (last x days):
- List of groups created, with date and by whom
- List of groups deleted, with date and by whom
- Members added to a group, with date and by whom
- Members removed from a group, with date and by whom
- Owners added to a group, with date and by whom
- Owners removed from a group, with date and by whom
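The six views above can be reproduced directly against the AuditLogs log. The query below is an added example, not the workbook's own query; it assumes the standard AuditLogs columns and Entra ID activity names, and the `lookback` value and output column names are chosen here for illustration.

```kusto
// Added example, not the workbook's own query. Assumes the standard AuditLogs schema.
let lookback = 7d;  // assumed time range; the workbook exposes this as a parameter
let lifecycleOps = dynamic(["Add group", "Delete group"]);
let membershipOps = dynamic(["Add member to group", "Remove member from group",
                             "Add owner to group", "Remove owner from group"]);
let events = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Result =~ "success"
    | where OperationName in (lifecycleOps) or OperationName in (membershipOps)
    // The actor is a user or, for automated changes, an application
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName)),
             Target = TargetResources[0];
// Group created or deleted: the first target resource is the group itself
let lifecycle = events
    | where OperationName in (lifecycleOps)
    | project TimeGenerated, OperationName, Actor,
              GroupName = tostring(Target.displayName), Principal = "", PrincipalType = "";
// Member or owner changed: the first target resource is the member or owner, and the
// group name sits in modifiedProperties (newValue on add, oldValue on remove)
let membership = events
    | where OperationName in (membershipOps)
    | mv-expand Prop = Target.modifiedProperties
    | where tostring(Prop.displayName) == "Group.DisplayName"
    // Values are JSON-quoted strings, so strip the quotes before picking one
    | extend GroupName = coalesce(trim('"', tostring(Prop.newValue)),
                                  trim('"', tostring(Prop.oldValue)))
    | project TimeGenerated, OperationName, Actor, GroupName,
              Principal = coalesce(tostring(Target.userPrincipalName),
                                   tostring(Target.displayName), tostring(Target.id)),
              PrincipalType = tostring(Target.type);  // User, Device, ...
union lifecycle, membership
| sort by TimeGenerated desc
```

Rows where `Actor` is an application rather than a user principal name come from automated changes, which is worth separating when reviewing additions to privileged groups.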
How to get it?
Click on the below GitHub picture to get the dashboard.
Add the workbook
In this part we will add the report.
The report can be downloaded from my GitHub, here.
The report is the file: Workbook.json
To add it, proceed as below:
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to workbooks
4. Click on New
5. Go to Advanced editor
6. Remove all content
7. Go to the GitHub link, there
8. Click on the copy button
9. Click on Apply
10. Click on Done editing then Save
To show content from your workspace, a parameter must be set.
For that proceed as below:
1. Click on Edit
2. Go to the WorkspaceName parameter
3. Type the name of the workspace (the one that contains AuditLogs log)
If there is no workspace selected, you will have the below warning:
To show members and owners for a group, type or select the group name in the Group name parameter.
What does it look like?
The dashboard contains three tabs:
- Creation/Deletion
- Group members
- Group owners
Two parameters are available:
- Group name
- Time range
Creation/Deletion
Count of groups created or deleted during the time range.
List of groups created or deleted during the time range.
You can filter on action: group added or removed.
Group members
The prerequisite is to select at least one group.
Count of members added in the group or removed from the group during the time range.
List of members added in the group or removed from the group during the time range.
You can filter on action: members added or removed.
You can filter on member type: users or devices.
Group owners
Count of owners added to the group or removed from the group during the time range.
List of owners added to the group or removed from the group during the time range.
You can filter on action: owners added or removed.