How to correlate audit logs of Privileged Identity Management in Azure? - azure-active-directory

I am looking for a way to bundle the individual log entries inside the Privileged Identity Management audit logs by the workflow they belong to.
Every action (like request -> approval -> completion) is a separate entry in the audit logs, and simply grouping by requester and role is not helpful, e.g. in case the same person requests something multiple times.
There is a CorrelationId field in every audit log entry, but it is not the same for all steps of the workflow.
I found this in the docs, but that is not helpful for automatic processing:
Typically, the log event immediately above the approval event is an event for "Add member to role completed" where the Initiated by (actor) is the requester. In most cases, you won't need to find the requester in the approval request from an auditing perspective.
Is there another way that I am overlooking?

You could do that by using the Request Id from the Target(s). All actions (request->approval->completion) use the same Request Id.
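What the answer describes, worked through in Python as an added example (not code from the question or answer): bundle directoryAudit entries by the Request Id found in their target resources rather than by correlationId. The sample entries are constructed, and the assumption that the Request Id is the targetResources entry of type "Request" is an assumption about the log shape, not something the answer states.

```python
from collections import defaultdict

# Constructed sample of Azure AD directoryAudit entries for PIM, not real tenant
# data. Field names follow the Graph directoryAudit resource. Assumption: the
# "Request Id" shown in the portal's Target(s) column is carried as the
# targetResources entry of type "Request". Every step has a different
# correlationId, so correlationId cannot bundle a workflow.
SAMPLE_AUDIT_LOGS = [
    {"id": "a1", "activityDateTime": "2024-05-01T08:00:00Z",
     "activityDisplayName": "Add member to role requested (PIM activation)",
     "correlationId": "c-111",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "req-0001", "type": "Request", "displayName": "alice@contoso.example"}]},
    {"id": "a2", "activityDateTime": "2024-05-01T08:03:00Z",
     "activityDisplayName": "Add member to role request approved (PIM activation)",
     "correlationId": "c-222",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "req-0001", "type": "Request", "displayName": "alice@contoso.example"}]},
    {"id": "a3", "activityDateTime": "2024-05-01T08:03:05Z",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "correlationId": "c-333",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "req-0001", "type": "Request", "displayName": "alice@contoso.example"}]},
    # Same requester, same role, a second request: only request + approval so far.
    {"id": "a4", "activityDateTime": "2024-05-01T17:00:00Z",
     "activityDisplayName": "Add member to role requested (PIM activation)",
     "correlationId": "c-444",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "req-0002", "type": "Request", "displayName": "alice@contoso.example"}]},
    {"id": "a5", "activityDateTime": "2024-05-01T17:04:00Z",
     "activityDisplayName": "Add member to role request approved (PIM activation)",
     "correlationId": "c-555",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "req-0002", "type": "Request", "displayName": "alice@contoso.example"}]},
    # A permanent assignment made outside PIM: no Request target, so it is not a
    # workflow step and must not be bundled with the activations.
    {"id": "a6", "activityDateTime": "2024-05-01T09:00:00Z",
     "activityDisplayName": "Add member to role",
     "correlationId": "c-666",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [
         {"id": "role-ga", "type": "Role", "displayName": "Global Administrator"},
         {"id": "user-carol", "type": "User", "userPrincipalName": "carol@contoso.example"}]},
]


def request_id_of(entry):
    """Return the PIM request id from targetResources, or None for non-PIM entries."""
    for target in entry.get("targetResources", []):
        if target.get("type") == "Request":
            return target.get("id")
    return None


def group_by_request(entries):
    """Bundle entries into workflows keyed by request id, each sorted by time."""
    workflows = defaultdict(list)
    for entry in entries:
        rid = request_id_of(entry)
        if rid is not None:
            workflows[rid].append(entry)
    for steps in workflows.values():
        steps.sort(key=lambda e: e["activityDateTime"])  # ISO-8601 UTC sorts lexically
    return dict(workflows)


def summarize_workflows(entries):
    """One record per workflow: requester (actor of the first step), role, ordered
    step names, who approved, and how many distinct correlationIds the steps carried."""
    summary = {}
    for rid, steps in group_by_request(entries).items():
        first = steps[0]
        role = next((t.get("displayName") for t in first["targetResources"]
                     if t.get("type") == "Role"), None)
        summary[rid] = {
            "requester": first["initiatedBy"]["user"]["userPrincipalName"],
            "role": role,
            "steps": [s["activityDisplayName"] for s in steps],
            "approvers": sorted({s["initiatedBy"]["user"]["userPrincipalName"]
                                 for s in steps if "approved" in s["activityDisplayName"]}),
            "distinct_correlation_ids": len({s["correlationId"] for s in steps}),
        }
    return summary


if __name__ == "__main__":
    for rid, info in summarize_workflows(SAMPLE_AUDIT_LOGS).items():
        print(rid, info)
```

The requester is taken from the first (requested) step rather than from the approval event, which is exactly the lookup the quoted docs say you would otherwise do by eye; the distinct_correlation_ids count shows why correlationId alone cannot do the bundling.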

Related

MS Call record subscription

I am setting up webhooks for Teams call records mentioned in https://learn.microsoft.com/en-us/graph/api/callrecords-callrecord-get?view=graph-rest-1.0&tabs=http .
My doubt is related to statement "Subscribe to change notifications to the /communications/callRecords endpoint.".
Can we use the same notification URL for multiple accounts with different tenant IDs?
Or can we use the same notification URL for completely different organizations?
There is no technical constraint preventing us from using the same webhook endpoint.
The webhook just needs to read the tenantId field to route notifications appropriately. Note that each tenant does need its own subscription, but they can all have the same notificationUrl.
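A shared notificationUrl routed on tenantId, as an added Python example that is not part of the answer. It is framework-free (the handler takes the parsed query and body and returns the response), handles the validationToken handshake Graph performs when each tenant creates its subscription, and checks each notification's clientState against the secret registered for that tenant before routing it. The tenant ids and secrets are placeholders.

```python
import hmac
from collections import defaultdict

# Constructed registry of tenants that created a callRecords subscription. Each
# tenant has its own subscription and its own clientState secret; the values
# here are placeholders, not real tenant ids or secrets.
TENANT_REGISTRY = {
    "aaaa1111-0000-0000-0000-000000000001": {"client_state": "cs-secret-tenant-a"},
    "bbbb2222-0000-0000-0000-000000000002": {"client_state": "cs-secret-tenant-b"},
}


class CallRecordWebhook:
    """One notificationUrl shared by every tenant, routed on the tenantId field."""

    def __init__(self, registry):
        self.registry = registry
        self.routed = defaultdict(list)   # tenantId -> list of callRecord resources
        self.dropped = []                 # (reason, tenantId) for rejected notifications

    def handle(self, query, body):
        """Process one inbound HTTP request; returns (status, content_type, text).

        query: URL query parameters as a dict; body: parsed JSON dict or None.
        """
        # Subscription validation: when a tenant creates its subscription, Graph
        # POSTs ?validationToken=... and expects the token echoed back as text/plain.
        token = query.get("validationToken")
        if token is not None:
            return 200, "text/plain", token
        for note in (body or {}).get("value", []):
            self._route(note)
        # Acknowledge with 2xx so Graph does not retry a notification we
        # deliberately discarded; the decision is recorded in self.dropped.
        return 202, "text/plain", ""

    def _route(self, note):
        tenant = note.get("tenantId")
        entry = self.registry.get(tenant)
        if entry is None:
            self.dropped.append(("unknown-tenant", tenant))
            return
        # clientState is the only evidence that the sender knows this tenant's
        # subscription secret: compare in constant time, per tenant, and never
        # route a notification that fails the check.
        if not hmac.compare_digest(str(note.get("clientState", "")), entry["client_state"]):
            self.dropped.append(("bad-client-state", tenant))
            return
        self.routed[tenant].append(note.get("resource"))


def demo():
    """Drive the handler with constructed requests; returns the webhook for inspection."""
    hook = CallRecordWebhook(TENANT_REGISTRY)
    tenant_a, tenant_b = list(TENANT_REGISTRY)
    # 1. validation handshake for a new subscription
    hook.handle({"validationToken": "Validation: abc"}, None)
    # 2. one POST carrying notifications from two tenants, one with the wrong
    #    tenant's clientState, and one from a tenant that never subscribed
    hook.handle({}, {"value": [
        {"subscriptionId": "sub-a", "tenantId": tenant_a, "clientState": "cs-secret-tenant-a",
         "changeType": "created", "resource": "communications/callRecords/rec-a-1"},
        {"subscriptionId": "sub-b", "tenantId": tenant_b, "clientState": "cs-secret-tenant-b",
         "changeType": "created", "resource": "communications/callRecords/rec-b-1"},
        {"subscriptionId": "sub-b", "tenantId": tenant_b, "clientState": "cs-secret-tenant-a",
         "changeType": "created", "resource": "communications/callRecords/rec-b-2"},
        {"subscriptionId": "sub-x", "tenantId": "cccc3333-0000-0000-0000-000000000003",
         "clientState": "whatever", "changeType": "created",
         "resource": "communications/callRecords/rec-x-1"},
    ]})
    return hook


if __name__ == "__main__":
    h = demo()
    print(dict(h.routed), h.dropped)
```

The resource string in a callRecords notification is only a pointer; the record itself is fetched afterwards from Graph with a token for that tenant, so routing on tenantId also decides which credentials the follow-up call uses.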

Not able to configure hotmail id with azure logic app

I have a simple azure logic app as follows.
Now I add a new action after the first one.
Select an email action.
Look for send email action
Now no matter what I do, I get this error:
Please check your account info and/or permissions and try again. Details: REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server. clientRequestId: 9295041e-4d27-4d7f-8ac7-9f90f1cc65ff serviceRequestId: 17c7df3b-7f07-6d27-4f7b-68a4475e9b55 More diagnostic information: x-ms-client-request-id is '51B43F16-6D7C-4BE7-9AE2-7B4A6B73BA49'.
I click Change Connection above and I see these increasing number of connection, and I find no way to delete them. See the last image at the bottom.
And when I click Save, I get this message.
Save logic app failed. Failed to save logic app vivek-logic-app. Some of the connections are not authorized yet. If you just created a workflow from a template, please add the authorized connections to your workflow before saving.
And finally when I click Api Connections, I find no connections to delete.
So two questions.
How to authorize a hotmail account to be used by an Azure Logic App
How to delete the unnecessary connections
OK, here it is after a good 3-hour PIA.
For the connections to manage (or delete), look at the resource group and not the Logic app.
And next, for the send email action, choose the Outlook.com connection and not Office 365 Outlook. Found the answer here. Mine is a personal account and not for work or school.
Once you setup this action successfully, you can take a look at this page for managing the connection access.

Bot Deletes Triggered Events from Server Log (Discord)

I recently made a server clock bot that tells the time based on a set timezone. Now the problem is that because the bot makes 3 actions per minute (creates a channel, changes permission to lock/unlock that channel, and deletes that channel), our server monitor person gets infested with these 3 messages every minute. Is there a way for this bot to find its own entries and remove them from the list? Or would this just cause it to make 4 entries but 3 get deleted? The log is being monitored via ProBot if that helps any and support at ProBot has said it is not possible on their end (interface level).
The Discord audit log is something nobody can change; it's intended like that. Nobody can take any administrative action without it being logged, so there's always a paper trail. The only partial solution is the filtering option in the audit log: you can't exclude users/categories, but at least you can select a single user/category and look at their/the category's actions without clutter.
What you could do is make your bot do its own audit logging in a channel, where it logs everything the audit log would log aside from your make-change-delete events

Trigger based on addition of User in Azure AD

I am looking for a mechanism to identify the users who are added in a specific group and trigger an action based on user addition event. Looks like people are still waiting for it to be available from Azure. The details could be found here
The solution that I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.
Is there any other better method?
You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, then alert on Azure AD activity log data. The query could be something like (just a sample, I have not tested it; and because there is some delay, the log will not be sent to the workspace immediately when the event happens):
AuditLogs
| where TimeGenerated >= ago(1h)
| where OperationName == "Add member to group"
Sample:
You could set the alert logic depending on your own requirements, e.g. "Whenever count of results in Custom log search log query for last 1 hour is greater than 0. Evaluated every 10 minutes.", and configure the action group, selecting the action type you want, like Email or webhook.
A better way would be to trigger an automation runbook based on an alert, based on a condition specific to that audit event. But I'm not sure adding a user is an audit event on the Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.
So you'd have to basically parse the events and figure out where you stopped last time based on time or something like that.
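The two answers above, combined into one added Python example that is not code from either answer: the workspace query from the first answer, extended with a group filter, plus the "figure out where you stopped last time" bookkeeping the second answer describes. Because the answer notes that logs reach the workspace with a delay, the poller re-queries an overlap window behind its watermark and deduplicates on the audit entry Id, so a late-arriving row is still caught and a row returned twice is reported once. The group id, the TargetResources shape (one User and one Group target) and the workspace rows are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical object id of the group being watched; not a real tenant value.
WATCHED_GROUP_ID = "11111111-2222-3333-4444-555555555555"
OPERATION = "Add member to group"


def build_query(group_id, since):
    """KQL for the AuditLogs table, extended from the answer's two-line query with
    a group filter and a start time the poller advances between runs."""
    start = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        "AuditLogs\n"
        f"| where TimeGenerated >= datetime({start})\n"
        f'| where OperationName == "{OPERATION}"\n'
        f'| where TargetResources has "{group_id}"\n'
        "| project TimeGenerated, Id, OperationName, InitiatedBy, TargetResources"
    )


def next_since(state, overlap=timedelta(minutes=30)):
    """Start time for the next query: the watermark minus an overlap window, so
    rows that reached the workspace late (ingestion delay) are still picked up."""
    if state["watermark"] is None:
        return datetime.now(timezone.utc) - timedelta(hours=1)
    return state["watermark"] - overlap


def detect_group_additions(rows, group_id, state, overlap=timedelta(minutes=30)):
    """Return the not-yet-reported additions to group_id and the updated state.

    state = {"watermark": datetime or None, "seen": {audit Id: TimeGenerated}}.
    Deduplicating on Id is what makes the overlap window safe: a row returned by
    two consecutive queries is reported once.
    """
    seen = dict(state["seen"])
    watermark = state["watermark"]
    events = []
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        if row["OperationName"] != OPERATION or row["Id"] in seen:
            continue
        # KQL 'has' is a term match over the whole dynamic column, so re-check
        # that the group id is really the Group target and not some other field.
        targets = row["TargetResources"]
        if not any(t.get("type") == "Group" and t.get("id") == group_id for t in targets):
            continue
        ts = datetime.fromisoformat(row["TimeGenerated"])
        user = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), None)
        events.append({"id": row["Id"], "when": ts, "user": user,
                       "actor": row["InitiatedBy"]["user"]["userPrincipalName"]})
        seen[row["Id"]] = ts
        if watermark is None or ts > watermark:
            watermark = ts
    # Forget ids older than the overlap window: the next query cannot return them.
    if watermark is not None:
        cutoff = watermark - overlap
        seen = {i: t for i, t in seen.items() if t >= cutoff}
    return events, {"watermark": watermark, "seen": seen}


def _row(rid, ts, upn, group, actor="admin@contoso.example"):
    """Constructed workspace row in the assumed AuditLogs shape."""
    return {"TimeGenerated": ts, "Id": rid, "OperationName": OPERATION,
            "InitiatedBy": {"user": {"userPrincipalName": actor}},
            "TargetResources": [
                {"id": f"user-{upn}", "type": "User", "userPrincipalName": upn},
                {"id": group, "type": "Group"}]}


# Constructed results of two consecutive polls (not real log data).
FIRST_POLL = [
    _row("e1", "2024-05-01T10:00:00+00:00", "alice@contoso.example", WATCHED_GROUP_ID),
    _row("e2", "2024-05-01T10:05:00+00:00", "bob@contoso.example",
         "99999999-0000-0000-0000-000000000000"),   # a different group
    _row("e3", "2024-05-01T10:07:00+00:00", "carol@contoso.example", WATCHED_GROUP_ID),
]
# The second poll starts at watermark - overlap, so it returns e3 again, plus e4,
# which happened at 10:03 but only reached the workspace after the first poll.
SECOND_POLL = [
    _row("e3", "2024-05-01T10:07:00+00:00", "carol@contoso.example", WATCHED_GROUP_ID),
    _row("e4", "2024-05-01T10:03:00+00:00", "dave@contoso.example", WATCHED_GROUP_ID),
]

if __name__ == "__main__":
    state = {"watermark": None, "seen": {}}
    for poll in (FIRST_POLL, SECOND_POLL):
        events, state = detect_group_additions(poll, WATCHED_GROUP_ID, state)
        print([e["id"] for e in events], "next query from", next_since(state))
    print(build_query(WATCHED_GROUP_ID, next_since(state)))
```

Compared with the portal alert rule ("count > 0 in the last hour, evaluated every 10 minutes"), which fires repeatedly for the same addition, this poller reports each audit entry exactly once and still tolerates ingestion delay up to the overlap window.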

How can I stop re-sending approvals when an item is rejected in ServiceNow

I have a SN question about workflow activities. Ideally, when a user in an approval group activity rejects the item, catalog tasks are re-opened and approvals re-sent. That works fine. However, in the event that another user rejects the item, we do not want to re-open catalog tasks and re-send approvals, i.e. loop over again. We just want to keep the comments from the second, third and so on approver. Any ideas on how to obtain this functionality?
So just to understand what you're trying to accomplish:
1 user rejects, all other users approve: loop
2 or more users reject: cancel request
The easiest way to do this might be to use the workflow scratchpad and a script in the approval activity.
If you run a 'condition based on a script' in your workflow activity for the approvals, you could write to the workflow scratchpad with the actual number of rejections. Then you could use an if block to govern what happens when you leave the activity.
Alternately, you could add a condition to the approval workflow activity itself; a third option, based on the two existing ones (you can view the contents of any workflow activity condition by double-clicking on it). This would also require 'condition based on a script' to be active.
