![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 60%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,394 questions
@Viktor Korokhov Greetings!
From the details you shared, I understand that you want to enforce restrictions on application registration for single tenant and get notified on such actions. You're on the right track with monitoring *Audit Logs *via Log Analytics to detect changes related to application registrations. The issue you're facing with empty signInAudience is likely due to the structure or specific details in the logs, and the query might need slight adjustments.
In the context of application registrations, the signInAudience refers to the audience of the app (who can use it). When you're trying to capture Single Tenant applications, you want to look for those with a signInAudience of AzureADMyOrg.
The reason you're getting an empty signInAudience field might be due to the specific way the data is structured in the TargetResources field. You may need to ensure you're correctly parsing the properties section of the TargetResources for the relevant details.
You may try the below query based on common usage patterns for auditing application registrations, focusing on signInAudience:
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName == "Add application" or OperationName == "Update application"
| extend appProperties = parse_json(tostring(TargetResources[0].properties))
| extend signInAudience = tostring(appProperties.signInAudience)
| where signInAudience == "AzureADMyOrg" // This will capture single tenant apps
| project TimeGenerated, OperationName, ActivityDisplayName, InitiatedBy, signInAudience
Important points to consider:
- Ensure you are parsing the properties of TargetResources correctly. The properties field in TargetResources is typically where you'll find the signInAudience information, but this can sometimes vary. Using parse_json should help to extract this field reliably.
- Ensure you're checking for the specific value AzureADMyOrg, which corresponds to Single Tenant applications.
- Make sure your Audit Logs are enabled and capturing the relevant Application Management events. Azure AD logs capture a wide variety of activities, and sometimes certain logs might not be captured depending on your logging configuration.
If you're still seeing empty fields, double-check that the TargetResources structure in the logs actually contains the signInAudience. In some cases, the field might be missing or named differently, and inspecting a raw log entry might provide clues.
You can inspect the raw log data by running a query like:
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName == "Add application" or OperationName == "Update application"
| limit 10
This will help you identify exactly where the signInAudience value is stored or if it's missing.
Once you have the correct query working and capturing Single Tenant app registrations, you can set up an alert in Azure Monitor to notify you whenever such an application is registered or updated.
To create an alert:
- In the Log Analytics workspace, go to the Alerts section.
- Create a new Alert Rule and use the query you’ve developed as the condition.
- Define the alert threshold (e.g., notify if any result is returned).
- Set up the action (email, webhook, etc.) to notify the necessary people or systems.
By refining your query, you should be able to accurately capture and alert on Single Tenant application registrations.
Hope this helps. Let us know if you need further assistance or run into any issues.