Auditing administrator events in Microsoft Entra Connect Sync (Public Preview)
In January 2025, we released a new version (2.4.129.0) of Microsoft Entra Connect Sync. This version contains an auditing update that is enabled by default. With this update, you can now monitor administrator events and activity. This article describes how to disable the auditing feature.
How to manually disable auditing of administrator events
To disable auditing of administrator events, use the following steps:
- Open the Registry Editor: press Win + R to open the Run dialog.
- Type regedit and press Enter to launch the Registry Editor. Confirm any security prompts to proceed.
- Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect.
- Modify or create the AuditEventLogging value: if the AuditEventLogging value doesn't already exist, right-click the Azure AD Connect key and select New -> DWORD (32-bit) Value.
- Name the new DWORD as AuditEventLogging.
- Double-click the AuditEventLogging entry and enter 0 to disable audit event logging. Enter 1 to re-enable it.
How to use PowerShell to disable auditing of administrator events
You can also use PowerShell to disable audit logging of administrator events. Use the following script.
```powershell
# Declare variables
$registryPath = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect'
$valueName = 'AuditEventLogging'
$newValue = 0
# Create the Azure AD Connect registry key if it doesn't exist
if (!(Test-Path $registryPath)) { New-Item -Path $registryPath -Force }
# Set AuditEventLogging as a DWORD value (0 disables auditing, 1 re-enables it)
Set-ItemProperty -Path $registryPath -Name $valueName -Value $newValue -Type DWord
```
List of logged events
The following table is a list of events that are logged with the new auditing feature. To view the events, use Event Viewer and look in the Application log.
EventID | EventName | Description |
---|---|---|
2503 | Add/Update/Delete Directories | Provides the name of the affected directory |
2504 | Enable Express settings mode | This event will be logged when "Express Setup" is selected by the administrator |
2505 | Enable/Disable domains and OU for sync | Shows a list of all domains connected to Connect Sync |
2506 | Enable/Disable PHS Sync | Shows Password Hash Sync is enabled or disabled |
2507 | Enable/Disable Sync start after install | Event is logged when sync is enabled or disabled when the installation is done |
2508 | Create ADDS account | Shows the created account needed to connect to the new directory added |
2509 | Use Existing ADDS account | Shows name of the account used to connect to the directory |
2510 | Create/Update/Delete custom sync rule | Shows the name of the sync rule that has changed along with information on what changed |
2511 | Enable/Disable Domain based filtering | Shows domain filtering is selected and lists selected domains |
2512 | Enable/Disable OU based filtering | Shows OU based filtering is selected and lists selected OUs |
2513 | User Sign-In method changed | Shows the old sign in method and the new one |
2514 | Configure new ADFS farm | Shows the federation service name |
2515 | Enable/Disable Single sign-on | Shows single sign-on change |
2516 | Install web application proxy server | Shows selected ADFS servers and Domain Admin username |
2517 | Set Permissions | Shows the specific AD Sync permission changed |
2518 | Change ADDS Connector credential | Shows ADDS Connector credential changed |
2519 | Reinitialize Entra ID Connector account password | Shows that the AD Sync service account password was reset |
2520 | Install ADFS Server | Shows the selected server |
2521 | Set ADFS Service Account | Specifies if group-managed or domain user. Includes administrator username |
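
To review these events from PowerShell instead of Event Viewer, and to confirm that auditing has not been switched off, the following script reads the AuditEventLogging value and lists events 2503 through 2521 from the Application log. It is an added example, not part of the original article: the function names and the 7-day window are assumptions, and because the article does not name the event source, events are matched by log and event ID only.

```powershell
# Added example, not from the original article.
# Assumptions: function names and the 7-day default window are illustrative.
# The article does not name the event source, so events are matched by log and
# ID range only; use the ProviderName column to rule out unrelated applications
# that happen to reuse these IDs.

$registryPath = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect'
$valueName    = 'AuditEventLogging'

function Get-ConnectSyncAuditState {
    # A missing value means the default applies (auditing enabled).
    $item = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'Enabled (default, value not set)' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    if ($item.$valueName -eq 1) { return 'Enabled' }
    return "Unexpected value: $($item.$valueName)"
}

function Get-ConnectSyncAdminEvent {
    param([int]$Days = 7)

    # timediff() is expressed in milliseconds.
    $ms = [int64]$Days * 86400000
    $xpath = "*[System[(EventID >= 2503 and EventID <= 2521) and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]]]"

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -LogName 'Application' -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message
}

$days   = 7
$state  = Get-ConnectSyncAuditState
$events = @(Get-ConnectSyncAdminEvent -Days $days)

Write-Output "Administrator event auditing: $state"
Write-Output "Administrator events in the last $days days: $($events.Count)"

if ($state -eq 'Disabled') {
    Write-Warning 'AuditEventLogging is 0, so new administrator events are not being logged.'
}

$events | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the Connect Sync server. A state of Disabled together with no recent events means configuration changes made since the value was set to 0 are not recorded in the Application log.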