Reputation: 43
My company uses an MSP for the daily care and feeding of our M365 tenant. After more than a few "issues" with offboarding employees, I've written an offboarding script to run via Azure Automation. The idea is for the MSP to trigger the script via a webhook or other external means.
The script works correctly, but all actions in the Audit Log are tied to the ManagedIdentity. We need to associate these actions with the MSP account. Is there a way I can add specific audit records to the audit log from within the script? I want these actions to show up in audit reports pulled from Entra ID.
Yes, I'm aware we can simply "include" the ManagedIdentity actions in the MSP audit reports. We are a publicly traded company and have to satisfy external auditors for various SOC/SOX/ISO compliance requirements. It is far easier to include a custom record than try to explain (and re-explain) the connection between the MSP account and the ManagedIdentity.
I have looked into the audit log capabilities of PowerShell. I can create audit logs but have not found a way to add records to the Entra ID audit log.
Thank you for your time!
Upvotes: 0
Views: 230
Reputation: 43
I found my own answer. There is no method that will allow you to send log entries to the Entra ID audit log. There is a supported and documented method to send custom log entries from Azure Automation scripts/runbooks to a Log Analytics Workspace. Since we already use a Log Analytics Workspace for long-term storage of our Entra ID audit logs, we will simply add these custom log entries to the same Log Analytics Workspace.
Upvotes: 0
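As an added example (not the poster's runbook, and not code from the answer above), here is what the approach in the accepted answer looks like in practice: a webhook-triggered Azure Automation runbook that runs under the account's Managed Identity and, for each offboarding step, posts an attribution record to the Log Analytics workspace using the legacy HTTP Data Collector API (SharedKey authentication against the workspace key). The Automation variable names (`LAW-WorkspaceId`, `LAW-SharedKey`), the custom log type `OffboardingAudit`, the webhook body fields `actor` and `targetUser`, and the two Graph steps are assumptions chosen for illustration; the actual offboarding actions are not on the page.

```powershell
# Added example: audited offboarding runbook for Azure Automation.
# Each step writes one record to Log Analytics so the MSP operator named in the
# webhook payload sits next to the Managed Identity's own Entra ID audit entries.
param(
    [object]$WebhookData    # populated by Azure Automation when started from a webhook
)

# Workspace ID and key held as (encrypted) Automation variables. Names are assumed.
$WorkspaceId = Get-AutomationVariable -Name 'LAW-WorkspaceId'
$SharedKey   = Get-AutomationVariable -Name 'LAW-SharedKey'
$LogType     = 'OffboardingAudit'   # assumed; stored as table OffboardingAudit_CL

function New-LawAuthorization {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Rfc1123Date,
          [int]$ContentLength, [string]$Resource)
    # String-to-sign layout required by the Data Collector API, HMAC-SHA256 with the workspace key.
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n$Resource"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($SharedKey))
    try   { $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)) }
    finally { $hmac.Dispose() }
    'SharedKey {0}:{1}' -f $WorkspaceId, [Convert]::ToBase64String($hash)
}

function Send-LawRecord {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [hashtable[]]$Records)
    $resource = '/api/logs'
    $date     = [DateTime]::UtcNow.ToString('r')                       # RFC 1123, as the API requires
    $body     = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @($Records) -Depth 5))
    $headers  = @{
        'Authorization'        = New-LawAuthorization $WorkspaceId $SharedKey $date $body.Length $resource
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # our timestamp becomes the row's TimeGenerated
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com$resource?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $body | Out-Null
}

# --- Who asked for this, and for whom -----------------------------------------
if (-not $WebhookData) { throw 'This runbook must be started from its webhook.' }
$request = $WebhookData.RequestBody | ConvertFrom-Json
$actor   = [string]$request.actor         # MSP operator; self-asserted by whoever holds the webhook URL
$target  = [string]$request.targetUser    # UPN or object ID of the leaver
if ([string]::IsNullOrWhiteSpace($actor) -or [string]::IsNullOrWhiteSpace($target)) {
    throw 'Webhook payload must carry both actor and targetUser.'
}
$jobId = $PSPrivateMetadata.JobId.Guid    # Automation job ID, for joining to job history

# Runs one offboarding step and records its outcome, whether it succeeds or throws.
function Invoke-AuditedStep {
    param([string]$Action, [scriptblock]$Step)
    $record = @{
        TimeGenerated = [DateTime]::UtcNow.ToString('o')
        Actor         = $actor
        TargetUser    = $target
        Action        = $Action
        RunbookJobId  = $jobId
        ExecutedAs    = 'ManagedIdentity'   # the principal the Entra audit log will show
        Result        = 'Succeeded'
        Error         = ''
    }
    try   { & $Step }
    catch { $record.Result = 'Failed'; $record.Error = $_.Exception.Message; throw }
    finally { Send-LawRecord $WorkspaceId $SharedKey $LogType @($record) }
}

# --- The offboarding itself (illustrative steps, not the poster's list) -------
Connect-MgGraph -Identity   # authenticate as the Automation account's Managed Identity
Invoke-AuditedStep -Action 'DisableAccount' -Step { Update-MgUser -UserId $target -AccountEnabled:$false }
Invoke-AuditedStep -Action 'RevokeSessions' -Step { Revoke-MgUserSignInSession -UserId $target | Out-Null }
```

Two caveats a reviewer of this design should raise. First, the `Actor` value is whatever the caller put in the webhook body; the webhook URL is the only credential involved, so the record proves that someone holding that URL claimed to be that operator, not that Entra authenticated them. Protect the URL accordingly and say so in the control description handed to the auditors. Second, this uses the legacy Data Collector API, which requires the workspace key to be stored in the runbook's variables; Microsoft's successor, the Logs Ingestion API with a data collection rule, authenticates with Entra ID (the Managed Identity can be granted the DCR role) and removes that key. Records written this way land in `OffboardingAudit_CL` with string fields suffixed `_s` (for example `Actor_s`, `TargetUser_s`), which is what a KQL join against the `AuditLogs` table on target user and time window will reference.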