Just a friendly reminder that the Microsoft sensitive operations report workbook exists and can be super helpful.

For those unfamiliar, it's an Azure Monitor workbook designed to capture activities/events that could be critical or impactful for Azure AD. Examples include:

• Modified application and service principal credentials/authentication methods
• New permissions granted to service principals
• Directory role and group membership updates for service principals
• Modified federation settings

To be clear, it's not a replacement for a modern SIEM (that's always necessary) but it's a nice mechanism for quickly observing potentially impactful actions happening in Azure AD.