Monitor and report on Azure AD Password Protection

After the deployment of Azure AD Password Protection, monitoring and reporting are essential tasks. This article goes into detail to help you understand various monitoring techniques, including where each service logs information and how to report on the use of Azure AD Password Protection.

Monitoring and reporting are done either by event log messages or by running PowerShell cmdlets. The DC agent and proxy services both log event log messages. All PowerShell cmdlets described below are only available on the proxy server (see the AzureADPasswordProtection PowerShell module). The DC agent software does not install a PowerShell module.

DC agent event logging

On each domain controller, the DC agent service software writes the results of each individual password validation operation (and other status) to a local event log:

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Trace

The DC agent Admin log is the primary source of information for how the software is behaving.

Note that the Trace log is off by default.

Events logged by the various DC agent components fall within the following ranges:

Component                                   Event ID range
DC agent password filter DLL                10000-19999
DC agent service hosting process            20000-29999
DC agent service policy validation logic    30000-39999

DC agent Admin event log

Password validation outcome events

On each domain controller, the DC agent service software writes the results of each individual password validation to the DC agent admin event log.

For a successful password validation operation, there is generally one event logged from the DC agent password filter dll. For a failing password validation operation, there are generally two events logged, one from the DC agent service, and one from the DC Agent password filter dll.

Discrete events to capture these situations are logged, based around the following factors:

  • Whether a given password is being set or changed.
  • Whether validation of a given password passed or failed.
  • Whether validation failed due to the Microsoft global policy, the organizational policy, or a combination.
  • Whether audit only mode is currently on or off for the current password policy.

The key password-validation-related events are as follows:

Event                                                                           Password change    Password set
Pass                                                                            10014              10015
Fail (due to customer password policy)                                          10016, 30002       10017, 30003
Fail (due to Microsoft password policy)                                         10016, 30004       10017, 30005
Fail (due to combined Microsoft and customer password policies)                 10016, 30026       10017, 30027
Fail (due to user name)                                                         10016, 30021       10017, 30022
Audit-only Pass (would have failed customer password policy)                    10024, 30008       10025, 30007
Audit-only Pass (would have failed Microsoft password policy)                   10024, 30010       10025, 30009
Audit-only Pass (would have failed combined Microsoft and customer policies)    10024, 30028       10025, 30029
Audit-only Pass (would have failed due to user name)                            10016, 30024       10017, 30023

The cases in the table above that refer to 'combined policies' are referring to situations where a user's password was found to contain at least one token from both the Microsoft banned password list and the customer banned password list.

The cases in the table above that refer to 'user name' are referring to situations where a user's password was found to contain either the user's account name and/or one of the user's friendly names. Either scenario will cause the user's password to be rejected when the policy is set to Enforce, or passed if the policy is in Audit mode.

When a pair of events is logged together, both events are explicitly associated by having the same CorrelationId.

Password validation summary reporting via PowerShell

The Get-AzureADPasswordProtectionSummaryReport cmdlet may be used to produce a summary view of password validation activity. An example output of this cmdlet is as follows:

The scope of the cmdlet's reporting may be influenced using one of the -Forest, -Domain, or -DomainController parameters. Not specifying a parameter implies -Forest.

The Get-AzureADPasswordProtectionSummaryReport cmdlet works by querying the DC agent admin event log, and then counting the total number of events that correspond to each displayed outcome category. The following table contains the mappings between each outcome and its corresponding event ID:

Get-AzureADPasswordProtectionSummaryReport property    Corresponding event ID
PasswordChangesValidated                               10014
PasswordSetsValidated                                  10015
PasswordChangesRejected                                10016
PasswordSetsRejected                                   10017
PasswordChangeAuditOnlyFailures                        10024
PasswordSetAuditOnlyFailures                           10025
PasswordChangeErrors                                   10012
PasswordSetErrors                                      10013

Note that the Get-AzureADPasswordProtectionSummaryReport cmdlet is shipped in PowerShell script form and if needed may be referenced directly at the following location:

%ProgramFiles%\WindowsPowerShell\Modules\AzureADPasswordProtection\Get-AzureADPasswordProtectionSummaryReport.ps1

Note

This cmdlet works by opening a PowerShell session to each domain controller. In order to succeed, PowerShell remote session support must be enabled on each domain controller, and the client must have sufficient privileges. For more information on PowerShell remote session requirements, run 'Get-Help about_Remote_Troubleshooting' in a PowerShell window.

Note

This cmdlet works by remotely querying each DC agent service's Admin event log. If the event logs contain large numbers of events, the cmdlet may take a long time to complete. In addition, bulk network queries of large data sets may impact domain controller performance. Therefore, this cmdlet should be used carefully in production environments.
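The mapping in the two tables above can be applied directly to the Admin log. The following PowerShell is an added example, not part of the Microsoft article or of the AzureADPasswordProtection module: it reads the outcome and reason events from one domain controller with a query bounded by time window and event count (the concern raised in the note above), pairs the two events of a failed or audit-only validation through their shared CorrelationId, and produces the same counts as Get-AzureADPasswordProtectionSummaryReport together with the per-policy reason breakdown that the summary report does not show. The event log channel name, the use of the record's ActivityId property as the CorrelationId, and the host name are assumptions; the sample records are constructed.

```powershell
# Added example (not part of the Microsoft article). Classifies DC agent Admin-log events
# with the event ID mapping from the tables above, pairs each filter-DLL outcome event with
# the service event that shares its CorrelationId, and counts the same categories that
# Get-AzureADPasswordProtectionSummaryReport reports.
# Assumed, not stated on the page: the Admin log's channel name is
# 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' and the CorrelationId surfaces as the
# event record's ActivityId property. Host names below are placeholders.

# Filter-DLL outcome IDs -> operation and result.
$Outcome = @{
    10012 = @{ Op = 'Change'; Result = 'Error' };         10013 = @{ Op = 'Set'; Result = 'Error' }
    10014 = @{ Op = 'Change'; Result = 'Pass' };          10015 = @{ Op = 'Set'; Result = 'Pass' }
    10016 = @{ Op = 'Change'; Result = 'Fail' };          10017 = @{ Op = 'Set'; Result = 'Fail' }
    10024 = @{ Op = 'Change'; Result = 'AuditOnlyPass' }; 10025 = @{ Op = 'Set'; Result = 'AuditOnlyPass' }
}
# Service policy-logic IDs -> which banned list (or the user name) the password tripped.
$Reason = @{
    30002 = 'CustomerPolicy';  30003 = 'CustomerPolicy';  30008 = 'CustomerPolicy';  30007 = 'CustomerPolicy'
    30004 = 'MicrosoftPolicy'; 30005 = 'MicrosoftPolicy'; 30010 = 'MicrosoftPolicy'; 30009 = 'MicrosoftPolicy'
    30026 = 'CombinedPolicy';  30027 = 'CombinedPolicy';  30028 = 'CombinedPolicy';  30029 = 'CombinedPolicy'
    30021 = 'UserName';        30022 = 'UserName';        30024 = 'UserName';        30023 = 'UserName'
}

function Get-DCAgentOutcomeEvents {
    # Reads one DC's Admin log, bounded by time window and event count so a large log does
    # not become the bulk query the note above warns about.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        [int]$MaxEvents = 5000
    )
    $log = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
    # Two queries: Get-WinEvent limits how many Ids one FilterHashtable may carry.
    foreach ($ids in @(@($Outcome.Keys), @($Reason.Keys))) {
        $filter = @{ LogName = $log; Id = [int[]]$ids; StartTime = $StartTime }
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; CorrelationId = $_.ActivityId; Message = $_.Message } }
    }
}

function ConvertTo-ValidationRecord {
    # Folds each reason event into the outcome event that shares its CorrelationId.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events)
    $reasonByCorr = @{}
    foreach ($e in $Events) {
        if ($Reason.ContainsKey([int]$e.Id) -and $e.CorrelationId) { $reasonByCorr["$($e.CorrelationId)"] = $Reason[[int]$e.Id] }
    }
    foreach ($e in $Events) {
        $o = $Outcome[[int]$e.Id]
        if (-not $o) { continue }   # reason events are consumed above, not emitted on their own
        $why = $null
        if ($e.CorrelationId) { $why = $reasonByCorr["$($e.CorrelationId)"] }
        if ($o.Result -in 'Pass', 'Error') { $why = 'n/a' } elseif (-not $why) { $why = 'Unknown' }
        [pscustomobject]@{ TimeCreated = $e.TimeCreated; Operation = $o.Op; Result = $o.Result; Reason = $why; CorrelationId = $e.CorrelationId }
    }
}

function Get-OutcomeSummary {
    # Same property set as Get-AzureADPasswordProtectionSummaryReport (see the mapping table).
    param([object[]]$Records)
    $n = { param($op, $res) @($Records | Where-Object { $_.Operation -eq $op -and $_.Result -eq $res }).Count }
    [pscustomobject]@{
        PasswordChangesValidated        = & $n 'Change' 'Pass'
        PasswordSetsValidated           = & $n 'Set'    'Pass'
        PasswordChangesRejected         = & $n 'Change' 'Fail'
        PasswordSetsRejected            = & $n 'Set'    'Fail'
        PasswordChangeAuditOnlyFailures = & $n 'Change' 'AuditOnlyPass'
        PasswordSetAuditOnlyFailures    = & $n 'Set'    'AuditOnlyPass'
        PasswordChangeErrors            = & $n 'Change' 'Error'
        PasswordSetErrors               = & $n 'Set'    'Error'
    }
}

# Constructed sample records (not real log output): a compliant change, a set rejected by
# the customer list, and an audit-only change that would have failed the Microsoft list.
$c1 = [guid]::NewGuid(); $c2 = [guid]::NewGuid(); $t = Get-Date
$sample = @(
    [pscustomobject]@{ TimeCreated = $t; Id = 10014; CorrelationId = [guid]::NewGuid(); Message = 'compliant change' }
    [pscustomobject]@{ TimeCreated = $t; Id = 10017; CorrelationId = $c1; Message = 'set rejected' }
    [pscustomobject]@{ TimeCreated = $t; Id = 30003; CorrelationId = $c1; Message = 'customer banned list' }
    [pscustomobject]@{ TimeCreated = $t; Id = 10024; CorrelationId = $c2; Message = 'audit-only change' }
    [pscustomobject]@{ TimeCreated = $t; Id = 30010; CorrelationId = $c2; Message = 'would have failed Microsoft list' }
)
$records = ConvertTo-ValidationRecord -Events $sample
$records | Format-Table Operation, Result, Reason -AutoSize
Get-OutcomeSummary -Records $records
# Live, against one DC (last 24 h, at most 5000 events per query):
# Get-OutcomeSummary -Records (ConvertTo-ValidationRecord -Events @(Get-DCAgentOutcomeEvents -ComputerName 'dc01.corp.example'))
```

The audit-only rows deserve the most attention in a real report: each one is a password that the policy would have rejected and that is now in use in the directory, so a non-zero PasswordChangeAuditOnlyFailures or PasswordSetAuditOnlyFailures is the signal to move the policy from Audit to Enforce.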

Sample event log message for Event ID 10014 (successful password change)

Sample event log message for Event ID 10017 and 30003 (failed password set)

10017:

30003:

Sample event log message for Event ID 30001 (password accepted due to no policy available)

Sample event log message for Event ID 30006 (new policy being enforced)

Sample event log message for Event ID 30019 (Azure AD Password Protection is disabled)

DC Agent Operational log

The DC agent service will also log operational-related events to the following log:

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational

DC Agent Trace log

The DC agent service can also log verbose debug-level trace events to the following log:

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Trace

Trace logging is disabled by default.

Warning

When enabled, the Trace log receives a high volume of events and may impact domain controller performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

DC Agent text logging

The DC agent service can be configured to write to a text log by setting the following registry value:

Text logging is disabled by default. A restart of the DC agent service is required for changes to this value to take effect. When enabled the DC agent service will write to a log file located under:

%ProgramFiles%\Azure AD Password Protection DC Agent\Logs

Tip

The text log receives the same debug-level entries that can be logged to the Trace log, but is generally in an easier format to review and analyze.

Warning

When enabled, this log receives a high volume of events and may impact domain controller performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

DC agent performance monitoring

The DC agent service software installs a performance counter object named Azure AD Password Protection. The following perf counters are currently available:

Passwords processed
    Total number of passwords processed (accepted or rejected) since the last restart.
Passwords accepted
    Total number of passwords that were accepted since the last restart.
Passwords rejected
    Total number of passwords that were rejected since the last restart.
Password filter requests in progress
    Number of password filter requests currently in progress.
Peak password filter requests
    Peak number of concurrent password filter requests since the last restart.
Password filter request errors
    Total number of password filter requests that failed due to an error since the last restart. Errors can occur when the Azure AD Password Protection DC agent service is not running.
Password filter requests/sec
    Rate at which passwords are being processed.
Password filter request processing time
    Average time required to process a password filter request.
Peak password filter request processing time
    Peak password filter request processing time since the last restart.
Passwords accepted due to audit mode
    Total number of passwords that would normally have been rejected, but were accepted because the password policy was configured to be in audit mode (since the last restart).

DC Agent discovery

The Get-AzureADPasswordProtectionDCAgent cmdlet may be used to display basic information about the various DC agents running in a domain or forest. This information is retrieved from the serviceConnectionPoint object(s) registered by the running DC agent service(s).

An example output of this cmdlet is as follows:

The various properties are updated by each DC agent service on an approximate hourly basis. The data is still subject to Active Directory replication latency.

The scope of the cmdlet's query may be influenced using either the -Forest or -Domain parameters.

If the HeartbeatUTC value gets stale, this may be a symptom that the Azure AD Password Protection DC Agent on that domain controller is not running, or has been uninstalled, or the machine was demoted and is no longer a domain controller.

If the PasswordPolicyDateUTC value gets stale, this may be a symptom that the Azure AD Password Protection DC Agent on that machine is not working properly.

DC agent newer version available

The DC agent service will log a 30034 warning event to the Operational log upon detecting that a newer version of the DC agent software is available, for example:

The event above does not specify the version of the newer software. You should go to the link in the event message for that information.

Note

Despite the references to 'autoupgrade' in the above event message, the DC agent software does not currently support this feature.

Proxy service event logging

The Proxy service emits a minimal set of events to the following event logs:

Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Admin

Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Operational

Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Trace

Note that the Trace log is off by default.

Warning

When enabled, the Trace log receives a high volume of events and this may impact performance of the proxy host. Therefore, this log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

Events are logged by the various Proxy components using the following ranges:

Component                            Event ID range
Proxy service hosting process        10000-19999
Proxy service core business logic    20000-29999
PowerShell cmdlets                   30000-39999

Proxy service text logging

The Proxy service can be configured to write to a text log by setting the following registry value:

HKLM\System\CurrentControlSet\Services\AzureADPasswordProtectionProxy\Parameters!EnableTextLogging = 1 (REG_DWORD value)

Text logging is disabled by default. A restart of the Proxy service is required for changes to this value to take effect. When enabled the Proxy service will write to a log file located under:

%ProgramFiles%\Azure AD Password Protection Proxy\Logs

Tip

The text log receives the same debug-level entries that can be logged to the Trace log, but is generally in an easier format to review and analyze.

Warning

When enabled, this log receives a high volume of events and may impact the machine's performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.
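The registry value, the required service restart and the warning above fit together into one short procedure. The following PowerShell is an added example, not part of the Microsoft article or of the AzureADPasswordProtection module: it enables Proxy text logging for a fixed troubleshooting window and turns it off again in a finally block, so the cleanup also runs if the wait is cut short by an error. The Windows service name AzureADPasswordProtectionProxy is an assumption taken from the registry path above; run it in an elevated session on the proxy host.

```powershell
# Added example (not part of the Microsoft article). Enables Proxy service text logging for a
# bounded troubleshooting window and disables it again in a finally block, so the debug-level
# log described above is not left running on a production proxy.
# Assumed, not stated on the page: the Windows service name is AzureADPasswordProtectionProxy
# (taken from the registry path above). Run in an elevated PowerShell session on the proxy host.

$RegPath     = 'HKLM:\System\CurrentControlSet\Services\AzureADPasswordProtectionProxy\Parameters'
$ServiceName = 'AzureADPasswordProtectionProxy'
$LogDir      = Join-Path $env:ProgramFiles 'Azure AD Password Protection Proxy\Logs'

function Set-ProxyTextLogging {
    # Writes EnableTextLogging (REG_DWORD) and restarts the service, which reads the value only at start.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name EnableTextLogging -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    Restart-Service -Name $ServiceName
    # Returns the effective state so the caller can verify the change took.
    (Get-ItemProperty -Path $RegPath -Name EnableTextLogging).EnableTextLogging -eq 1
}

function Invoke-ProxyTextLoggingWindow {
    # Captures for $Minutes, then disables logging again even if the wait ends with an error.
    param([int]$Minutes = 15)
    $null = Set-ProxyTextLogging -Enabled $true
    try {
        Write-Host "Text logging enabled for $Minutes minutes. Reproduce the problem now; files are written under $LogDir"
        Start-Sleep -Seconds ($Minutes * 60)
    }
    finally {
        $null = Set-ProxyTextLogging -Enabled $false
        Write-Host 'Text logging disabled again.'
    }
    # Most recent files from the window, for review or hand-off.
    Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, Length, LastWriteTime
}

# Invoke-ProxyTextLoggingWindow -Minutes 10
```

Each call to Set-ProxyTextLogging restarts the Proxy service, so DC agents that are mid-request to this proxy will fail over to another registered proxy or retry; schedule the window accordingly if only one proxy is deployed.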

PowerShell cmdlet logging

PowerShell cmdlets that result in a state change (for example, Register-AzureADPasswordProtectionProxy) will normally log an outcome event to the Operational log.

In addition, most of the Azure AD Password Protection PowerShell cmdlets will write to a text log located under:

%ProgramFiles%\Azure AD Password Protection Proxy\Logs

If a cmdlet error occurs and the cause and/or solution is not readily apparent, these text logs may also be consulted.

Proxy discovery

The Get-AzureADPasswordProtectionProxy cmdlet may be used to display basic information about the various Azure AD Password Protection Proxy services running in a domain or forest. This information is retrieved from the serviceConnectionPoint object(s) registered by the running Proxy service(s).

An example output of this cmdlet is as follows:

The various properties are updated by each Proxy service on an approximate hourly basis. The data is still subject to Active Directory replication latency.

The scope of the cmdlet's query may be influenced using either the -Forest or -Domain parameters.

If the HeartbeatUTC value gets stale, this may be a symptom that the Azure AD Password Protection Proxy on that machine is not running or has been uninstalled.
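The staleness checks described here and in the DC agent discovery section above are easy to automate, and the same registration data also reveals two things the text does not call out: agents running an older build than the rest of the forest, and domain controllers that never registered an agent at all (such a DC has no serviceConnectionPoint, so it is missing from the cmdlet output rather than showing a stale heartbeat, and passwords changed against it are not validated). The following PowerShell is an added example, not part of the Microsoft article or of the AzureADPasswordProtection module. It assumes the cmdlet output carries ServerFQDN, SoftwareVersion and HeartbeatUTC properties (plus PasswordPolicyDateUTC for DC agents), that Get-ADDomainController from the ActiveDirectory RSAT module is available, and that the age thresholds are chosen here rather than taken from the page; the sample registrations are constructed.

```powershell
# Added example (not part of the Microsoft article). Turns Get-AzureADPasswordProtectionDCAgent
# and Get-AzureADPasswordProtectionProxy output into findings: stale HeartbeatUTC or
# PasswordPolicyDateUTC values, registrations behind the newest SoftwareVersion seen, and
# domain controllers with no agent registration at all.
# Assumed, not stated on the page: the output objects carry ServerFQDN, SoftwareVersion and
# HeartbeatUTC (plus PasswordPolicyDateUTC for DC agents); Get-ADDomainController comes from
# the ActiveDirectory RSAT module; the age thresholds are chosen here. Host names are placeholders.

function Get-RegistrationFindings {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Registrations,
        [ValidateSet('DCAgent', 'Proxy')][string]$Kind = 'DCAgent',
        [timespan]$MaxHeartbeatAge = [timespan]::FromHours(3),   # roughly hourly updates plus replication latency
        [timespan]$MaxPolicyAge    = [timespan]::FromHours(25),
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $newest = $Registrations | ForEach-Object { [version]$_.SoftwareVersion } | Sort-Object -Descending | Select-Object -First 1
    foreach ($r in $Registrations) {
        $findings = @()
        $hbAge = $Now - [datetime]$r.HeartbeatUTC
        if ($hbAge -gt $MaxHeartbeatAge) {
            $findings += "HeartbeatUTC is $([int]$hbAge.TotalHours) h old: service stopped, uninstalled, or host demoted"
        }
        if ($Kind -eq 'DCAgent') {
            $polAge = $Now - [datetime]$r.PasswordPolicyDateUTC
            if ($polAge -gt $MaxPolicyAge) { $findings += "PasswordPolicyDateUTC is $([int]$polAge.TotalHours) h old: agent not refreshing policy" }
        }
        if ($newest -and ([version]$r.SoftwareVersion -lt $newest)) { $findings += "SoftwareVersion $($r.SoftwareVersion) is behind $newest" }
        foreach ($f in $findings) { [pscustomobject]@{ Kind = $Kind; Server = $r.ServerFQDN; Finding = $f } }
    }
}

function Get-UncoveredDomainControllers {
    # Compares the DC list from AD itself against the DCs that registered an agent.
    param([AllowEmptyCollection()][object[]]$AgentRegistrations, [Parameter(Mandatory)][string[]]$DomainControllerFqdns)
    $covered = @($AgentRegistrations | ForEach-Object { ([string]$_.ServerFQDN).ToLowerInvariant() })
    $DomainControllerFqdns | Where-Object { $_.ToLowerInvariant() -notin $covered }
}

# Constructed sample (not real cmdlet output): dc02 has been silent for three days and runs an
# older build; dc03 exists in AD but never registered an agent.
$now = [datetime]::new(2024, 1, 15, 12, 0, 0, [System.DateTimeKind]::Utc)
$agents = @(
    [pscustomobject]@{ ServerFQDN = 'dc01.corp.example'; SoftwareVersion = '1.2.177.1'; HeartbeatUTC = $now.AddMinutes(-20); PasswordPolicyDateUTC = $now.AddMinutes(-20) }
    [pscustomobject]@{ ServerFQDN = 'dc02.corp.example'; SoftwareVersion = '1.2.125.0'; HeartbeatUTC = $now.AddDays(-3);     PasswordPolicyDateUTC = $now.AddDays(-3) }
)
Get-RegistrationFindings -Registrations $agents -Kind DCAgent -Now $now | Format-Table -AutoSize
Get-UncoveredDomainControllers -AgentRegistrations $agents -DomainControllerFqdns 'dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example'

# Live, on a proxy server that has the AzureADPasswordProtection and ActiveDirectory modules
# (narrow the discovery cmdlets with -Domain if the forest is large):
# $agents  = @(Get-AzureADPasswordProtectionDCAgent)
# $proxies = @(Get-AzureADPasswordProtectionProxy)
# Get-RegistrationFindings -Registrations $agents  -Kind DCAgent
# Get-RegistrationFindings -Registrations $proxies -Kind Proxy
# Get-UncoveredDomainControllers -AgentRegistrations $agents -DomainControllerFqdns (Get-ADDomainController -Filter *).HostName
```

Because the registration data is written to Active Directory about once an hour and then replicates, a heartbeat threshold much below two to three hours produces false positives; the version comparison only flags agents that are behind the newest version already deployed in the forest, not behind the newest version Microsoft has published, which is what the 30034 and 20002 events report.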

Proxy agent newer version available

The Proxy service will log a 20002 warning event to the Operational log upon detecting that a newer version of the proxy software is available, for example:

The event above does not specify the version of the newer software. You should go to the link in the event message for that information.

This event will be emitted even if the Proxy agent is configured with autoupgrade enabled.

Next steps

For more information on the global and custom banned password lists, see the article Ban bad passwords.