SAAS Connector and the Entra ID AuditLog Payload
4 weeks ago
Hi, we are enabling the SAAS Connector and binding it to the Entra ID environment, according to the description found here: Integrating with Azure AD. Because of the delegated permission "AuditLog.Read.All" on the Graph API, the connector is able to trace SSO logins by a user to a registered app in Entra ID. The usage of the SAAS application is then recorded as 'Last Activity' in the "samp_sw_subscription" table.
Now the security department wants to know what kind of information is being read/obtained by the ServiceNow credential reading the API in Entra ID, because "AuditLog.Read.All" is a big permission to request (as it can access ALL Entra ID login information). And I cannot seem to find the payload or transaction that the Connector uses to obtain the 'Last Activity' for the SSO login. Where is that job and the results? How is that recorded? What information is put in ServiceNow? Is it filtered? How is it put into the usage table?
3 weeks ago
The Job schedule can be found from the Entra ID record you create in the samp_sso_integration_profile table.
ServiceNow will only retrieve usage data for SSO Applications that you have 'connected'. Once connected, the '...update connected applications' job executes daily, calling the 'SAMSSOIntegration' script include, which is shared by Entra & Okta.
This calls several Flow Designer Actions which will target the applications which have been connected.
Microsoft Azure AD – Users, Groups, Apps:
- look_up_incremental_changes_for_users_stream_by_directory
- look_up_incremental_changes_for_groups_stream_by_directory
- look_up_service_principals
Microsoft Azure AD – User Activity:
- list_sign_ins
I won't go any deeper, but to understand the exact API calls you would need to review each action.
Hope this helps!
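To make the security department's question concrete, here is an added example (not ServiceNow's code, and not taken from the list_sign_ins action) that shows the data-minimisation check a reviewer would apply: given records in the shape the Graph `auditLogs/signIns` endpoint returns, which fields are actually needed to derive 'Last Activity' for connected apps, and which fields AuditLog.Read.All exposes but the usage table never needs. The sample records are constructed; the `$filter` narrowing by `appId` and `createdDateTime` is what the Graph endpoint supports, and it is an assumption, not a statement about how the connector's action queries it.

```python
from urllib.parse import quote

GRAPH_SIGN_INS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

# Constructed sample in the shape of Graph signIn resources (all values made up).
SAMPLE_SIGN_INS = [
    {"id": "1", "createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-aaa", "appDisplayName": "Slack", "ipAddress": "203.0.113.5",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"id": "2", "createdDateTime": "2024-05-03T09:30:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-aaa", "appDisplayName": "Slack", "ipAddress": "203.0.113.5",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"id": "3", "createdDateTime": "2024-05-04T10:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-aaa", "appDisplayName": "Slack", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}},  # failed sign-in, not usage
    {"id": "4", "createdDateTime": "2024-05-02T11:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-aaa", "appDisplayName": "Slack", "ipAddress": "203.0.113.9",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    {"id": "5", "createdDateTime": "2024-05-02T12:00:00Z", "userPrincipalName": "carol@example.com",
     "appId": "app-zzz", "appDisplayName": "HR Portal", "ipAddress": "203.0.113.11",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},  # app not connected in ServiceNow
]

# The only fields 'Last Activity' depends on; everything else the permission
# grants (IP address, client, device, location, ...) never needs to be read.
REQUIRED_FIELDS = ("createdDateTime", "userPrincipalName", "appId", "status")

def sign_ins_query(app_id, since_iso):
    """Assumed server-side narrowing: request one connected app's sign-ins after a
    watermark timestamp rather than paging through the whole tenant sign-in log."""
    flt = f"appId eq '{app_id}' and createdDateTime ge {since_iso}"
    return GRAPH_SIGN_INS + "?$filter=" + quote(flt)

def last_activity(sign_ins, connected_app_ids):
    """Reduce raw events to the latest successful sign-in per (user, app),
    keeping only applications that have been 'connected' in ServiceNow."""
    from datetime import datetime
    latest = {}
    for s in sign_ins:
        if s["appId"] not in connected_app_ids or s["status"].get("errorCode", 0) != 0:
            continue
        ts = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        key = (s["userPrincipalName"], s["appId"])
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest

def unused_fields(sign_ins):
    """Fields present in the payload that 'Last Activity' never needs; compare this
    list against what the connector's actions actually persist in ServiceNow."""
    present = {k for s in sign_ins for k in s}
    return sorted(present - set(REQUIRED_FIELDS))
```

Running `unused_fields(SAMPLE_SIGN_INS)` against a real page of sign-in results gives the reviewer the list of fields the credential can see but the usage table has no reason to store.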