SAAS Connector and the Entra ID AuditLog Payload
4 hours ago
Hi, we are enabling the SAAS Connector and binding it to the Entra ID environment. According to the description found here (Integrating with Azure AD), because of the Delegated permission on the Graph API of "AuditLog.Read.All", the connector is able to trace SSO logins by a user to a registered App in Entra ID. The usage of the SAAS application is then recorded as 'Last Activity' in the "samp_sw_subscription" table.
Now the security department wants to know what kind of information is being read/obtained by the ServiceNow credential reading the API in Entra ID, because "AuditLog.Read.All" is a big permission to request (as it can access ALL Entra ID login information). And I cannot seem to find the payload or transaction that the Connector uses to obtain the 'Last Activity' for the SSO login. Where is that job and the results? How is that recorded? What information is put in ServiceNow? Is it filtered? How is it put into the usage table?