Query Details
// The Custom Attribute Diagnostic log must be enabled. This can only be done by the Attribute Log Administrator role (Global Admin is NOT able to perform this).
AADCustomSecurityAttributeAuditLogs
| where OperationName == "Add custom security attribute definition in an attribute set"
This query searches the AADCustomSecurityAttributeAuditLogs table for records where a new custom security attribute definition was added to an attribute set. It matches operations named "Add custom security attribute definition in an attribute set". These logs are only generated when the Custom Attribute Diagnostic log is enabled, and only someone holding the Attribute Log Administrator role can enable that logging. The Global Administrator role cannot perform this action.

Jay Kerai
Released: September 10, 2025