Audit Event Types

Event Type            When Emitted                                            Key Fields
mi.token.issued       Successful client credentials token issuance            managedIdentityId, secretId, clientIp, tokenId
mi.token.rejected     Authentication failed (bad secret, disabled identity)   managedIdentityId, reason, clientIp
mi.token.revoked      Token revoked (secret revocation or identity disable)   managedIdentityId, secretId, tokenId, reason
mi.created            New managed identity created                            managedIdentityId, name, tenantId, createdBy
mi.disabled           Identity disabled                                       managedIdentityId, disabledBy, reason
mi.enabled            Identity re-enabled                                     managedIdentityId, enabledBy
mi.deleted            Identity permanently deleted                            managedIdentityId, deletedBy
mi.secret.generated   New secret generated                                    managedIdentityId, secretId, label
mi.secret.revoked     Secret revoked                                          managedIdentityId, secretId, revokedBy, reason
mi.roles.updated      Roles added or removed                                  managedIdentityId, addedRoles, removedRoles, updatedBy
mi.api.call           API call made using managed identity token              managedIdentityId, method, path, statusCode, duration

Querying the Audit Log

// Query all events for a specific managed identity
GET /passport/admin/audit?managedIdentityId=mi-guid-1234&from=2026-05-01&to=2026-05-25
Authorization: Bearer {admin-token}

// Filter by event type
GET /passport/admin/audit?managedIdentityId=mi-guid-1234&eventType=mi.token.issued

// Filter by secret ID (useful post-rotation to verify old secret stopped being used)
GET /passport/admin/audit?managedIdentityId=mi-guid-1234&secretId=sec-guid-OLD

// Query across all managed identities in a tenant (admin only)
GET /passport/admin/audit?tenantId=tenant-abc&eventType=mi.token.rejected&from=2026-05-25

// Response
{
  "events": [
    {
      "eventId":           "evt-guid-9999",
      "eventType":         "mi.token.issued",
      "timestamp":         "2026-05-25T06:00:01Z",
      "managedIdentityId": "mi-guid-1234",
      "managedIdentityName": "payroll-monthly-scheduler",
      "secretId":          "sec-guid-5678",
      "clientIp":          "10.0.1.55",
      "tokenId":           "tok-guid-abc",
      "tenantId":          "tenant-abc",
      "metadata": {
        "triggeredBy": "schedule:Monthly Payroll Run",
        "workflowId":  "wf-monthly-payroll"
      }
    }
  ],
  "total": 1,
  "page":  1
}

Audit Log Entry Structure

using System;
using System.Collections.Generic;

// One audit record; only the fields relevant to the event type are populated
public class ManagedIdentityAuditEvent
{
    public required Guid   EventId             { get; init; }
    public required string EventType           { get; init; }  // e.g. "mi.token.issued"
    public required DateTimeOffset Timestamp   { get; init; }
    public required Guid   ManagedIdentityId   { get; init; }
    public required string ManagedIdentityName { get; init; }
    public required string TenantId            { get; init; }

    // For token events
    public Guid?   SecretId   { get; init; }
    public string? TokenId    { get; init; }
    public string? ClientIp   { get; init; }

    // For admin events (create, disable, role change)
    public string? ActorUserId   { get; init; }  // admin who performed the action
    public string? ActorEmail    { get; init; }

    // For rejection events
    public string? RejectionReason { get; init; }

    // For API call events
    public string? HttpMethod   { get; init; }
    public string? ApiPath      { get; init; }
    public int?    HttpStatus   { get; init; }
    public int?    DurationMs   { get; init; }

    // Free-form metadata
    public IDictionary<string,string> Metadata { get; init; } = new Dictionary<string,string>();
}

Security Investigation Queries

// Find all failed authentications in the last 24 hours (possible brute force)
GET /passport/admin/audit
  ?tenantId=tenant-abc
  &eventType=mi.token.rejected
  &from=2026-05-24T10:00:00Z

// Verify rotation completed: confirm no token issuances using old secret after revocation
GET /passport/admin/audit
  ?managedIdentityId=mi-guid-1234
  &secretId=sec-guid-OLD
  &from=2026-05-25T11:00:00Z   // after revocation time

// Audit trail for a specific workflow execution
GET /passport/admin/audit
  ?managedIdentityId=mi-guid-1234
  &metadata.workflowId=wf-monthly-payroll
  &from=2026-05-25T06:00:00Z
  &to=2026-05-25T08:00:00Z

// Who changed the roles on this managed identity?
GET /passport/admin/audit
  ?managedIdentityId=mi-guid-1234
  &eventType=mi.roles.updated
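The first two investigation queries above (rejection bursts from one client, and token issuance against a secret after its revocation) implemented as offline triage helpers over the "events" array the audit endpoint returns. This is an added example, not Passport's own tooling; the sample events are constructed, and the top-level "reason" and "revokedBy" fields are assumed from the event-type table rather than the response sample.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of the "events" array that GET /passport/admin/audit returns.
# Field names follow the response sample above; "reason"/"revokedBy" are assumed
# from the event-type table.
SAMPLE_EVENTS = [
    {"eventType": "mi.token.rejected", "timestamp": f"2026-05-25T10:00:{i:02d}Z",
     "managedIdentityId": "mi-guid-1234", "clientIp": "203.0.113.7", "reason": "invalid_secret"}
    for i in range(6)
] + [
    {"eventType": "mi.token.rejected", "timestamp": "2026-05-25T10:05:00Z",
     "managedIdentityId": "mi-guid-1234", "clientIp": "10.0.1.55", "reason": "invalid_secret"},
    {"eventType": "mi.token.issued", "timestamp": "2026-05-25T10:30:00Z",
     "managedIdentityId": "mi-guid-1234", "secretId": "sec-guid-OLD", "clientIp": "10.0.1.55", "tokenId": "tok-1"},
    {"eventType": "mi.secret.revoked", "timestamp": "2026-05-25T11:00:00Z",
     "managedIdentityId": "mi-guid-1234", "secretId": "sec-guid-OLD", "revokedBy": "admin-user-1", "reason": "rotation"},
    {"eventType": "mi.token.issued", "timestamp": "2026-05-25T11:15:00Z",
     "managedIdentityId": "mi-guid-1234", "secretId": "sec-guid-5678", "clientIp": "10.0.1.55", "tokenId": "tok-2"},
    {"eventType": "mi.token.issued", "timestamp": "2026-05-25T11:20:00Z",
     "managedIdentityId": "mi-guid-1234", "secretId": "sec-guid-OLD", "clientIp": "10.0.1.56", "tokenId": "tok-3"},
]

def parse_ts(value):
    """Audit timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def rejection_bursts(events, threshold=5):
    """Group mi.token.rejected by (identity, clientIp) and return the pairs at or
    over the threshold: the 'possible brute force' query, scored per source."""
    counts = Counter((e["managedIdentityId"], e["clientIp"])
                     for e in events if e["eventType"] == "mi.token.rejected")
    return {pair: n for pair, n in counts.items() if n >= threshold}

def revocation_time(events, secret_id):
    """Timestamp of the earliest mi.secret.revoked event for secret_id, or None."""
    times = [parse_ts(e["timestamp"]) for e in events
             if e["eventType"] == "mi.secret.revoked" and e.get("secretId") == secret_id]
    return min(times) if times else None

def issuances_after_revocation(events, secret_id):
    """tokenIds issued against secret_id after its revocation. A completed
    rotation returns an empty list; anything else is a finding."""
    cutoff = revocation_time(events, secret_id)
    if cutoff is None:
        raise ValueError(f"no mi.secret.revoked event for {secret_id}")
    return [e["tokenId"] for e in events
            if e["eventType"] == "mi.token.issued" and e.get("secretId") == secret_id
            and parse_ts(e["timestamp"]) > cutoff]
```

In practice the events list would be the concatenated "events" arrays from the paged tenant-wide query, which is why the helpers key on managedIdentityId rather than assuming a single identity.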

Retention and Export

Managed identity audit events are retained for the same period as all Passport audit logs — default 90 days, configurable up to 7 years for compliance requirements. Events can be exported to external SIEM systems:

// Configure audit log export to external SIEM
POST /passport/admin/audit/export-config
Authorization: Bearer {admin-token}
Content-Type: application/json

{
  "destination": "azure-event-hub",
  "eventHubConnectionString": "Endpoint=sb://...",
  "eventHubName":             "passport-audit",
  "filter": {
    "eventTypes": ["mi.token.rejected", "mi.secret.revoked", "mi.disabled"],
    "tenantIds":  ["tenant-abc"]
  },
  "includeServiceAccountEvents": true
}

// Or export to Azure Monitor Logs
{
  "destination":       "azure-monitor",
  "workspaceId":       "log-analytics-workspace-id",
  "workspaceKey":      "{key}",
  "customLogName":     "PassportManagedIdentityAudit"
}

Audit Log Is Append-Only

Audit log entries cannot be modified or deleted by any API call, including admin calls. Even deleting a managed identity does not remove its historical audit events — the events are retained for the full retention period so that security investigations can reconstruct the complete history of a decommissioned identity.