
JustinC.61274 (Customer) asked a question.
Is it possible to get logs for when a user was added to an AD group that is synced to Okta?
Current queries based on group.user_membership.add exist only for local Okta groups, not AD groups.
I'm okay if the timing is off, in the sense that they could've been added to the AD group before sync so the time isn't 100% accurate, but I would at least like to know when they were added to the group by Okta log standards.
Oddly enough, I can query the data of the group using the groups/${groupID}/users API call, but not for entry/removal.
Should it be possible to query, would a removal of the group be possible via API too?
Thanks!

Hello Justin,
Adding a user to a group in AD should be reflected in Okta immediately (Perform RealTimeSync by AD agent); the Event Info is: "Successfully imported new member to an app group".
Just take into consideration that syslogs are kept for 90 days only.
Full sample:
```
Aug 02 13:16:33 Okta System (SystemPrincipal) Successfully imported new member to an app group success Juan Chacon (AppUser) GROUP1 (AppGroup) 2 more targets
Aug 02 13:16:33 JD Chacon (User) Perform RealTimeSync by AD agent success Active Directory
```
I also checked the Okta API documentation but it seems we cannot get the information from there.
Users API
https://developer.okta.com/docs/reference/api/users/
Feel free to reach out if you have any other questions.
JD Chacon
Tier 2 Technical Support
OK, I think I made some progress on this based on what you said.
Here is the new excerpt:
```
url = oktaURL+"/api/v1/logs?filter=eventType eq \"app.user_management\" and target.displayName eq \"sdl-okta-o365-AllowAnywhere\""
```
And this part tells me if they were added to or removed from the group:
```
print("Action:", responseDATA[innerCOUNT]['displayMessage'])
```
The only problem is, and it might be related to what you are saying, that when I run the API call, even though I can parse response.links, the total count is 79 users and it only loops 1 page.
My logic for parsing the second page is that if the next URL is the same as the URL presently used, it would initiate a break, since the logs always have a next page.
When I look at the group itself, it has over 1k members in it.
If I do the same query by changing the date to search from 6/1 to 8/2, I get over 2k results.
So it begs the question of 1. how to properly do a since=, because I can't successfully query the API call with since= using the following code:
```
weekAGO = (startTIME - timedelta(days=7))
weekAGOiso = (weekAGO.isoformat())
```
and 2. why am I not able to parse multiple pages if the logs have thousands of entries.
Here is an excerpt from the script for checking purposes:
```
LEN: 79
Published time: 2021-07-27T00:40:24.934Z
Action: Successfully imported new member to an app group
user 1
sdl-okta-o365-AllowAnywhere
sdl-okta-o365-AllowAnywhere found
Published time: 2021-07-27T08:15:11.507Z
Action: Successfully deleted member of an app group
user 2
sdl-okta-o365-AllowAnywhere
sdl-okta-o365-AllowAnywhere found
Published time: 2021-07-27T15:50:18.298Z
Action: Successfully imported new member to an app group
user 3
sdl-okta-o365-AllowAnywhere
sdl-okta-o365-AllowAnywhere found
```
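An added example, not part of the original thread: one way to build a bounded `since`/`until` System Log query for the group-membership events discussed above and walk every page through the `next` link. The function names, the `example.okta.com` base URL and the sample pages are constructed for illustration; `fetch` is assumed to return the same shapes as `response.json()` and `response.links` in the `requests` library.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

def okta_timestamp(dt):
    """UTC ISO 8601 with milliseconds and a Z suffix; dt must be timezone-aware."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def logs_url(base, group, since, until, limit=1000):
    """Build a bounded, URL-encoded System Log query for one app group."""
    flt = f'eventType eq "app.user_management" and target.displayName eq "{group}"'
    params = {"filter": flt, "since": okta_timestamp(since),
              "until": okta_timestamp(until), "limit": limit}
    return f"{base}/api/v1/logs?" + urlencode(params, quote_via=quote)

def iter_events(url, fetch):
    """Yield events page by page; fetch(url) returns (events, links)."""
    seen = set()
    while url and url not in seen:   # guard against a next link that repeats
        seen.add(url)
        events, links = fetch(url)
        if not events:               # an empty page ends the walk, next link or not
            break
        yield from events
        url = links.get("next", {}).get("url")

# Constructed sample pages standing in for HTTP responses (not real log data).
ADDED = "Successfully imported new member to an app group"
REMOVED = "Successfully deleted member of an app group"
PAGES = {
    "page1": ([{"published": "2021-07-27T00:40:24.934Z", "displayMessage": ADDED},
               {"published": "2021-07-27T08:15:11.507Z", "displayMessage": REMOVED}],
              {"next": {"url": "page2"}}),
    "page2": ([{"published": "2021-07-27T15:50:18.298Z", "displayMessage": ADDED}],
              {"next": {"url": "page3"}}),
    "page3": ([], {"next": {"url": "page3"}}),
}

def fake_fetch(url):
    return PAGES[url]

def summarize(start_url, fetch=fake_fetch):
    return [(e["published"], e["displayMessage"]) for e in iter_events(start_url, fetch)]

if __name__ == "__main__":
    now = datetime(2021, 8, 2, 13, 16, 33, tzinfo=timezone.utc)
    print(logs_url("https://example.okta.com", "sdl-okta-o365-AllowAnywhere",
                   now - timedelta(days=7), now))
    for row in summarize("page1"):
        print(row)
```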