Troubleshooting Filters in AAD Analytic Logs for WAM Interactions

6 months ago
Ruian Ding
2 minutes

Overview

Web Account Manager (WAM) plays a crucial role in AAD device workplace join and Microsoft native app authentication, so understanding its log is very helpful for effective troubleshooting. In this post, we will explore some specific keywords that can help us pinpoint the issues related to WAM interactions.

WAM Interactions

1. Identifying Token Broker Operation Requests

When you need to track the behavior of calls made to WAM (specifically the AadTokenBrokerPlugin), look for the following keyword in your logs:

Calling the Broker: Code: 0x4AA50119 Token broker operation request parameters.

This keyword is essential for identifying the parameters involved in a token broker operation request.

For common client id you might encounter is 1fec8e78-bce4-4aaf-ab1b-5451cc387264, which is typically associated with Microsoft Teams.
In the above example is ecd6b820-32c2-49b6-98a6-444530e5a77, which is the Microsoft Edge app client id.

2. Monitoring WAM Popup Interactions

WAM pop-up interactions are another critical area to monitor. To do this, search for the following keywords:

Start of UI Flow: Code: 0x4AA90011 UI flow started.

This indicates the initiation of a user interface flow in WAM.

Completion of UI Flow: Code: 0x4AA9000E UI Flow is completed.

This signifies the completion of the UI flow, marking an important checkpoint in the process.

3. Verifying Successful WAM Requests

To confirm that WAM has successfully processed a request (where the user has completed verification in the WAM pop-up), use this keyword:

Successful Processing: redeem

This keyword helps in verifying that the user has successfully navigated the WAM interface and completed the necessary steps.

4. Tracking Token Writing Back to PRT

An important aspect of troubleshooting involves checking whether WAM is attempting to write the token back to the Primary Refresh Token (PRT). For this, search for:

Token Update Attempt: updatePRT

This keyword is critical for understanding if WAM is successfully updating the PRT with the new token information.

Conclusion

Effective troubleshooting in AAD Analytics requires a deep understanding of specific keywords, especially when dealing with WAM interactions. By using these keywords to filter your logs, you can more efficiently diagnose and resolve issues related to token operations, UI flows, and token management in WAM. Stay tuned for more insights on optimizing your AAD troubleshooting processes.