How to achieve tenant-wide audit logging beyond Delegated Admin Extension?

Continuing the discussion from Why are user_name fields N/A in Api_operation logs?:

The proposed solution using the Delegated Admin Extension does not solve my problem due to its limitations:

  • Scoped to organizations, not the entire tenant. Our use case is broader: we need tenant-wide auditability.

  • Captures actions performed in the extension only. Actions made via API or dashboard outside the extension are not covered.

  • Introduces additional complexity in setup, management, and user flow.

  • Does not log organization-level configuration changes (e.g., modifying organization settings).

Example gaps we’re seeing today in Auth0 logs:

  • When a user is removed from the tenant, the logs only show who performed the removal, not which user was removed.

  • When a role is removed from a user, the logs do not indicate which role was removed, only who initiated the action.

  • When an invitation is revoked, the logs capture who revoked it but not which invitation (or invitee) was affected.

These details are critical for auditability, as they tell us not just who did something, but also what (or who) was impacted.

Is there a recommended approach (or planned feature) to achieve comprehensive tenant-wide audit logging that includes API operations, dashboard changes, and organization-level configuration updates?

Hi @vitor.fernandes

I am sorry about the delayed response to your inquiry!

Regarding the situation at hand, are you not able to determine both who performed the action and the affected user by following this knowledge article?

Regarding logging any user role changes using the extension, as our documentation states regarding the user roles:

When logging in as a user using Organizations with Delegated Administration Extension (DAE), your user roles will not be available. Only your Organization member roles will be available within event.authorization.roles.

If you are talking about logging organization roles, you should be able to do that just fine; you can also try adding their normal roles as app metadata and accessing them that way.

Otherwise, the extension itself is designed to log events in the scope of an organization, so naturally it would not have access to any other tenant-wide changes performed.
In order to have more comprehensive audit logging, I would recommend setting up log streaming to capture all the necessary information.

Please let me know if the information above is helpful regarding the matter and if you have any other questions!

Kind Regards,
Nik

1 Like
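
One way to process streamed events so that each record names both the actor and the affected object, covering the three gaps listed in the question. This is an added example, not code from the original posts or from Auth0. It assumes Management API events arrive with type `sapi` and carry `details.request.method`, `path`, `body` and `auth.user`; the route list, function names and sample events are constructed, so check the layout against events from your own tenant.

```python
import re
from urllib.parse import unquote

# Management API routes behind the three gaps in the question, plus an
# organization settings update. Matched against details.request.path.
ROUTES = [
    ("DELETE", r"/api/v2/users/(?P<user_id>[^/]+)", "user_deleted"),
    ("DELETE", r"/api/v2/users/(?P<user_id>[^/]+)/roles", "roles_removed"),
    ("DELETE", r"/api/v2/organizations/(?P<org_id>[^/]+)/invitations/(?P<invitation_id>[^/]+)",
     "invitation_revoked"),
    ("PATCH", r"/api/v2/organizations/(?P<org_id>[^/]+)", "organization_updated"),
]

def audit_record(event):
    """Map one streamed log event to who did what to which object, or None."""
    if event.get("type") != "sapi":  # assumed type code for Management API successes
        return None
    req = (event.get("details") or {}).get("request") or {}
    method, path = str(req.get("method", "")).upper(), req.get("path", "")
    user = (req.get("auth") or {}).get("user") or {}
    # Unmapped routes still produce a record, so coverage gaps stay visible.
    record = {"actor": user.get("email") or user.get("user_id") or "unknown",
              "action": "unmapped", "target": {"path": path}}
    for verb, pattern, action in ROUTES:
        match = re.fullmatch(pattern, path)
        if verb == method and match:
            record["action"] = action
            record["target"] = {k: unquote(v) for k, v in match.groupdict().items()}
            if action == "roles_removed":  # role ids travel in the request body
                record["target"]["roles"] = (req.get("body") or {}).get("roles", [])
    return record

def sample_event(method, path, body=None):
    # Constructed sample event, not captured from a real tenant.
    return {"type": "sapi", "details": {"request": {
        "method": method, "path": path, "body": body or {},
        "auth": {"user": {"user_id": "auth0|admin1", "email": "admin@example.com"}}}}}

SAMPLE_EVENTS = [
    sample_event("delete", "/api/v2/users/auth0%7Cuser42"),
    sample_event("delete", "/api/v2/users/auth0%7Cuser42/roles", {"roles": ["rol_EXAMPLE"]}),
    sample_event("delete", "/api/v2/organizations/org_EXAMPLE/invitations/uinv_EXAMPLE"),
    {"type": "s", "user_id": "auth0|user42"},  # constructed login event, ignored
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(audit_record(ev))
```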