How Reconciliation works in Entra Audit Log Collection

This article describes the Run reconciliation setting available in the Entra Event Collection job in Cayosoft Guardian, as seen in: Change Monitoring > Jobs > Entra Event Collection – <tenant name> > Entra Audit Log Collection > Properties.

Entra audit events are retrieved via REST API polling with token-based time windows, which can occasionally result in:

• API throttling
• Token mismatches
• Audit delays

To compensate, a dedicated reconciliation process is provided for Entra jobs.

Reconciliation settings

The Run reconciliation option is designed to help identify Entra audit events that may have been missed during normal collection cycles due to API throttling, transient service issues, or missed tokens.

Cayosoft Guardian’s Change History correlation mechanism already attempts to associate change records with audit events using Entra ID's data across jobs—regardless of this setting. Therefore, initiators may still be discovered even when this box is unchecked, depending on data availability in the audit log at the time of correlation.

This setting is used when audit log gaps are suspected or confirmed, such as:

• Entra audit API throttling events
• Known network interruptions or job failures
• Compliance-driven audit completeness requirements

 

For Reconciliation setting options see the table below:

Setting	Description
Run reconciliation	If enabled, the system will periodically check for missing events that were not collected during the standard execution window.
Reconciliation period (hours)	Defines how often reconciliation runs. For example, 1 means the job checks for missed events every 1 hour.
Reconciliation window (hours)	Defines the time span to look back from the current time during reconciliation. For example, 3 means the system checks the past 3 hours of audit data.

For example, if Reconciliation period is set to 2 and Reconciliation window to 4, Cayosoft Guardian will:

1. Run reconciliation every 2 hours.
2. Look back 4 hours into Entra’s audit logs to detect missing events.

Notes

• Default behavior, i.e., Run reconciliation disabled - Cayosoft Guardian still attempts to associate change records with available audit logs if timestamps align.
• This setting is optional and only impacts the frequency and coverage of supplemental reconciliation passes.
• It does not affect Change History directly, but can improve correlation rates if used properly.