Change Guardian monitors the following in Active Directory Federation Services (ADFS):
- Application token failure/success
- Fresh credential validation success/failure
- Password change request success/failure

To configure ADFS auditing:
1. Log in as an administrator in the domain that you want to configure.
2. Open the Group Policy Management Console by running gpmc.msc from a command prompt.
3. Click Forest > Domains > Domain Name > Domain Controllers.
4. Right-click Default Domain Controllers Policy and select Edit.

   NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

5. Click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
6. To configure ADFS auditing under Object Access, select the following for Audit Application Generated: Configure the following audit events, Success, and Failure.
7. To update policy settings, run the gpUpdate command at the command prompt.
8. To open the ADFS Management snap-in, navigate to Programs > Administrative Tools > ADFS Management.
9. Click Actions and select Edit Federation Service Properties.
10. In the dialog box that opens, click the Events tab and enable it for Success and Failure.
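
To confirm that both halves of this procedure took effect, the following PowerShell check reads the effective Audit Application Generated setting with auditpol and the federation service log levels with Get-AdfsProperties. It is an added example, not part of the Change Guardian documentation; the function names are illustrative, and it assumes an elevated session on the ADFS server with English auditpol output.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the product documentation). Function names are illustrative.
# Assumptions: elevated session on the ADFS server, English auditpol display names.

function Get-AppGeneratedAuditSetting {
    # auditpol /r emits CSV; drop blank lines before parsing.
    $csv = auditpol.exe /get /subcategory:"Application Generated" /r |
        Where-Object { $_ -and $_.Trim() }
    if (-not $csv) { return $null }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

function Test-AdfsAuditConfig {
    $findings = @()

    # Effective Object Access policy on this computer after gpUpdate has run.
    $setting = Get-AppGeneratedAuditSetting
    if ($setting -ne 'Success and Failure') {
        $findings += "Audit Application Generated is '$setting', expected 'Success and Failure'. Check GPO link order."
    }

    # The Events tab of Federation Service Properties is stored in the LogLevel property.
    if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
        $logLevel = (Get-AdfsProperties).LogLevel
        foreach ($needed in 'SuccessAudits', 'FailureAudits') {
            if ($logLevel -notcontains $needed) {
                $findings += "ADFS LogLevel is missing $needed."
            }
        }
    } else {
        $findings += 'ADFS PowerShell module not found; run this on the ADFS server.'
    }

    [pscustomobject]@{
        AuditSetting = $setting
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-AdfsAuditConfig | Format-List
```

An empty Findings list means the audit subcategory and the ADFS event settings both match the procedure; any other result names the setting that still needs attention.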