The correct answer is D because Azure AD Audit Logs are designed to record directory-level changes inside the identity-management environment, including administrative modifications to users, groups, applications, and role-related actions. In a privilege-escalation case, investigators need to know who made the change, what was changed, and when it happened. That is exactly the kind of evidence Azure AD Audit Logs are meant to provide. In contrast, Azure AD Sign-in Logs focus on authentication attempts and sign-in context, not administrative change history. Azure Monitor Logs are broader telemetry and analytics sources, while Azure Activity Logs mainly track actions performed on Azure resource management objects at the subscription and resource level. The CHFI v11 blueprint includes cloud forensics, Azure log sources, and acquisition of cloud evidence, so the exam expects candidates to distinguish between identity-plane evidence and infrastructure-plane evidence. Since the question specifically points to changes in the organization’s identity-management environment and administrative role assignments, Azure AD Audit Logs are the most precise and defensible source for forensic review. This is consistent with Microsoft documentation that describes Entra ID audit logs as recording traceable directory changes and helping determine who made a change.