I realize this blog is showing some age, but the comments, conversation and details are very helpful. I am going out on a limb to see if anyone has encountered a possible solution to the following:
I understand where the logs are written on the DC(s) and that as a Domain Administrator one can connect to the DC and review the logs. Has anyone found a good solution for allowing others to view the logs to support end users as we enable this feature?
1) Essentially a central logging solution for the various Event IDs mentioned here.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor#dc-agent-admin-event-log
If all these events are collected into a central logging source, those assisting users in password changes could review the logs, identify the userID in question and inform them of the event (they chose a password on the global list).
2) I also see where you can export the Trace log to a file.
Can you export the Admin log to a file? The current format of the Admin log is unreadable by certain logging solutions, so this might provide a simple solution to export to a central location in text format. I realize it would output SAMID format, but it could be locked down and cleared every few days.
3) Has anyone built a custom solution, or does Azure AD/Azure PaaS/SaaS provide a solution where these logs can be fed back into Azure AD and appear in the AAD audit logs for review, to determine if an AD user tried to set a password on a banned list?
I am just trying to make the lives of those employees who are supporting users a bit easier and provide them with ways to identify why a user is unable to set a password, as they might not have read the announcements.
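For point 2 above, here is an added PowerShell example (not the commenter's code and not a Microsoft-provided tool) that exports the DC agent Admin log to a text/CSV file a central collector can read, keeps only a few days of history, and restricts the output folder because the rows carry SAM account names. It assumes the log name the DC agent registers (`Microsoft-AzureADPasswordProtection-DCAgent/Admin`), the global-banned-list event IDs published in the linked Microsoft doc (10016/10017 enforced, 30002/30003 audit-only), and that each event message contains a `UserName:` line; confirm all three against the doc and a real event before relying on them.

```powershell
# Added example: export Azure AD Password Protection DC agent Admin events to CSV.
# Run as a scheduled task on each DC with the DC agent installed.
param(
    [string]$OutDir = 'C:\PwdProtectionExport',   # assumption: any local folder
    [int]$KeepDays  = 3                           # clear after a few days, as the post suggests
)

$LogName  = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'   # assumption: DC agent log name
# Event IDs taken from the Microsoft doc linked in the post (verify before use):
# 10016/10017 = change/reset rejected by the global banned list
# 30002/30003 = same checks in audit-only mode
$EventIds = 10016, 10017, 30002, 30003

# Create the folder and lock it down to SYSTEM and local Administrators only.
if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
    $acl = Get-Acl $OutDir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissive ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $OutDir -AclObject $acl
}

# Pull only the rejection events from the last run window (here: last day).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = $EventIds
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when no events match

$rows = foreach ($e in $events) {
    # Assumption: the message body carries "UserName: DOMAIN\sam" on its own line.
    $user = if ($e.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated.ToString('o')
        DC          = $env:COMPUTERNAME
        EventId     = $e.Id
        AuditOnly   = ($e.Id -ge 30000)          # 3000x IDs are audit-mode variants
        UserName    = $user
        Message     = ($e.Message -replace '\r?\n', ' ')
    }
}

$file = Join-Path $OutDir ("pwdprotection-{0:yyyyMMdd}.csv" -f (Get-Date))
$rows | Export-Csv -Path $file -NoTypeInformation -Append -Encoding UTF8

# Prune exports older than the retention window so SAM IDs do not accumulate.
Get-ChildItem $OutDir -Filter 'pwdprotection-*.csv' |
    Where-Object LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) |
    Remove-Item -Force
```

Point the central log collector at the CSV folder (or forward it with the collector's file agent); helpdesk staff then search by `UserName` instead of needing Domain Admin rights on the DC.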