This is Sue Bohn, Director of Program Management for Identity and Access Management. One area where we invest a lot of time with our customers is Azure AD logs. Why? Because that’s where all the insights about your environment reside. These logs can be a real treasure trove -- you’re only limited by the questions you ask about the data. Peter, Mark, and Dhanyah spend a lot of time with our Azure AD logs and share the answers to the most common customer questions here.
I’m Peter Lenzke from the Azure AD Get-to-Production team. While working with some of our enterprise customers, they’ve asked me what they should be using the logs for from a day-to-day perspective. This post addresses some of the most common questions we receive.
We’ve also released a new deployment plan for Azure AD monitoring which you will find at http://aka.ms/deploymentplans.
In some cases, this is not enough. The activity logs in Azure AD (sign-ins and audit events) are stored only for 30 days in the cloud back-end. Most enterprise companies need to retain the logs for a longer period of time.
The other reason this isn’t enough is that many companies already have an existing security information and event management (SIEM) system where they want to send the logs to.
Another option is to use Azure Monitor. This can give you quick and easy insights into your Azure AD activities directly from the Azure portal. The chart below helps you decide which integration would fit your scenario.
The sign-ins logs are typically the first stop when you investigate security incidents as well as any sign-in issues. Today, we show all interactive sign-ins to Azure AD integrated applications. This means that every single time a user signs into such an app, it is logged. In the future, we will add non-interactive sign-ins like service principals or refresh tokens to the logs.
Be aware that federated user sign-ins, which fail at the federation server (ADFS) level and never reach Azure AD, will not show up in the logs today.
Once you look into the sign-ins logs, you will find important information such as the user, application, device, multi-factor authentication (MFA), and conditional access status per sign-in. To speed up investigations, we collect all information needed in case you open a support ticket.
In order to send the sign-ins and audit logs to Azure Monitor, formerly known as Azure Log Analytics, you must configure the diagnostic settings in the Azure AD – Monitoring blade and specify an Azure Log Analytics workspace in your Azure subscription. The logs will automatically flow to your workspace and you can start using the information there or simply go to the insights blade under Azure AD – Monitoring to view our pre-configured reports.
Although the security teams are quite interested in the sign-ins logs, as well as the audit logs, many other teams will benefit from these insights. Your service desk might need the sign-ins logs to investigate incidents of users who were unable to sign into applications. Or your identity and access management (IAM) team wants to gain operational insights on usage and trends like conditional access, MFA, self-service password reset or application usage. And of course, you want to track down the usage of legacy authentication in your organization in order to get rid of this in the future.
We often see customers dumping all logs into an existing SIEM system without knowing what to look for. With the Azure Monitor integration, we provide a powerful query language called Kusto with which admins can create their own reports and insights in minutes.
In the first example we search the Azure AD audit logs for accounts which have been successfully added to the global admin role and project this by initiator and target account.
In the second example we stack rank the sign-ins to our applications and display them in a pie chart.
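Both queries described above, written out as an added example rather than the post’s own screenshots. They assume the standard AuditLogs and SigninLogs tables that the Azure AD diagnostic setting streams into a Log Analytics workspace:

```kusto
// Example 1: successful additions to the Global Administrator role,
// projected by initiator and target account.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Add member to role"
| where Result == "success"
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so parse it to drop the surrounding quotes
| extend RoleName = tostring(parse_json(tostring(Prop.newValue)))
| where RoleName == "Global Administrator"
// the initiator is either a user or an application (service principal)
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| extend TargetAccount = tostring(Target.userPrincipalName)
| project TimeGenerated, Initiator, TargetAccount, RoleName, CorrelationId
| order by TimeGenerated desc

// Example 2: stack-rank successful sign-ins by application over the last week
// and render the top ten as a pie chart.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"          // "0" = successful sign-in
| summarize SignIns = count() by AppDisplayName
| top 10 by SignIns desc
| render piechart
```

Pin the first query to a Log Analytics alert rule if you want to be notified of every new Global Administrator rather than discovering it during an investigation.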
Yes. We have some pre-built workbooks that focus on common issues such as sign-ins with errors and legacy authentication. The best part is that you can use these as a jumping-off point to create your own queries. You can read more about them here.
-Peter Lenzke, Mark Morowczynski and Dhanyah Krishnamoorthy