Blog Post

Microsoft Entra Blog
3 MIN READ

Azure Active Directory Activity logs in Azure Log Analytics now available

Alex Simons (AZURE)'s avatar
Alex Simons (AZURE)
Icon for Microsoft rankMicrosoft
Oct 19, 2018

Howdy folks,

 

As more and more of you adopt Azure Active Directory (AD)—the service now manages 1.1 BILLION (!!!) identities—we’ve received a ton of requests to make it easier to access and analyze the huge amounts of data the service creates on your behalf. You’ve told us you need access to all this data to do all kinds of analytics for business, operations, and security processes, and to also monitor Azure AD as a critical component of your infrastructure.

 

Today, I’m excited to announce the availability of one of our top-requested features: the ability to forward your Azure AD logs to Azure Log Analytics! With this integration, Log Analytics gives you the power to query huge amounts of your Azure AD data to find events, analyze trends, and create rich visualizations within minutes. 

 

Overview of Azure logs in Log Analytics.

This integration gives you the richness of data available through Azure AD logs to resolve cross-service scenarios. For example:

 

  • As an IT admin, you can easily troubleshoot key issues in your tenant and monitor them through alerts and notifications. For example, you can identify users or apps that use legacy auth sign-ins or generate an alert to notify you when a high-risk user using legacy auth sign-ins.

Legacy- and conditional access-based sign-ins.

  • As a SecOps admin, you can easily correlate sign-in activities of your users or apps in your tenant with any CRUD operations performed to get a complete picture of what’s going onwith your Azure resources.

User consent and sign-ins associated with those users.

  • As an Application owner, you can troubleshoot that nagging performance bottleneck on your app’s sign-in page by correlating application performance data from Azure Application Insights

Query using AppInsights and Azure AD logs.

  • As a Security admin, you now can use the Azure AD sign-in and audit logs in tandem with security logs published by Azure Security Center to assess the impact and scope of a security breach by analyzing all the user activities performed, thereby, giving answers to questions like: “What did this user access while the breach happened?” and “What resources does the user have access to?”
  • As an IT admin interested in governance, risk management, or compliance, you can get a clear view into how users are getting access. For example, are they being added to groups by admins, or by group owners, or due to changes in the user or group attributes? You can leverage this history of identity and access changes, with the details of the dates, times, and actors for each, to respond to auditor inquiries. And you can set up alerts, so you and your colleagues are notified whenever users are added to highly sensitive groups. With this data you can ensure that the correct identity and access lifecycle processes are being followed to meet the organization’s identity governance policies.

 

In addition to the above scenarios, customers now can get the Azure AD logs in the same workspace where they have their Azure logs, as well as other logs (like Office 365), to perform a broader analysis and successful monitoring of their infrastructure. 

 

Learn more

To learn more about forwarding Azure AD logs to Azure Log Analytics, check out these resources:

 

Once you try out the integration of Azure AD logs with Log Analytics, give us your valuable feedback on the either the Azure AD Tech Community or Log Analytics Tech Community. You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.

 

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

 

 

 

 

 

 

Updated Jul 24, 2020
Version 6.0
Product Announcements
  • Andy Ball's avatar
    Andy Ball
    Copper Contributor
    Nov 23, 2018

    Hi ,

     

    Are there any plans to add Azure MFA / Activity Report output into Log Analytics / Queryable via API ? We are using NPR Extension for Azure MFA and this would be useful for troubleshooting.

     

    cheers

    Andy.

  • JonasBack's avatar
    JonasBack
    Steel Contributor
    Nov 30, 2018

    This is awesome. But the GitHub only contains 2 views:

     - Azure AD Account Provisioning Events.omsview

    - AzureADSignins.omsview

     

    But I can't find the Users performing consent view. Alex Simons (AZURE), you know if it's available somewhere?

  • ozesati's avatar
    ozesati
    Copper Contributor
    Dec 30, 2019

    Same question, anyone know where we can get "Users performing consent" omsview file?

  • Tyson Navarre's avatar
    Tyson Navarre
    Copper Contributor
    Nov 28, 2018

    I was thinking the exact same thing after the pair of incidents we have seen with MFA in the past two weeks. We spun this service up to see what we could figure out on our own.

  • John_Joyner's avatar
    John_Joyner
    Brass Contributor
    Mar 02, 2020

    Not getting any data for "Azure AD Account Provisioning Events". It seems Azure AD B2C audit logs schema may have changed since this solution was published?