
Today, I am excited to announce that the integration of Azure AD Activity Logs with Azure Monitor is now generally available in the public cloud. This is one of our customers' top requested features, and when we announced the public preview of Azure AD Logs in Log Analytics a few months back, there was a lot of excitement around it.


Here’s what one customer had to say about the feature:


“I think we’re only beginning to scrape the surface of what’s possible with Log Analytics. So far, Log Analytics has proven very useful to analyze past traffic to help us shape our future conditional access policies. Perhaps the biggest challenge is unleashing your mind to imagine and explore of the cool stuff we could be doing with this.” — Associate director of IT Architecture at a research company.


Over the past few months, many of our customers have leveraged the Azure Monitor features including Log Analytics and provided valuable feedback on how to make it better. We listened to your feedback and made it easier for you to get the visualizations you need about Azure AD Activity logs.

 

The newly released Insights feature helps you easily gain insights into your Azure AD resources using our pre-built interactive templates, called Workbooks in Log Analytics. These pre-built templatized reports give you a lens into various aspects of Azure AD instances.
Here are a few pre-built Workbooks:

 

  • Sign-ins: Provides sign-in insights for apps and users, including sign-in location, OS or browser client/version used, and number of successful and failed sign-ins.
  • Legacy authentication and conditional access: Provides insights into users or apps using legacy authentication in your tenant. Helps you understand MFA usage triggered by conditional access policies, apps using conditional access policies, etc.
  • Sign-in failure analysis: Troubleshoot sign-ins and identify the top sign-in errors in your organization. Using this information, you can determine if the error occurred due to a user action, policy issues, or infrastructure.

In addition to these Workbooks, you can create your own reports using the Azure AD Logs by clicking the New button at the top. You can also edit the pre-built Workbooks to customize for your needs.
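
As an added example (not one of Microsoft's pre-built Workbook queries), a custom report along the lines of the legacy authentication Workbook could start from a Log Analytics query like this one. It assumes Azure AD sign-in logs are routed to the workspace's SigninLogs table and treats every client type other than the two listed as legacy; the 30-day window is an arbitrary choice.

```kusto
// Legacy-authentication sign-ins per user, app and client protocol.
// Assumption: Azure AD sign-in logs are sent to this workspace (SigninLogs table).
let lookback = 30d;  // arbitrary reporting window
// Client types treated as modern authentication; anything else counts as legacy here.
let modernClients = dynamic(["Browser", "Mobile Apps and Desktop clients"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(ClientAppUsed) and ClientAppUsed !in (modernClients)
| summarize
    Attempts            = count(),
    Successes           = countif(ResultType == "0"),   // "0" means the sign-in succeeded
    Failures            = countif(ResultType != "0"),
    NoConditionalAccess = countif(ConditionalAccessStatus == "notApplied"),
    DistinctIPs         = dcount(IPAddress),
    LastSeen            = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName, ClientAppUsed
| order by Successes desc, Attempts desc
```

Rows with a high Successes count show who would be affected by a policy that blocks legacy authentication, and NoConditionalAccess shows how many of those sign-ins no conditional access policy applied to.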

 

Get Started

To get started, simply go to the Insights page within Azure AD where you can access the Insights gallery and pre-built Workbooks. Learn more about Azure AD Workbooks and how to create, edit, and clone them.

 

[Figure: Azure AD Insights (Workbooks) gallery.]

[Figure: Sign-in Failures analysis.]

[Figure: Sign-ins with conditional access details.]

[Figure: Legacy or Basic Auth insights.]

 

Next Steps

If you are using Azure Monitor for the first time, check out the cool demo video on how to maximize your integration story. You can also find reference documentation on how to install our pre-built views. If you want to integrate Azure AD Logs with your SIEM tools, check out the integration docs for Sumologic, ArcSight, and Splunk. In addition, check out the recently published blog post on how to interpret the Azure AD logs.


Learn more about Azure AD Workbooks and how to create, edit, and make them your own. As always, we'd love to receive any suggestions or feedback you have, so please comment below or on the Azure AD feedback forum.


Best regards,

 

Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division