Azure AD Mailbag: Tips for Azure AD reporting and monitoring your day-to-day activities
Published Aug 23 2019 09:00 AM 13.6K Views
Greetings!

This is Sue Bohn, Director of Program Management for Identity and Access Management. One area where we invest a lot of time with our customers is Azure AD logs. Why? Because that's where all the insights about your environment reside. These logs can be a real treasure trove; you're only limited by the questions you ask of the data. Peter, Mark, and Dhanyah spend a lot of time with our Azure AD logs and share the answers to the most common customer questions here.

------

Hey there,

I'm Peter Lenzke from the Azure AD Get-to-Production team. While working with some of our enterprise customers, they've asked me what they should be using the logs for from a day-to-day perspective. This post addresses some of the most common questions we receive.

We've also released a new deployment plan for Azure AD monitoring, which you will find at http://aka.ms/deploymentplans.

Q1: I can see the sign-ins logs and audit logs in the Azure AD portal, isn't that enough for my daily admin tasks?

In some cases it isn't. The activity logs in Azure AD (sign-ins and audit events) are retained for only 30 days in the cloud back-end, and most enterprise companies need to retain the logs for a longer period of time.

The other reason this isn't enough is that many companies already have an existing security information and event management (SIEM) system to which they want to send the logs.

Another option is to use Azure Monitor. This gives you quick and easy insights into your Azure AD activities directly from the Azure portal. The chart below helps you decide which integration fits your scenario.

[Image: Mailbag1.png, chart for choosing a log integration]

Q2: What information can be found in the sign-ins logs?

The sign-ins logs are typically the first stop when you investigate security incidents as well as any sign-in issues. Today, we show all interactive sign-ins to Azure AD integrated applications. This means that every time a user signs into such an app, it is logged. In the future, we will add non-interactive sign-ins, such as service principal and refresh token sign-ins, to the logs.

Be aware that federated user sign-ins that fail at the federation server (ADFS) level and never reach Azure AD will not show up in the logs today.

Once you look into the sign-ins logs, you will find important information such as the user, application, device, multi-factor authentication (MFA), and conditional access status for each sign-in. To speed up investigations, we collect all the information needed in case you open a support ticket.

[Image: mailbag2.png, sign-in details in the Azure AD portal]

Q3: How do I integrate the sign-ins logs into Azure Monitor?

To send the sign-ins and audit logs to Azure Monitor, formerly known as Azure Log Analytics, you must configure the diagnostic settings in the Azure AD – Monitoring blade and specify an Azure Log Analytics workspace in your Azure subscription. The logs will automatically flow to your workspace, and you can start using the information there or simply go to the Insights blade under Azure AD – Monitoring to view our pre-configured reports.

[Image: mailbag3.png, diagnostic settings under Azure AD – Monitoring]

Q4: Only the security team in my organization needs this, right?

Although the security teams are quite interested in the sign-ins logs as well as the audit logs, many other teams will benefit from these insights. Your service desk might need the sign-ins logs to investigate incidents where users were unable to sign into applications. Your identity and access management (IAM) team might want operational insights on usage and trends such as conditional access, MFA, self-service password reset or application usage. And of course you want to track down the usage of legacy authentication in your organization in order to retire it in the future.

Q5: OK, I get the point. But what if I'm looking for a specific report that is not available out of the box?

We often see customers dumping all logs into an existing SIEM system without knowing what to look for. With the Azure Monitor integration, we provide a powerful query language called Kusto (KQL) in which admins can create their own reports and insights in minutes.

In the first example we search the Azure AD audit logs for accounts that have been successfully added to the Global Administrator role and project the result by initiator and target account.

[Image: mailbag4.jpg, first example query and its results]

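A query of the kind described above, written here as an added example rather than the article's own screenshot. It assumes the AuditLogs table as delivered to Log Analytics by the Azure AD diagnostic settings (columns OperationName, Result, InitiatedBy, TargetResources) and the role display name "Global Administrator":

```kql
// Added example: successful additions to the Global Administrator role,
// listed by who initiated the change and which account was added.
// Assumes the AuditLogs table schema exposed through the Azure Monitor
// integration; adjust column names if your workspace differs.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Add member to role" and Result == "success"
// TargetResources is a dynamic array; the added account is one entry
| mv-expand Target = TargetResources
// the role name travels in the modifiedProperties of that target resource
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| where tostring(Prop.newValue) has "Global Administrator"
| project TimeGenerated,
          // a user or an application (service principal) can initiate the change
          Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                               tostring(InitiatedBy.app.displayName)),
          TargetAccount = tostring(Target.userPrincipalName),
          // newValue is a JSON-encoded string, so strip the surrounding quotes
          Role = trim('"', tostring(Prop.newValue))
| order by TimeGenerated desc
```

Role assignments made through Privileged Identity Management are recorded under different OperationName values, so extend the OperationName filter if you use PIM.
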
In the second example we stack-rank the sign-ins to our applications and display them in a pie chart.

[Image: mailbag5.png, second example query rendered as a pie chart]

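The stack-ranking query from the second example, added here as an illustration and not taken from the article's screenshot. It assumes the SigninLogs table as delivered by the Azure AD diagnostic settings, where ResultType is a string and "0" denotes a successful sign-in:

```kql
// Added example: rank applications by successful interactive sign-ins
// over the last 7 days and render the result as a pie chart.
// Assumes the SigninLogs table schema exposed through the Azure Monitor integration.
SigninLogs
| where TimeGenerated > ago(7d)
// ResultType "0" is success; any other value is an Azure AD error code
| where ResultType == "0"
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by AppDisplayName
// keep the chart readable by showing only the ten busiest applications
| top 10 by SignIns desc
| render piechart
```
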
Q6: Do you have any pre-built queries I can start with?

Yes. We have some pre-built workbooks that focus on common issues such as sign-ins with errors and legacy authentication. The best part is that you can use these as a jumping-off point to create your own queries. You can read more about them here.

Q7: I see these are written in KQL. Do you have resources so I can learn this new language?

Yes! We have some documentation around this here, and there is a free Pluralsight class that covers a lot of what you need to know in only a few hours. You can find that here.

For any questions you can reach us at AskAzureADBlog@microsoft.com, on Tech Communities or on Twitter at @AzureAD, @MarkMorow and @Alex_A_Simons. You can also ask questions in the comments of this post.

-Peter Lenzke, Mark Morowczynski and Dhanyah Krishnamoorthy

5 Comments
Copper Contributor

@Sue Bohn what's the ETA for service principal logs? 

Brass Contributor

What about #sentinel option?

Copper Contributor

@SpartanWaycomau are you asking if it's connected to Sentinel or offering me a suggestion?

Brass Contributor

Hi @Carlos-Authentix (I like the name, reminds me of some Gauls)

All I was trying to understand is how all this comes together as an ecosystem under AAD activity, so we can finally get a handle on #cybersecurity in #azure, #aad and #o365 / #m365

I'm asking for guidance from #msft, if anything ...

It's way too fragmented to manage at the moment, hence asking about feeding to #sentinel instead?

Copper Contributor

Log Analytics needs to reduce its ingress costs and be more customisable for the events that are consumed, rather than having to enable full-bore logging just to get classic AD group deletes.

Version history
Last update:
‎Aug 03 2020 01:49 PM