This is Sue Bohn, Director of Program Management for Identity and Access Management. One area where we invest a lot of time with our customers is Azure AD logs. Why? Because that’s where all the insights about your environment reside. These logs can be a real treasure trove -- you’re only limited by the questions you ask about the data. Peter, Mark, and Dhanyah spend a lot of time with our Azure AD logs and share the answers to the most common customer questions here.
I’m Peter Lenzke from the Azure AD Get-to-Production team. While working with some of our enterprise customers, they’ve asked me what they should be using the logs for from a day to day perspective. This post will address some of the most common questions we receive.
Q1: I can see the sign-ins logs and audit logs in the Azure AD portal, isn´t that enough for my daily admin tasks?
In some cases, this is not enough. The activity logs in Azure AD (sign-ins and audit events) are stored only for 30 days in the cloud back-end. Most enterprise companies need to retain the logs for a longer period of time.
The other reason this isn’t enough is that many companies already have an existing security information and event management (SIEM) system where they want to send the logs to.
Another option is to use Azure Monitor. This can give you quick and easy insights into your Azure AD activities directly from the Azure portal. The chart below helps you decide which integration would fit your scenario.
Q2: What information can be found in the sign-ins logs?
The sign-ins logs are typically the first stop when you investigate security incidents as well as any sign-in issues. Today, we show all interactive sign-ins to Azure AD integrated applications. This means that every single time a user signs into such an app, it is logged. In the future, we will add non-interactive sign-ins like service principals or refresh tokens to the logs.
Be aware that federated user sign-ins, which fail at the federation server (ADFS) level and never reach Azure AD, will not show up in the logs today.
Once you look into the sign-ins logs, you will find important information such as the user, application, device, multi-factor authentication (MFA), and conditional access status per sign-in. To speed up investigations, we collect all information needed in case you open a support ticket.
Q3: How do I integrate the sign-ins logs into Azure Monitor?
In order to send the sign-ins and audit logs to Azure Monitor, formerly known as Azure Log Analytics, you must configure the diagnostic settings in the Azure AD – Monitoring blade and specify an Azure Log Analytics workspace in your Azure subscription. The logs will automatically flow to your workspace and you can start using the information there or simply go to the insights blade under Azure AD – Monitoring to view our pre-configured reports.
Q4: Only the security team in my organization need this, right?
Although the security teams are quite interested in the sign-ins logs, as well as the audit logs, many other teams will benefit from these insights. Your service desk might need the sign-ins logs to investigate incidents of users who were unable to sign into applications. Or your identity and access management (IAM) team wants to gain operational insights on usage and trends like conditional access, MFA, self-service password reset or application usage. And of course, you want to track down the usage of legacy authentication in your organization in order to get rid of this in the future.
Q5: Ok I got the point. But what if I´m looking into a specific data report which is not available out of the box?
We often see customers dumping all logs into an existing SIEM system without knowing what to look for. With the Azure Monitor integration, we provide a powerful query language called Kusto where admins create their own reports and insights in minutes.
In the first example we search the Azure AD audit logs for accounts which have been successfully added to the global admin role and project this by initiator and target account.
In the second example we stack rank the sign-ins to our applications and display them in a pie chart.
Q6: Do you have any pre-built queries I can start with?
Yes. We have some pre-built workbooks that focus on common issues such as sign-ins with errors and legacy authentication. The best part is you can use these as a jumping off point to create your own queries. You can read more about them here.
Q7: I see these are written in KQL, do you have resources so I can learn this new language?
Yes! We have some documentation around this here, but there is a FREE Pluralsight class that covers a lot of what you need to know in only a few hours. You can find that here.