Azure AD Activity Logs in Azure Monitor Diagnostics now in public preview

First published on CloudBlogs on Jul, 26 2018
Howdy folks, Today, we’re turning on the public preview of Azure AD Activity Logs in Azure Monitor (Azure’s platform-wide monitoring service) — offering you long-term retention as well as seamless integration. These improvements and new capabilities offer you:

• Long-term retention by routing logs to your own Azure storage account.
• Seamless SIEM integration without writing or maintaining any custom scripts.
• Seamless integration with your own custom solutions, analytics tools or incident management solutions.

Many of our largest customers participated in the private preview of this feature. I’d like to thank all of them for their help and feedback. On average, they saw a 60 percent reduction in the time admins spent getting Azure AD Activity Logs. They also reported how easy the service is to use. Azure AD Activity Logs in Azure Monitor Diagnostics is simple to configure and only requires an Azure subscription . With a simple click, you can route the logs to your storage account or Event Hub. In addition, you can set this up with your SIEM tool, custom apps, or any service management systems through Event Hub integration within minutes. Here are some screenshots of configuring data with Azure Monitor, and viewing it with two of our SIEM partners, SumoLogic and Splunk:

Figure 1: Azure Monitor Diagnostic settings for Azure AD Logs.

Figure 2: Sumo logic app showing Azure AD Logs (integrated through Azure Monitor).

Figure 3: Sumo logic app based on Azure AD Logs (integrated through Azure Monitor Event Hub).

Figure 4: Splunk reports based on Azure AD Sign-ins.

This strategy for routing logs is consistent with other Azure resources as well. (You can find the details here about which Azure resources offer this functionality.)

Get started

To help get you started with Azure AD Activity Logs in Azure Monitor Diagnostics, we’ve put together some helpful resources

• Overview of Azure AD Activity Logs in Azure Monitor Diagnostics —An in-depth look at the feature.
• Planning guide —Outlines the costs involved for using this feature.
• Archive data using storage account —Support to help you configure your Azure AD logs to be routed to your Azure storage account.
• Stream data to Event Hub —Support to help you configure your Azure AD logs to be routed to your Azure event hub.
• Configuration examples from our SIEM partners —Learn which SIEM tools are currently supported and who supports Event Hub integration.

What’s next?

As we work to bring this feature to general availability, we would really appreciate it if you could take a survey providing feedback on this feature . In addition, please add your voice to this feature through the Azure AD Reporting forum . Best Regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division