Azure Documentation

Monitoring Azure Active Directory

This document provides comprehensive guidance on monitoring Azure Active Directory (Azure AD), including setting up alerts, analyzing logs, and using various Azure services to gain insights into your directory's security and operational status.

Note: Azure AD is now Microsoft Entra ID. Portal labels and product names have changed, but the Log Analytics table names (SigninLogs, AuditLogs and the AAD-prefixed tables) and the diagnostic setting category names have not, so older queries and runbooks continue to work.

Key Monitoring Areas

  • Sign-in Activity: Track user and administrative sign-ins, identify suspicious activities, and monitor sign-in failures.
  • Audit Logs: Review changes made within your Azure AD tenant, such as user creations, group modifications, and application assignments.
  • Provisioning Logs: Monitor the success and failure of provisioning operations for applications and services.
  • Risky Sign-ins and Users: Detect and investigate potential security risks flagged by Azure AD Identity Protection.
  • Health and Performance: Monitor the availability and performance of Azure AD services.

Tools and Services for Monitoring

Azure Monitor

Azure Monitor is a powerful platform for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. For Azure AD, it offers:

  • Diagnostic Settings: Configure the tenant to route Azure AD log categories (sign-in, audit, provisioning, risk) to a Log Analytics workspace, an Event Hub for an external SIEM, or an Azure Storage account for long-term retention. Azure AD exposes logs only through this path, not platform metrics.
  • Log Analytics: A highly scalable cloud-native service that enables you to analyze log data and query it using Kusto Query Language (KQL).
  • Workbooks: Visualize your Azure AD data with interactive reports and dashboards.
  • Alerts: Set up proactive alerts based on specific metrics or log queries to notify you of critical events.

Configuring Diagnostic Settings

To send Azure AD logs to Log Analytics:

  1. Open Microsoft Entra ID (labelled Azure Active Directory in older portal views) in the Azure portal.
  2. Under "Monitoring", select "Diagnostic settings".
  3. Click "Add diagnostic setting".
  4. Select the log categories to route, for example AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs and ManagedIdentitySignInLogs. The resulting tables are named differently from the categories: AuditLogs and SigninLogs, but AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs.
  5. Choose "Send to Log Analytics workspace" and select your workspace.
  6. Click "Save".

Routing sign-in logs requires a Microsoft Entra ID P1 or P2 licence; audit logs can be routed on the free tier. A diagnostic setting only forwards records generated after it is saved, so nothing is backfilled and the tables may take several minutes to appear.
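Once the setting is saved, confirm that records are actually arriving before building alerts on them. The query below is an added example, not part of the original page: it counts records per table over the last day and reports how stale each table is. isfuzzy=true lets the union succeed even when a table does not exist yet because no record of that category has been received.

```kql
// Added example: confirm each routed Entra ID log category is landing in the workspace.
// isfuzzy=true keeps the query running when a table has not been created yet.
union isfuzzy=true
    SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, AADProvisioningLogs
| where TimeGenerated > ago(24h)
| summarize Records = count(), LatestRecord = max(TimeGenerated) by Type
| extend MinutesSinceLastRecord = datetime_diff("minute", now(), LatestRecord)
| order by Type asc
```

A table that is missing from the output either was not selected in step 4 or has produced no events yet (AADManagedIdentitySignInLogs is often empty in small tenants). A large MinutesSinceLastRecord for SigninLogs in an active tenant usually means the setting was saved to the wrong workspace.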

Example KQL Query for Failed Sign-ins

// ResultType is a string column: "0" is success, anything else is a failure or an interruption.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
// 50074 (MFA required) and 50140 (keep-me-signed-in interrupt) are not credential failures.
| where ResultType !in ("50074", "50140")
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType, ResultDescription
| order by TimeGenerated desc
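Listing individual failures is useful for triage, but an alert should fire on volume. The following query is an added example (not from the original page) that covers the brute-force and password-spray cases described under Common Monitoring Scenarios: it buckets credential rejections per source IP per hour, labels the pattern by how many distinct accounts were targeted, and flags IPs that also produced a successful sign-in in the same window. The thresholds are assumptions to be tuned against the tenant's baseline.

```kql
// Added example: volume-based detection of brute force and password spray.
let lookback = 24h;
let failureThreshold = 20;    // assumption: tune to the tenant's normal failure rate
let sprayUserThreshold = 10;  // many distinct accounts from one IP suggests password spray
// Codes that mean a credential was actually rejected; MFA and KMSI interruptions are excluded.
//   50126 invalid username or password, 50053 account locked, 50034 user not found, 50057 user disabled
let failures = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50126", "50053", "50034", "50057")
| summarize
    Failures = count(),
    DistinctUsers = dcount(UserPrincipalName),
    SampleUsers = make_set(UserPrincipalName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, Hour = bin(TimeGenerated, 1h)
| where Failures >= failureThreshold;
// Successful sign-ins from the same addresses: a spray followed by a success is the case to chase first.
let successes = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| summarize SucceededUsers = make_set(UserPrincipalName, 10) by IPAddress;
failures
| join kind=leftouter successes on IPAddress
| extend
    Pattern = iff(DistinctUsers >= sprayUserThreshold, "Password spray", "Brute force"),
    FollowedBySuccess = isnotnull(SucceededUsers)
| project Hour, IPAddress, Pattern, Failures, DistinctUsers, SampleUsers,
          FollowedBySuccess, SucceededUsers, FirstSeen, LastSeen
| order by FollowedBySuccess desc, Failures desc
```

Wire this into an Azure Monitor log alert (or a Sentinel scheduled rule) with a frequency that matches the 1h bin. Shared egress addresses (VPN concentrators, proxies) will appear as "Password spray" on busy days; keep an allow-list of known corporate IPs rather than raising the threshold for everyone.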

Azure AD Identity Protection

Identity Protection (now Microsoft Entra ID Protection) scores each sign-in and each user for risk using Microsoft's signal, including leaked credentials, anonymous or malware-linked IP addresses, atypical travel and unfamiliar sign-in properties, and can remediate automatically through risk-based policies. The risk detections require a Microsoft Entra ID P2 licence.

  • Risk Detection: Provides detections for anomalous sign-in activity, potentially compromised credentials, and more.
  • User Risk and Sign-in Risk Policies: Configure Conditional Access policies that act on risk level. Sign-in risk policies typically require multi-factor authentication (MFA) or block the sign-in; user risk policies typically require a secure password change or block the account.
  • Reporting: Offers dedicated reports for risky sign-ins and risky users.

Best Practice: Regularly review the Risky sign-ins and Risky users reports in Azure AD Identity Protection, and route the RiskyUsers and UserRiskEvents log categories to your Log Analytics workspace so the history survives beyond the portal's retention window and can be correlated with SigninLogs.
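The portal reports show risk, but not whether your policies actually responded to it. The query below is an added example, not part of the original page: it lists medium- and high-risk sign-ins that nevertheless succeeded and shows whether MFA was enforced and whether any Conditional Access policy applied. Rows with MfaEnforced false and ConditionalAccessStatus "notApplied" are the policy gaps to close.

```kql
// Added example: risky sign-ins that succeeded, and whether a risk policy did anything about them.
// Risk columns populate only with Entra ID P2; without it RiskLevelDuringSignIn reads "hidden".
SigninLogs
| where TimeGenerated > ago(7d)
| where RiskLevelDuringSignIn in ("medium", "high")
| where ResultType == "0"
| extend MfaEnforced = AuthenticationRequirement == "multiFactorAuthentication"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          RiskLevelDuringSignIn, RiskState, RiskEventTypes_V2,
          ConditionalAccessStatus, MfaEnforced
| order by TimeGenerated desc
```

RiskState shows what happened afterwards: "remediated" means the user completed MFA or a password change, "dismissed" means an administrator closed the risk manually, and "atRisk" means nothing has addressed it yet.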

Microsoft Sentinel (formerly Azure Sentinel)

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution built on a Log Analytics workspace. Its Microsoft Entra ID data connector configures the tenant's diagnostic settings to route the selected log categories into that workspace, where scheduled KQL analytics rules provide threat detection, and incidents and playbooks provide investigation and response.

  • Connect Azure AD logs to Sentinel.
  • Utilize built-in analytics rules and custom detection rules.
  • Investigate incidents using interactive investigation tools.
  • Automate responses to security incidents with playbooks.

Common Monitoring Scenarios

  • Detecting Brute Force Attacks: Monitor for an unusually high number of failed sign-ins from a single IP address or for a single user.
  • Identifying Account Compromise: Look for sign-ins from unusual locations, impossible travel scenarios, or sign-ins associated with known malicious IP addresses.
  • Tracking Administrative Actions: Monitor audit logs for changes to user roles, group memberships, and application permissions.
  • Auditing Application Access: Review sign-in logs for specific applications to understand who is accessing them and when.
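Directory role assignments are the administrative change most worth alerting on, and the AuditLogs schema buries the role name inside a nested array. The query below is an added example, not part of the original page: it resolves who added whom to which role over the last seven days, covering both direct assignments and PIM eligible assignments.

```kql
// Added example: who was added to which directory role, and by whom.
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "RoleManagement"
| where OperationName has_any ("Add member to role", "Add eligible member to role")
// The actor is either a signed-in user or an application acting on its own behalf.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| mv-expand TargetResources
| extend Target = tostring(TargetResources.userPrincipalName),
         TargetType = tostring(TargetResources.type)
// The role name is one entry in the target's modifiedProperties array, stored as a JSON string.
| mv-expand Prop = TargetResources.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend Role = trim('"', tostring(Prop.newValue))
| project TimeGenerated, Actor, Role, Target, TargetType, Result, CorrelationId
| order by TimeGenerated desc
```

For an alert, narrow Role to the privileged set (Global Administrator, Privileged Role Administrator, Security Administrator, Application Administrator and similar) and treat an empty Target, which indicates a group or service principal rather than a user, as its own case. CorrelationId ties the assignment back to the actor's sign-in in SigninLogs.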

Getting Started

To effectively monitor your Azure AD environment, it is recommended to:

  1. Enable Diagnostic Settings: Ensure Azure AD logs are being sent to a Log Analytics workspace.
  2. Familiarize Yourself with KQL: Learn to query your logs for actionable insights.
  3. Configure Alerts: Set up alerts for critical events and high-risk activities.
  4. Explore Azure AD Identity Protection: Leverage its capabilities for risk detection and automated response.
  5. Consider Azure Sentinel: For advanced SIEM/SOAR capabilities, integrate Azure AD logs with Azure Sentinel.

For more detailed information, refer to the official Microsoft Entra ID documentation.