Monitoring and Logging in Azure Active Directory
Effective monitoring and logging are crucial for maintaining the security posture of your Azure Active Directory (Azure AD, now branded Microsoft Entra ID) environment. This document outlines the log sources, tools, and practices for capturing, analyzing, and acting upon security-relevant identity events.
Why Monitor Azure AD?
Monitoring Azure AD provides visibility into user activities, sign-in attempts, application usage, and potential security threats. This information is vital for:
- Detecting and responding to suspicious activities and security incidents.
- Troubleshooting sign-in and access issues.
- Auditing user behavior and compliance requirements.
- Gaining insights into application adoption and usage patterns.
- Identifying configuration drift and potential misconfigurations.
Key Azure AD Log Sources
Azure AD generates several types of logs that are essential for monitoring:
1. Azure AD Sign-in Logs
Sign-in logs record every authentication handled by Azure AD: interactive user sign-ins, non-interactive sign-ins (token refreshes performed by clients on a user's behalf), service principal sign-ins, and managed identity sign-ins. Each entry includes:
- User identity.
- Application accessed.
- IP address and location of the sign-in.
- Device information.
- Authentication methods used.
- Success or failure status of the sign-in attempt.
Use case: Identify compromised credentials or attacks on credentials, for example password spraying (one IP failing against many accounts), brute force against a single account, or a success from an IP that had just been failing repeatedly.
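The two patterns named in that use case, expressed as detection logic over sign-in records. This is an added example, not code from the original page or from Microsoft; the records are constructed, and the field names are assumed to follow the Log Analytics SigninLogs columns (TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType) as they would appear in a JSON export. ResultType "0" is a successful sign-in; anything else is an AADSTS error code.

```python
"""Detect password-spray and brute-force patterns in Azure AD sign-in records.

Added example: the records are constructed for illustration and use the
Log Analytics SigninLogs column names (TimeGenerated, UserPrincipalName,
IPAddress, AppDisplayName, ResultType). ResultType "0" is a successful
sign-in; any other value is an AADSTS error code ("50126" is a bad password).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = "0"
SPRAY_MIN_USERS = 5       # distinct accounts failing from one IP within the window
BRUTE_MIN_FAILURES = 5    # failures against one account before a success from the same IP
WINDOW = timedelta(minutes=30)


def parse_time(value):
    """Parse the ISO 8601 timestamps used in the log export (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(records, min_users=SPRAY_MIN_USERS, window=WINDOW):
    """Return {ip: [users]} for source IPs whose failures touch >= min_users
    distinct accounts inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for rec in records:
        if rec["ResultType"] != SUCCESS:
            failures[rec["IPAddress"]].append((parse_time(rec["TimeGenerated"]), rec["UserPrincipalName"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({user for _, user in events[start:end + 1]}) >= min_users:
                hits[ip] = sorted({user for _, user in events})
                break
    return hits


def detect_brute_force_then_success(records, min_failures=BRUTE_MIN_FAILURES, window=WINDOW):
    """Return [(user, ip)] where an account saw >= min_failures failures from one IP
    and then a successful sign-in from that same IP within `window`."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["UserPrincipalName"]].append(
            (parse_time(rec["TimeGenerated"]), rec["IPAddress"], rec["ResultType"]))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for i, (when, ip, result) in enumerate(events):
            if result != SUCCESS:
                continue
            prior_failures = [e for e in events[:i]
                              if e[1] == ip and e[2] != SUCCESS and when - e[0] <= window]
            if len(prior_failures) >= min_failures:
                hits.append((user, ip))
                break
    return hits


def _rec(when, user, ip, result, app="Office 365 Exchange Online"):
    return {"TimeGenerated": when, "UserPrincipalName": user, "IPAddress": ip,
            "AppDisplayName": app, "ResultType": result}


def build_sample_records():
    """Constructed sample sign-in records, not real log data."""
    recs = []
    # One IP tries a single password against six accounts: a spray.
    for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        recs.append(_rec(f"2024-05-01T09:0{i}:00Z", f"{name}@example.com", "203.0.113.10", "50126"))
    # Another IP hammers bob and eventually gets in.
    for i in range(5):
        recs.append(_rec(f"2024-05-01T10:0{i}:00Z", "bob@example.com", "198.51.100.7", "50126"))
    recs.append(_rec("2024-05-01T10:05:30Z", "bob@example.com", "198.51.100.7", SUCCESS))
    # Benign noise: a single typo followed by a successful sign-in.
    recs.append(_rec("2024-05-01T08:30:00Z", "carol@example.com", "192.0.2.5", SUCCESS))
    recs.append(_rec("2024-05-01T08:31:00Z", "dave@example.com", "192.0.2.5", "50126"))
    recs.append(_rec("2024-05-01T08:32:00Z", "dave@example.com", "192.0.2.5", SUCCESS))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    print("password spray:", detect_password_spray(sample))
    print("brute force then success:", detect_brute_force_then_success(sample))
```

The thresholds and window are the tunable part: a spray from a large botnet spreads its attempts across many source IPs, so in practice you would also group by the AppDisplayName or user agent, and a legitimate MFA-heavy user can rack up a few failures, so the brute-force rule keys on the success coming from the same IP that was failing rather than on the failure count alone.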
2. Azure AD Audit Logs
Audit logs record changes made to the directory itself (they do not contain sign-ins). These include activities related to user management, group management, application registration, role management, and policy changes. Key events include:
- User creation, deletion, and modification.
- Group membership changes.
- Application registration and updates.
- Role assignments.
- Policy updates (e.g., Conditional Access).
Use case: Track administrative changes, such as who added an account to a privileged role or who edited a Conditional Access policy, and ensure compliance with internal policies.
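A small rule set over audit records that flags the changes named in that use case: assignments to privileged roles and Conditional Access policy edits. This is an added example, not code from the original page or from Microsoft; the records are constructed, the field names follow the Log Analytics AuditLogs columns (TimeGenerated, OperationName, Category, Result, InitiatedBy, TargetResources), and the inner shape of the InitiatedBy and TargetResources columns and the operation names are assumed from the audit log schema and should be checked against your own export.

```python
"""Flag sensitive administrative changes in Azure AD audit log records.

Added example with constructed records. Field names follow the Log Analytics
AuditLogs columns (TimeGenerated, OperationName, Category, Result, InitiatedBy,
TargetResources); the inner shape of the dynamic columns and the operation
names are assumed from the audit log schema and should be checked against
your own export.
"""
import json

# Roles whose assignment should page someone (assumed starting list; extend it).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Conditional Access Administrator",
}
ROLE_ASSIGNMENT_OPS = {"Add member to role", "Add eligible member to role"}
CA_POLICY_OPS = {
    "Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy",
}
SEVERITY_ORDER = {"high": 0, "medium": 1}


def actor_of(record):
    """UPN of the initiating user, or display name of the initiating app."""
    initiated_by = record.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def new_value(target, prop_name):
    """Decoded newValue of a modifiedProperties entry on a target resource."""
    # The raw log stores newValue as a JSON-encoded string, e.g. '"Global Administrator"'.
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == prop_name and prop.get("newValue"):
            try:
                return json.loads(prop["newValue"])
            except ValueError:
                return prop["newValue"]
    return None


def assigned_role(targets):
    """Role name carried in the Role.DisplayName modified property, if any."""
    for target in targets:
        role = new_value(target, "Role.DisplayName")
        if role:
            return role
    return None


def flag_sensitive_changes(records):
    """Return alerts for role assignments and Conditional Access policy changes,
    highest severity first (stable sort, so log order is kept within a level)."""
    alerts = []
    for rec in records:
        if rec.get("Result") != "success":
            continue  # failed attempts deserve their own rule; skipped here
        op = rec.get("OperationName", "")
        targets = rec.get("TargetResources") or []
        target_names = [t.get("displayName") or t.get("userPrincipalName") or "?" for t in targets]
        if op in ROLE_ASSIGNMENT_OPS:
            role = assigned_role(targets)
            severity = "high" if role in PRIVILEGED_ROLES else "medium"
            detail = role or "unknown role"
        elif op in CA_POLICY_OPS:
            severity, detail = "high", op
        else:
            continue
        alerts.append({"time": rec.get("TimeGenerated"), "operation": op, "actor": actor_of(rec),
                       "targets": target_names, "detail": detail, "severity": severity})
    alerts.sort(key=lambda a: SEVERITY_ORDER[a["severity"]])
    return alerts


def build_sample_audit_records():
    """Constructed sample audit records, not real log data."""
    def role_change(when, actor, target_upn, role):
        return {"TimeGenerated": when, "OperationName": "Add member to role",
                "Category": "RoleManagement", "Result": "success",
                "InitiatedBy": {"user": {"userPrincipalName": actor}},
                "TargetResources": [{"type": "User", "userPrincipalName": target_upn,
                                     "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                             "oldValue": None,
                                                             "newValue": json.dumps(role)}]}]}
    return [
        role_change("2024-05-01T11:00:00Z", "admin@example.com", "mallory@example.com", "Global Administrator"),
        {"TimeGenerated": "2024-05-01T11:05:00Z", "OperationName": "Update conditional access policy",
         "Category": "Policy", "Result": "success",
         "InitiatedBy": {"app": {"displayName": "svc-automation"}},
         "TargetResources": [{"type": "Policy", "displayName": "Require MFA for all users",
                              "modifiedProperties": []}]},
        role_change("2024-05-01T11:10:00Z", "admin@example.com", "pat@example.com", "Reports Reader"),
        {"TimeGenerated": "2024-05-01T11:15:00Z", "OperationName": "Update user",
         "Category": "UserManagement", "Result": "success",
         "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
         "TargetResources": [{"type": "User", "userPrincipalName": "pat@example.com",
                              "modifiedProperties": []}]},
    ]


if __name__ == "__main__":
    for alert in flag_sensitive_changes(build_sample_audit_records()):
        print(alert["severity"].upper(), alert["time"], alert["operation"],
              alert["actor"], alert["targets"], alert["detail"])
```

Note that the Conditional Access change in the sample was made by an application rather than a user; an alert that only looked at InitiatedBy.user would report it as "unknown", which is exactly the case an attacker abusing an over-privileged automation identity would exploit.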
3. Azure AD Provisioning Logs
These logs contain records of the automatic user provisioning to integrated applications (e.g., SaaS apps). They help you troubleshoot issues with user account lifecycle management. Key information includes:
- User creation, update, and deletion events in target applications.
- Errors encountered during provisioning.
- Synchronization status.
Use case: Diagnose why user accounts are not being provisioned or de-provisioned correctly in connected applications.
Tools for Monitoring and Analysis
Azure Monitor
Azure Monitor is the foundational service for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. Azure AD logs can be sent to Azure Monitor for advanced analysis and alerting.
Log Analytics Workspaces
This is a core component of Azure Monitor where log data is stored and queried. You can ingest Azure AD logs into a Log Analytics workspace to perform powerful queries using the Kusto Query Language (KQL). Each log category lands in its own table: interactive user sign-ins in SigninLogs, non-interactive user sign-ins in AADNonInteractiveUserSignInLogs, service principal and managed identity sign-ins in AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs, and audit and provisioning events in AuditLogs and AADProvisioningLogs. A query against SigninLogs alone therefore says nothing about token refreshes or workload identities.
// Example KQL query: failed interactive sign-ins in the last 24 hours.
// ResultType is a string column: "0" is success, anything else is an AADSTS error code.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType, ResultDescription
Azure Workbooks
Azure Workbooks provide a canvas for data visualization and reporting. You can create custom dashboards to visualize Azure AD log data, providing an at-a-glance view of your security status.
Azure Alerts
Configure alerts based on specific log data patterns. This allows you to be proactively notified of potential security events, such as a high number of failed sign-ins from a specific IP address or a critical administrative change.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. Integrating Azure AD logs with Sentinel enables:
- Centralized security monitoring.
- Advanced threat detection using machine learning and AI.
- Automated incident response playbooks.
- Threat hunting capabilities.
Best Practices for Azure AD Logging
- Enable Diagnostic Settings: In the tenant's diagnostic settings, send every relevant log category (SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, AuditLogs, ProvisioningLogs, plus RiskyUsers and UserRiskEvents if you use Identity Protection) to a Log Analytics workspace, a storage account, or an event hub. Exporting sign-in logs requires an Azure AD Premium P1 or P2 license; audit logs can be exported on any tier.
- Retain Logs Appropriately: The tenant itself keeps sign-in and audit logs for only 7 days (Free) or 30 days (P1/P2), so any history you need for an investigation must live in the workspace or storage account. Set workspace retention from your compliance and security requirements, and treat 90 days as a practical minimum for identity logs, since compromises are frequently discovered weeks after the fact.
- Monitor for Anomalies: Regularly review sign-in logs for unusual patterns, such as sign-ins from unknown locations, multiple failed attempts, or sign-ins to unfamiliar applications.
- Alert on Critical Events: Set up alerts for high-risk activities such as assignments to privileged roles (Global Administrator in particular), risky sign-ins flagged by Identity Protection, new application consent grants, and changes to Conditional Access policies.
- Integrate with SIEM: For comprehensive security operations, integrate Azure AD logs into your SIEM solution like Microsoft Sentinel.
- Regularly Audit Configurations: Use audit logs to track changes to Conditional Access policies, user roles, and application permissions.
- Understand User Behavior: Analyze sign-in and audit logs to understand normal user behavior, making it easier to spot deviations.
Conclusion
Robust monitoring and logging are fundamental pillars of Azure AD security. By understanding the available log sources, leveraging powerful analysis tools like Azure Monitor and Microsoft Sentinel, and adhering to best practices, you can significantly enhance your ability to detect, investigate, and mitigate security threats within your Azure AD environment.