
Analyze Azure AD Security Logs: Audit & Monitor Azure AD Activity

Do you want to get more out of Azure AD security and audit logs when monitoring and analyzing activity in your tenant?

This article explains how to use each log to monitor and review user activity in Azure AD.

It starts by describing the four logs and the information each one provides, then covers the licensing and role prerequisites for using them.

Finally, it gives step-by-step instructions for using the logs to monitor and analyze user activity.

Azure AD Security and Audit Logs for Monitoring and Analyzing Activities

Azure Active Directory provides four logs containing the data organizations need to monitor and analyze user activity: sign-in logs, audit logs, provisioning logs, and "usage and insights" reports.

Understanding Azure AD Sign-in and Sign-in (preview) Logs

Azure AD sign-in logs give organizations detailed insight into how users access and use applications and services. Sign-in logs are one of the three activity logs (the other two being audit and provisioning logs).

IT admins use the information in the sign-in log to determine user sign-in patterns: how many users signed in during a given period, and whether each sign-in succeeded or failed.

At the time of writing (June 2023), Microsoft also offers a preview version called "sign-in logs (preview)". The classic sign-in log records interactive user sign-ins only; the preview adds three further sign-in types: non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins to Azure resources.

An interactive sign-in is one where the user supplies credentials themselves (a username and password, MFA, or another authentication method). A non-interactive sign-in is performed by a client application on behalf of a user without any user input, typically with a refresh token the client already holds.

Service principal sign-ins record applications authenticating as themselves with their own credential, a client secret or certificate. Managed identity sign-ins record Azure resources authenticating with identities whose credentials Azure itself manages, so the application holds no secret at all.

Every sign-in entry records three essential components. The first is "who": the identity (user) that signed in. The second is "how": the client or application used for the sign-in. The third is "what": the target resource the identity accessed.

So whenever you monitor and audit Azure AD activity with sign-in logs, look for "who", "how", and "what" in the "User", "Application" or "Client app", and "Resource" columns respectively.

Understanding Azure Active Directory Audit Logs

The audit log is another Azure AD activity log for monitoring and analyzing user actions. It records activities within the directory itself.

Specifically, the Azure AD audit log records changes made to users, groups, and applications in the directory. These records are often required for compliance purposes.

Monitoring the Azure AD audit log can reveal security breaches or compliance issues that need fixing.

The activity performed (for example, a change to a user, group, or application) is recorded as the "Activity Type". Each entry also records the "Category", the "Status", and the identity that performed the activity, recorded as "Initiated by (actor)".

When you open an audit log entry, it has three tabs: "Activity", "Target(s)", and "Modified Properties".

The Activity tab shows the "Activity Type", the category of the entry, and its status.

It also shows the "Initiated by (actor)" information: the user that made the change, that user's UPN, and the IP address the change was made from.

The "Target(s)" tab shows details of the modified object. Where available, it records the object's name, display name, ID, and UPN.

Finally, the "Modified Properties" tab lists the properties that changed on the target object, with the old and new value of each. This is the tab to check when you need to know exactly what changed, not just that something changed.

Understanding Azure Active Directory Provisioning Logs

Azure Active Directory integrates with third-party applications that provision users into the directory. It records their activities in provisioning logs so that IT admins can troubleshoot or track the changes these applications make.

Provisioning logs track information such as the users successfully created or modified by a third-party service like ServiceNow. They also track group changes and which service made each change.

These records are useful for security, audit, and compliance purposes.

Understanding Azure AD "Usage and insights" Reports

The "usage and insights" reports are a central place where Azure AD summarizes the sign-in activity of the applications that authenticate through it, including the Microsoft 365 applications. It is a single location for viewing sign-in activity per application.

The page shows successful and failed sign-ins, the number of each, and the success rate for each application. It also provides a link to view the sign-in activity of each application.

As shown in the screenshot above, the "usage and insights" page highlights the most used applications in the organization, the apps with the lowest sign-in success rate, and the top sign-in errors.

Clicking the "view sign in activity" link for an app displays its sign-in errors. The details page lists each error code, how many times it occurred, and the date it last occurred.

Before leaving "usage & insights", I want to highlight the other important reports on the same page. Earlier, I mentioned that sign-in logs track service principal sign-ins.

That information is also available in "usage & insights" as "Service principal sign-in activity (Preview)". Clicking it lists the service principals that Azure Active Directory has authenticated.

The report includes the name of each service principal, the last time it signed in, and a link to "view more details".

Another valuable report on the "usage & insights" page is "Authentication methods activities". It records which authentication methods users in the organization have registered and how those methods are used.

The page has two tabs: Registration and Usage. The Registration tab shows which users have registered for each of the available authentication methods.

The Usage tab shows how the registered authentication methods have actually been used.

The final report you need in your toolbox is "Application credential activity (Preview)". It shows the last date each application credential was used.

It also lists the application ID, the type of credential (for example, certificate), and a link to view the details of each record.

[Image: "Application credential activity (Preview)" report. Image credit: Microsoft]


Monitor and Analyze Azure AD Activity with Azure AD Security & Audit Logs

For this section, sign in to the Azure portal at portal.azure.com, then search for and open "Azure Active Directory".

Using Sign-in Logs to Monitor and Analyze User Activities

To access the sign-in logs, open "Sign-in logs" from the Monitoring section of the Azure Active Directory menu.

Once the sign-in logs open, customize the columns to suit your needs.

Click "Columns", then check the columns you require on the "Columns" flyout and uncheck the ones you don't. The columns checked in the screenshot below are a good starting point.

After setting the columns, add filters so the log displays only the information you want to analyze.

To add a filter, click "Add filters", select a filter, and click Apply. Repeat this for as many filters as you need.

Next, click a filter and add a condition. In the screenshot below, I have filtered the sign-in logs to return only entries whose user contains "victor".

This reduces the log to the entries I want to view. Depending on what you are troubleshooting, add further filters, such as Status to show only failed sign-ins or Date to narrow the time window.

Opening a log entry shows its full details. The "Basic info" tab contains the critical information about the sign-in: the date, the "Authentication requirement" (single-factor or multifactor), the user, the application accessed, the status, and a link to the Sign-in Diagnostic tool.

The Sign-in Diagnostic tool performs additional troubleshooting on the sign-in and recommends actions to fix the problems it finds.

The entry has further tabs.

The "Location" tab records the location and IP address the user authenticated from.

The "Device info" tab records the user's operating system and browser, and whether the device is compliant.

Finally, the "Conditional Access" and "Report-only" tabs show which Conditional Access policies were applied, not applied, or evaluated in report-only mode for this sign-in.
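The filtering and per-entry review described above, together with the per-application success rate and top sign-in error summary from the "usage and insights" section, can be reproduced offline against exported sign-in records. The Python below is an added example, not code from this article or from Microsoft. The records are constructed and follow the field names of the Microsoft Graph signIn resource (the shape the portal's JSON download uses); the users, IP addresses and applications are made up, and the list of expected countries is an assumption about the tenant.

```python
"""Offline review of Azure AD sign-in log records (added example).

The records are CONSTRUCTED for this example. Field names follow the
Microsoft Graph `signIn` resource; users, IPs and apps are made up.
"""
from collections import Counter, defaultdict


def _rec(when, upn, app, resource, ip, country, error=0, ca="success",
         compliant=True, client="Browser", interactive=True, os_="Windows 11"):
    """Build one constructed record in the Graph signIn shape."""
    return {"createdDateTime": when, "userPrincipalName": upn,
            "appDisplayName": app, "clientAppUsed": client,
            "resourceDisplayName": resource, "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": error},
            "conditionalAccessStatus": ca,
            "deviceDetail": {"operatingSystem": os_, "isCompliant": compliant},
            "location": {"countryOrRegion": country}}


EXO, ARM = "Office 365 Exchange Online", "Windows Azure Service Management API"
SAMPLE_SIGNINS = [  # constructed sample data, not real tenant logs
    _rec("2023-06-12T08:01:10Z", "victor@contoso.example", EXO, EXO, "203.0.113.10", "GB"),
    _rec("2023-06-12T08:05:42Z", "victor@contoso.example", "Azure Portal", ARM, "198.51.100.7", "NG",
         error=50126, ca="notApplied", compliant=False, os_="Android"),
    _rec("2023-06-12T09:15:00Z", "amaka@contoso.example", "Azure Portal", ARM, "203.0.113.11", "GB",
         error=53003, ca="failure", compliant=False, os_="MacOs"),
    _rec("2023-06-12T09:20:31Z", "amaka@contoso.example", EXO, EXO, "203.0.113.11", "GB",
         client="Mobile Apps and Desktop clients", interactive=False),
    _rec("2023-06-12T09:30:00Z", "amaka@contoso.example", "Azure Portal", ARM, "203.0.113.11", "GB",
         error=53003, ca="failure", compliant=False, os_="MacOs"),
    _rec("2023-06-12T10:02:11Z", "victor@contoso.example", "Azure Portal", ARM, "203.0.113.10", "GB"),
]


def who_how_what(rec):
    """The three components to read on every entry: who signed in,
    how (application and client app), and what resource was accessed."""
    return (rec["userPrincipalName"],
            f'{rec["appDisplayName"]} via {rec["clientAppUsed"]}',
            rec["resourceDisplayName"])


def filter_signins(records, user_contains=None, failed_only=False):
    """Equivalent of the portal's 'User contains ...' and 'Status: Failure' filters."""
    out = []
    for r in records:
        if user_contains and user_contains.lower() not in r["userPrincipalName"].lower():
            continue
        if failed_only and r["status"]["errorCode"] == 0:
            continue
        out.append(r)
    return out


def review_flags(rec, expected_countries=("GB",)):
    """What a reviewer checks on the Basic info, Location, Device info and
    Conditional Access tabs, returned as flags. expected_countries is an
    assumption about where this tenant's users normally sign in from."""
    flags = []
    if rec["status"]["errorCode"] != 0:
        flags.append(f'failed:{rec["status"]["errorCode"]}')
    if rec["location"]["countryOrRegion"] not in expected_countries:
        flags.append(f'unexpected-country:{rec["location"]["countryOrRegion"]}')
    if not rec["deviceDetail"]["isCompliant"]:
        flags.append("device-not-compliant")
    if rec["conditionalAccessStatus"] == "failure":
        flags.append("conditional-access-blocked")
    elif rec["conditionalAccessStatus"] == "notApplied":
        flags.append("no-conditional-access-policy")
    return flags


def app_success_rates(records):
    """Per-application success/failure counts and success rate (percent),
    the figures the Usage & insights page shows for each application."""
    totals = defaultdict(lambda: [0, 0])  # app -> [successes, failures]
    for r in records:
        totals[r["appDisplayName"]][0 if r["status"]["errorCode"] == 0 else 1] += 1
    return {app: {"success": s, "failure": f, "rate": round(100 * s / (s + f), 1)}
            for app, (s, f) in totals.items()}


def top_sign_in_errors(records, n=3):
    """Most frequent error codes with occurrence count and last-seen time,
    as on an application's 'view sign in activity' details page."""
    counts, last_seen = Counter(), {}
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        code = r["status"]["errorCode"]
        if code:
            counts[code] += 1
            last_seen[code] = r["createdDateTime"]
    return [(code, cnt, last_seen[code]) for code, cnt in counts.most_common(n)]


if __name__ == "__main__":
    for r in filter_signins(SAMPLE_SIGNINS, user_contains="victor"):
        print(r["createdDateTime"], who_how_what(r), review_flags(r) or "ok")
    print(app_success_rates(SAMPLE_SIGNINS))
    print(top_sign_in_errors(SAMPLE_SIGNINS))
```

The second constructed record is the one worth pausing on: a failed password sign-in to the Azure portal from an unexpected country, on a non-compliant device, with no Conditional Access policy applied. Each of those is visible on a different tab in the portal; combining them into one set of flags is what makes the entry stand out in a long list.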

Using Azure AD Audit Logs to Analyze User Activities

To open the audit log, click "Audit logs" in the Azure Active Directory menu.

Then follow the steps in the previous subsection to customize the columns to your needs.

Like the sign-in logs, the audit logs can be filtered. Microsoft pre-populates the filters you need most often: Service, Activity, and Category.

You can also add your own filters. To add one, click "Add filters", select a filter, and click Apply.

Once added, a filter is displayed above the results and restricts what the audit log shows. In the screenshot below, I have filtered the log by Date and Initiated by (actor).

Next, drill down by clicking an entry. When the entry opens, review the information in the "Activity", "Target(s)", and "Modified Properties" tabs.

Follow the steps in the last two subsections, together with the information in the earlier sections, to configure, analyze, and monitor the provisioning logs and the "usage and insights" reports in the same way.
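The Date and "Initiated by (actor)" filtering in this subsection, and the Activity, Target(s) and Modified Properties details described earlier, can also be worked through offline against exported audit records. The Python below is an added example, not code from this article or from Microsoft. The records are constructed in the shape of the Microsoft Graph directoryAudit resource, in which old and new property values arrive as JSON-encoded strings; all users, IP addresses and application names are made up.

```python
"""Offline review of Azure AD audit log records (added example).

The records are CONSTRUCTED for this example. Field names follow the
Microsoft Graph `directoryAudit` resource, where modifiedProperties
old/new values are JSON-encoded strings. Users, apps and IPs are made up.
"""
import json
from datetime import datetime, timezone


def _ts(s):
    """Parse the Graph UTC timestamp format into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def _by_user(upn, ip):
    return {"user": {"userPrincipalName": upn, "ipAddress": ip}, "app": None}


def _by_app(name):
    return {"user": None, "app": {"displayName": name}}


SAMPLE_AUDITS = [  # constructed sample data, not real tenant logs
    {"activityDateTime": "2023-06-12T10:02:11Z", "activityDisplayName": "Update user",
     "category": "UserManagement", "loggedByService": "Core Directory", "result": "success",
     "initiatedBy": _by_user("victor@contoso.example", "203.0.113.10"),
     "targetResources": [{"type": "User", "displayName": "Amaka Obi",
                          "userPrincipalName": "amaka@contoso.example",
                          "modifiedProperties": [{"displayName": "Department",
                                                  "oldValue": "\"Sales\"", "newValue": "\"Finance\""}]}]},
    {"activityDateTime": "2023-06-12T10:15:40Z", "activityDisplayName": "Add member to group",
     "category": "GroupManagement", "loggedByService": "Core Directory", "result": "success",
     "initiatedBy": _by_user("victor@contoso.example", "203.0.113.10"),
     "targetResources": [{"type": "User", "displayName": None,
                          "userPrincipalName": "amaka@contoso.example",
                          "modifiedProperties": [{"displayName": "Group.DisplayName",
                                                  "oldValue": None, "newValue": "\"Finance Approvers\""}]}]},
    {"activityDateTime": "2023-06-12T11:00:05Z", "activityDisplayName": "Add user",
     "category": "UserManagement", "loggedByService": "Account Provisioning", "result": "success",
     "initiatedBy": _by_app("ServiceNow provisioning"),
     "targetResources": [{"type": "User", "displayName": "Tunde Bello",
                          "userPrincipalName": "tunde@contoso.example",
                          "modifiedProperties": [{"displayName": "AccountEnabled",
                                                  "oldValue": None, "newValue": "[true]"}]}]},
    {"activityDateTime": "2023-06-13T08:30:00Z", "activityDisplayName": "Reset user password",
     "category": "UserManagement", "loggedByService": "Core Directory", "result": "failure",
     "initiatedBy": _by_user("helpdesk@contoso.example", "198.51.100.22"),
     "targetResources": [{"type": "User", "displayName": "Victor Ashiedu",
                          "userPrincipalName": "victor@contoso.example", "modifiedProperties": []}]},
]


def actor_of(rec):
    """'Initiated by (actor)': a user with its source IP, or an application."""
    by = rec["initiatedBy"]
    if by.get("user"):
        return f'{by["user"]["userPrincipalName"]} from {by["user"]["ipAddress"]}'
    return f'app:{by["app"]["displayName"]}'


def _decode(value):
    """modifiedProperties values arrive JSON-encoded; None/"" means 'not set'."""
    if value in (None, ""):
        return None
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value


def property_changes(rec):
    """Flatten the 'Modified Properties' tab: one row per real change on
    each target, with the old and new values decoded."""
    rows = []
    for target in rec["targetResources"]:
        name = target.get("userPrincipalName") or target.get("displayName")
        for prop in target.get("modifiedProperties", []):
            old, new = _decode(prop["oldValue"]), _decode(prop["newValue"])
            if old != new:
                rows.append({"target": name, "type": target["type"],
                             "property": prop["displayName"], "old": old, "new": new})
    return rows


def filter_audits(records, actor_contains=None, since=None, until=None, result=None):
    """Equivalent of the portal's Date, 'Initiated by (actor)' and Status
    filters. since/until are ISO-8601 UTC strings; both bounds are inclusive."""
    out = []
    for r in records:
        when = _ts(r["activityDateTime"])
        if actor_contains and actor_contains.lower() not in actor_of(r).lower():
            continue
        if (since and when < _ts(since)) or (until and when > _ts(until)):
            continue
        if result and r["result"] != result:
            continue
        out.append(r)
    return out


def changes_by_actor(records):
    """Number of object properties each actor changed across the records."""
    totals = {}
    for r in records:
        totals[actor_of(r)] = totals.get(actor_of(r), 0) + len(property_changes(r))
    return totals


if __name__ == "__main__":
    window = dict(since="2023-06-12T00:00:00Z", until="2023-06-12T23:59:59Z")
    for r in filter_audits(SAMPLE_AUDITS, actor_contains="victor", **window):
        print(r["activityDateTime"], r["activityDisplayName"], r["category"], r["result"], actor_of(r))
        for row in property_changes(r):
            print("   ", row)
    print(changes_by_actor(SAMPLE_AUDITS))
```

Decoding the JSON-encoded values matters in practice: a raw export shows "\"Finance\"" and "[true]", and comparing the decoded old and new values is what lets you skip no-op entries and see that a provisioning service, not a person, enabled an account.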

Analyze Azure AD Security Logs: Audit & Monitor Azure AD Activity Conclusion

Monitoring and analyzing logs is as important as configuring Azure AD Identity Protection, Conditional Access, Privileged Identity Management, and the other security features. By analyzing the logs in Azure Active Directory, IT admins can detect and mitigate potential security incidents proactively.

Fortunately, Azure AD provides all the logs required for this. Specifically, it offers sign-in logs, sign-in (preview) logs, and audit logs.

It also provides provisioning logs and "usage and insights" reports. Together, these supply the data needed to assess the security health of an Azure AD tenant.

To help organizations use the logs effectively, this article explained what data each Azure AD log provides and how to use it to monitor and analyze the security posture of Azure AD.


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and PowerShell, and 7 years of expertise in Azure AD and Office 365, he is a seasoned expert in his field. When he's not working, he loves spending time with his family, a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
