This article explains how to use each Azure AD log to monitor and review user activities.
It starts by exploring four logs and explaining the information each provides. It then discusses the licensing and role prerequisites for using these logs.
Finally, it gives step-by-step instructions for using the logs to monitor and analyze user activities.
Azure AD Security and Audit Logs for Monitoring and Analyzing Activities
Understanding Azure AD Sign-in and Sign-in (preview) Logs
IT admins use the information recorded in the sign-in log to determine user sign-in patterns. The log also reveals how many users signed in during a given period and displays the status of each sign-in.
As of June 2023, Microsoft released a preview version called “sign-in logs (preview).” While the classic sign-in log records interactive user sign-ins, the preview tracks these plus three additional types of sign-ins to Azure resources: non-interactive user, service principal, and managed identity sign-ins.
Beyond the “user” component, sign-in logs record three essential pieces of information when a user or application accesses an Azure resource. The first is “who”: the identity (user) that signed in.
The log also records “how,” meaning the client or application used for the sign-in.
Finally, it records “what,” the target resource the identity accessed.
So, whenever you monitor and audit Azure AD security activity using sign-in logs, look for “who,” “how,” and “what,” which appear in the log as “user,” “application” or “client app,” and “resource” respectively.
Understanding Azure Active Directory Audit Logs
The audit log is another Azure AD activity log that helps monitor and analyze user actions. It records activities within the directory.
Specifically, Azure AD audit logs record changes made to users, groups, or applications in the directory. These activity logs are often required for compliance purposes.
Monitoring Azure AD audit logs can reveal security breaches or compliance issues that need fixing.
The audit log’s subject (user, group, or application) is recorded as “Activity Type.” It also records the “Category,” “Status,” and the person who initiated the activity, recorded as “Initiated by (actor).”
When an audit log entry is opened, it has three tabs: “Activity,” “Target(s),” and “Modified Properties.”
The entry also records the “Initiated by (actor)” information, which includes the user that made the changes, the IP address, and the user’s UPN.
The “Target(s)” tab records details of the modified object. If available, it records the object’s name, display name, ID, and UPN.
Finally, the “Modified Properties” tab shows the properties of the modified object, including the old and new values.
Understanding Azure Active Directory Provisioning Logs
Azure Active Directory integrates with third-party applications that provision users in the directory. It records their activities in provisioning logs so IT admins can troubleshoot or track the changes these applications make.
Provisioning logs track information such as users successfully created or modified by a third-party service like ServiceNow. They also track group changes and which service made each change.
Understanding Azure AD "Usage and insights" Reports
The “usage and insights” reports are a central repository where Azure AD records the sign-in activities of other Microsoft 365 applications. It is a single location where sign-in activities are viewed.
The page records successful and failed sign-ins, the number of each, and the success rate. It also displays a link to view the sign-in activity for each application.
As shown in the screenshot above, the “usage and insights” page provides information on the most used applications in an organization, apps with the lowest sign-in success rate, and top sign-in errors.
Clicking the “view sign in activity” link for an app displays its sign-in errors. The details page lists the error codes, the number of occurrences, and the last date each error occurred.
Before leaving “usage & insights,” I want to highlight other critical reports available there. Earlier, I mentioned that sign-in logs track service principal sign-ins.
This information is available in “usage & insights” as “Service principal sign-in activity (Preview).” Clicking it displays the service principals that Azure Active Directory has authenticated.
This report includes the name of the service principal, the last time it signed in, and a link to “view more details.”
The “Authentication methods activities” report records the authentication methods that users in an organization have registered in Azure AD.
The page has two tabs: Registration and Usage. The Registration tab lists the users registered for each available authentication method.
Using Sign-in Logs to Monitor and Analyze User Activities
To access the sign-in logs, open them from the Monitor menu of the Azure Active Directory portal.
Next, click on a filter and add a condition. In the screenshot below, I have filtered my sign-in logs to return only entries whose user contains “victor.”
This filtering reduces the number of log entries to the ones I want to view. Depending on what we are troubleshooting, we can add further filters.
Opening a log entry provides a detailed report about it. The “Basic info” tab reveals critical information about the sign-in, such as the date, the “Authentication requirement,” information about the user, the application accessed, and a link to the Sign-in Diagnostic tool.
The Sign-in Diagnostic tool performs additional troubleshooting on the sign-in and recommends actions to fix problems.
The log entry has other tabs as well.
The “Location” tab records the location and IP address from which the user attempted authentication.
The “Device info” tab records the user’s operating system, browser, and whether the device is compliant.
Finally, use the information in the “Conditional Access” and “Report-only” tabs to view the conditional access and other policies that did or did not apply to the sign-in.
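The sign-in log fields described above (“who,” “how,” “what,” and the sign-in status), the portal’s “User contains …” filter, and the per-application success rate and top-error view from “usage and insights” can all be reproduced offline against an exported log. The following Python script is an added example written for this article, not code from InfraSOS or Microsoft. It assumes a JSON export whose field names follow the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, resourceDisplayName, status.errorCode); the six sample records, their IP addresses and failure-reason strings are constructed for the example.

```python
"""Summarise Azure AD sign-in log entries exported as JSON.

Field names follow the shape of the Microsoft Graph signIn resource; the records
below are constructed for this example. errorCode 0 means the sign-in succeeded.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export (not real tenant data).
SAMPLE_SIGNINS_JSON = json.dumps([
    {"createdDateTime": "2023-06-01T08:02:11Z", "userPrincipalName": "victor@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "resourceDisplayName": "Office 365 Exchange Online", "isInteractive": True,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2023-06-01T08:05:40Z", "userPrincipalName": "victor@contoso.example",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
     "resourceDisplayName": "Windows Azure Service Management API", "isInteractive": True,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"createdDateTime": "2023-06-02T09:15:03Z", "userPrincipalName": "victor@contoso.example",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
     "resourceDisplayName": "Windows Azure Service Management API", "isInteractive": True,
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"createdDateTime": "2023-06-02T10:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Mobile Apps and Desktop clients",
     "resourceDisplayName": "Windows Azure Service Management API", "isInteractive": True,
     "ipAddress": "203.0.113.20", "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2023-06-03T11:30:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
     "resourceDisplayName": "Office 365 SharePoint Online", "isInteractive": True,
     "ipAddress": "192.0.2.44", "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access policies."}},
    {"createdDateTime": "2023-06-03T11:45:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients",
     "resourceDisplayName": "Office 365 Exchange Online", "isInteractive": False,
     "ipAddress": "203.0.113.20", "status": {"errorCode": 0, "failureReason": "Other."}},
])


def load_signins(text):
    """Parse a JSON export into a list of sign-in records."""
    return json.loads(text)


def who_how_what(entry):
    """Map one record to the three questions the sign-in log answers."""
    return {
        "who": entry["userPrincipalName"],        # identity that signed in
        "how": entry["clientAppUsed"],            # client/app used for the sign-in
        "what": entry["resourceDisplayName"],     # target resource accessed
        "succeeded": entry["status"]["errorCode"] == 0,
    }


def filter_by_user(entries, fragment):
    """Keep entries whose UPN contains `fragment`, like the portal's "User contains" filter."""
    needle = fragment.lower()
    return [e for e in entries if needle in e["userPrincipalName"].lower()]


def app_success_rates(entries):
    """Per-application success/failure counts and success rate (0.0 to 1.0)."""
    tally = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in entries:
        key = "success" if e["status"]["errorCode"] == 0 else "failure"
        tally[e["appDisplayName"]][key] += 1
    for counts in tally.values():
        total = counts["success"] + counts["failure"]
        counts["rate"] = round(counts["success"] / total, 3)
    return dict(tally)


def lowest_success_rate_app(entries):
    rates = app_success_rates(entries)
    return min(rates, key=lambda app: rates[app]["rate"])


def most_used_app(entries):
    return Counter(e["appDisplayName"] for e in entries).most_common(1)[0][0]


def top_errors(entries, limit=5):
    """Failed sign-ins grouped by error code: (code, reason, occurrences, last seen)."""
    seen = {}
    for e in entries:
        code = e["status"]["errorCode"]
        if code == 0:
            continue
        rec = seen.setdefault(code, {"reason": e["status"]["failureReason"], "count": 0, "last": ""})
        rec["count"] += 1
        rec["last"] = max(rec["last"], e["createdDateTime"])  # same-format ISO 8601 sorts lexically
    ranked = sorted(seen.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(code, r["reason"], r["count"], r["last"]) for code, r in ranked[:limit]]


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNINS_JSON)
    for e in filter_by_user(signins, "victor"):
        print(who_how_what(e))
    print(app_success_rates(signins))
    print("Most used:", most_used_app(signins), "| lowest success rate:", lowest_success_rate_app(signins))
    print(top_errors(signins))
```

Run with an export of your own sign-in logs in place of the constructed sample; the same functions then give the most-used application, the app with the lowest success rate, and the top error codes with their occurrence counts and last-seen dates that the “usage and insights” page shows.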
Using Azure AD Audit Logs to Analyze User Activities
To open the audit log, click it in the Azure Active Directory menu.
Then follow the steps described in the previous subsection to customize the columns to your needs.
Similar to sign-in logs, audit logs have filtering capabilities. Fortunately, Microsoft includes the filtering conditions you need most: Service, Activity, and Category.
The audit log also lets you add custom filters. To add a filter, click “Add filters,” select a filter, and click Apply.
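The audit log structure described earlier (Activity Type, Category, Status, “Initiated by (actor)” with UPN and IP address, Target(s), and Modified Properties with old and new values) and the Service, Activity and Category filters described just above can be applied to an exported audit log with the following Python script. It is an added example for this article, not code from InfraSOS or Microsoft. It assumes an export whose field names follow the shape of the Microsoft Graph directoryAudit resource (activityDisplayName, category, loggedByService, result, initiatedBy, targetResources with modifiedProperties), where oldValue and newValue are JSON-encoded strings; the four sample records, object IDs, IP addresses and the “HR Provisioning Connector” application name are constructed for the example.

```python
"""Review Azure AD audit log entries exported as JSON.

Field names follow the shape of the Microsoft Graph directoryAudit resource; the
records below are constructed for this example (IDs, IPs and app name are placeholders).
"""
import json
from collections import Counter

SAMPLE_AUDITS = [
    {"activityDateTime": "2023-06-01T09:00:00Z", "activityDisplayName": "Update user",
     "category": "UserManagement", "loggedByService": "Core Directory", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "victor@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"type": "User", "id": "00000000-0000-0000-0000-000000000001",
                          "displayName": "Alice Example", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Department",
                                                  "oldValue": "\"Sales\"", "newValue": "\"Finance\""}]}]},
    {"activityDateTime": "2023-06-01T09:05:00Z", "activityDisplayName": "Add member to group",
     "category": "GroupManagement", "loggedByService": "Core Directory", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "victor@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"type": "User", "id": "00000000-0000-0000-0000-000000000001",
                          "displayName": "Alice Example", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Group.DisplayName",
                                                  "oldValue": None, "newValue": "\"Finance-Admins\""}]}]},
    {"activityDateTime": "2023-06-02T14:20:00Z", "activityDisplayName": "Reset user password",
     "category": "UserManagement", "loggedByService": "Core Directory", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"type": "User", "id": "00000000-0000-0000-0000-000000000002",
                          "displayName": "Bob Example", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2023-06-03T01:00:00Z", "activityDisplayName": "Add user",
     "category": "UserManagement", "loggedByService": "Account Provisioning", "result": "success",
     "initiatedBy": {"app": {"appId": "placeholder-app-id", "displayName": "HR Provisioning Connector"}},
     "targetResources": [{"type": "User", "id": "00000000-0000-0000-0000-000000000003",
                          "displayName": "Carol Example", "userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": [{"displayName": "AccountEnabled",
                                                  "oldValue": None, "newValue": "[true]"}]}]},
]


def _decode(value):
    """Graph stores old/new property values as JSON text; decode when possible."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def actor(entry):
    """Return (name, source IP) of the user or application that initiated the activity."""
    by = entry.get("initiatedBy", {})
    if by.get("user"):
        return by["user"]["userPrincipalName"], by["user"].get("ipAddress")
    if by.get("app"):
        return by["app"]["displayName"], None   # apps carry no client IP in the log
    return "unknown", None


def summarise(entry):
    """Flatten an entry into the Activity / Target(s) / Modified Properties view."""
    name, ip = actor(entry)
    targets = entry["targetResources"]
    return {
        "activity": entry["activityDisplayName"],
        "category": entry["category"],
        "service": entry["loggedByService"],
        "status": entry["result"],
        "actor": name,
        "actor_ip": ip,
        "targets": [(t["type"], t.get("displayName"), t.get("userPrincipalName")) for t in targets],
        "changes": [(p["displayName"], _decode(p["oldValue"]), _decode(p["newValue"]))
                    for t in targets for p in t["modifiedProperties"]],
    }


def filter_audits(entries, service=None, activity=None, category=None):
    """The portal's default filters (Service, Activity, Category); given ones are AND-ed."""
    return [e for e in entries
            if (service is None or e["loggedByService"] == service)
            and (activity is None or e["activityDisplayName"] == activity)
            and (category is None or e["category"] == category)]


def activity_counts_by_actor(entries):
    """How many directory changes each actor initiated, a quick review pivot."""
    return Counter(actor(e)[0] for e in entries)


def failed_activities(entries):
    """Entries whose Status is not success, with actor and source IP for follow-up."""
    return [summarise(e) for e in entries if e["result"] != "success"]


if __name__ == "__main__":
    for e in filter_audits(SAMPLE_AUDITS, service="Core Directory", category="UserManagement"):
        print(summarise(e))
    print(activity_counts_by_actor(SAMPLE_AUDITS))
    print(failed_activities(SAMPLE_AUDITS))
```

The summary dictionary mirrors the three tabs of an audit log entry, so a reviewer can see in one line who changed which object, from which IP address, and what each property’s value was before and after the change.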
Analyze Azure AD Security Logs: Audit & Monitor Azure AD Activity Conclusion
Monitoring and analyzing audit logs is as crucial as configuring Azure Identity Protection, Conditional Access, Privileged Identity Management, and other security features. By analyzing logs in Azure Active Directory, IT admins proactively detect and mitigate potential security incidents.
Fortunately, Azure AD has all the logs required to achieve this goal. Specifically, it offers organizations sign-in, sign-in (preview), and audit logs.
This robust cloud identity management tool also offers provisioning logs and “usage and insights” reports. Together these logs provide the data needed to assess the security health of an Azure AD infrastructure.
To help organizations use the logs effectively, this article has explained the data the Azure AD logs provide and how to use them to monitor and analyze the security posture of Azure AD.