Azure AD Auditing: Enabling and Configuring Audit Logs. In today’s rapidly evolving digital landscape, where data breaches and cyber threats continue to rise, establishing robust security measures has become paramount for organizations. Azure Active Directory (Azure AD) provides a comprehensive suite of tools to bolster security, and a crucial part of that is auditing. By enabling and configuring audit logs and Microsoft Graph activity logs within Azure AD, businesses gain valuable insight into user activities, potential vulnerabilities, and regulatory compliance. This article explains how to get started with Azure AD auditing and highlights how these logs contribute to a proactive and effective security posture.

Azure AD Auditing: Enabling and Configuring Audit Logs

When a user authenticates to Azure Active Directory to access a service such as Office 365 or another SaaS application, an authentication workflow runs in Azure AD. First, Azure AD checks whether the user belongs to the specified tenant and, if not, routes the user to the correct directory tenant. Next, it evaluates the user's credentials and group memberships. All authentication attempts, whether they succeed or fail, are logged.

Conditional Access policies are then evaluated to determine which settings apply before the user is granted access, or whether the sign-in should be blocked. Within Azure Active Directory, these audit logs are stored by default in a local Azure AD database. A log entry from the Azure AD Sign-in logs looks like this.

NOTE: An Azure AD Sign-in Activity entry also carries two other sets of attributes: device information and the Conditional Access policies that were evaluated.

Log Entry

This log entry shows that a specific user signed in to Azure using the Azure PowerShell client and that no Conditional Access policies were applied. The most important things to consider are:

1. Does the traffic originate from known locations and devices if successfully authenticated?
2. If authentication failed, what is the reason why it failed?

We can review these logged events through the activity logs. Note, however, that by default all of these logs are stored within the Azure AD database, and their retention depends on the Azure AD license in use (P1 or P2). We also have the option to define diagnostic settings that export the logs out of Azure AD and into a Log Analytics workspace.

NOTE: Our organization needs an Azure AD P1 or P2 license to export sign-in data.

Azure AD Log Sources

Protecting sensitive data and maintaining a robust cybersecurity posture depends on knowing what each log source records. The different log sources capture different sets of data:

  • Audit Logs: record administrative actions and changes made within Azure AD, such as user and group management, application assignments, and policy modifications, offering insight into how the directory is managed.

  • Sign-in Logs: track authentication activity, capturing details of successful and failed sign-in attempts by users, applications, and service principals, and aid in detecting unauthorized access or suspicious behaviour.

  • Non-Interactive User Sign-In Logs: cover non-interactive (programmatic) sign-ins performed on behalf of users, often seen in automated processes or scripts, giving visibility into service accounts and automated activity.

  • Service Principal Sign-In Logs: track sign-ins by service principals, the identities applications use to access resources. Monitoring these logs helps identify unusual behaviour or potential misuse of application identities.

  • Managed Identity Sign-In Logs: record sign-ins by managed identities, which Azure resources use to authenticate to Azure AD, helping you understand resource-level access patterns.

  • Provisioning Logs: offer insight into user and group synchronization between on-premises directories and Azure AD, helping to ensure data consistency and accuracy.

  • ADFS Sign-In Logs: Active Directory Federation Services (ADFS) logs track sign-in attempts via federation, showing users accessing resources in a federated environment and aiding in monitoring external access patterns.

Importance of Audit Logs

Each log type plays a distinct role in enhancing security, monitoring activities, and maintaining compliance within the Azure AD environment. If we move the logs to Log Analytics with Sentinel, we also have the option to create analytics queries that automatically trigger an alert in case of suspicious behaviour.

NOTE: You also have the option to export data to an Azure Storage Account or an Azure Event Hub. For instance, we can define multiple export flows to send data to various workspaces. First, though, we need to understand the different EventIDs that get logged.

Best Practices When Monitoring Azure AD

Log Analytics and Azure Sentinel use Kusto queries to analyse the data. Kusto is a read-only query language with a surprisingly good visualizer built into the portal. We create two kinds of rules: hunting rules, which we use to explore interactively but do not run on a schedule, and analytics rules, which run on a predefined schedule.

One hunting rule we typically use is a simple one that determines the logon locations from our sign-ins:

SigninLogs
| summarize count() by Location

Another good example shows failed login attempts to Azure AD where the error code is 50126 or 50020:

SigninLogs
| where ResultType in ("50126", "50020")
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress), DistinctIPCount = dcount(IPAddress),
    make_set(OS), make_set(Browser), make_set(City), AttemptCount = count()
    by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName
| sort by AttemptCount desc

A different example looks at users who failed MFA authentication attempts in the last 31 days:

SigninLogs
| where TimeGenerated >= ago(31d)
| where ResultType == "50074"
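The failed-login and MFA-failure hunts above, replayed in Python over sign-in records exported from Azure AD (for example, from the diagnostic-settings export to a Storage Account). This is an added example, not code from the article: the sample records, the evaluation time NOW and the field names (mirroring the SigninLogs columns the queries use) are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records; keys mirror the SigninLogs columns used by the queries above.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2023-03-20T08:00:00Z", "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Azure PowerShell",
     "ResultType": "50126", "IPAddress": "203.0.113.10", "DeviceDetail": {"operatingSystem": "Windows 10"}},
    {"TimeGenerated": "2023-03-20T08:01:00Z", "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Azure PowerShell",
     "ResultType": "50126", "IPAddress": "203.0.113.11", "DeviceDetail": {"operatingSystem": "Windows 10"}},
    {"TimeGenerated": "2023-03-20T09:00:00Z", "UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365",
     "ResultType": "0", "IPAddress": "198.51.100.5", "DeviceDetail": {"operatingSystem": "macOS"}},
    {"TimeGenerated": "2023-03-21T10:00:00Z", "UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365",
     "ResultType": "50074", "IPAddress": "198.51.100.5", "DeviceDetail": {"operatingSystem": "macOS"}},
    {"TimeGenerated": "2023-01-01T10:00:00Z", "UserPrincipalName": "carol@contoso.example", "AppDisplayName": "Office 365",
     "ResultType": "50074", "IPAddress": "192.0.2.7", "DeviceDetail": {"operatingSystem": "iOS"}},
]
FAILED_PASSWORD_CODES = {"50126", "50020"}  # error codes from the failed-login query above
MFA_FAILED_CODE = "50074"                   # error code from the MFA query above
NOW = datetime(2023, 3, 25, tzinfo=timezone.utc)  # constructed "query time" standing in for ago(31d)


def _ts(record):
    """Parse the ISO-8601 TimeGenerated value into a timezone-aware datetime."""
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def summarize_failed_logins(records):
    """Same grouping as the KQL summarize ... by UserPrincipalName, AppDisplayName, ResultType."""
    groups = defaultdict(list)
    for r in records:
        if r["ResultType"] in FAILED_PASSWORD_CODES:
            groups[(r["UserPrincipalName"], r["AppDisplayName"], r["ResultType"])].append(r)
    rows = []
    for (upn, app, code), hits in groups.items():
        ips = {h["IPAddress"] for h in hits}
        rows.append({"UserPrincipalName": upn, "AppDisplayName": app, "ResultType": code,
                     "StartTime": min(map(_ts, hits)), "EndTime": max(map(_ts, hits)),
                     "IPAddresses": sorted(ips), "DistinctIPCount": len(ips),
                     "OS": sorted({h["DeviceDetail"]["operatingSystem"] for h in hits}),
                     "AttemptCount": len(hits)})
    # sort by AttemptCount desc: the noisiest accounts (many attempts, many IPs) surface first
    return sorted(rows, key=lambda row: row["AttemptCount"], reverse=True)


def mfa_failures(records, now=NOW, window_days=31):
    """Users with MFA-failed sign-ins (ResultType 50074) inside the ago(31d)-style window."""
    cutoff = now - timedelta(days=window_days)
    return sorted({r["UserPrincipalName"] for r in records
                   if r["ResultType"] == MFA_FAILED_CODE and _ts(r) >= cutoff})
```

A high AttemptCount with a large DistinctIPCount for one account is the pattern worth escalating first; a single MFA failure inside the window usually just needs a follow-up with the user.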

Two further examples query the AuditLogs table. The first looks at external guest users being invited or redeeming an invite; the second lists changes made to Conditional Access policies:

AuditLogs
| where Category == "UserManagement"
| where OperationName == "Invite external user" or OperationName == "Redeem external user invite"

AuditLogs
| where Category == "Policy"
| project ActivityDateTime, ActivityDisplayName, TargetResource = tostring(TargetResources[0].displayName), Actor = tostring(InitiatedBy.user.userPrincipalName)

Please note that these are not the only queries we execute through Kusto. 

New Azure AD Audit Logs Using Microsoft Graph Activity Logs

Microsoft introduced new Azure AD audit logs, which we store in a Log Analytics workspace. On March 14th, 2023, Microsoft added a new log called MicrosoftGraphActivityLogs to the Azure Active Directory diagnostic settings, along with the other log files listed later in this article.

These logs record the details of API requests made to Microsoft Graph for resources in the tenant. EnrichedOffice365AuditLogs is another useful new log that helps with troubleshooting. Azure Active Directory (Azure AD) diagnostic settings allow us to configure which logs and metrics to collect for monitoring and analysing activity in the Azure AD tenant.

When we create a diagnostic setting, we specify the type of data we want to collect, such as audit logs, sign-in logs, or directory logs, and where we want to send the data, such as a storage account, Event Hub, or Log Analytics workspace. The Microsoft Graph Activity Logs comprehensively record all API requests to Microsoft Graph for resources within an Azure AD tenant. These logs provide detailed information on the nature of each request, including the user or application that made it, the resource accessed, and the specific action taken.

Overview of New Azure AD Audit Logs

The Microsoft Graph Activity Logs enable administrators and developers to monitor and analyse the usage patterns of Microsoft Graph within their tenants. They also help identify potential issues or anomalies, track the performance of applications and users, and optimize the use of resources.

Microsoft introduced the new Azure AD logs listed below. We send this data to the Log Analytics workspace of our choice; our organization needs an Azure AD P1 or P2 license to export sign-in data:

  1. NetworkAccessTrafficLogs
  2. RiskyServicePrincipals
  3. ServicePrincipalRiskEvents
  4. EnrichedOffice365AuditLogs
  5. MicrosoftGraphActivityLogs

Microsoft Graph Activity Logs

Overall, MicrosoftGraphActivityLogs serves as a powerful diagnostic tool for managing and monitoring Microsoft Graph usage. The categories and solutions of MicrosoftGraphActivityLogs are shown in the list and screenshot below:

  • Categories
    • Audit Category: Records admin changes, compliance.
    • Security Category: Monitors sign-ins and access, aiding threat detection.
  • Solutions
    • Log Management Solutions: Streamline security practices, empowering proactive responses.

Refer to the full list of Microsoft Graph Activity Logs columns and attributes in this official Microsoft documentation.

Microsoft Graph Activity Logs in Azure Active Directory (Azure AD)

Diagnostic settings configure the streaming export of platform logs and metrics for a resource. You can create up to five diagnostic settings to send logs and metrics to independent destinations.

  • Navigate to the Azure AD blade in the Azure portal
  • Select Diagnostic settings from the left-hand menu
  • The Diagnostic Settings show the new Microsoft Graph Activity Logs

Diagnostic Settings for Microsoft Graph Activity Logs

Click Add diagnostic setting, shown in the screenshot above, to configure the Microsoft Graph Activity Logs. Microsoft Graph Activity Logs combine with the other Azure AD diagnostic tools to help ensure the security and reliability of our Azure AD environment.

Microsoft Graph Activity Logs Setting

Azure AD Auditing: Enabling and Configuring Audit Logs Conclusion

In conclusion, embracing Azure AD auditing by enabling and configuring audit logs and Microsoft Graph activity logs is pivotal for organizations seeking heightened security and compliance. These logs offer valuable insights for tracking user activities, detecting threats, and meeting regulatory standards. By leveraging these logs together, organizations proactively enhance their security strategies, although consistent monitoring and staying updated on Azure AD features remain imperative for sustained effectiveness.

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
