Azure AD RBAC Audit / Reporting: Monitor and Analyze Azure AD
In the ever-evolving realm of cloud security, keeping a vigilant eye on access controls is a cornerstone of a robust defence strategy. Azure Active Directory’s Role-Based Access Control (RBAC) offers a powerful mechanism for governing resource access. In this article, we delve into monitoring Azure AD RBAC using Azure Monitor, unveiling essential insights that empower organizations to scrutinize and optimize their access policies for heightened security and compliance.
Azure AD RBAC Audit: Monitor and Analyze Azure AD
Applications deployed on Azure are often built on an architecture that is siloed and highly dynamic. Monitoring those applications and services is what keeps their availability, performance, reliability, and consumption under control. Microsoft has long been a leader in offering enterprise-grade platform services that let increasingly complex applications run reliably and at scale.
From a monitoring and management standpoint, those services need good baselines against which to flag anomalies. Because of its complex and overlapping offerings, monitoring an Azure environment using first-party tools can be challenging for even the most skilled and expert team.
Overview of Azure Monitor and Log Analytics
Key Responsibility of Azure Monitor
Azure Monitor assists in comprehending the functionality of our applications and proactively detects problems that impact them and the resources they require.
We use it to gain insight into how our environment and applications behave and perform, so that we can respond proactively to faults in our system.
Working with Azure Monitor
Azure Monitor ingests telemetry from designated sources such as applications, operating systems, resources, subscriptions, and tenants. The source determines which data types are available: metrics, logs, or a combination of both. This data then undergoes further processing to support analysis, visualization, alerting, automation, and integrations.
Metric-based data types center around numerical, time-sensitive values that portray specific facets of the designated resource. On the other hand, log-based data types focus on querying content data stored in organized, record-based log files associated with the target resource.
Azure Metrics
Metrics are measures of a resource’s specific characteristics over a given period. Some examples of metrics are CPU utilization, disk IOPS, and number of connections. Since the system maintains them as values with a standard collection interval, they are appropriate for presenting as graphs to help us view results over time.
Metrics are numerical values that each describe one aspect of a system at a point in time. Azure Monitor collects them almost instantly, and because they are sampled at regular intervals they are well suited to alerting. We can also compare one measure against another and track trends over time.
The best use case for this data store is time-stamped data analysis. Metrics are suited for alerting and quickly detecting issues because they tell us about system performance. We combine them with logs to identify the root cause of problems if needed.
Log Analytics
Although most logs contain text data rather than numerical values, some may also carry numerical values, as Azure Monitor metrics do. Events are the most common kind of log entry. Rather than occurring on a set timetable or at regular intervals, events can happen at any time.
Events are generated by the applications and services that provide their context. Azure Monitor can also store metrics in logs and combine them with other monitoring data for analysis. Azure Monitor log data is stored in a Log Analytics workspace.
Integrating Azure Active Directory Logs with Azure Monitor
Azure Monitor logs enable the querying of data to identify specific events, analyse patterns, and establish correlations across diverse data sources. Including Azure AD activity logs in Azure Monitor logs facilitates tasks such as comparing Azure AD sign-in logs with security logs from Azure Security Center and pinpointing performance bottlenecks on an application’s sign-in page by correlating data from Azure Application Insights on application performance.
Sending Logs to Azure Monitor Logs
To fully realize the benefits of monitoring Azure AD RBAC, this subsection walks through the critical procedure of sending records to Azure Monitor Logs. This integration is the foundation for comprehensive analysis and proactive management of our organization’s access controls.
1. Log in to the Azure portal.
2. Navigate to Azure Active Directory > Diagnostic settings. Note: Azure Active Directory is now Microsoft Entra ID.
3. Turn on diagnostics.
4. Choose Send to Log Analytics workspace in the Diagnostic settings menu and click Configure.
5. Click Create new workspace.
6. Specify a name for the new Log Analytics workspace.
7. Choose a Subscription from the drop-down list, and choose an existing Resource Group or create a new one.
8. Select Location.
9. Provide the details on the Log Analytics Workspace pane, and click OK.
10. Optionally, select either or both of the following:
   - To send audit logs, check the AuditLogs box.
   - To send sign-in logs, check the SignInLogs box.
11. Click Save.
12. Wait approximately 15 minutes and verify that events stream to the Log Analytics workspace.
Verifying the Logs
After that, verify that the logs are now in our workspace:
- Select Azure Active Directory, then select Logs from the Monitoring section to open our Log Analytics workspace.
- The workspace opens a default KQL query.
As mentioned above, we use Kusto Query Language (KQL) to query specific logs. Here are a few examples:
Filtering by a specific log type:
```kusto
SecurityEvent
| project TimeGenerated, Computer, EventID, Activity
| where EventID == 4624
```
Filtering by a specific time range:
```kusto
SecurityEvent
| where TimeGenerated > datetime(2023-01-01) and TimeGenerated < datetime(2023-02-01)
| project TimeGenerated, Computer, EventID, Activity
```
Counting the number of logs by a specific field:
```kusto
SecurityEvent
| summarize Count = count() by Computer
| order by Count desc
```
Searching for a specific keyword:
```kusto
SecurityEvent
| search "Failed login"
| project TimeGenerated, Computer, EventID, Activity
```
Aggregating data over time:
```kusto
SecurityEvent
| summarize Count = count() by bin(TimeGenerated, 1h)
| project TimeGenerated, Count
```
Remember to replace SecurityEvent with the table that holds the log type you want to query in our Log Analytics workspace (for Azure AD activity, that is AuditLogs or SignInLogs). KQL is flexible enough to customize and combine these queries as needed.
Viewing the Schema for Azure AD Activity Logs
Understanding the schema for Azure AD Activity Logs is essential for crafting precise queries and enabling effective monitoring of RBAC. By providing a clear blueprint of the data structure, the schema allows for accurate interpretation and customization of log analysis, tailoring it to specific organizational needs. Additionally, staying informed about schema changes ensures ongoing adaptability, maintaining the relevance and reliability of our monitoring practices over time:
- The diagnostic settings populate the AuditLogs and SignInLogs tables in the workspace.
- To view the schema for these tables:
  - From the default query view in the previous section, select Schema and expand the workspace.
  - Expand the Log Management section, then expand either AuditLogs or SignInLogs to view the log schema.
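The SecurityEvent examples above are generic; for an RBAC audit the table that matters is AuditLogs. The following query is an added example, not from the original article, that lists directory role membership changes with who made them, who was affected, and which role was involved. The column names follow the AuditLogs schema; the paths into the dynamic InitiatedBy, TargetResources and modifiedProperties fields, and the set of OperationName values, are assumptions to confirm against the Schema pane in your own workspace.

```kusto
// Added example (not the article's own query): Azure AD directory role
// membership changes over the last 30 days, from the AuditLogs table that
// the diagnostic settings above populate.
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "RoleManagement"
// Assumed operation names; PIM-driven activations use different names
// (check OperationName values in your tenant and extend this list).
| where OperationName in ("Add member to role", "Remove member from role",
                          "Add eligible member to role", "Remove eligible member from role")
// Who performed the change: an interactive user, or an app / service principal.
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.app.displayName))
// The first target resource is the principal whose membership changed
// (users carry a UPN, groups and service principals only a displayName).
| extend Target = iff(isnotempty(TargetResources[0].userPrincipalName),
                      tostring(TargetResources[0].userPrincipalName),
                      tostring(TargetResources[0].displayName))
// The role name is recorded in modifiedProperties as a JSON-quoted string:
// newValue for additions, oldValue for removals.
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend Role = trim('"', iff(isnotempty(Prop.newValue),
                              tostring(Prop.newValue),
                              tostring(Prop.oldValue)))
| project TimeGenerated, OperationName, Result, Actor, Target, Role, CorrelationId
| order by TimeGenerated desc
```

Wrapping the query in an alert rule, or adding `| summarize count() by Actor, Role` to spot unusually active administrators, turns this from an ad hoc check into ongoing RBAC monitoring.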
Azure AD RBAC Audit: Monitor and Analyze Azure AD Conclusion
In conclusion, the combination of Azure Active Directory’s Role-Based Access Control (RBAC) and Azure Monitor presents a formidable alliance in fortifying our organization’s security posture. By actively monitoring and analyzing Azure AD activity, we gain visibility into potential vulnerabilities and empower ourselves to make informed decisions for refining access controls. With the ever-expanding threat landscape, this proactive approach becomes paramount, ensuring a resilient and adaptable defence against emerging security challenges in the dynamic world of cloud computing.