Active Directory & Office 365 Reporting Tool

Azure AD RBAC Audit / Reporting: Monitor and Analyze Azure AD. In the ever-evolving realm of cloud security, keeping a vigilant eye on access controls is a cornerstone of a robust defence strategy. Azure Active Directory’s Role-Based Access Control (RBAC) offers a powerful mechanism for governing resource access. In this article, we delve into monitoring Azure AD RBAC using Azure Monitor, unveiling essential insights that empower organizations to scrutinize and optimize their access policies for heightened security and compliance.

Azure AD RBAC Audit: Monitor and Analyze Azure AD

We can build applications deployed on Azure on top of an architecture that is siloed and highly dynamic. Monitoring the applications and services maximizes their availability, performance, reliability, and consumption. Microsoft has long been a leader in offering enterprise-grade platform services that enable increasingly complex applications’ reliable and scalable operation.

They need great baselines to flag from a monitoring and management standpoint. Because of its complex and overlapping offerings, monitoring an Azure environment using first-party tools can be challenging for even the most skilled and expert team

Overview of Azure Monitor and Log Analytics

Azure Monitor is a robust alerting and monitoring tool offered by Microsoft Azure. Azure Monitor provides an all-inclusive solution for gathering, evaluating, and working with telemetry from the user’s cloud and on-premise settings, optimizing the supply and performance of our apps and services.

Key Responsibility of Azure Monitor

Azure Monitor assists in comprehending the functionality of our applications and proactively detects problems that impact them and the resources they require.

We use it for insights into our environment’s and applications’ behaviour and running. We then respond proactively to the faults in our system.

Well, Azure Monitor ingests information from designated sources like applications, operating systems, resources, subscriptions, and tenants. The data type received determines the available data types: metrics, logs, or a combination. These data types undergo additional processing to facilitate various functions such as analysis, visualization, alerting, automation, and integrations.

Metric-based data types center around numerical, time-sensitive values that portray specific facets of the designated resource. On the other hand, log-based data types focus on querying content data stored in organized, record-based log files associated with the target resource.

Azure Metrics

Metrics are measures of a resource’s specific characteristics over a given period. Some examples of metrics are CPU utilization, disk IOPS, and number of connections. Since the system maintains them as values with a standard collection interval, they are appropriate for presenting as graphs to help us view results over time.

Numerical quantities describing one system aspect at a time are called metrics. We collect metrics almost instantly via Azure Monitor. In addition, we sample these metrics, which makes them useful for alerting. Lastly, we use a few algorithms to compare one measure to another and track trends over time.

The best use case for this data store is time-stamped data analysis. Metrics are suited for alerting and quickly detecting issues because they tell us about system performance. We combine them with logs to identify the root cause of problems if needed.

Logs include time-stamped details regarding resource modifications. Every log source records a different kind of data. We organize logs into records with different sets of properties for each record type.

Although most logs contain text data rather than numerical values, some, like Azure Monitor metrics, may contain numerical values. Azure records in the most popular kind of log entry. Instead of happening on a set timetable or at regular intervals, events can happen randomly.

We create events with applications and services that provide the context for the events. Azure keeps the metrics in logs and then combines them with other monitoring data for analysis. Azure logs Azure Monitor data into a Log Analytics workspace.

Integrating Azure Active Directory Logs with Azure Monitor

Azure Monitor logs enable the querying of data to identify specific events, analyse patterns, and establish correlations across diverse data sources. Including Azure AD activity logs in Azure Monitor logs facilitates tasks such as comparing Azure AD sign-in logs with security logs from Azure Security Center and pinpointing performance bottlenecks on an application’s sign-in page by correlating data from Azure Application Insights on application performance.

Sending Logs to Azure Monitor Logs

To fully realize the benefits of monitoring Azure AD  RBAC, we go into this subsection’s critical procedure of submitting records to Azure Monitor Logs. Unravel the intricacies of this integration to establish a solid foundation for comprehensive analysis and proactive management of our organization’s access controls.

  1. Log in to the Azure portal.
  2. Navigate to Azure Active Directory > Diagnostic settings.
  3. Turn on diagnostics.
  4. Choose Send to Log Analytics workspace in the Diagnostic settings menu and click Configure.
  5. Click Create new workspace.
  6. Specify a name for the new Log Analytics workspace.
  7. Choose a Subscription from the drop-down list or create a new one for Resource Group.
  8. Select Location.
  9. Provide the details on the Log Analytics Workspace pane, and click OK.
  10. Optionally, select either or both of the following:
    • To send audit logs, check the AuditLogs box.
    • To send sign-in logs, check the SignInLogs box.

11. Click Save.
12. Wait approx 15 mins and verify that events stream to the Log Analytics workspace.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of reports available to gain control of your IAM.

Improve your AD & Entra ID security & compliance.

Verifying the Logs

After that, verify if the logs are now in our workspace:

  1. Select Azure Active Directory, then select Logs from the Monitoring section to open our Log Analytics workspace.
  2. The workspace opens a default KQL query.

As we mentioned before, we use KQL to query precise logs. Here are a few examples:

Filtering by a specific log type:

| project TimeGenerated, Computer, EventID, Activity 
| where EventID == 4624

Filtering by a specific time range:

| where TimeGenerated > datetime(2023-01-01) and TimeGenerated < datetime(2023-02-01) 
| project TimeGenerated, Computer, EventID, Activity

Counting the number of logs by a specific field:

| summarize Count = count() by Computer 
| order by Count desc

Searching for a specific keyword:

| search "Failed login" 
| project TimeGenerated, Computer, EventID, Activity

Aggregating data over time:

| summarize Count = count() by bin(TimeGenerated, 1h) 
| project TimeGenerated, Count 

Remember to replace SecurityEvent and table names with the appropriate log types in our Log Analytics workspace. KQL is quite flexible to customize/ combine these queries based on our needs.

Viewing the Schema for Azure AD Activity Logs

Understanding the schema for Azure AD Activity Logs is essential for crafting precise queries and enabling effective monitoring of RBAC. By providing a clear blueprint of the data structure, the schema allows for accurate interpretation and customization of log analysis, tailoring it to specific organizational needs. Additionally, staying informed about schema changes ensures ongoing adaptability, maintaining the relevance and reliability of our monitoring practices over time:

  1. The diagnostic settings send the AuditLogs and SigninLogs tables in the workspace. 
  2. To view the schema for these tables:
    • From the default query view in the previous section, select Schema and expand the workspace.
    • Expand the Log Management section and then expand either AuditLogs or SignInLogs to view the log schema.

Thank you for reading Azure AD RBAC Audit / Reporting: Monitor and Analyze Azure AD. We shall conclude.

Azure AD RBAC Audit: Monitor and Analyze Azure AD Conclusion

In conclusion, the compliment of Azure Active Directory’s Role-Based Access Control (RBAC) and Azure Monitor presents a formidable alliance in fortifying our organization’s security posture. By actively monitoring and analyzing Azure AD activity, we gain visibility into potential vulnerabilities and empower ourselves to make informed decisions for refining access controls. With the ever-expanding threat landscape, this proactive approach becomes paramount, ensuring a resilient and adaptable defence against emerging security challenges in the dynamic world of cloud computing.


Try InfraSOS for FREE

Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool

Marion Mendoza

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.

Leave a comment

Your email address will not be published. Required fields are marked *