How to Configure Azure AD Activity Logs for Effective Monitoring
Are you looking to improve the security and compliance of your Azure Active Directory (Azure AD) environment? Enabling and configuring Azure AD activity logs for effective monitoring is one way to achieve this goal.
In this article, I walk you through the steps to create a Log Analytics workspace in your Azure subscription for your log destinations. In addition we learn how to add a Diagnostic Setting and select the required Azure activity logs to add for monitoring.
Moreover, when creating a Diagnostic Setting, you must decide what logs to add for monitoring. To assist, I dedicated a section explaining the 14 categories of logs to add to your Diagnostic Setting.
Finally, the guide has a section that walks you through the steps to monitor and analyse logs using the Azure Active Directory Log Analytics.
Create a Log Analytics Workspace to Use for Audit Log Destination
When you Add a Diagnostic Setting to create Azure audit log monitoring (3rd section of this article), you must select a destination to save the audit logs. Azure AD Diagnostic setting offers 4 options as destinations – Send to Log Analytics workspace, Archive to a storage account, Stream to an event hub, or Send to partner solution.
An admin’s log destination choice depends on the organization’s log analysis requirements and goals. I’ll use the “Send to Log Analytics workspace” option. This option offers a cost-effective way to query and analyse Azure AD activity logs, create alerts, and visualize log data using Azure Monitor.
Furthermore, the Log Analytics workspace option allows admins to retain audit logs for long periods, perform in-depth investigations, and understand user activity in the Azure AD environment.
Follow the steps below to create a Log Analytics workspace in your Azure subscription.
1. Open the Azure Portal – portal.azure.com – and sign in with an account that has adequate permissions to create a Log Analytics workspace.
2. Search for “Log Analytics workspace” and select Log Analytics workspaces.
3. On the “Log Analytics workspaces” page, click Create to start a new Log Analytics workspace.
4. Finally, enter the required details for the workspace and click Review + Create. The Azure Portal takes a moment to validate the workspace.
If the next page returns “Validation passed,” click Create (bottom left) to create the workspace – see the second screenshot below.
Before proceeding to the next section, wait for the Azure Portal to finish deploying the Log Analytics workspace.
Azure AD Diagnostic Setting Logs Explained
This section walks you through the steps to add a Diagnostic Setting to your Azure AD. To help you decide what log categories to include, I have explained the 14 log categories and the activities captured by each log category.
The information discussed in this section will help you decide what log categories to add for monitoring based on your organization’s needs and requirements.
1. AuditLogs in Azure Active Directory
Tracks all changes made in Azure AD. This log records changes made to users, groups, and applications, and is also helpful for demonstrating compliance with specific regulations.
Furthermore, this log helps admins with the following questions:
- What changes did admins make to a user, and which admin made the change?
- Which Azure AD group(s) were created or modified, and who performed the activity?
- What application has been added, removed, or modified, and who authorized the change?
Before accessing the Azure AuditLogs report, you must be a Global Administrator, Global Reader, Security Administrator, Security Reader, or Reports Reader.
Finally, you access the audit logs via Azure AD -> Monitoring -> Audit logs, or via the Log Analytics node.
2. SignInLogs in Azure Active Directory
An activity log that tracks how users access Azure AD applications and services. With this log, Azure admins analyse sign-in patterns and the number of users that sign in during a specified period.
An Azure AD user reviews their own sign-ins via mysignins.microsoft.com. Admins analyse all sign-in activities via this link – portal.azure.com.
In addition to viewing sign-in activities in the portal, admins also analyse sign-in logs via the Log Analytics node.
Finally, an admin must have one of the following roles to access the sign-in logs of an Azure tenant – Global Admin, Security Admin, Security Reader, Global Reader, or Reports Reader.
3. NonInteractiveUserSignInLogs in Azure Active Directory
The standard sign-in logs capture interactive user sign-ins, where a user accesses an Azure resource by entering a username and password (see the previous subsection).
By contrast, the NonInteractiveUserSignInLogs in Azure AD record non-interactive user sign-ins, such as background or automated processes. Non-interactive user sign-ins do not involve direct user interaction.
Instead, these sign-in logs track sign-ins from PowerShell scripts, background tasks, or service accounts.
4. ServicePrincipalSignInLogs in Azure Active Directory
In the last subsection, I mentioned that the NonInteractiveUserSignInLogs record sign-in activities from service accounts. If you want to track service accounts in a separate log, use the ServicePrincipalSignInLogs.
This Azure activity log tracks and records the sign-in activities of service principals (the identities used by applications and services to access resources in an Azure AD tenant).
Therefore, monitoring this Azure activity log helps admins observe how applications and services access resources in Azure AD. It also helps admins detect unusual behaviour and take the necessary actions to mitigate risks.
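As an added example (not part of the original article), the following Kusto query runs against the Log Analytics table that the ServicePrincipalSignInLogs category populates and flags service principals that signed in during the last day from an IP address not seen for that principal in the previous 14 days. The table and column names are the standard Log Analytics schema; the time windows are assumptions you can adjust.

```kusto
// Added example: surface service principals signing in from previously unseen IPs.
// Baseline window and recent window are assumed values, not from the article.
let lookback = 14d;
let recent = 1d;
// Baseline: every service principal / IP pair seen in successful sign-ins
// during the lookback window, excluding the most recent day.
let baseline =
    AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | where ResultType == "0"          // "0" = successful sign-in
    | distinct ServicePrincipalId, IPAddress;
// Recent successful sign-ins whose SP / IP pair has no match in the baseline.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| join kind=leftanti baseline on ServicePrincipalId, IPAddress
| summarize
    FirstSeen = min(TimeGenerated),
    SignIns   = count(),
    Resources = make_set(ResourceDisplayName, 10)   // what the SP accessed
    by ServicePrincipalName, ServicePrincipalId, AppId, IPAddress
| order by SignIns desc
```

A new IP for a principal is not proof of misuse (a redeployed app or a new outbound NAT address produces the same result), so treat hits as triage candidates and confirm against the application owner's change records.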
5. ManagedIdentitySignInLogs in Azure Active Directory
Managed identities give Azure services an identity of their own, which those services use to access other resources in your tenant. This log records the sign-ins of those managed identities.
6. ProvisioningLogs in Azure Active Directory
Azure admins provision users or groups from services outside the Azure AD portal. For example, admins create users or groups from Azure AD Connect, System for Cross-domain Identity Management (SCIM), or other identity provisioning services. This log records those provisioning activities.
7. ADFSSignInLogs in Azure Active Directory
Some organizations allow users to access Azure AD via the Active Directory Federation Services (AD FS). An admin may want to monitor these users’ activity logs in such instances.
However, before an administrator views and analyses ADFSSignInLogs, the admin must install the latest Azure Active Directory Connect Health Agent version for AD FS on-prem.
In addition, the admin must also have the Global administrator or reports reader role.
8. RiskyUsers Log in Azure Active Directory
This log records activities of users that Azure identifies as risky. Adding the RiskyUsers log category to Diagnostic settings allows admins to analyse the activities of these risky users with Log Analytics.
You can also view the Risky users report in the Azure Active Directory -> Security -> Reports section.
9. UserRiskEvents Log in Azure Active Directory
Records activity deemed as “risky,” such as a user signing in from an unusual location or a device infected by malware or virus.
This log helps you to identify and analyse such risky user events.
10. Azure Active Directory Log Categories In Preview
When I wrote this article in April 2023, 5 of the 14 log categories were still in Preview. As of this date, the following log categories were available in Diagnostic settings, but (unless your organization was part of the preview) adding them will not generate any logs:
So, when you read this article, unless Microsoft has confirmed that these Azure AD log categories are in production (or your organization is included in the Preview), including them in your Diagnostic settings is unnecessary.
Get the latest update about the state of the listed log categories via the Microsoft page, Integrate Azure AD logs with Azure Monitor logs. Then, scroll down to the “Send logs to Azure Monitor” section.
Add a Diagnostic Setting and Configure Log Data Collection
After you create the destination to save your Azure AD activity logs, you’re ready to enable tracking of activity logs. To do this, you must add a Diagnostic setting in Azure AD and select the logs you wish to monitor.
The procedure below outlines the detailed steps to accomplish this.
1. From the Log Analytics workspace page, click the Azure Portal menu and select Home. Alternatively, you can access the Azure home page by clicking this link – portal.azure.com.
2. Next, click Azure Active Directory in the “Azure services” category. Alternatively, you may search “azure active directory.”
3. Then, scroll down the menu options to the Monitoring section and click “Diagnostic settings.”
5. On the “Diagnostic setting” configuration page, enter a name in the Diagnostic setting name field. Then, select the log categories you wish to monitor.
6. After naming your new “Diagnostic setting” and selecting the logs you want to monitor, check the checkbox beside the log destination type you wish to send your logs to. In this example, I send the logs to the “Log Analytics workspace.”
So, I check the “Log Analytics workspace” checkbox.
Next, select the Log Analytics workspace you created earlier, and click Save on the top left.
7. Finally, when Azure finishes creating the new “Diagnostic setting,” click the Home button on the top left before proceeding to the next section of this article.
Managing Log Analytics Workspaces and Diagnostic Settings
In this article, I have shown how to create a Log Analytics Workspace to send logs when you configure new Diagnostic Settings required for effective monitoring of Azure AD Activity Logs. In addition, I also covered the steps to set up Diagnostic Settings.
After creating these, you may need to modify them to improve your Azure AD Activity Logs monitoring. I cover the steps to edit an existing Log Analytics Workspace and Diagnostic Settings in the following two subsections.
How to Modify or Use a Log Analytics Workspace
1. Sign in to Azure Portal and search “log analytics workspace.” Then, click Log Analytics Workspaces.
2. The Azure Portal should display all existing Log Analytics workspaces. If the workspace you require is not listed, ensure that Subscription, Resource groups, and Locations are all set to “all.”
To open a log analytics workspace for editing, click it.
The workspace opens on the “Overview” page, offering vital editing options. Firstly, move the workspace to a different resource group by clicking the “move” link next to Resource group. Similarly, click the “move” link next to Subscription to move the workspace to a separate Azure subscription.
Another useful tab in a log analytics workspace is the Activity log tab. When you click this tab, you view the recent Azure activity logs.
By default “Last 6 hours” is selected as the Time span. To change this value, click Time span.
A log analytics workspace has more information that an admin finds helpful, but I mention the “Usage and estimated costs” tab before I move on. The data in this tab helps admins manage the cost of their Azure activity log consumption.
For example, an admin can view the cost of log data analytics in the past 31 days and also the estimated monthly cost.
However, the two most crucial settings all administrators must know are the “Daily cap” and “Data Retention” settings.
To enable a daily volume cap, click the Daily cap tab; then, flip the switch from Off to On and set the daily volume cap in GB.
Similarly, if an admin wishes to set data retention, please click the Data Retention tab. Then, on the flyout, move the slider to a desired value (in days) and click OK.
How to Edit Diagnostic Settings
After creating Diagnostic Settings, an admin may need to add or remove log categories or modify the location the log files are stored.
To edit, open Azure Active Directory. Then, on the Monitoring node, click Diagnostic settings.
Next, click “Edit setting.” When the Diagnostic setting opens for editing, modify it as you require, then click Save on the top left.
Monitor and Analyze Azure AD Activity Logs
After configuring Azure AD Activity Logs, use the tools provided by Azure to analyse the logs. To access the logs, navigate to Azure Active Directory -> Monitoring.
An admin views Sign-in logs, Audit logs, and Provisioning logs. However, the most valuable is Log Analytics.
The most exciting feature of Azure Log Analytics is an admin’s ability to write SQL-like queries in the Kusto Query Language (KQL).
Read Microsoft’s tutorial to learn more about Azure Log Analytics. Similarly, learn about the Kusto Query language via this link – Tutorial: Learn common operators.
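As an added example (not code from the original article), this Kusto query runs in Log Analytics against the AuditLogs table and answers the three questions raised in the AuditLogs section above: which users, groups, and applications were changed, by whom, and what changed. The table and column names are the standard AuditLogs schema; the 7-day window is an assumption.

```kusto
// Added example: who changed which user, group or application in the last 7 days.
// The time window is an assumed value; widen it to match your retention setting.
AuditLogs
| where TimeGenerated > ago(7d)
| where Category in ("UserManagement", "GroupManagement", "ApplicationManagement")
| where Result == "success"
// InitiatedBy is a dynamic column holding either a user or an app actor;
// coalesce picks whichever one is populated.
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// The first entry in TargetResources is the object that was changed;
// modifiedProperties lists each property with its old and new value.
| extend TargetType = tostring(TargetResources[0].type),
         Target     = tostring(TargetResources[0].displayName),
         TargetUPN  = tostring(TargetResources[0].userPrincipalName),
         Changed    = TargetResources[0].modifiedProperties
| project TimeGenerated, Category, OperationName, Actor, ActorIP,
          TargetType, Target, TargetUPN, Changed
| order by TimeGenerated desc
```

To focus on one of the three questions, add a filter such as `| where Category == "GroupManagement"` or `| where Actor == "admin@contoso.com"` (a constructed example value) before the project line.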
Thank you for reading How to Configure Azure AD Activity Logs for Effective Monitoring. We shall conclude this article now.
How to Configure Azure AD Activity Logs for Effective Monitoring Conclusion
Azure offers businesses, big or small, existing tools to empower them to achieve their business goals. However, since organizations access Azure via the internet, it comes with risks.
The good news is that Microsoft has excellent tools for Azure admins to secure their tenants. One such tool is the Azure Activity logs.
If used correctly, Azure Activity logs provide admins with the tools to track the activities of users, applications, and services. This guide aims to provide admins with the steps to configure Azure AD Activity Logs for effective monitoring.
We hope we achieved that goal!