Active Directory & Office 365 Reporting Tool

How to Monitor Azure AD Activity for Improved Security. Do you need to monitor Azure AD activity logs for improved infrastructure security? Azure AD offers multiple logs that assist in detecting and mitigating risks.

This article discusses how to utilize those logs.

To start, we outline the licensing and role requirements. Next, we explain the Azure AD activity logs and describe the information the logs provide for risk detection and mitigation.

Licensing and Role Requirements

Users with the free, Azure AD Premium P1, or Azure AD Premium P2 license access various levels of Activity logs. Additionally, users must fulfil the role prerequisites to access these logs. 

For a detailed explanation of the license and role requirements read the “Licensing and Role Requirements” section of our Azure AD Identity Protection article. 

Azure AD Activity Logs for Improving Security

Azure Active Directory features 3 fundamental logs – Sign-in, Audit, and Provisioning.

Sign-in logs are activity logs that help IT admins analyse user sign-in patterns and frequency. This log also records the status of sign-ins.

The Audit log is used to monitor improved security. They track changes, such as modifications to users and groups. 

Furthermore, the Provisioning log is crucial in Azure Active Directory security. It enables organizations to track and monitor activities performed by provisioning services. 

In addition to the three logs, Azure AD Identity Protection has 4 more for advanced risk detection and mitigation. 

First is the “Risky sign-ins” report. This Azure AD Identity Protection report records detected risks, such as malware linked IP addresses or leaked credentials. 

Secondly, the “Risky users” report registers users determined as at risk and the status of the log entry. 

The last logs that monitor Azure AD for improved security are the “Risky workload identities,” and “Risk detections.” 

They keep track of risky sign-ins from workload identities. On the other hand, the “Risk detections” logs record information about each risk detection, including the type. 

Additionally, it registers other risks started simultaneously and the sign-in attempt location. 

Monitor Azure AD Audit Activity Logs for Improved Security

Although “Audit logs” capture a wide variety of data, we focus on records that gives IT admins  info to detect and fix security vulnerabilities

1. Track Password Reset and Registration Activity

Enabling Azure AD self-service password reset makes resetting passwords convenient for users. Additionally, this capability reduces helpdesk costs.

However, allowing users to reset their password from any location poses a considerable risk. Azure Active Directory security best practice recommends tracking password resets and registration to learn of and mitigate potential risks. 

The azure audit log report records all user password resets and registration activities. 

To view password reset activities in the audit log, open Azure Active Directory and click “Audit logs” in the menu. On the audit logs page, click the Service filter, select “self-service password management,” and click Apply. 

2. Review Account Provisioning Activity and Errors

Monitoring provisioning logs allows the tracking of activities of  3rd party apps on Azure AD. It helps to mitigate risks associated with their use. 

Provisioning logs are located in the Monitoring section of Azure Active Directory. Filter the report by Date, Status, or Action

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

3. Monitor Azure AD Privileged Identity Management Activity for Improved Security

Privileged Identity Management (PIM) is an Azure AD service for managing, controlling, and monitoring access to critical resources.

With monitoring of Azure AD PIM activity, you reduce the possibility of malicious individuals accessing confidential data,  leading to improved security. 

Additionally, reviewing privileged identity management logs decreases the chances of unauthorized access to sensitive information. Furthermore, PIM logs help to identify and reduce the number of people accessing sensitive data. 

PIM data is viewed in Audit, and Sign-in logs.

Beyond the PIM information in Sign-in and Audit logs, Azure AD Privileged Identity Management allows viewing specific user activities in various resources. 

To check out the activities of a specific user, open Azure AD Privileged Identity Management and click Azure Resources. 

Next, click the resource you want to view its activity, select Roles or Members, and finally, select a user

See the complete steps.  

4. Audit Activity History for Group Assignments

If you manage Azure AD Groups with Privileged Identity Management, you can view group activities like membership or ownership changes. That helps to detect users that shouldn’t own or be in groups and remove them. 

To view the activities of groups managed with PIM for groups, open Azure AD Privileged Identity Management.

Then, click “Groups (Preview)” and select the group you want to view its activity history. 

Once the group’s page opens, click “Resource audit” on the Activity menu. 

Monitor Azure AD Risk Detection and Anomalous Activity Reports for Improved Security

Azure AD categorizes certain activities as “risks.” Example: signing in from an anonymous IP address and exhibiting unfamiliar sign-in behaviours.

Additionally, leaked credentials and password spray pose additional risks. In order to enhance Azure AD security, IT admins must actively monitor these user activities.

1. Check for Users with Leaked Credentials Using the Risky Users Report

The “Risky Users” log records users with leaked credentials. It records username and password pairs exposed to malicious individuals or available on the dark web. 

Hackers access usernames and passwords through phishing and malware attacks. However, passwords may also be leaked by re-use. 

To minimize the risks of leaked credentials enable leaked credentials alerts in Azure AD. This alert monitors “Risky Users” Azure AD activity log for improved security.

Enabling leaked credential detection is available when configuring Password Hash Sync for hybrid accounts. 

2. Check for users with Irregular Sign-in Activities with the Risky Sign-ins Logs

With Azure AD Premium P2 subscription, you access premium sign-in logs that record risky sign-in activities. It detects irregular user sign-in activities like “Atypical travel,” “Impossible travel,” or “New country.”

These types of risk detection indicate a user signing in from 2 geographically diverse locations simultaneously or signing in from a location not previously signed in. 

Note that you require an Azure AD Premium P2 license to access the irregular sign-in detections described above. 

3. Monitor Sign-ins from Possibly Infected IP Addresses and Devices

In addition to recording irregular sign-ins, the risky sign-in log also records sign-ins from infected IPs and devices. 

The risky sign-in log records risky IP sign-in detection type as “Malware linked IP address.” Then, if a device’s IP used to access Azure is known to communicate actively with bot servers, Azure AD flags the device as “infected with malware.”

These reports help with detecting sign-ins from infected IP addresses and devices. IT admins proactively harden their Azure AD infrastructure against cyberattacks with the information obtained. 

How to Monitor Azure AD Activity for Improved Security Conclusion

Monitoring Azure AD activity is vital for enhancing an organization’s infrastructure security

First, we discussed the licensing prerequisites for accessing Azure AD logs for monitoring user activities. Additionally, we identified the specific Azure AD logs that need monitoring to secure Azure Active Directory effectively.

Next, we examined methods to employ these logs for improving Azure AD security by proactively detecting and addressing potential risks. Specifically, we emphasized the importance of tracking password resets and registration activities, account provisioning, and privileged identity management to identify vulnerabilities and take proactive measures.

Furthermore, we highlighted the significance of auditing activity history for group assignments, which enables maintaining control over access rights and detecting unauthorized changes. Additionally, we emphasized the value of leveraging Azure AD risk detection and anomalous activity reports to identify users with leaked credentials, irregular sign-in activities, and suspicious sign-ins from potentially infected IP addresses and devices.

By implementing these monitoring strategies, you significantly strengthen the security of your Azure AD environment and effectively mitigate risks.


Try InfraSOS for FREE

Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool

Victor Ashiedu

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Leave a comment

Your email address will not be published. Required fields are marked *