Auditing is a crucial aspect of managing and securing your Microsoft Azure environment. The end-to-end monitoring provided by auditing in Azure Active Directory (AD) enables organizations to detect potential vulnerabilities and irregular activities. This post will introduce you to how you can configure auditing in Azure AD, including diagnostic settings that are essential to pass the MS-101: Microsoft 365 Mobility and Security exam.
1. Understanding Auditing in Azure AD
Azure AD auditing helps track all changes made in the directory, such as added or removed users, changed passwords, and so on. The Azure portal provides a way to view these audit logs. Moreover, Azure AD also allows you to integrate with Microsoft Cloud App Security and Azure Monitor logs.
2. Accessing the Audit Logs
To access the audit logs, follow the steps below:
- Go to the Azure portal.
- Navigate to Azure Active Directory.
- Go to “Monitoring” and then “Audit logs.”
Here, you will see all your activity logs. You can filter these based on the date, initiated by (user/service/principal), activity (the name of the event), and target.
3. Configuring Auditing in Azure AD
Auditing in Azure AD can be configured by setting up activity-based retention policies and integrating with Microsoft Cloud App Security.
a. Setting Up Retention Policies
By default, Azure AD retains audit logs for 30 days. However, you can set up a longer retention period based on your organization’s needs. You can configure your retention policies under “Diagnostic settings” in the portal.
b. Integration with Microsoft Cloud App Security
You can also set up a policy to track specific activities or detect unusual behavior using Microsoft Cloud App Security. For example, setting a policy that sends an alert when someone from outside the organization accesses an Azure AD resource or if there’s a sudden spike in activity.
4. Working with Diagnostic Settings
Diagnostic settings in Azure AD contribute to the comprehensive monitoring of your environment. They help in sending platform logs and metrics to different outputs like Log Analytics workspaces, event hubs, or storage accounts.
To configure diagnostic settings, follow these steps:
- Go to the Azure portal.
- Navigate to Azure Active Directory.
- Go to “Diagnostic settings.”
From here, you can add a diagnostic setting, define the categories of logs you want to audit, set the destination for your data, and specify the retention policy for each setting.
Note: Azure AD supports two categories of logs – AuditLogs and SignInLogs.
- AuditLogs: Contains multiple types of events including, changes in users, groups, applications, and directory roles.
- SignInLogs: Records of sign-in activity in your environment.
5. Exporting Azure AD logs to Log Analytics workspace
In some cases, you may want to export your logs to a Log Analytics workspace. To do this:
- Go to “Diagnostics settings” in Azure AD.
- Click on “Add diagnostic setting.”
- Check the categories of logs you want to export.
- Select “Send to Log Analytics.”
- Choose the appropriate Log Analytics workspace.
- Hit “Save.”
In conclusion, understanding and utilizing auditing in Azure AD helps maintain the security and integrity of your Azure environment. Configuring your activity logs, setting up diagnostic settings, and exporting your data to a Log Analytics workspace are all valuable skills for the MS-101: Microsoft 365 Mobility and Security exam and will make Azure AD administration smoother in your daily operations.
Practice Test
True or False: Azure Active Directory (AD) auditing logs show sign-in activity only.
- True
- False
Answer: False
Explanation: Besides sign-in activity, Azure AD auditing logs also show information about changes made within the directory such as changes made on user identities, applications, groups, and directory roles.
What are the types of logs provided by Azure Active Directory (AD) auditing?
- a) Sign-in logs
- b) Audit logs
- c) Diagnostic logs
- d) Both a and b
Answer: d) Both a and b
Explanation: Azure AD provides two types of logs: sign-in logs and directory audit logs. Sign-in logs contain the user sign-in activities whereas the audit logs show the changes made within the directory.
True or False: Azure AD logs can be configured to send data to Log Analytics workspace, an event hub, or an Azure storage account.
- True
- False
Answer: True
Explanation: You can configure the Azure AD logs send data to Azure Monitor Logs, which includes Log Analytics and Azure Sentinel, an event hub for integration with SIEM tools, or an Azure storage account for archival purposes.
Which service does Azure AD use to export logs and other telemetry outside of Azure?
- a) Azure Monitor
- b) Azure Security Center
- c) Microsoft Defender
- d) Microsoft Graph API
Answer: a) Azure Monitor
Explanation: Azure Monitor is a service in Azure that provides performance and availability monitoring for applications and services in Azure, other cloud environments, or on-premises.
True or False: Azure AD provides an option to retain logs forever.
- True
- False
Answer: False
Explanation: Logs are retained only for a limited period of time. Sign-ins and audit logs are retained for 30 days for free and paid licenses you have additional retention for up to 1 year.
Single-Select: What information does the Audit log provide you in Azure AD?
- a) Failed and successful sign-ins
- b) Role management
- c) Directory activities
- d) All of the above
Answer: D) All of the above
Explanation: Audit logs provide traceability and visibility into what’s happening in your Azure AD, such as changes made by IT admins, role management activity, directory activities and more.
In Azure AD, sign-in logs contain what kind of information?
- a) User creation
- b) User deletion
- c) Failed and successful sign-ins
- d) Directory synchronization
Answer: c) Failed and successful sign-ins
Explanation: Sign-in logs contain information related to the use of managed applications and user sign-in activities.
True or False: Diagnostic settings in Azure AD must be set on each resource.
- True
- False
Answer: True
Explanation: Each Azure resource’s diagnostic settings must be configured individually, although you can also configure them at scale with Azure Policy.
What is a prerequisite for configuring diagnostic settings in Azure AD?
- a) Azure Storage Account
- b) Azure Monitor
- c) Azure Defender
- d) None of the above
Answer: a) Azure Storage Account
Explanation: Azure Storage Account is required to store the diagnostic logs. This must be created before configuring diagnostic settings.
True or False: You can’t route your Azure AD logs to multiple locations.
- True
- False
Answer: False
Explanation: You can indeed route your Azure AD logs to multiple locations. For example, you can send them to a storage account for long-term archival, stream them to an event hub for real-time telemetry, or send them to Azure Monitor logs for further analysis.
Azure Security Center provides visibility into the security state of which resources?
- a) Azure Resource Manager resources
- b) Azure DevOps resources
- c) Hybrid Cloud Workloads
- d) Both a and c
Answer: d) Both a and c
Explanation: Azure Security Center provides visibility into the security state of Azure resources, non-Azure resources, and hybrid workloads.
Interview Questions
What is auditing in Azure Active Directory?
Auditing in Azure Active Directory is a feature that allows administrators to track changes made in the directory. This information includes activity logged by various applications and services and can help identify configuration errors, track changes and potentially resolve security-related issues.
What is included in the Audit activity reports in Azure Active Directory?
The audit activity reports in Azure AD cover all the activities related to user activity, group activity, application activity, and more. This includes user password changes, user sign in activity, addition or changes to group members, application registrations, and so on.
How are audit logs and sign-in logs stored in Azure AD?
By default, audit logs and sign-in logs in Azure AD are retained for 30 days. However, for longer retention, you can archive the data to an Azure storage account or stream it to an Azure event hub or Azure Monitor logs.
What is the purpose of diagnostic settings in Azure AD auditing?
The diagnostic settings in Azure AD auditing help you stream audit logs and sign-in logs to an analytics workspace, event hub, or storage account for custom processing, longer retention as per your compliance requirements, and visualization of detailed trends and analytics.
How can you configure auditing in Azure AD?
Auditing in Azure AD can be configured from the Azure portal. You navigate to Azure Active Directory, then proceed to ‘Monitoring’ and then ‘Audit logs’. From here, you can view, search and filter the audit logs as per your requirements.
What is the role of Azure Monitor Logs in the Azure AD auditing?
With Azure Monitor Logs, you can archive logs from Azure AD to a Log Analytics workspace for longer duration retention, cross-resource querying, and alerting. This comes handy in scenarios wherein compliance mandates require organizations to retain logs for a specific period.
How can Azure AD audit logs be exported?
Azure AD audit logs can be exported by setting up the diagnostic settings to route the logs to a storage account, event hub, or Log Analytics workspace. Then, these logs can be exported from the respective destinations for further analysis or archival.
How can you view the audit activities in Azure AD?
You can view the audit activities in Azure AD from the Azure portal itself. Navigate to Azure Active Directory> Monitoring > Audit Logs. Here you can view all the activities and apply filters date-wise, activity-wise or by user.
How to stream the Azure AD logs to an Azure Event Hub?
In the Azure AD audit logs or sign-in logs page, select ‘Diagnostic settings’ then click on ‘Add diagnostic setting’, and then select ‘Stream to an event hub’. Then, select a service bus namespace and event hub instance as the destination.
Where can you access sign-in logs in Azure AD?
The sign-in logs can be accessed from Azure portal. Navigate to Azure Active Directory> Monitoring > Sign-ins. Here you can view the detailed sign-in activities and apply filters for specific time period or individual users.
Is it possible to set up alerts based on activities logged in Azure AD?
Yes, it is possible to set up alerts based on activities logged in Azure AD. This can be achieved by streaming the logs to Log Analytics workspace and defining alert rules there.
Can you explain the process to send Azure AD logs to Log Analytics workspace?
From your Azure AD’s diagnostic settings, choose ‘Send to Log Analytics’ option, select a subscription, and choose or create a Log Analytics workspace. All future logs would then be sent to this workspace for analysis, alerting, and longer retention.
What is the advantage of sending Azure AD audit logs to Event Hubs?
Sending Azure AD audit logs to Event Hubs allows the logs to be consumed using real-time analytics providers or custom software development tools. This provides flexibility to analyze and process logs in real-time for quick response to significant events.
What is the significance of ‘User Principal Name’ in Azure AD audit logs?
The ‘User Principal Name’ in the Azure AD audit logs identifies the user who initiated the action or event. It helps in user-wise tracking of activities and investigation in case of any suspicious activity.
How is ‘Target’ defined in the Azure AD audit logs?
The ‘Target’ in the Azure AD audit logs specifies the object that was acted upon during a particular activity. It could be a user, a group, an application, or any other directory object.
extutorials.com