Logging and reporting play a central part in the work of an Identity and Access Administrator. Azure AD's logs show how your organization interacts with the directory, provide the evidence needed for compliance, and let you identify and respond to suspicious activity before it becomes an incident.
Understanding Sign-ins, Audit, and Provisioning Logs
These three types of logs provide distinct kinds of information:
- Sign-in logs: These record authentication activity in your directory: who signed in, when, from which IP address and location, with which client application and device, and whether the sign-in succeeded, failed, or was blocked by a Conditional Access policy or an MFA requirement. They cover interactive and non-interactive user sign-ins as well as service principal and managed identity sign-ins.
- Audit logs: These provide traceability through records of directory activity. They contain every change made in your Azure AD tenant, such as adding or removing users, assigning roles, and creating or modifying policies, together with who made the change (the actor) and what was changed (the target).
- Provisioning logs: They provide information about the automatic creation, deletion, and update of user identities and groups as part of managing access to your applications.
Accessing and Analyzing the Logs using Azure AD Console
You can access these logs via the Azure portal. Once signed in, navigate to the Azure Active Directory section. Under Monitoring you will find Sign-in logs, Audit logs, and Provisioning logs.
To analyze these logs, select one of them, such as the Sign-in logs. Here you can view details about each sign-in event, including the user, time, location, device, and result. You can filter, sort, and group the data depending on what you want to analyze, and drill down into a specific event to see its full details, such as the authentication method used, the Conditional Access policies evaluated, and the error code and failure reason for a failed sign-in.
The Audit logs work similarly. They are the place to look if, for instance, you want to see every administrative operation performed in a given period. Filters let you narrow the view to the category, activity, target, or actor you are interested in.
Finally, the provisioning logs record each operation the provisioning service performed, including its outcome (success, failure, or skipped) and, for failures, the error code, reason, and recommended action. Use them to find out why a particular user was not provisioned to, or deprovisioned from, an application.
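The sign-in triage described above (spotting failures, MFA problems, and risky sign-ins) can be automated once the records are exported. The following Python script is an added example, not code from the original page or from Microsoft: its records are constructed for the example in the shape of the Microsoft Graph `signIn` resource, which is also what the portal's Download button exports as JSON (`userPrincipalName`, `ipAddress`, `status.errorCode`, `riskLevelDuringSignIn`, `riskState`). The error-code table lists only the codes most often triaged; which codes to watch is the author's assumption, not an exhaustive list.

```python
"""Triage of Azure AD sign-in log records (added example, not from the page).

Records are constructed here in the shape of the Microsoft Graph `signIn`
resource. Users, IP addresses and timestamps are made up.
"""
from collections import defaultdict

# Common status.errorCode values and what they mean (0 is success).
ERROR_CODES = {
    0: "Success",
    50126: "Invalid username or password",
    50053: "Account locked after too many failed attempts",
    50074: "Strong authentication (MFA) required",
    500121: "MFA challenge failed or not completed",
    53003: "Blocked by Conditional Access policy",
}


def _rec(ts, upn, ip, country, code, risk="none", risk_state="none"):
    """Build one sign-in record in the Graph `signIn` shape (constructed data)."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "appDisplayName": "Office 365",
        "ipAddress": ip,
        "location": {"countryOrRegion": country},
        "isInteractive": True,
        "riskLevelDuringSignIn": risk,
        "riskState": risk_state,
        "status": {"errorCode": code, "failureReason": ERROR_CODES.get(code, "")},
    }


# Constructed sample: normal activity plus a password spray from 198.51.100.7,
# an MFA failure, a Conditional Access block and a high-risk sign-in.
SIGNINS = [
    _rec("2024-05-01T08:00:01Z", "alice@contoso.example", "203.0.113.10", "GB", 0),
    _rec("2024-05-01T08:02:17Z", "bob@contoso.example", "198.51.100.7", "NL", 50126),
    _rec("2024-05-01T08:02:19Z", "carol@contoso.example", "198.51.100.7", "NL", 50126),
    _rec("2024-05-01T08:02:21Z", "dave@contoso.example", "198.51.100.7", "NL", 50126),
    _rec("2024-05-01T08:10:44Z", "erin@contoso.example", "203.0.113.22", "GB", 500121),
    _rec("2024-05-01T08:15:03Z", "frank@contoso.example", "192.0.2.55", "BR", 0, "high", "atRisk"),
    _rec("2024-05-01T08:20:30Z", "grace@contoso.example", "203.0.113.31", "GB", 53003),
    _rec("2024-05-01T09:00:00Z", "bob@contoso.example", "203.0.113.10", "GB", 0),
]


def failed_signins(records):
    """Records whose status.errorCode is non-zero."""
    return [r for r in records if r["status"]["errorCode"] != 0]


def failures_by_user(records):
    """Failed sign-in count per user principal name."""
    counts = defaultdict(int)
    for r in failed_signins(records):
        counts[r["userPrincipalName"]] += 1
    return dict(counts)


def password_spray_candidates(records, min_distinct_users=3):
    """Source IPs with bad-password failures (50126) against many distinct users.

    One user failing repeatedly looks like a typo or a lockout; many users
    failing once each from the same IP is the spray pattern.
    """
    users_by_ip = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 50126:
            users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


def mfa_failures(records):
    """Sign-ins that stopped at the MFA step."""
    return [r for r in records if r["status"]["errorCode"] in (50074, 500121)]


def risky_signins(records):
    """Sign-ins Identity Protection rated medium/high risk or left in state atRisk."""
    return [r for r in records
            if r.get("riskLevelDuringSignIn") in ("medium", "high")
            or r.get("riskState") == "atRisk"]


def describe(r):
    """One-line summary, like a row in the portal's Sign-ins blade."""
    code = r["status"]["errorCode"]
    return (f"{r['createdDateTime']} {r['userPrincipalName']} from {r['ipAddress']} "
            f"({r['location']['countryOrRegion']}): {ERROR_CODES.get(code, f'error {code}')}")


if __name__ == "__main__":
    for r in failed_signins(SIGNINS):
        print(describe(r))
    print("Possible password spray:", password_spray_candidates(SIGNINS))
    print("MFA failures:", [r["userPrincipalName"] for r in mfa_failures(SIGNINS)])
    print("Risky sign-ins:", [describe(r) for r in risky_signins(SIGNINS)])
```

The spray check keys on distinct users per source IP rather than on raw failure counts, because a single user locking themselves out generates just as many 50126 events as an attacker but is not an attack; the threshold is a starting point to tune against your own baseline.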
Sign-in Logs vs. Audit Logs vs. Provisioning Logs
The following table compares the three types of logs available in Azure AD:

| | Sign-in Logs | Audit Logs | Provisioning Logs |
|---|---|---|---|
| Purpose | Record sign-in activities | Record directory changes | Record the automatic creation, update, and deletion of user identities and groups in connected applications |
| Value | Understand how and when users access applications | Ensure compliance by tracking who changed what, and when | Diagnose issues in the provisioning process |
| Available data | User, time, IP address and location, device, client app, result and error code, Conditional Access and MFA result, risk level | Activity, category, date, target, actor (initiated by), result, modified properties | Action, status, source and target identity, source and target system, error code and reason |
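The troubleshooting use of provisioning logs described above (finding out why a user was not provisioned, and diagnosing issues across a provisioning cycle) is easier over exported records than in the portal once more than a handful of users are affected. The Python below is an added example, not code from the page or from Microsoft. Its records are constructed in the shape of the Microsoft Graph `provisioningObjectSummary` resource (`provisioningAction`, `provisioningStatusInfo.status`, `provisioningStatusInfo.errorInformation`, `sourceIdentity`, `targetSystem`, `cycleId`); the application names, identities, and error codes are sample values chosen for the example.

```python
"""Summarizing Azure AD provisioning log records (added example, not from the page).

Records are constructed in the shape of the Microsoft Graph
`provisioningObjectSummary` resource. Names, applications and error codes
are sample values.
"""
from collections import Counter


def _rec(ts, cycle, action, status, source, target_app, error_code=None, reason=None):
    """Build one provisioning record (constructed data).

    Failures carry an errorInformation block; the skipped entry here carries a
    reason but no code (sample shape, not a statement about every real record).
    """
    error = {"errorCode": error_code, "reason": reason} if reason else None
    return {
        "activityDateTime": ts,
        "cycleId": cycle,
        "provisioningAction": action,  # create | update | delete | disable
        "provisioningStatusInfo": {"status": status, "errorInformation": error},
        "sourceIdentity": {"displayName": source, "identityType": "User"},
        "sourceSystem": {"displayName": "Azure Active Directory"},
        "targetSystem": {"displayName": target_app},
    }


# Two provisioning cycles (c1, c2). Carol fails both times for the same reason;
# Erin fails once and is fixed; Dave drops out of scope; Bob is healthy.
PROVISIONING = [
    _rec("2024-05-01T06:00:00Z", "c1", "create", "success", "Bob Jones", "Salesforce"),
    _rec("2024-05-01T06:00:02Z", "c1", "create", "failure", "Carol Diaz", "Salesforce",
         "AttributeValidationFailure", "Required attribute 'Email' was empty."),
    _rec("2024-05-01T06:00:03Z", "c1", "update", "skipped", "Dave Kim", "Salesforce",
         None, "User is no longer in scope of the provisioning assignment."),
    _rec("2024-05-01T06:00:05Z", "c1", "create", "failure", "Erin Shah", "Dropbox",
         "DuplicateTargetEntries", "Two Dropbox accounts match the source user."),
    _rec("2024-05-01T12:00:01Z", "c2", "create", "failure", "Carol Diaz", "Salesforce",
         "AttributeValidationFailure", "Required attribute 'Email' was empty."),
    _rec("2024-05-01T12:00:03Z", "c2", "create", "success", "Erin Shah", "Dropbox"),
    _rec("2024-05-01T12:00:04Z", "c2", "update", "success", "Bob Jones", "Salesforce"),
]


def by_status(records):
    """How many operations ended in each status (success, failure, skipped)."""
    return Counter(r["provisioningStatusInfo"]["status"] for r in records)


def failures_by_app_and_code(records):
    """Failed operations grouped by (target application, error code).

    One code repeated across many users points at a mapping or schema
    problem; one-off codes point at individual accounts.
    """
    return Counter(
        (r["targetSystem"]["displayName"],
         r["provisioningStatusInfo"]["errorInformation"]["errorCode"])
        for r in records if r["provisioningStatusInfo"]["status"] == "failure")


def history_for(records, display_name):
    """Every attempt for one source identity, oldest first, as
    (cycleId, action, status, reason). Answers 'why was this user not provisioned?'"""
    rows = []
    for r in sorted(records, key=lambda r: r["activityDateTime"]):
        if r["sourceIdentity"]["displayName"] != display_name:
            continue
        info = r["provisioningStatusInfo"]
        err = info.get("errorInformation") or {}
        rows.append((r["cycleId"], r["provisioningAction"], info["status"], err.get("reason")))
    return rows


def stuck_users(records):
    """Source identities whose most recent attempt failed and has not
    succeeded since: the list to work through after a failed cycle."""
    latest = {}
    for r in sorted(records, key=lambda r: r["activityDateTime"]):
        latest[r["sourceIdentity"]["displayName"]] = r["provisioningStatusInfo"]["status"]
    return sorted(name for name, status in latest.items() if status == "failure")


if __name__ == "__main__":
    print("Outcomes:", dict(by_status(PROVISIONING)))
    print("Failures by app and code:", dict(failures_by_app_and_code(PROVISIONING)))
    print("Still failing:", stuck_users(PROVISIONING))
    for row in history_for(PROVISIONING, "Carol Diaz"):
        print("Carol Diaz:", row)
```

`stuck_users` deliberately looks at the latest record per identity rather than at every failure, so a user whose retry succeeded in a later cycle (Erin here) drops off the list while a repeated failure (Carol) stays on it.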
In conclusion, as a Microsoft Identity and Access Administrator you must know how to use the Azure AD console to examine the sign-in, audit, and provisioning logs. The ability to review and analyze these logs is crucial for managing and securing identities: whether you are demonstrating compliance, establishing who changed a setting and when, or diagnosing why an account was not provisioned, these logs are an indispensable tool.
Practice Test
True or False: With Azure AD, it is possible to review and analyze sign-in logs.
- True
- False
Answer: True
Explanation: Azure AD provides sign-in logs that administrators holding a reporting role can review and analyze for every user in the directory; individual users can review their own sign-in history at My Sign-Ins.
In the context of Azure AD, what is the main purpose of audit logs?
- A. To track user sign-in activities
- B. To monitor server uptime
- C. To track changes made by administrators
- D. To monitor network traffic
Answer: C. To track changes made by administrators
Explanation: The main utility of audit logs in Azure AD is to track the changes made by administrators. It provides detailed tracking of activities such as changes to roles, updates to organization details and changes to the configuration settings.
What is the retention period for data in the Azure Activity log (the subscription-level log in Azure Monitor)?
- A. 30 days
- B. 60 days
- C. 90 days
- D. 120 days
Answer: C. 90 days
Explanation: The Azure Monitor Activity log, which records subscription-level control-plane operations, is retained for 90 days. Do not confuse it with the Azure AD sign-in and audit logs, whose retention depends on the tenant's license: 7 days on Azure AD Free and 30 days on Premium P1 or P2.
True or False: Provisioning logs in Azure AD provide insights into the status of user role assignments.
- True
- False
Answer: False
Explanation: Provisioning logs record what the provisioning service did with users and groups when synchronizing them from a source system (such as Azure AD) to a target application, and with what result. Role assignment changes are recorded in the audit logs, not the provisioning logs.
What is the maximum limit on the number of rows that can be exported from Azure AD sign-in logs?
- A. 10,000 rows
- B. 20,000 rows
- C. 50,000 rows
- D. 100,000 rows
Answer: D. 100,000 rows
Explanation: The Download option on the sign-in logs exports to CSV or JSON with a cap on the number of records; this cap has changed between portal versions, so check the current documentation before relying on it. For larger or repeatable extracts, stream the logs to a Log Analytics workspace, storage account, or Event Hub through Diagnostic settings, or query them through the Microsoft Graph reporting API.
Which of the following are examples of provisioning errors in Azure AD logs? Select all that apply.
- A. QuotaExceeded
- B. ObjectNotFound
- C. UnauthorizedAccess
- D. RoleNameNotFound
Answer: A. QuotaExceeded, B. ObjectNotFound
Explanation: QuotaExceeded and ObjectNotFound are specific examples of provisioning errors that are recorded in Azure AD logs.
True or False: Risk events are available as a part of Azure AD sign-in logs.
- True
- False
Answer: True
Explanation: Each sign-in log entry carries the Identity Protection risk fields for that sign-in: risk state, risk level during sign-in, aggregated risk level, and risk detail. The full Risky users, Risky sign-ins, and Risk detections reports are found under Identity Protection.
Which of the following would you use to track administratively defined configuration changes in Azure AD?
- A. Sign-in logs
- B. Audit logs
- C. Provisioning logs
- D. Activity logs
Answer: B. Audit logs
Explanation: Audit logs in Azure AD record administrative configuration changes, with the actor, target, result, and modified properties for each one.
True or False: You can set up an alert for specific events in Azure AD logs.
- True
- False
Answer: True
Explanation: Yes. Once the logs are streamed to a Log Analytics workspace through Diagnostic settings, you can create Azure Monitor alert rules on KQL queries over the SigninLogs and AuditLogs tables, for example to alert when a user is added to a privileged role.
What role do you need in Azure AD to read audit logs?
- A. Global Administrator
- B. Security Administrator
- C. Security Reader
- D. All of the above
Answer: D. All of the above
Explanation: Global Administrator, Security Administrator, and Security Reader can all read Azure AD audit logs, as can Global Reader and Reports Reader. Reports Reader is the least-privileged built-in role that grants this access, so it is the right choice for an analyst who only needs to review logs.
Interview Questions
What are the three types of logs accessible through the Azure AD console that help review and analyze sign-in, audit, and provisioning activities?
The three types of logs are Sign-in logs, Audit logs, and Provisioning logs.
What information does a sign-in log provide in Azure AD?
Sign-in logs provide information about who signed in, when they signed in, where they signed in from, and how the sign-in was carried out (for instance, whether it was interactive or non-interactive, which client application was used, and whether MFA and Conditional Access requirements were satisfied).
What type of information can you find in the Azure AD audit logs?
Audit logs provide information about any changes made within Azure AD such as adding or removing users, updating user properties, changing passwords, adding roles etc.
What is the function of provisioning logs in Azure AD?
Provisioning logs provide information about the provisioning (creation, update, or deletion) of users, groups, and other directory objects within Azure AD or any integrated applications.
Where can you access the Sign-in logs in the Azure AD console?
You can access the Sign-in logs by navigating to Azure Active Directory > Monitoring > Sign-ins.
How long are the sign-in logs retained in Azure AD?
Sign-in logs are retained for 30 days in tenants with an Azure AD Premium P1 or P2 license and for 7 days on Azure AD Free. For longer retention, stream them to a Log Analytics workspace or a storage account through Diagnostic settings.
What is the purpose of using Azure AD Audit logs?
Azure AD audit logs provide the evidence needed for forensics and compliance: they let you determine who changed which directory object, when, and from which service or application.
Can I export these logs for further analysis and if so, how?
Yes. Under Azure Active Directory > Monitoring > Diagnostic settings you can route the logs to a storage account for long-term retention, to an Event Hub for streaming into a SIEM or other real-time consumer, or to a Log Analytics workspace, where you can query them with KQL and build workbooks and alerts.
What type of sign-in errors can you find in the sign-in logs?
You can find various sign-in errors like password-related issues, user account lockout situations, multi-factor authentication failures etc.
How can we configure log retention in Azure AD?
Retention inside Azure AD itself is fixed by the tenant's license (7 days on Free, 30 days on Premium P1/P2) and cannot be changed in the portal. To keep logs longer, create a diagnostic setting under Azure Active Directory > Monitoring > Diagnostic settings that sends the log categories you need to a Log Analytics workspace, then set the retention period on that workspace (or send them to a storage account and govern retention with its lifecycle management rules).
What function does Azure AD User Provisioning serve?
Azure AD User Provisioning allows organizations to automate the creation, maintenance, and removal of user identities in cloud (SaaS) applications like Dropbox, Salesforce, and more.
Are Provisioning logs in Azure AD enabled by default?
Yes, Provisioning logs are enabled by default for every application in which provisioning is set up.
How long are Audit logs and Provisioning logs kept in Azure AD?
Like sign-in logs, audit logs are kept for 7 days on Azure AD Free and 30 days on Premium P1/P2. Provisioning logs are kept for 30 days. Anything older must come from an export destination such as a Log Analytics workspace or storage account.
How can we filter the information in Azure AD audit logs?
We can filter the audit logs by ‘Category’, ‘Activity’, ‘Target’, and ‘Initiated by’ fields.
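Both the practice question on tracking administratively defined configuration changes and the filter fields just listed (Category, Activity, Target, Initiated by) translate directly into code once the audit log has been exported. The Python below is an added example, not code from the page or from Microsoft. Its records are constructed in the shape of the Microsoft Graph `directoryAudit` resource (`category`, `activityDisplayName`, `initiatedBy.user` / `initiatedBy.app`, `targetResources[].modifiedProperties`, `result`); the people, roles, and policy names are sample values. It assumes, as Graph does, that `oldValue` and `newValue` in `modifiedProperties` are JSON-encoded strings.

```python
"""Filtering Azure AD audit log records (added example, not from the page).

Records are constructed in the shape of the Microsoft Graph `directoryAudit`
resource; filter_audit mirrors the portal's Category, Activity, Target and
Initiated by filters. Names and identifiers are sample values.
"""
import json


def _user_actor(upn):
    return {"user": {"userPrincipalName": upn}, "app": None}


def _app_actor(name):
    return {"user": None, "app": {"displayName": name}}


def _user_target(upn):
    return [{"type": "User", "userPrincipalName": upn, "displayName": None,
             "modifiedProperties": []}]


def _role_target(upn, role_name):
    """Target of 'Add member to role': the user, with the role name carried in
    modifiedProperties. Graph serializes old/new values as JSON strings."""
    return [{"type": "User", "userPrincipalName": upn, "displayName": None,
             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                     "oldValue": None,
                                     "newValue": json.dumps(role_name)}]}]


def _rec(ts, category, activity, actor, targets, result="success"):
    return {"activityDateTime": ts, "category": category,
            "activityDisplayName": activity, "initiatedBy": actor,
            "targetResources": targets, "result": result}


# Constructed sample: two role grants, a new user, a policy change made by an
# automation service principal, and a failed password reset.
AUDIT = [
    _rec("2024-05-01T09:00:00Z", "RoleManagement", "Add member to role",
         _user_actor("admin@contoso.example"),
         _role_target("bob@contoso.example", "Global Administrator")),
    _rec("2024-05-01T09:05:00Z", "UserManagement", "Add user",
         _user_actor("admin@contoso.example"), _user_target("carol@contoso.example")),
    _rec("2024-05-01T09:10:00Z", "Policy", "Update policy",
         _app_actor("Automation Service Principal"),
         [{"type": "Policy", "displayName": "Require MFA for admins", "modifiedProperties": []}]),
    _rec("2024-05-01T09:15:00Z", "RoleManagement", "Add member to role",
         _user_actor("helpdesk@contoso.example"),
         _role_target("dave@contoso.example", "Security Reader")),
    _rec("2024-05-01T09:20:00Z", "UserManagement", "Reset user password",
         _user_actor("helpdesk@contoso.example"), _user_target("erin@contoso.example"),
         result="failure"),
]


def actor_name(r):
    """Who did it: a user's UPN, or the display name of the app/service principal."""
    who = r["initiatedBy"]
    if who.get("user"):
        return who["user"]["userPrincipalName"]
    if who.get("app"):
        return who["app"]["displayName"]
    return "unknown"


def target_names(r):
    return [t.get("userPrincipalName") or t.get("displayName") or "" for t in r["targetResources"]]


def filter_audit(records, category=None, activity=None, target=None, initiated_by=None, result=None):
    """Apply the portal's filters; each argument narrows the set, None means any."""
    out = []
    for r in records:
        if category and r["category"] != category:
            continue
        if activity and r["activityDisplayName"] != activity:
            continue
        if initiated_by and actor_name(r) != initiated_by:
            continue
        if result and r["result"] != result:
            continue
        if target and target not in target_names(r):
            continue
        out.append(r)
    return out


PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}


def privileged_role_changes(records, watch=PRIVILEGED_ROLES):
    """'Add member to role' events that granted a watched role, as
    (time, actor, member, role): the list an alert rule or access review starts from."""
    hits = []
    for r in filter_audit(records, category="RoleManagement", activity="Add member to role"):
        for t in r["targetResources"]:
            for p in t.get("modifiedProperties", []):
                if p["displayName"] == "Role.DisplayName" and p["newValue"]:
                    role = json.loads(p["newValue"])
                    if role in watch:
                        hits.append((r["activityDateTime"], actor_name(r),
                                     t["userPrincipalName"], role))
    return hits


if __name__ == "__main__":
    for r in filter_audit(AUDIT, category="RoleManagement"):
        print(r["activityDateTime"], actor_name(r), r["activityDisplayName"], target_names(r))
    print("Privileged role grants:", privileged_role_changes(AUDIT))
```

Note that `actor_name` has to handle both `initiatedBy.user` and `initiatedBy.app`: changes made through automation or a compromised service principal show up with no user at all, and a filter that only looks at user principal names would silently miss them.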
Can you modify or delete entries in the sign-in, audit, or provisioning logs in Azure AD?
No. Administrators cannot edit or delete entries in these logs; Azure AD writes them as an append-only record, and entries age out only when the retention period expires. Once you export them to your own storage account or Log Analytics workspace, their integrity depends on the access controls you place on that destination.