Tutorial / Cram Notes
Azure AD maintains three primary types of logs:
- Sign-In Logs: These logs contain details about the sign-in activity of users. Information recorded includes the time of sign-in, the application being accessed, the user’s IP address, the device information, any conditional access policies applied, and whether the sign-in attempt was successful or not.
- Audit Logs: Audit logs capture administrative activities within Azure AD, such as users being created or deleted, password updates, group membership changes, role assignments, and any other changes made to Azure AD resources.
- Provisioning Logs: These logs provide information about the automatic provisioning activities for integrated applications, including start and end times for provisioning cycles, status messages, changes applied, and any errors encountered during the provisioning process.
Accessing the Logs in the Azure AD Console
To access these logs, you must have the required permissions, such as being a Security Administrator, Global Administrator, or Report Reader.
- Navigate to the Azure portal.
- Go to “Azure Active Directory” in the left navigation panel.
- Select “Monitoring” and then choose the type of log you want to review: Sign-ins, Audit logs, or Provisioning logs.
Reviewing and Analyzing Sign-In Logs
When you access the Sign-in logs, you can filter the view based on criteria such as a specific user, application, date range, or the status of the sign-in attempt. This filtering capability makes it easier to pinpoint issues, troubleshoot authentication problems, or identify potentially malicious sign-in attempts.
Example of a Sign-in Log Entry:
User | Application | Date & Time | Location | Status |
---|---|---|---|---|
[email protected] | Microsoft Office | 2023-04-01, 10:00 | New York, NY | Success |
In the Azure AD console, administrators can delve into individual log entries to obtain more detailed information, such as the authentication method used and any conditional access policies that were triggered during the sign-in attempt.
Auditing Administrative Actions with Audit Logs
The Audit logs enable administrators to track who did what, when, and where within Azure AD. This is essential for meeting regulatory compliance requirements and for maintaining an audit trail for security purposes.
Example of an Audit Log Entry:
Activity | Target | Performed By | Date & Time | Result |
---|---|---|---|---|
Add user | [email protected] | [email protected] | 2023-04-01, 09:30 | Success |
Change password | [email protected] | [email protected] | 2023-04-01, 09:45 | Success |
These logs can be filtered by activity, date, the actor (who performed the action), and the target resource. Additionally, the Azure AD console provides options to export the logs for offline analysis or to integrate with other security information and event management (SIEM) tools.
Monitoring Provisioning Activities with Provisioning Logs
The provisioning logs are instrumental when configuring and managing automated user provisioning to various cloud applications such as Salesforce, Google Apps, and more. They allow administrators to monitor the status of provisioning activities and to troubleshoot any issues that arise during the process.
Example of a Provisioning Log Entry:
Service | Status | Activity Date | Duration | Changes Applied | Error Details |
---|---|---|---|---|---|
Salesforce | Success | 2023-04-01, 11:00 | 2m | 5 new users | – |
Google Workspace | Failure | 2023-04-01, 11:05 | 1m | – | Connection Timeout |
Provisioning logs provide a clear overview of each cycle, showing what changes were made, and helping administrators ensure that users have the necessary access to perform their roles effectively.
Best Practices for Using Azure AD Logs
- Regularly review and audit sign-in and audit logs to detect irregular patterns that can indicate potential breaches or misuse.
- Set up alerts for anomalous activities such as sign-ins from unfamiliar locations or repeated failed sign-ins, so that an investigation can start promptly.
- Use the export functionality to archive logs for the required retention period as per industry regulations and company policies.
- Integrate the logs with SIEM tools to enhance real-time monitoring and correlation with other event sources, creating a comprehensive security posture.
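As an added example (not part of the original notes), the following Python script applies the filtering described under "Reviewing and Analyzing Sign-In Logs" and the alerting ideas in the best practices above to a CSV export of sign-in logs laid out like the sample table: it keeps only failed attempts, flags users with repeated failures inside a short window, and flags successful sign-ins from a location not previously seen for that user. The CSV rows, user names and thresholds are constructed for the example; a real export carries more columns.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in the column layout of the sign-in table above.
# Users, locations and timestamps are made up for this example.
SAMPLE_CSV = """User,Application,Date & Time,Location,Status
alice@contoso.example,Microsoft Office,"2023-04-01, 10:00","New York, NY",Success
alice@contoso.example,Microsoft Office,"2023-04-01, 10:05","New York, NY",Success
bob@contoso.example,Azure Portal,"2023-04-01, 10:10","Chicago, IL",Failure
bob@contoso.example,Azure Portal,"2023-04-01, 10:11","Chicago, IL",Failure
bob@contoso.example,Azure Portal,"2023-04-01, 10:12","Chicago, IL",Failure
alice@contoso.example,Microsoft Office,"2023-04-01, 10:20","Lagos, Nigeria",Success
"""

def parse_signins(text):
    """Parse the export and attach a datetime so rows can be ordered."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(r["Date & Time"], "%Y-%m-%d, %H:%M")
    return sorted(rows, key=lambda r: r["when"])

def failed_signins_only(rows):
    """Same effect as filtering the console view on Status = Failure."""
    return [r for r in rows if r["Status"] == "Failure"]

def repeated_failures(rows, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside a sliding time window."""
    flagged, per_user = set(), defaultdict(list)
    for r in failed_signins_only(rows):
        times = per_user[r["User"]]
        times.append(r["when"])
        while times and r["when"] - times[0] > window:  # age out old failures
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(r["User"])
    return flagged

def unfamiliar_locations(rows):
    """Successful sign-ins from a location not seen before for that user."""
    seen, hits = defaultdict(set), []
    for r in rows:
        if r["Status"] != "Success":
            continue
        if seen[r["User"]] and r["Location"] not in seen[r["User"]]:
            hits.append((r["User"], r["Location"], r["when"]))
        seen[r["User"]].add(r["Location"])
    return hits
```

The first sign-in of each user seeds the known-location set, so a baseline built from a longer export will produce fewer false positives than this short sample.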
By effectively leveraging the sign-in, audit, and provisioning logs in the Azure AD console, organizations can enhance their identity and access management, improve security monitoring and response efforts, and meet compliance obligations.
Practice Test with Explanation
True/False: Azure Active Directory sign-in logs are only retained for 90 days for all Azure AD license levels.
- Answer: False
Explanation: Sign-in logs are retained for 30 days for Azure AD Free and Azure AD Office 365 licenses. For Azure AD Premium P1 and P2, logs are retained for 180 days.
True/False: You can integrate Azure Active Directory logs with Azure Monitor without any additional cost.
- Answer: False
Explanation: While it is possible to integrate Azure AD logs with Azure Monitor, there may be additional costs depending on the volume of data and the retention period configurations.
Multiple Select: Which of the following can be viewed in Azure AD’s audit logs? (Select all that apply)
- A) Password changes
- B) Group membership changes
- C) Application SSO sign-in failures
- D) License assignment changes
- Answer: A, B, D
Explanation: Password changes, group membership changes, and license assignment changes are all recorded in Azure AD’s audit logs. Application SSO sign-in failures are captured in sign-in logs, not audit logs.
Single Select: What would you typically use to review provisioning logs in Azure AD?
- A) Azure AD Identity Protection
- B) Azure Security Center
- C) Provisioning logs in the Azure AD console
- D) Sign-in logs in the Azure AD console
- Answer: C
Explanation: Provisioning logs can be reviewed through the Azure AD console specifically under the ‘Provisioning logs’ section to track the status of user, group, and license provisioning events.
True/False: Azure AD sign-in logs can be exported automatically to third-party SIEM tools.
- Answer: True
Explanation: Azure AD sign-in logs can be automatically exported to third-party Security Information and Event Management (SIEM) tools using Azure Monitor or Azure AD’s log integration capabilities.
Single Select: Which Azure service can be used to set alerts for specific activities indicated in sign-in logs?
- A) Azure Advisor
- B) Azure Monitor
- C) Azure AD Identity Protection
- D) Azure Policy
- Answer: B
Explanation: Azure Monitor allows admins to set alerts for specific activities found in the Azure AD sign-in logs.
True/False: You can use the Azure AD console to analyze sign-in logs for federated domains.
- Answer: True
Explanation: The Azure AD console allows you to analyze sign-in logs for all types of authentications, including those for federated domains.
Single Select: To investigate potential compromised accounts, which log type should you prioritize reviewing?
- A) Audit logs
- B) Sign-in logs
- C) Provisioning logs
- D) Directory logs
- Answer: B
Explanation: Sign-in logs provide information about the user’s sign-in activities and are instrumental in identifying irregular sign-in patterns that may indicate compromised accounts.
True/False: You can filter Azure AD audit logs by ‘Category’ to see a specific event type, such as ‘UserManagement’.
- Answer: True
Explanation: The Azure AD audit logs can be filtered by various criteria, including the ‘Category,’ to view specific types of events.
Multiple Select: Which of the following attributes can be used to filter sign-in logs in the Azure AD console? (Select all that apply)
- A) User Principal Name (UPN)
- B) Location
- C) Application
- D) Device ID
- Answer: A, B, C
Explanation: Sign-in logs can be filtered by the User Principal Name (UPN), location, and application. Device ID is not a filter option for sign-in logs.
True/False: Provisioning logs in Azure AD include details about automatic user account provisioning to SaaS applications.
- Answer: True
Explanation: Provisioning logs provide details regarding the automatic provisioning and deprovisioning of user accounts to SaaS applications integrated with Azure AD.
Single Select: What is the primary purpose of using Azure AD’s audit logs?
- A) Tracking real-time security threats
- B) Understanding user sign-in patterns
- C) Documenting the configurations and changes made in the Azure AD tenant
- D) Preventing data breaches through automated response
- Answer: C
Explanation: The primary purpose of audit logs is to keep track of configurations, modifications, and managed resources within the Azure AD tenant.
Interview Questions
What are sign-in logs in Azure AD?
Sign-in logs provide information about user sign-ins to your Azure AD environment. This information includes details such as the user’s identity, the type of sign-in, the location of the sign-in, and the success or failure of the sign-in attempt.
What is the purpose of reviewing sign-in logs?
The purpose of reviewing sign-in logs is to monitor and track user activity in your Azure AD environment. This can help you identify potential security risks or compliance issues.
How can you access sign-in logs in the Azure AD console?
To access sign-in logs in the Azure AD console, navigate to the Azure AD Activity Logs under the Monitoring section and select the sign-in logs.
What filter options are available when reviewing sign-in logs in the Azure AD console?
You can filter sign-in logs by date range, user, application, and other criteria.
What are some potential security risks that can be identified by reviewing sign-in logs?
Some potential security risks that can be identified by reviewing sign-in logs include unauthorized access attempts, suspicious login patterns, and compromised user accounts.
How can you use automation tools to monitor sign-in logs?
Automation tools can be used to automatically alert you when specific events or patterns are detected in the sign-in logs, such as failed login attempts or suspicious activity.
What is the purpose of the sign-in activity report in Azure AD?
The sign-in activity report in Azure AD provides a summary of sign-in activity in your environment, including the number of successful and failed sign-ins, the top users and applications by sign-ins, and sign-ins by location.
How can you use the sign-in activity report to identify potential security risks?
You can use the sign-in activity report to identify patterns or anomalies in sign-in activity that may indicate potential security risks, such as unauthorized access attempts or compromised user accounts.
How can you export sign-in logs from the Azure AD console?
Sign-in logs can be exported from the Azure AD console in CSV format, which can be opened in Excel or other data analysis tools.
How can you integrate Azure AD sign-in logs with third-party tools and services?
Azure AD sign-in logs can be integrated with third-party tools and services through Azure Monitor and Azure Sentinel, which provide more advanced querying and visualization capabilities.
I’m preparing for the SC-300 exam and find the Azure AD console a bit overwhelming. Any tips for prioritizing what to focus on?
Can someone explain the difference between Azure AD audit logs and sign-in logs?
The GUI of the Azure AD console is just great. It makes navigating through logs quite intuitive.
How can I filter the logs to see failed sign-in attempts only?
Appreciate the comprehensive blog post.
Is there any way to automate the review of these logs using PowerShell?
I always struggle with interpreting the Provisioning logs. Any advice on how to approach them?
Is there a retention policy for these logs? How long are they available?