The previous chapter covered planning and implementing our privileged access for administrator accounts and managing them with access reviews. This included the benefits of using privileged identity management and how to audit these privileged assignments. In this chapter, we will discuss how to analyze, review, and investigate our logs and events for protecting against risky sign-ins and elevated risk users.
We're going to cover the following main topics:
In this chapter, we will continue to explore configuring a tenant for Microsoft 365 and Azure. There will be exercises that will require access to Azure Active Directory. If you have not yet created the trial licenses for Microsoft 365, please follow the directions provided within Chapter 1, Preparing for Your Microsoft Exam.
In Chapter 9, Planning, Implementing, and Administering Conditional Access and Azure Identity Protection, we discussed how user and sign-in risk can be used as a condition for access and authorization to applications. Azure Identity Protection utilizes the activity logs to determine potential threats, vulnerabilities, and anomalous behavior among users. Sign-in logs are based on two types of reporting: activity and security.
Activity reporting within Microsoft shows what is taking place within the infrastructure. The various activities include the following:
Security reporting pertains to the identity protection activity within Azure AD. These include the risky sign-ins and user risks that are logged:
Activity and security report data can be accessed by the following Azure AD roles: Security Administrator, Security Reader, Global Reader, and Report Reader. Users that only require the ability to view these reports should be assigned one of the reader roles. Security Administrator allows a user to create and respond to alerts and to configure reports for others to view. The Global Administrator role also has full access to these reports, but assigning it to someone who only needs to view reports violates the principle of least privilege and is not recommended.
The ability to access sign-in activity is available with all Azure AD licenses. However, if you require the capabilities of Azure Identity Protection, such as sign-in risk and user risk detection, you will require the Azure AD Premium P2 license.
In the following steps, you will see how to access these reports to monitor sign-in activity and determine any sign-in patterns that may signify a potential threat:
Sign-in activity log data has a default retention period of 30 days, and the graph shows activity for those 30 days. Within the sign-in activity graphs, you have the capability to select a specific day and review the data for that day. Additional information about data retention can be found at this link: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-reports-data-retention. PowerShell commands to view these logs are also available at this link: https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadauditdirectorylogs?view=azureadps-2.0-preview.
The sign-in activity data shows the following information:
Figure 14.10 shows these options:
When you select one of the options, you can view the details of the user ID, user, username, application ID, application, client, location, IP address, date, MFA required, and sign-in status. On the user's page, the complete overview of all user sign-ins can be accessed by selecting the sign-ins within the Activity section.
The IP address does not definitively tie a sign-in to the physical location of the device that performed it. Mobile carrier addressing and VPN connections mean the address recorded is not necessarily the address of the device itself. Azure AD reports provide a best-effort conversion of an IP address to a physical location based on traces, registry data, reverse lookups, and other information.
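As an added example that is not part of the book, the following Python applies the same filters the portal offers (status, a case-sensitive UPN prefix, a date window) to a sign-in export and flags the pattern the text asks you to look for: repeated failures for one account arriving from several countries. It assumes the field names of the Microsoft Graph signIn resource, which the portal's JSON download also uses; every record, address, and user in the sample is constructed.

```python
import json
from datetime import datetime
# Constructed sample in the shape of the portal's JSON sign-in export (Microsoft
# Graph signIn field names); every record, address and user below is made up.
SAMPLE_EXPORT = """[
 {"createdDateTime":"2023-05-01T08:00:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Exchange Online",
  "ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}},
 {"createdDateTime":"2023-05-01T08:05:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Exchange Online",
  "ipAddress":"203.0.113.7","location":{"countryOrRegion":"BR"},"status":{"errorCode":50126}},
 {"createdDateTime":"2023-05-01T08:06:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Exchange Online",
  "ipAddress":"203.0.113.8","location":{"countryOrRegion":"RO"},"status":{"errorCode":50126}},
 {"createdDateTime":"2023-05-01T08:07:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Azure Portal",
  "ipAddress":"203.0.113.9","location":{"countryOrRegion":"NG"},"status":{"errorCode":50126}},
 {"createdDateTime":"2023-05-02T09:00:00Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Azure Portal",
  "ipAddress":"198.51.100.11","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
]"""

def parse_export(text):
    # Keep each record as exported and add a parsed, timezone-aware timestamp for range filtering.
    return [dict(r, _when=datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))) for r in json.loads(text)]

def filter_signins(records, status="all", upn_prefix=None, start=None, end=None):
    # Mirrors the portal filters: status (all/success/failure; failure = non-zero errorCode),
    # a case-sensitive 'starts with' match on the UPN, and an optional date window.
    out = []
    for r in records:
        failed = r["status"].get("errorCode", 0) != 0
        if (status == "success" and failed) or (status == "failure" and not failed):
            continue
        if upn_prefix is not None and not r["userPrincipalName"].startswith(upn_prefix):
            continue
        if (start and r["_when"] < start) or (end and r["_when"] > end):
            continue
        out.append(r)
    return out

def failure_profile(records):
    # Per user: number of failed attempts plus the distinct source IPs and countries behind them.
    profile = {}
    for r in filter_signins(records, status="failure"):
        p = profile.setdefault(r["userPrincipalName"], {"failures": 0, "ips": set(), "countries": set()})
        p["failures"] += 1
        p["ips"].add(r["ipAddress"])
        p["countries"].add(r["location"].get("countryOrRegion", "unknown"))
    return profile

def flag_suspicious(records, min_failures=3, min_countries=2):
    # Repeated failures spread across countries deserve a closer look in the portal; location
    # is a best-effort mapping of the IP address, so the country count is a hint, not proof.
    return sorted(u for u, p in failure_profile(records).items()
                  if p["failures"] >= min_failures and len(p["countries"]) >= min_countries)
```

Point `parse_export` at the contents of a real portal JSON download to run the same triage over your own tenant's data.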
If you want to gain insights into the usage of managed applications, there is an application-centric view of the sign-in data that provides the following:
The Enterprise applications overview provides an entry point to access the data for application usage graphs for the past 30 days. Figure 14.11 shows Enterprise applications in the Azure Active Directory menu:
Select a day on the graph to get detailed information on sign-in activities, as shown in Figure 14.12:
The sign-in activity for that day gives you an overview of the sign-in events for your enterprise applications.
Now that you have an understanding of sign-in logs and the information that they provide, in the next section, we will discuss how to review and monitor Azure AD audit logs.
In the previous section, we discussed sign-in logs and the information that they provide in terms of user and application sign-in activity. This section will discuss Azure AD audit logs and the information that they provide for reviewing and monitoring compliance.
Azure AD reports provide the information you need to determine what is taking place within your environment and how it is performing. Azure AD audit logs provide the records of activity that you need for compliance.
The following steps cover how to access the audit reports and review the information:
Additional filters include the status filter, target filter, initiated by filter, and date range. These filters allow you to drill down into information based on different operations. The status filter can be set to all, success, or failure. The target filter searches for a particular target name or User Principal Name (UPN). The initiated by filter matches the actor's name or UPN using a starts-with comparison. The target name and initiated by filters are case-sensitive. The date range filters data to a window of 7 days, 24 hours, or a custom range. A custom date range allows you to configure a start time and end time.
The fully filtered audit report can be seen in Figure 14.18:
By selecting the Download button, filtered data can then be downloaded to a .csv or .json file for up to 250,000 records. The number of records is a constraint defined by Azure AD report retention policies.
The preceding steps explain how to access audit logs through Azure AD in the Azure portal. Audit data can also be accessed within the users and groups, and enterprise applications tiles.
To access audit logs within users and groups, navigate to one of these sections within Azure AD, as shown in Figure 14.19:
These audit logs can be found under the Activity section of the Users tab, as shown in Figure 14.19. These audit logs provide information regarding the types of updates applied to users, which users were changed and how many, password changes and how many, administrator activity within the directory, groups that have been added, group membership changes, owner changes within groups, and licenses assigned to groups or users. User information falls under the UserManagement category and group information under the GroupManagement category.
The final audit logs to discuss are the Enterprise applications audit logs. These application-based audit reports show updates and additions to applications, removed applications, changes to application service principals, application name changes, and consent given to an application and by whom. This data can be reviewed in the filtered view under Audit logs, found in the Activity section of the Enterprise applications tile, as shown in Figure 14.20:
Selecting an application type provides the entry point to a preselected enterprise application and the targets of the application, as shown in Figure 14.21:
You now know how to access the audit logs to review and monitor identity and access compliance within Azure AD. In the next section, we will learn how to analyze Azure AD workbooks and provide additional reports from these workbooks.
The previous section explained how to access the different audit reports within Azure AD to review and monitor compliance. Activity logs and audit logs provide reports for our usage and compliance within Azure AD for users, groups, and applications. In addition to these reports, usage and insights reports can provide additional application-centric views into sign-in data.
The information within usage and insights can provide information such as the following:
Accessing usage and insights reports requires an Azure AD Premium P1 or P2 license in your tenant. Users are required to have the role of Security Administrator, Security Reader, Report Reader, or Global Administrator. As stated throughout this book, you should adhere to the principle of least privilege by assigning only the minimum level of access the user needs. The Global Administrator role should be the last role considered if the user only requires access to Azure AD usage and insights. Individual users who have an Azure AD Premium P1 or P2 license assigned but none of the roles just mentioned do have access to their own sign-in usage and insights.
The following steps are used to access usage and insights reports:
After you have set up and are able to view usage and insights, you may want to configure notifications and alerts regarding issues on an Azure Active Directory Domain Services (Azure AD DS) managed domain. Azure monitoring includes the health status of Azure AD DS. From this health status, email notifications can be configured to report health alerts as soon as an issue is detected on the domain. The email specifies the managed domain that has the alert, the time the issue was detected, and a link to the health page in the Azure portal. You can then troubleshoot within the portal, following the advice provided, to resolve the issue.
Before selecting any links within an email, be sure that the email has been sent by Microsoft by verifying the sender's address. These notifications will come from the [email protected] address.
Azure AD DS notifications are sent for important updates within the domain that are urgent issues that impact the service within the domain and that should be addressed immediately. These alerts are also located within the Azure portal on the Azure AD DS health page. Open alerts that are left unresolved will be resent every 4 days. Additional information on service health alerts for Azure AD DS can be found at this link: https://docs.microsoft.com/azure/active-directory-domain-services/check-health. Information on how to use the alerts to troubleshoot can be found at this link: https://docs.microsoft.com/azure/active-directory-domain-services/troubleshoot-alerts.
Email notifications should be sent to the administrators who are responsible for responding to alerts and issues. There is a limit of five email recipients for these notifications; a distribution group can be used to reach additional recipients.
The following steps show how to configure email notification recipients. There is a cost to creating Azure AD Domain Services. You can go through these steps to create them, or you can simply read these steps for understanding and reference at a later date. This is not a major component of the exam:
You now understand how to configure an Azure AD DS domain and configure notifications. Next, we will provide a summary of what was discussed in this chapter.
In this chapter, we covered how to analyze and investigate sign-in logs and elevated risk users within Azure AD. This included sign-in logs and audit logs, and how to configure and filter reports for these logs. We looked at how to review usage and insights workbooks for activity. We also reviewed how to monitor, troubleshoot, and configure alert notifications for Azure AD Domain Services managed domains.
In the next chapter, we will learn how to enable and integrate Azure AD logs with SIEM solutions.