Integrating Azure AD logs with Azure Monitor logs

Azure Monitor logs allows you to query data to find particular events, analyze trends, and perform correlation across various data sources. With the integration of Azure AD activity logs in Azure Monitor logs, you can now perform tasks like:

  • Compare your Azure AD sign-in logs against security logs published by Azure Security Center
  • Troubleshoot performance bottlenecks on your application’s sign-in page by correlating application performance data from Azure Application Insights

This blog post shows how to integrate Azure Active Directory (Azure AD) logs with Azure Monitor.

Prerequisites


To use this feature, you need:

  • An Azure subscription.
  • An Azure AD tenant.
  • A user who’s a global administrator or security administrator for the Azure AD tenant.
  • A Log Analytics workspace in your Azure subscription.

Send logs to Azure Monitor logs


Sign in to the Azure portal.


Select Azure Active Directory > Diagnostic settings.

Click Turn on diagnostics.

In the Diagnostic settings menu, select the Send to Log Analytics workspace check box, and then select Configure.

Click Create new workspace.

  • Provide a name for the new Log Analytics workspace.
  • Select a Subscription to link to from the drop-down list if the default selection is not appropriate.
  • For Resource Group, create a new one.
  • Select an available Location.

After providing the required information on the Log Analytics Workspace pane, click OK.

Do either or both of the following:

  • To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
  • To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.

Select Save to save the setting.

After about 15 minutes, verify that events are being streamed to your Log Analytics workspace.

To verify, navigate to the Log Analytics workspace:

Select Azure Active Directory, and then select Logs from the Monitoring section to open your Log Analytics workspace.

The workspace will open with a default query.
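The following Kusto (KQL) queries are an added example of what to run in that workspace once the setting has been saved; they are not part of the original post. The first query confirms that both tables are receiving data, the second pulls out the failed sign-ins that defenders usually look at first, and the third shows the kind of correlation with Azure Security Center alerts that the introduction mentions. The `SecurityAlert` table and its `CompromisedEntity` column are assumed to be populated by Security Center in the same workspace, and the assumption that `CompromisedEntity` holds a user principal name only holds for identity-centric alerts; the threshold of 20 failures is an arbitrary constructed value.

```kusto
// 1. Ingestion check: one row per table, with the newest event seen.
//    `Type` is the built-in column holding the table name, so an empty
//    result for a table means its diagnostic category is not flowing yet.
union isfuzzy=true AuditLogs, SigninLogs
| where TimeGenerated > ago(30m)
| summarize Events = count(), Latest = max(TimeGenerated) by Type

// 2. Failed sign-ins grouped by source address.
//    ResultType is a string; "0" is success, anything else is an error code.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize Failures = count(),
            DistinctUsers = dcount(UserPrincipalName),
            SampleError = any(ResultDescription)
          by IPAddress
| where Failures > 20          // constructed threshold, tune to your tenant
| order by Failures desc

// 3. Successful sign-ins by users that appear in a Security Center alert
//    in the same window (assumes CompromisedEntity carries the UPN).
SigninLogs
| where TimeGenerated > ago(1d) and ResultType == "0"
| project SignInTime = TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(1d)
    | project AlertTime = TimeGenerated, AlertName, CompromisedEntity
  ) on $left.UserPrincipalName == $right.CompromisedEntity
| project SignInTime, UserPrincipalName, AppDisplayName, IPAddress, AlertName, AlertTime
| order by SignInTime desc
```

Run query 1 first: until it returns a row for each table you enabled, the other two will simply come back empty rather than failing, which is easy to misread as "no incidents".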

View the schema for Azure AD activity logs

The logs are pushed to the AuditLogs and SigninLogs tables in the workspace. To view the schema for these tables:

From the default query view in the previous section, select Schema and expand the workspace.

Expand the Log Management section and then expand either AuditLogs or SigninLogs to view the log schema.
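As an added example, not from the original post, the query below uses the AuditLogs schema you can inspect in that pane. The two columns that matter most are `InitiatedBy` and `TargetResources`, both of which are dynamic (JSON) and so have to be unpacked with `tostring()` rather than referenced directly. The operation names "Add member to role" and "Remove member from role" are assumed to match the names Azure AD writes for directory role changes; check them against your own audit data before relying on the filter.

```kusto
// Directory role membership changes over the last week, with the actor
// (a user or an application) and the target account pulled out of the
// dynamic columns shown in the AuditLogs schema.
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "RoleManagement"
| where OperationName in ("Add member to role", "Remove member from role")   // assumed names
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),   // interactive admin
      tostring(InitiatedBy.app.displayName))          // service principal / automation
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, Actor, ActorIP, Target, CorrelationId
| order by TimeGenerated desc
```

Keeping `CorrelationId` in the projection lets you tie a role change back to the sign-in session in `SigninLogs` that performed it, which is the usual next step when a change was not expected.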