Azure Active Directory Logs: A Guide to Monitoring and Reporting in Microsoft Azure AD

July 31, 2023

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It provides a wide range of features for monitoring and reporting, including activity logs, sign-in logs, audit logs, and provisioning logs. These logs are crucial for IT administrators to understand user behaviors, troubleshoot issues, and ensure the security and compliance of their organization.

In this guide to monitoring and reporting in Azure AD, we look at the various types of logs Azure AD generates and how each one helps you keep your company's Microsoft 365 environment secure and compliant.

Different Types of Azure AD Logs

Azure Active Directory (Azure AD) provides several types of logs that help administrators monitor activity, troubleshoot issues, and maintain the security of their organization. The main types of logs in Azure AD are:

  1. Activity Logs: These logs provide insights into the operation of a directory. They include information about users and group management, service status, and more. Activity logs are divided into two types: Audit logs and Sign-in logs.
  2. Audit Logs: These logs record changes applied to your tenant, such as user and group management or updates applied to your tenant’s resources. They help administrators track changes made in their environment and understand the cause of such changes.
  3. Sign-in Logs: These logs provide information about who signed in, when, where, and through what method. They are a powerful tool for IT administrators to analyze and gain insights into how users access applications and services.
  4. Provisioning Logs: These logs record activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday. They help administrators track the provisioning activities in their environment.
  5. Security Reports: These are specialized reports that provide information about potential security issues within your environment. They include risky sign-ins, users flagged for risk, and more.
  6. Usage Reports: These reports provide information about how your organization is using Azure AD services. They include application usage, managed devices, user password reset activity, and more.

Each of these logs serves a different purpose and provides a different view into your Azure AD environment, helping you maintain security, compliance, and operational efficiency.

Azure AD Activity Logs

Activity logs in Azure AD provide insights into the operation of a directory. They include information about users and group management, service status, and more. Activity logs are divided into two types: Audit logs and Sign-in logs.

Azure AD Audit Logs

Audit logs record changes applied to your tenant, such as user and group management or updates applied to your tenant’s resources. They help administrators track changes made in their environment and understand the cause of such changes. For example, if a user is added to a group or a new application is registered, this action is logged in the audit logs. The logs include details such as the date and time of the event, the user or service that performed the action, and the IP address from which the action was performed.

Azure AD Sign-in Logs

Sign-in logs provide information about who signed in, when, where, and through what method. They are a powerful tool for IT administrators to analyze and gain insights into how users access applications and services. For example, if a user signs in from a new location or device, or if there are multiple failed sign-in attempts, these events are logged. The logs include details such as the date and time of the sign-in, the user who signed in, the application or service they accessed, and the IP address from which the sign-in was performed.

Azure AD Provisioning Logs

Provisioning logs record activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday. They help administrators track the provisioning activities in their environment. For example, if a new user is provisioned or a group is updated, these actions are logged. The logs include details such as the date and time of the provisioning event, the user or service that performed the action, and the status of the provisioning action.

Azure AD Security Reports

Security reports in Azure AD provide information about potential security issues within your environment. They include risky sign-ins, users flagged for risk, and more. For example, if a user signs in from an unfamiliar location or performs unusual activity, these events are flagged as risky and reported. The reports include details such as the user involved, the risk level, the risk event type, and the date and time of the risk event.

Azure AD Usage Reports

Usage reports in Azure AD provide information about how your organization is using Azure AD services. They include application usage, managed devices, user password reset activity, and more. For example, if a user accesses a particular application frequently or if a device is registered for conditional access, these events are logged. The reports include details such as the user or device involved, the application or service used, and the date and time of the usage event.

How to Monitor Your Azure Active Directory Log

Monitoring and reporting on Azure Active Directory (Azure AD) logs in Microsoft 365 (M365) can be done through the various built-in tools and services Microsoft provides. Here are the main ways to monitor and report on Azure AD logs:

Azure AD Portal

  1. Sign-in Logs: You can access sign-in logs directly from the Azure AD portal. Navigate to Azure Active Directory > Monitoring > Sign-ins. Here, you can view details about each sign-in event, including the user, location, date and time, and status of the sign-in.
  2. Audit Logs: Similarly, you can view audit logs by navigating to Azure Active Directory > Monitoring > Audit logs. These logs provide information about changes made within your Azure AD, such as user and group management activities.

Microsoft 365 Admin Center

  1. Security & Compliance Center: The Security & Compliance Center in Microsoft 365 provides a variety of reports related to security and compliance, including Azure AD logs. Navigate to https://protection.office.com and sign in with your admin account. Here, you can access reports like Risky sign-ins, Users flagged for risk, and more.
  2. Audit Log Search: The Audit log search tool allows you to search the unified audit log in Microsoft 365. To access this, go to Security & Compliance Center > Search & Investigation > Audit log search. Here, you can search for specific events or filter by date range, users, activities, etc.

Azure Monitor

Azure Monitor is a service that collects, analyzes, and acts on telemetry data from your Azure and non-Azure environments. It helps you understand how your applications are performing and proactively identifies issues affecting them. Azure AD sends its sign-in and audit logs to Azure Monitor through diagnostic settings, which stream them to a Log Analytics workspace, a storage account, or an event hub; this matters because the Azure AD portal itself keeps these logs for only a limited time, so exporting them is how you get long-term retention. You can then use Azure Monitor to set up alerts based on your Azure AD logs, create custom dashboards, and more.

Microsoft Graph API

The Microsoft Graph API provides programmatic access to Azure AD logs. This allows you to integrate Azure AD logs with your own custom applications or third-party SIEM tools. You can use the Microsoft Graph API to access sign-in logs, audit logs, and more.
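The following script is an added example, not code from the original article or from Simeon Cloud. It ties together the programmatic access described in this section and the sign-in events called out earlier (repeated failed attempts, sign-ins from a new location): it builds the Graph query for the sign-in log, pages through the results, and runs two simple detections over the records. The endpoint paths (`/auditLogs/signIns`, and the same pattern for `/auditLogs/directoryAudits`), the `$filter` syntax, the `@odata.nextLink` paging and the record field names (`userPrincipalName`, `status.errorCode`, `location.countryOrRegion`, `ipAddress`) are those of the real Graph API; the sample records, user names, IP addresses and the thresholds are constructed for the example, and the bearer token is assumed to be obtained separately.

```python
"""Added example (not code from the original article or from Simeon Cloud):
pull Azure AD sign-in records from Microsoft Graph and run two detections
over them. Endpoint, $filter syntax and field names are the real Graph API;
the sample records below are constructed."""
import json
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def signin_query(since_iso: str, top: int = 100) -> str:
    """URL for sign-ins created at or after `since_iso` (e.g. 2023-07-01T00:00:00Z).
    The same shape works for /auditLogs/directoryAudits with activityDateTime."""
    filt = quote(f"createdDateTime ge {since_iso}")
    return f"{GRAPH}/auditLogs/signIns?$filter={filt}&$top={top}"


def fetch_all(url: str, token: str) -> list:
    """Follow @odata.nextLink until every page is read. The token must carry
    AuditLog.Read.All (and Directory.Read.All for the sign-in log)."""
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return records


def parse_time(iso: str) -> datetime:
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def failed_sign_in_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any `window`.
    status.errorCode 0 means success; any other code is a failure."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("status", {}).get("errorCode", 0) != 0:
            by_user[r["userPrincipalName"]].append(parse_time(r["createdDateTime"]))
    hits = {}
    for upn, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted failures
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[upn] = best
    return hits


def baseline_countries(history):
    """Countries each user has successfully signed in from (the baseline)."""
    seen = defaultdict(set)
    for r in history:
        if r.get("status", {}).get("errorCode", 0) == 0:
            country = (r.get("location") or {}).get("countryOrRegion")
            if country:
                seen[r["userPrincipalName"]].add(country)
    return seen


def unfamiliar_country_sign_ins(records, baseline):
    """Successful sign-ins from a country absent from the user's baseline."""
    out = []
    for r in records:
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        country = (r.get("location") or {}).get("countryOrRegion")
        if country and country not in baseline.get(r["userPrincipalName"], set()):
            out.append((r["userPrincipalName"], country, r.get("ipAddress")))
    return out


def _rec(upn, when, error, country, ip):
    """Constructed sign-in record with the subset of Graph fields used above."""
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": error}, "location": {"countryOrRegion": country}}


# Constructed sample data: a longer history window and a short recent window.
HISTORY = [
    _rec("alice@contoso.example", "2023-07-01T08:00:00Z", 0, "US", "203.0.113.10"),
    _rec("bob@contoso.example", "2023-07-02T09:00:00Z", 0, "GB", "198.51.100.7"),
]
RECENT = [
    _rec("alice@contoso.example", "2023-07-30T02:00:00Z", 0, "NL", "192.0.2.55"),
    _rec("bob@contoso.example", "2023-07-30T09:00:00Z", 0, "GB", "198.51.100.7"),
    _rec("alice@contoso.example", "2023-07-30T11:00:00Z", 50126, "US", "203.0.113.10"),
] + [  # six failures for bob within ten minutes (50126 = bad username/password)
    _rec("bob@contoso.example", f"2023-07-30T10:{m:02d}:00Z", 50126, "GB", "192.0.2.9")
    for m in range(0, 12, 2)
]

if __name__ == "__main__":
    # With a real token: RECENT = fetch_all(signin_query("2023-07-29T00:00:00Z"), token)
    print("query:", signin_query("2023-07-01T00:00:00Z"))
    print("failure bursts:", failed_sign_in_bursts(RECENT))
    print("new countries:", unfamiliar_country_sign_ins(RECENT, baseline_countries(HISTORY)))
```

In practice the baseline is built from a longer lookback (for example the previous 30 days of successful sign-ins) and the detections run over a short recent window, so a user's first sign-in from a new country is flagged once rather than every day. If the logs are already routed to a Log Analytics workspace through Azure Monitor, the same two checks can be expressed as a query over the SigninLogs table instead of fetched through Graph.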

Why Use Simeon Cloud to Monitor Your Azure AD Logs and Reports

Simeon Cloud is a comprehensive solution for monitoring Azure AD logs and provides several advantages that make it an excellent choice for organizations. Here are some of the key reasons to use Simeon Cloud for monitoring Azure AD logs:

  • Single Pane of Glass Reporting: Simeon Cloud offers a single-pane-of-glass reporting and management dashboard. This means that all changes across your Microsoft 365 environments are documented and searchable from one place. This centralized visibility can help you maintain best practices and stay ahead of potential issues.
  • Automated Backups: Simeon Cloud automatically backs up your Azure AD configuration each time a change is implemented. This includes everything from enterprise app registrations to user directory settings to conditional access policies, and much more. This automatic backup feature ensures that you can quickly restore your configurations to a known good state if something goes wrong.
  • Detailed Documentation: In addition to backing up your configurations, Simeon Cloud also provides detailed documentation on who implemented each change and when. This level of detail can help ensure accountability within your organization and restrict access from unauthorized personnel.
  • Disaster Recovery: In the event of an accidental change or outage, Simeon Cloud's backup and restore service allows you to quickly recover. You can perform a granular restore of every single one of your configuration settings to any of its previous instances with one click.
  • Forensic Discovery: Having detailed documentation on your Azure AD configuration status also helps in the event of an investigation or lawsuit. It enables you to go back in time to view the state of things like user permissions and role assignments throughout your organization before and after an incident.
  • Multi-Tenant Management: For organizations managing multiple tenants, Simeon Cloud allows you to establish and maintain baseline configurations for multiple environments. This can greatly simplify management tasks and ensure consistency across your organization.
  • Security and Compliance: Simeon Cloud is not just a backup service. It's a full-scale security and compliance solution that lets you align your tenants to universal best practices. This can help enhance your organization's security posture and ensure compliance with various regulations.

Sign up for a free demo of Simeon Cloud to learn more about our Azure AD log monitoring features.