While most people rely on the Azure AD Sign-in logs alone, there are some additional features worth enabling in your tenant. One of them is Insights and reporting for Conditional Access, which is built on the sign-in logs once they are exported to a Log Analytics workspace.
I spent a few hours trying to automate the deployment. Somehow I was not able to complete all the steps and was not able to find any documentation on this. Maybe a lack of experience, or simply not possible. If anyone knows the complete steps, please tell me!
Prerequisites
- Azure AD Premium P1 or P2
- A Pay-as-you-Go subscription (or another way to pay for Azure resources; the Log Analytics workspace is billed on the data it ingests)
Create a resource group + Log Analytics Workspace
Running the following PowerShell script creates a new resource group (if it does not exist yet) and a Log Analytics workspace, based on the parameters at the top of the script. Modify them to match your naming scheme.
#Requires -Modules Az.Accounts, Az.Resources, Az.OperationalInsights
# Parameters - Log Analytics (change to your own naming scheme)
$ResourceGroup = "rg-la-signin-monitor"
$Location = "westeurope"
$WorkspaceName = "la-signin-monitor"

# Connect to the Azure tenant (interactive sign-in)
Connect-AzAccount

# Create the resource group if it does not exist yet.
# -ErrorAction Stop turns the "not found" error into an exception so the catch block runs.
try {
    Get-AzResourceGroup -Name $ResourceGroup -ErrorAction Stop
} catch {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location
}

# Create the workspace; the diagnostic setting will send the Azure AD logs here
New-AzOperationalInsightsWorkspace -Location $Location -Name $WorkspaceName -ResourceGroupName $ResourceGroup
Create Diagnostic Setting
Reminder: this is the part I was unable to automate using PowerShell. If someone manages it, please tell me.
Within the Azure Portal, go to Azure Active Directory -> Diagnostic settings.
Click Add diagnostic setting and give the setting a name.
Select the following log categories:
- AuditLogs
- SignInLogs
- NonInteractiveUserSignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- ProvisioningLogs
- ADFSSignInLogs (Active Directory Federation Services; only relevant if you run AD FS)
- RiskyUsers
- UserRiskEvents
- AADServicePrincipalRiskEvents
Note: Do not select NetworkAccessTrafficLogs and RiskyServicePrincipals, as these categories are in preview and will not generate any logging unless your tenant is enrolled in the private preview for those features.
Select Send to Log Analytics workspace, then pick the subscription and the resource group created by the PowerShell script above and the workspace in it. If you did not modify the script, the workspace is called la-signin-monitor.
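The same diagnostic setting can be created from PowerShell by calling the ARM REST API directly, which is what the portal does under the hood. The script below is an added example, not code from the original post. It assumes the Az module is installed, that the signed-in account may manage Azure AD diagnostic settings (for instance Global Administrator or Security Administrator) and write to the workspace, that the resource group and workspace names are the ones from the script above, and that the ARM path and API version used here are the ones published for microsoft.aadiam diagnostic settings; the setting name is an assumed value. Check the path and API version against the Azure Monitor REST reference before relying on it.

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights
# Added example: create the Azure AD diagnostic setting through the ARM REST API.
# Assumptions: names from the post's script; ARM path and api-version as published for microsoft.aadiam.
$ResourceGroup = "rg-la-signin-monitor"
$WorkspaceName = "la-signin-monitor"
$SettingName   = "signin-monitor"   # assumed name for the diagnostic setting

Connect-AzAccount | Out-Null

# The setting references the workspace by its ARM resource ID, not by the workspace GUID
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Same categories as selected in the portal; the preview categories are deliberately left out
$categories = @(
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs", "ProvisioningLogs", "ADFSSignInLogs",
    "RiskyUsers", "UserRiskEvents", "AADServicePrincipalRiskEvents"
)

# Build the request body: one enabled log entry per category
$body = @{
    properties = @{
        workspaceId = $workspace.ResourceId
        logs        = @(
            $categories | ForEach-Object {
                @{ category = $_; enabled = $true; retentionPolicy = @{ enabled = $false; days = 0 } }
            }
        )
    }
} | ConvertTo-Json -Depth 10

# Azure AD is tenant-level, so the setting lives under the microsoft.aadiam provider
# rather than under a subscription-scoped resource
$path = "/providers/microsoft.aadiam/diagnosticSettings/$SettingName?api-version=2017-04-01"
$response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body

if ($response.StatusCode -notin 200, 201) {
    throw "Creating diagnostic setting failed: $($response.StatusCode) $($response.Content)"
}

# Read the setting back and list the categories that ended up enabled
$current = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
$current.properties.logs | Where-Object enabled | Select-Object category
```

A PUT to an existing setting name updates it in place, so the script can be re-run to add or remove categories. The read-back at the end is the check worth keeping: a setting that exists but has the wrong categories enabled silently leaves the workspace, and therefore the Conditional Access workbook, without data.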
Admin experience
Gathering data takes some time. I waited 12 hours and then found some nice insights and reporting showing up in the Azure Portal.
Navigate to Azure Active Directory -> Security -> Conditional Access -> Insights and reporting.
- The first chart (left) shows the total number of Azure AD joined, Azure AD registered and unmanaged devices.
- The second chart (middle) shows the device platforms used (Windows 10, Windows 11, iOS, etc.).
- The third chart (right) shows the application categories (Mobile Apps and Desktops, Browser, Authenticated SMTP, etc.).
Below the charts there is additional GEO and risk information. The GEO information made me aware of some unexpected logon attempts. Because of this dashboard, I started to investigate the Azure AD Sign-in logs and found out that attackers were trying to access our data via SMTP Authentication, a protocol we no longer needed.
Note: SMTP AUTH is enabled tenant-wide in Exchange Online by default. A Conditional Access policy that blocks legacy authentication denies the sign-in, but it does NOT turn the protocol off: Exchange Online still accepts the connection and checks the password before Conditional Access rejects the attempt, so the attempts keep showing up in the sign-in logs and an attacker can still learn which passwords are valid. If no application needs it, disable SMTP AUTH in Exchange Online itself.
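The following Exchange Online PowerShell, an added example and not the post's own code, turns SMTP AUTH off tenant-wide and lists the mailboxes that override the tenant default. It assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange Administrator role; the scanner mailbox in the commented-out exception is a hypothetical name.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: disable SMTP AUTH tenant-wide and find per-mailbox exceptions.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline

# Tenant-wide default. $false means SMTP AUTH is allowed for every mailbox without its own setting.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Per-mailbox setting: $null inherits the tenant default, $false forces SMTP AUTH on, $true forces it off.
# Mailboxes with an explicit $false stay open even after the tenant-wide switch below, so list them first.
$overrides = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $null -ne $_.SmtpClientAuthenticationDisabled } |
    Select-Object Identity, SmtpClientAuthenticationDisabled
$overrides | Format-Table -AutoSize

# Turn SMTP AUTH off for the tenant. Anything that genuinely needs it (a scanner, a line-of-business
# application) gets an explicit per-mailbox exception instead of leaving the whole tenant open.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Hypothetical exception for one mailbox that still has to relay mail via SMTP AUTH:
# Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false

# Verify the tenant-wide value and re-list the overrides that remain
(Get-TransportConfig).SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity
```

Run the override listing before flipping the tenant setting: a mailbox with an explicit $false keeps accepting SMTP AUTH regardless of the tenant default, and those are exactly the accounts that end up as password-spray targets.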
This dashboard gives a nice overview of the sign-ins happening in your tenant. I'm sure there's much more to find by building your own (custom) queries against the workspace. All this information comes from the Azure AD Sign-in logs. Those logs are great, but on their own they do not give a clear overview of what is happening. This dashboard does!
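As an added example of such a custom query (not from the original post), the script below runs a KQL query against the workspace from PowerShell and surfaces the SMTP AUTH activity the dashboard hinted at: per user and source IP, how many attempts there were, how many succeeded, and from which countries. It assumes the workspace names from the script above, the Az.OperationalInsights module, and that the SignInLogs category has been flowing for a while.

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights
# Added example: hunt for SMTP AUTH sign-ins in the workspace created earlier.
# Assumes the resource group and workspace names from the post's script.
$ResourceGroup = "rg-la-signin-monitor"
$WorkspaceName = "la-signin-monitor"

Connect-AzAccount | Out-Null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# ClientAppUsed is how the sign-in log labels the protocol; "Authenticated SMTP" is SMTP AUTH.
# ResultType "0" is a successful sign-in, anything else is a failure (wrong password, blocked by CA, ...).
$kql = @"
SigninLogs
| where TimeGenerated > ago(7d)
| where ClientAppUsed == "Authenticated SMTP"
| summarize Attempts  = count(),
            Successes = countif(ResultType == "0"),
            Failures  = countif(ResultType != "0"),
            Countries = make_set(Location),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
  by UserPrincipalName, IPAddress
| order by Successes desc, Attempts desc
"@

# The query API takes the workspace GUID (CustomerId), not the ARM resource ID
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql

$result.Results |
    Format-Table UserPrincipalName, IPAddress, Attempts, Successes, Failures, Countries, FirstSeen, LastSeen -AutoSize
```

Read the two counters differently: many failures from one IP across many users is a password spray, while a single success from an IP or country the user never signs in from means the credentials are already in someone else's hands and the account needs a password reset and session revocation, not just a blocked protocol.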