July 31, 2023 | 7 min read
Josh Wittman
Josh Wittman, co-founder of Simeon Cloud, excels in Microsoft 365 through governance, security, and automation. An expert in SaaS, DevOps, and cybersecurity, he innovates in the digital workplace.
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It provides a wide range of features for monitoring and reporting, including activity logs, sign-in logs, audit logs, and provisioning logs. These logs are crucial for IT administrators to understand user behaviors, troubleshoot issues, and ensure the security and compliance of their organization.

In this guide to monitoring and reporting in Azure AD, let's take a look at various types of logs generated by Azure AD and how they can help ensure a more secure and compliant Microsoft 365 environment for your company.

Different Types of Azure AD Logs

Azure Active Directory (Azure AD) provides several types of logs that help administrators monitor activity, troubleshoot issues, and maintain the security of their organization. The main types of logs in Azure AD are:

  1. Activity Logs: These logs provide insights into the operation of a directory. They include information about users and group management, service status, and more. Activity logs are divided into two types: Audit logs and Sign-in logs.
  2. Audit Logs: These logs record changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources. They help administrators track changes made in their environment and understand the cause of such changes.
  3. Sign-in Logs: These logs provide information about who signed in, when, where, and through what method. They are a powerful tool for IT administrators to analyze and gain insights into how users access applications and services.
  4. Provisioning Logs: These logs record activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday. They help administrators track the provisioning activities in their environment.
  5. Security Reports: These are specialized reports that provide information about potential security issues within your environment. They include risky sign-ins, users flagged for risk, and more.
  6. Usage Reports: These reports provide information about how your organization is using Azure AD services. They include application usage, managed devices, user password reset activity, and more.

Each of these logs serves a different purpose and provides a different view into your Azure AD environment, helping you maintain security, compliance, and operational efficiency.

Azure AD Activity Logs

Activity logs in Azure AD provide insights into the operation of a directory. They include information about users and group management, service status, and more. Activity logs are divided into two types: Audit logs and Sign-in logs.

Azure AD Audit Logs

Audit logs record changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources. They help administrators track changes made in their environment and understand the cause of such changes. For example, if a user is added to a group or a new application is registered, this action is logged in the audit logs. The logs include details such as the date and time of the event, the user or service that performed the action, and the IP address from which the action was performed.

Azure AD Sign-in Logs

Sign-in logs provide information about who signed in, when, where, and through what method. They are a powerful tool for IT administrators to analyze and gain insights into how users access applications and services. For example, if a user signs in from a new location or device, or if there are multiple failed sign-in attempts, these events are logged. The logs include details such as the date and time of the sign-in, the user who signed in, the application or service they accessed, and the IP address from which the sign-in was performed.
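The two situations the paragraph mentions, a burst of failed sign-ins and a sign-in from a place the account has never used, are the kind of thing a script over exported sign-in records can surface before anyone opens the portal. The example below is added here and is not code from the original article or from Simeon Cloud; the records follow the field layout of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`), and every user, address, and timestamp in it is constructed. The threshold (5 failures in 10 minutes) and the use of the previous day as the "known countries" baseline are assumptions chosen for the example, not values the article gives.

```python
"""Added example: scan Azure AD sign-in records (Graph signIn shape) for
failed-sign-in bursts and sign-ins from a country the account has not used."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(value):
    """Parse the UTC ISO 8601 timestamp Graph emits, e.g. 2023-07-31T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_success(record):
    # status.errorCode 0 is a successful sign-in; any other value is a failure.
    return record.get("status", {}).get("errorCode", 0) == 0


def build_country_baseline(records):
    """Map each account to the set of countries it has successfully signed in from."""
    baseline = defaultdict(set)
    for r in records:
        if is_success(r):
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return dict(baseline)


def failed_signin_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return {user: most failures seen inside any `window`} for users at or over `threshold`."""
    failures = defaultdict(list)
    for r in records:
        if not is_success(r):
            failures[r["userPrincipalName"]].append(parse_time(r["createdDateTime"]))
    bursts = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted failure times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def new_country_signins(records, baseline):
    """Successful sign-ins whose country is not in the account's baseline set."""
    hits = []
    for r in records:
        if not is_success(r):
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if country not in baseline.get(user, set()):
            hits.append((user, country, r["ipAddress"], r["createdDateTime"]))
    return hits


def _signin(time, user, ip, country, error_code=0, app="Office 365 Exchange Online"):
    # Builds one constructed record in the Graph signIn layout.
    return {"createdDateTime": time, "userPrincipalName": user, "appDisplayName": app,
            "ipAddress": ip, "status": {"errorCode": error_code},
            "location": {"countryOrRegion": country}}


ALICE, BOB = "alice@contoso.example", "bob@contoso.example"   # constructed accounts

# Constructed history from the previous day, used to learn each account's normal countries.
BASELINE_SIGNINS = [
    _signin("2023-07-30T08:00:00Z", ALICE, "203.0.113.10", "US"),
    _signin("2023-07-30T08:05:00Z", BOB, "203.0.113.11", "US"),
]

# Constructed records for today: six bad-password failures (AADSTS error 50126)
# against bob within six minutes, then a successful sign-in for bob from a new country.
NEW_SIGNINS = [_signin("2023-07-31T08:30:00Z", ALICE, "203.0.113.10", "US")] + [
    _signin(f"2023-07-31T09:0{i}:00Z", BOB, "198.51.100.7", "NL", error_code=50126)
    for i in range(6)
] + [_signin("2023-07-31T09:12:00Z", BOB, "198.51.100.7", "NL")]


if __name__ == "__main__":
    baseline = build_country_baseline(BASELINE_SIGNINS)
    print("failed-sign-in bursts:", failed_signin_bursts(NEW_SIGNINS))
    print("sign-ins from new countries:", new_country_signins(NEW_SIGNINS, baseline))
```

Run against records exported from the portal or pulled through Graph, the same two functions flag the account under a password-guessing burst and the sign-in that followed it from an unfamiliar country, which is the case where the success record, not the failures, is the one worth investigating.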

Azure AD Provisioning Logs

Provisioning logs record activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday. They help administrators track the provisioning activities in their environment. For example, if a new user is provisioned or a group is updated, these actions are logged. The logs include details such as the date and time of the provisioning event, the user or service that performed the action, and the status of the provisioning action.

Azure AD Security Reports

Security reports in Azure AD provide information about potential security issues within your environment. They include risky sign-ins, users flagged for risk, and more. For example, if a user signs in from an unfamiliar location or performs an unusual activity, these events are flagged as risky and reported. The reports include details such as the user involved, the risk level, the risk event type, and the date and time of the risk event.

Azure AD Usage Reports

Usage reports in Azure AD provide information about how your organization is using Azure AD services. They include application usage, managed devices, user password reset activity, and more. For example, if a user accesses a particular application frequently or if a device is registered for conditional access, these events are logged. The reports include details such as the user or device involved, the application or service used, and the date and time of the usage event.

How to Monitor Your Azure Active Directory Log

Monitoring and reporting on Azure Active Directory (Azure AD) logs in Microsoft 365 (M365) can be achieved through the various built-in tools and services provided by Microsoft. Here are the steps to monitor and report on Azure AD logs:

Azure AD Portal

  1. Sign-in Logs: You can access sign-in logs directly from the Azure AD portal. Navigate to Azure Active Directory > Monitoring > Sign-ins. Here, you can view details about each sign-in event, including the user, location, date and time, and status of the sign-in.
  2. Audit Logs: Similarly, you can view audit logs by navigating to Azure Active Directory > Monitoring > Audit logs. These logs provide information about changes made within your Azure AD, such as user and group management activities.

Microsoft 365 Admin Center

  1. Security & Compliance Center: The Security & Compliance Center in Microsoft 365 provides a variety of reports related to security and compliance, including Azure AD logs. Navigate to https://protection.office.com and sign in with your admin account. Here, you can access reports like Risky sign-ins, Users flagged for risk, and more.
  2. Audit Log Search: The Audit log search tool allows you to search the unified audit log in Microsoft 365. To access this, go to Security & Compliance Center > Search & Investigation > Audit log search. Here, you can search for specific events or filter by date range, users, activities, etc.

Azure Monitor

Azure Monitor is a service that collects, analyzes, and acts on telemetry data from your Azure and non-Azure environments. It helps you understand how your applications are performing and proactively identifies issues affecting them. You can use Azure Monitor to set up alerts based on your Azure AD logs, create custom dashboards, and more.

Microsoft Graph API

The Microsoft Graph API provides programmatic access to Azure AD logs. This allows you to integrate Azure AD logs with your own custom applications or third-party SIEM tools. You can use the Microsoft Graph API to access sign-in logs, audit logs, and more.
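Pulling the logs programmatically comes down to three things: an app-only token, a time filter so each run only fetches new records, and following `@odata.nextLink` until the server stops paging. The block below is an added example, not code from the article or from Simeon Cloud; it goes slightly beyond the paragraph by covering all three `auditLogs` collections (sign-ins, directory audits, provisioning) with the time field each one filters on. It uses only the standard library, the tenant id, client id, and secret are placeholders you supply, and the app registration is assumed to hold the application permissions the documented endpoints require (`AuditLog.Read.All`, plus `Directory.Read.All` for sign-ins). The `fake_transport` function is a constructed offline stand-in so the paging logic can be exercised without a tenant.

```python
"""Added example: fetch Azure AD activity logs from Microsoft Graph with
client-credentials auth and @odata.nextLink paging, ready to forward to a SIEM."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Collection path and the timestamp property each collection can be filtered on.
LOG_COLLECTIONS = {
    "signins": ("auditLogs/signIns", "createdDateTime"),
    "audit": ("auditLogs/directoryAudits", "activityDateTime"),
    "provisioning": ("auditLogs/provisioning", "activityDateTime"),
}


def http_json(url, headers=None, data=None):
    """Default transport: GET (POST when data is given) and return the parsed JSON body."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_app_token(tenant_id, client_id, client_secret, transport=http_json):
    """OAuth2 client-credentials grant against the tenant's v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return transport(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)["access_token"]


def build_log_url(collection, since_iso, page_size=500):
    """First-page URL with a time filter so only records newer than `since_iso` are returned."""
    path, time_field = LOG_COLLECTIONS[collection]
    odata_filter = urllib.parse.quote(f"{time_field} ge {since_iso}")
    return f"{GRAPH}/{path}?$filter={odata_filter}&$top={page_size}"


def fetch_logs(collection, since_iso, token, transport=http_json):
    """Yield every record, following @odata.nextLink until the last page."""
    url = build_log_url(collection, since_iso)
    headers = {"Authorization": f"Bearer {token}"}
    while url:
        page = transport(url, headers)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")   # absent on the final page


def fake_transport(url, headers=None, data=None):
    """Constructed offline stand-in: one token reply, then two sign-in pages."""
    if "oauth2/v2.0/token" in url:
        return {"access_token": "example-token"}
    if (headers or {}).get("Authorization") != "Bearer example-token":
        raise ValueError("request is missing the bearer token")
    if "$skiptoken" in url:                     # second (last) page
        return {"value": [{"id": "s-3"}]}
    return {"value": [{"id": "s-1"}, {"id": "s-2"}],
            "@odata.nextLink": f"{GRAPH}/auditLogs/signIns?$skiptoken=constructed-page-2"}


if __name__ == "__main__":
    # Placeholders: replace with your tenant id, app (client) id, and client secret,
    # and drop the transport= arguments to talk to the real endpoints.
    token = get_app_token("<tenant-id>", "<client-id>", "<client-secret>", transport=fake_transport)
    records = list(fetch_logs("signins", "2023-07-31T00:00:00Z", token, transport=fake_transport))
    print(f"fetched {len(records)} sign-in records")
```

Persist the `createdDateTime` or `activityDateTime` of the last record you stored and pass it as `since_iso` on the next run; that turns the script into an incremental collector, which is how the retention limits mentioned later in the article are usually worked around when logs are shipped to external storage or a SIEM.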

Pros and Cons of Using Azure AD Audit Logs

Azure AD audit logs provide a centralized location to monitor changes and activities across your Microsoft 365 environment. This "single pane of glass" reporting enables admins to quickly identify patterns, anomalies, and potential security risks. Here are some other pros for using audit logs:

  • Activity Documentation: Azure AD logs capture details about who made changes, what was changed, and when. This transparency supports accountability and can help with internal audits.
  • Disaster Recovery Support: Audit logs can act as a reference point for troubleshooting issues or reverting to prior configurations in case of accidental changes or misconfigurations.
  • Security and Compliance Aid: Logs play a key role in aligning with security best practices and meeting regulatory compliance standards by providing clear, traceable records of changes and access.
  • Forensic Discovery: In the event of a security breach or legal investigation, Azure AD audit logs enable organizations to review the state of configurations, permissions, and activities before and after an incident.

While Azure AD audit logs provide insight into changes, they do not offer automated configuration backups. Here are some other cons to consider when using audit logs:

  • No Automatic Backups: Recovering a prior Azure AD configuration often requires additional tools or manual processes.
  • Granular Restore Limitations: Logs alone cannot perform granular restores of individual settings or configurations; this requires a separate backup and restore solution.
  • Multi-Tenant Challenges: For organizations managing multiple tenants, Azure AD logs do not inherently provide baseline comparison or multi-tenant management capabilities, potentially complicating standardization and consistency efforts.
  • Data Retention Constraints: Azure AD logs have retention limitations unless extended storage is implemented through external solutions like Azure Monitor or third-party tools.
  • Manual Analysis Requirements: Audit logs can generate vast amounts of data, requiring manual analysis or external tools for effective insights and actionable intelligence. Plus, logs are dispersed across different areas (Sign-ins, Audit, Conditional Access, etc.), which requires extensive effort (and time) to correlate data.
  • Complexity for Non-Experts: Interpreting audit logs may require advanced knowledge, which can pose a challenge for organizations without dedicated IT security expertise.

The Alternative to Microsoft Audit Logs: CoreView

CoreView is the easier way to troubleshoot issues and secure your tenant. With CoreView’s automated policy enforcement for Microsoft 365, you can auto-detect issues and remediate them fast.

See how this Canadian natural gas company used CoreView’s advanced audit logs and automation to respond to a potential cyberattack in just minutes.
