Azure AD - Integrating Azure AD logs with Azure Monitor


Hey, let's ship Azure AD platform logs to a Log Analytics workspace :) For many smaller orgs, this will likely be free, and it provides a huge amount of insight that helps with things like removing Legacy Authentication and fine-tuning Conditional Access policies.

This will be a short thread; the documentation for this is over here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics…

The general process: create a Log Analytics workspace, then configure Azure AD Diagnostic settings to send the logs. Start by logging into the Azure Portal: http://portal.azure.com

Let's start by searching for Log Analytics and opening that service. I haven't added any yet, so I'm going to click Create. I have no Resource Groups either, so I have to create one of those. Think of this as a logical container to store services inside of, like Log Analytics :)


Now, you could just click Review and Create, which will do Pay-as-you-go, but you may want to click Next and customize payment options. Some subscriptions have a Free tier that just stops ingesting after the free 5GB/month. Tags can be helpful in large orgs :) And click Create!


Next, go into Azure AD, then click Diagnostic Settings. You can split out logs to different workspaces or even send them to multiple workspaces depending on your needs. Click Add diagnostic settings, select the logs we want, then select our LA workspace, and hit Save. That's it!
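
The same portal steps can be scripted with the Azure CLI. This is an added example, not part of the original thread; the resource names, region, chosen log categories and the `2017-04-01` API version are assumptions to adjust for your tenant.

```shell
#!/bin/sh
# Added example: CLI equivalent of the portal steps. All names are placeholders.
RG="rg-aad-logs"        # resource group (assumed name)
WS="law-aad-logs"       # Log Analytics workspace (assumed name)
LOC="eastus"            # region (assumed)
SETTING="aad-to-law"    # diagnostic setting name (assumed)
# Log categories to ship; an assumption, the post only says "the logs we want".
CATEGORIES="AuditLogs SignInLogs"

# Build the JSON body for the Azure AD diagnostic setting.
# $1 = workspace resource ID, remaining args = log categories.
# The function body is a subshell so its variables stay local.
diag_body() (
  ws_id="$1"; shift
  logs=""
  for c in "$@"; do
    logs="${logs:+$logs,}{\"category\":\"$c\",\"enabled\":true}"
  done
  printf '{"properties":{"workspaceId":"%s","logs":[%s]}}' "$ws_id" "$logs"
)

deploy() {
  set -e
  # Resource group: the logical container for the workspace.
  az group create --name "$RG" --location "$LOC" --output none
  # Log Analytics workspace (default pricing tier).
  az monitor log-analytics workspace create \
    --resource-group "$RG" --workspace-name "$WS" --location "$LOC" --output none
  ws_id=$(az monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$WS" --query id --output tsv)
  # Azure AD diagnostic settings are tenant-level, so they sit under the
  # microsoft.aadiam provider rather than under a subscription.
  # CATEGORIES is intentionally unquoted so it splits into separate arguments.
  az rest --method put \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/${SETTING}?api-version=2017-04-01" \
    --body "$(diag_body "$ws_id" $CATEGORIES)"
}

# Nothing is changed unless the script is called with --deploy.
if [ "${1:-}" = "--deploy" ]; then deploy; fi
```

Run it with `--deploy` after `az login` as an account allowed to manage Azure AD diagnostic settings.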

