Description:
Microsoft Entra is a unified identity and access management solution that helps manage Azure Active Directory (Azure AD) and Identity Governance services. Capturing Microsoft Entra activity logs is essential for monitoring security events, user activities, and administrative actions that affect your identity and access management environment. These logs can help you detect issues, maintain compliance, and identify security threats.
To ensure you are properly monitoring Microsoft Entra activities, you need to configure a diagnostic setting to send activity logs to an appropriate destination like Azure Log Analytics, Event Hub, or Storage Account for centralized analysis and retention.
Rationale:
By ensuring that Microsoft Entra activity logs are captured and sent to an appropriate destination:
Security monitoring: You can track sign-ins, user/group management actions, and security-related events.
Compliance and auditing: Ensures you have a record of all relevant activities for auditing purposes and compliance with regulatory standards.
Proactive issue resolution: Provides valuable data to detect unauthorized changes, security breaches, or misconfigurations in your identity infrastructure.
Impact:
Capturing Microsoft Entra activity logs in an appropriate destination helps improve visibility into the actions and events in your Azure AD environment. However, it may increase storage costs, especially when logs are stored in Log Analytics or Storage Accounts. Careful consideration should be given to log retention policies and query optimization to balance performance and cost.
Default Value:
By default, Microsoft Entra activity logs are not automatically sent to external destinations like Log Analytics or Storage Accounts. A diagnostic setting must be manually configured to send these logs to the desired destination.
Pre-requisites:
Azure subscription.
Microsoft Entra (Azure AD) environment configured.
Owner or Contributor role permissions to configure diagnostic settings and access activity logs.
Log Analytics workspace, Event Hub, or Storage Account created as a destination for log collection.
Audit:
Sign in to Azure portal as an Owner or Contributor.
Navigate to Microsoft Entra (Azure AD) and review the diagnostic settings to ensure that activity logs are being sent to the correct destination.
Verify that Microsoft Entra activity logs are being captured and sent to your designated Log Analytics workspace, Event Hub, or Storage Account.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Microsoft Entra (Azure AD):
In the Azure portal, search for Microsoft Entra (or Azure Active Directory) and select it.
Configure Diagnostic Settings:
In Microsoft Entra, go to Monitoring > Diagnostic settings under the Activity Logs section.
Click on + Add diagnostic setting to create a new diagnostic setting for activity logs.
Choose Log Categories:
Under Log categories, ensure that the relevant categories such as Sign-ins, Audit Logs, and Security Logs are selected for logging.
You can choose to include All logs for comprehensive monitoring or select specific categories based on your needs.
Select a Destination:
Choose an appropriate destination for sending the activity logs:
Log Analytics workspace: For querying and monitoring logs using Azure Monitor.
Event Hub: For exporting logs to third-party SIEMs or external systems.
Storage Account: For long-term log retention or archiving purposes.
Example:
Select Send to Log Analytics to send logs to a Log Analytics workspace for analysis and querying.
Configure Destination Settings:
If you selected Log Analytics workspace, choose the appropriate workspace to send the logs to.
If you selected Event Hub, provide the Event Hub namespace and Event Hub name.
If you selected Storage Account, choose the Storage Account to store the logs.
Set Log Retention and Retention Policies:
Configure the log retention period according to your organization’s needs. Logs can be retained for up to 2 years in Log Analytics or Storage Accounts.
Use retention policies to automatically delete old logs if necessary.
Review and Create the Diagnostic Setting:
Review your settings and ensure that all configurations are correct.
Click Save to create the diagnostic setting and start sending Microsoft Entra activity logs to your selected destination.
Verify Log Capture:
After configuring the diagnostic setting, verify that the logs are being sent to the destination by performing an action in Microsoft Entra (e.g., a user sign-in or policy change).
Check your Log Analytics workspace (or Event Hub or Storage Account) to confirm that the logs are captured.
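The Audit section above and the implementation steps just described can both be driven from the same Azure Resource Manager endpoint the portal uses for Entra diagnostic settings. The script below is an added example (it is not part of the original page, nor Microsoft's own tooling). It assumes the listing shape returned by GET https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview (a top-level "value" list whose items carry "name" and "properties" with "logs", "workspaceId", "storageAccountId" and "eventHubAuthorizationRuleId"), evaluates it against the expectation that AuditLogs and SignInLogs are routed to at least one destination, and builds the request body and an `az rest` command line for remediation. The sample listings and resource IDs are constructed placeholders; nothing in the block touches the network.

```python
"""Audit and remediation helper for Microsoft Entra diagnostic settings.

Added example, not code from the original page. Assumes the JSON shape of
    GET https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings
        ?api-version=2017-04-01-preview
i.e. a top-level "value" list whose items carry "name" and "properties" with
"logs", "workspaceId", "storageAccountId" and "eventHubAuthorizationRuleId".
Nothing here touches the network; the sample listings below are constructed.
"""
from __future__ import annotations

import json
import shlex

# Categories the check requires to be routed somewhere (the portal's
# "Audit Logs" and "Sign-ins" boxes). Extend as your policy requires.
REQUIRED_CATEGORIES = ("AuditLogs", "SignInLogs")

# Resource path and API version the portal uses for Entra diagnostic settings.
AADIAM_RESOURCE = "/providers/microsoft.aadiam"
API_VERSION = "2017-04-01-preview"

# The three portal destination choices, mapped to their properties key.
DESTINATION_KEYS = {
    "workspace": "workspaceId",
    "storage": "storageAccountId",
    "eventhub": "eventHubAuthorizationRuleId",
}


def enabled_categories(setting: dict) -> set[str]:
    """Log categories switched on in one diagnostic setting."""
    logs = setting.get("properties", {}).get("logs", [])
    return {entry["category"] for entry in logs if entry.get("enabled")}


def destinations(setting: dict) -> dict[str, str]:
    """Non-empty destinations of one setting, keyed by properties name."""
    props = setting.get("properties", {})
    return {k: props[k] for k in DESTINATION_KEYS.values() if props.get(k)}


def evaluate(listing: dict) -> dict:
    """Audit a diagnostic-settings listing.

    Compliant means at least one setting has a destination, and across the
    settings that have one, every REQUIRED category is enabled. A setting
    with categories ticked but no destination routes nothing and is ignored.
    """
    routed = []
    covered: set[str] = set()
    for setting in listing.get("value", []):
        dests = destinations(setting)
        if not dests:
            continue
        cats = enabled_categories(setting)
        covered |= cats
        routed.append({"name": setting.get("name"), "categories": sorted(cats), "destinations": dests})
    missing = [c for c in REQUIRED_CATEGORIES if c not in covered]
    return {"compliant": bool(routed) and not missing, "missing_categories": missing, "routed_settings": routed}


def build_setting_body(destination_kind: str, destination_id: str, categories=REQUIRED_CATEGORIES) -> dict:
    """PUT body that routes `categories` to one destination.

    destination_kind: "workspace", "storage" or "eventhub". destination_id: full
    ARM resource ID of the destination; for "eventhub" that is the
    authorization-rule ID of the namespace, not the hub itself.
    """
    key = DESTINATION_KEYS[destination_kind]
    if not destination_id.startswith("/subscriptions/"):
        raise ValueError("destination_id must be a full ARM resource ID")
    return {"properties": {key: destination_id, "logs": [{"category": c, "enabled": True} for c in categories]}}


def az_rest_command(setting_name: str, body: dict) -> list[str]:
    """Argument vector for `az rest` that creates or updates the setting (not executed here)."""
    url = f"https://management.azure.com{AADIAM_RESOURCE}/diagnosticSettings/{setting_name}?api-version={API_VERSION}"
    return ["az", "rest", "--method", "put", "--url", url, "--body", json.dumps(body)]


# Constructed sample: an archive setting that left SignInLogs unticked, plus a
# setting with everything ticked but no destination at all.
SAMPLE_NONCOMPLIANT = {"value": [
    {"name": "archive", "properties": {
        "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stentraarchive",
        "logs": [{"category": "AuditLogs", "enabled": True}, {"category": "SignInLogs", "enabled": False}]}},
    {"name": "orphan", "properties": {
        "logs": [{"category": "AuditLogs", "enabled": True}, {"category": "SignInLogs", "enabled": True}]}},
]}

# Placeholder workspace ID (constructed, not a real resource).
WORKSPACE_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-entra"

SAMPLE_COMPLIANT = {"value": [
    {"name": "to-law", "properties": {"workspaceId": WORKSPACE_ID,
        "logs": [{"category": c, "enabled": True} for c in REQUIRED_CATEGORIES]}}]}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_NONCOMPLIANT), indent=2))   # compliant false, missing SignInLogs
    body = build_setting_body("workspace", WORKSPACE_ID)
    print(shlex.join(az_rest_command("entra-to-law", body)))      # the remediation call, for review
```

In practice you would feed evaluate() the output of `az rest --method get` against the same URL (with the listing instead of a setting name), review the printed `az rest` command, and only then run it with an account that holds the permissions the Pre-requisites section lists.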
Create Alerts (Optional):
You can create alerts in Azure Monitor to get notified when certain activities (e.g., failed logins, changes to user roles) occur.
In Azure Monitor, go to Alerts and create a new alert rule based on the Sign-ins or Audit Logs to notify administrators of specific activities.
Monitor and Review Logs:
Regularly review the activity logs using Azure Monitor or Log Analytics queries.
Use Dashboards in Azure Monitor to visualize the logs and make real-time decisions based on the data captured from Microsoft Entra.
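The two alert examples named in the Create Alerts step (failed logins and changes to user roles) only become useful once the logic behind them is explicit. The block below is an added example, not code from the original page: it runs that detection logic over constructed records shaped like a few fields of the Log Analytics SignInLogs and AuditLogs tables (TimeGenerated, UserPrincipalName, IPAddress, ResultType; OperationName, InitiatedBy, TargetResources). Those field names are an assumption to confirm against your own workspace; the threshold, window and role-operation names are example choices.

```python
"""Alert logic over exported Entra logs: failed sign-in bursts and role changes.

Added example, not part of the original page. Assumes a handful of field names
from the Log Analytics SignInLogs and AuditLogs tables (TimeGenerated,
UserPrincipalName, IPAddress, ResultType; OperationName, InitiatedBy,
TargetResources); confirm them against your workspace. Records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_SIGNIN_THRESHOLD = 5        # failures from one user+IP pair ...
WINDOW = timedelta(minutes=10)     # ... inside this sliding window
# Audit operations that change directory-role membership (example set).
ROLE_OPERATIONS = {"Add member to role", "Remove member from role",
                   "Add eligible member to role"}


def _when(record: dict) -> datetime:
    return datetime.fromisoformat(record["TimeGenerated"])


def failed_signin_bursts(signin_logs, threshold=FAILED_SIGNIN_THRESHOLD, window=WINDOW):
    """One alert per (user, IP) whose failures reach `threshold` inside `window`.

    ResultType "0" is a successful sign-in; any other value is an error code.
    """
    failures = defaultdict(list)
    for r in signin_logs:
        if r["ResultType"] != "0":
            failures[(r["UserPrincipalName"].lower(), r["IPAddress"])].append(_when(r))
    alerts = []
    for (user, ip), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "ip": ip, "failures_in_window": best,
                           "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return alerts


def _actor(initiated_by: dict) -> str:
    """InitiatedBy carries either a user or an app block; name whichever is present."""
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def role_changes(audit_logs):
    """Every directory-role membership change, with who did it and to whom."""
    return [{"operation": r["OperationName"], "actor": _actor(r.get("InitiatedBy", {})),
             "targets": [t.get("displayName") for t in r.get("TargetResources", [])],
             "time": r["TimeGenerated"]}
            for r in audit_logs if r["OperationName"] in ROLE_OPERATIONS]


def _signin(t, upn, ip, code):
    return {"TimeGenerated": t, "UserPrincipalName": upn, "IPAddress": ip, "ResultType": code}


# Constructed sample: alice fails once an hour earlier (outside the window), then
# six times in three minutes, then succeeds; bob fails twice (below threshold).
SAMPLE_SIGNINS = [
    _signin("2024-05-01T07:00:00", "alice@contoso.example", "203.0.113.10", "50126"),
    *[_signin(f"2024-05-01T08:0{i // 2}:{30 * (i % 2):02d}", "alice@contoso.example", "203.0.113.10", "50126")
      for i in range(6)],
    _signin("2024-05-01T08:05:00", "alice@contoso.example", "203.0.113.10", "0"),
    _signin("2024-05-01T09:00:00", "bob@contoso.example", "198.51.100.7", "50126"),
    _signin("2024-05-01T09:00:10", "bob@contoso.example", "198.51.100.7", "50126"),
]

SAMPLE_AUDIT = [
    {"TimeGenerated": "2024-05-01T10:15:00", "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "dave@contoso.example", "type": "User"},
                         {"displayName": "Global Administrator", "type": "Role"}]},
    {"TimeGenerated": "2024-05-01T10:20:00", "OperationName": "Update user",
     "InitiatedBy": {"app": {"displayName": "Sync Service"}},
     "TargetResources": [{"displayName": "carol@contoso.example", "type": "User"}]},
]

if __name__ == "__main__":
    for a in failed_signin_bursts(SAMPLE_SIGNINS):
        print("FAILED-SIGNIN BURST", a)        # alice only: 6 failures inside the window
    for c in role_changes(SAMPLE_AUDIT):
        print("ROLE CHANGE", c)                # admin added dave to Global Administrator
```

The same conditions translate directly into the Azure Monitor alert rules the step describes: the sign-in rule is a scheduled query over SignInLogs grouped by user and IP, the role rule a query over AuditLogs filtered on the operation names, with the thresholds tuned to your tenant's normal failure rate.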
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Diagnostic Settings:
Go to Microsoft Entra (or Azure AD) in the Azure portal.
Remove or Modify Diagnostic Setting:
In Diagnostic settings, locate the diagnostic setting you created for sending Microsoft Entra activity logs.
Either delete the diagnostic setting or modify it to stop sending logs to the previously configured destination (e.g., Log Analytics, Event Hub, or Storage Account).
Verify the Backout:
After removing or modifying the diagnostic setting, check the selected destination (Log Analytics, Event Hub, or Storage Account) to ensure that logs are no longer being sent.
Test the Reverted Configuration:
Perform a test action (e.g., a sign-in) and verify that the logs are no longer captured or sent to the destination.