Description:
Microsoft Graph activity logs record interactions with Microsoft Entra (formerly Azure Active Directory) made through the Microsoft Graph API, including user management, application interactions, and directory updates. Sending these logs to an appropriate destination, such as a Log Analytics workspace, an Event Hub, or a Storage Account, is essential for monitoring, auditing, and compliance.
Configuring a diagnostic setting that forwards Microsoft Graph activity logs to a destination lets you centralize log management, monitor user and application activity, and detect potential security threats or unauthorized access attempts.
Rationale:
Ensuring that Microsoft Graph activity logs are captured and sent to an appropriate destination enables:
Centralized logging and monitoring: Streamline analysis of Graph-related activities for compliance and security monitoring.
Real-time event tracking: Capture and track interactions with Microsoft Entra through Microsoft Graph.
Auditing and compliance: Maintain a record of API calls made through Microsoft Graph for auditing purposes, helping to meet regulatory requirements.
Proactive incident detection: Quickly detect and respond to any anomalous activities through the collected logs.
Impact:
Capturing Microsoft Graph activity logs and sending them to a centralized destination such as a Log Analytics workspace, an Event Hub, or a Storage Account improves visibility into API-driven activity in your Microsoft Entra (Azure AD) environment. However, storage and ingestion costs increase with the volume of log data generated and the retention policies applied. Configure log retention and optimize queries to balance cost against performance.
Default Value:
By default, Microsoft Graph activity logs are not automatically sent to external destinations. A diagnostic setting must be manually configured to ensure the logs are sent to a specified destination like Log Analytics or Event Hub.
Pre-requisites:
Azure subscription with Microsoft Entra (Azure AD) configured.
Owner or Contributor role permissions to configure diagnostic settings.
Log Analytics workspace, Event Hub, or Storage Account set up as a destination for the logs.
Microsoft Graph activity logging enabled.
Audit:
Sign in to the Azure portal as an Owner, Contributor, or Security Administrator.
Navigate to Microsoft Entra (Azure AD), open Diagnostic settings under Monitoring, and confirm that at least one diagnostic setting has the Microsoft Graph activity logs category enabled and a destination configured.
Verify that Microsoft Graph activity logs are actually arriving at the chosen destination (e.g., Log Analytics workspace, Event Hub, or Storage Account), not just that the setting exists.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Security Administrator permissions.
Navigate to Microsoft Entra (Azure AD):
In the Azure portal, search for and select Microsoft Entra (formerly Azure Active Directory).
Go to Diagnostic Settings:
Under Monitoring in Microsoft Entra, select Diagnostic settings. This is where you will configure how logs are sent to external destinations.
Add a New Diagnostic Setting:
Click on + Add diagnostic setting to create a new diagnostic setting.
Select Logs to Capture:
Under Log categories, select the Microsoft Graph activity logs category.
You may also want to select related categories such as Audit logs, Sign-in logs, or other security logs if applicable.
Choose a Destination:
Select where the logs will be sent:
Log Analytics workspace: Choose this option if you want to query, monitor, and analyze the logs within Azure Monitor.
Event Hub: Choose this option if you want to forward the logs to an external system (such as a third-party SIEM).
Storage Account: Choose this option if you need to retain logs for a longer period or for archival purposes.
Example destinations:
Select Send to Log Analytics and choose the appropriate Log Analytics workspace.
If you are using Event Hub, select your Event Hub namespace and Event Hub name.
If you are using Storage Account, choose the relevant Storage Account.
Set Retention Policy (Optional):
Configure the retention policy to specify how long the logs should be retained.
You can set different retention periods based on the destination. For example, Log Analytics can keep data for up to 2 years.
Review and Create:
Review the configuration to ensure the correct log categories and destination are selected.
Click Save to create the diagnostic setting and start sending Microsoft Graph activity logs to the selected destination.
Verify Log Capture:
After setting up the diagnostic setting, verify that the Microsoft Graph activity logs are being captured by performing an action that generates a log (e.g., a sign-in or user management event).
Check your Log Analytics workspace (or Event Hub or Storage Account) to confirm that the logs are flowing.
Set Up Alerts (Optional):
You can set up alerts in Azure Monitor based on specific logs.
In Azure Monitor, go to Alerts and create a new alert rule based on the logs from Microsoft Graph.
Set the conditions for when you want to be notified (e.g., failed login attempts, unauthorized changes).
Monitor Logs and Review:
Regularly monitor the Microsoft Graph activity logs using Azure Monitor, Log Analytics, or a third-party SIEM connected via Event Hub.
Use dashboards to visualize the logs and identify trends, failures, or security incidents.
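The implementation steps above (create the diagnostic setting), the Audit section (confirm the category is enabled) and the Verify Log Capture step can all be scripted with the Azure CLI. The script below is an added example, not part of the original benchmark text; it assumes a logged-in az session, that the tenant-level Microsoft Entra resource id is /providers/microsoft.aadiam, and placeholder values for the setting name and Log Analytics workspace id. The audit parser is exercised offline against constructed sample output.

```shell
#!/usr/bin/env bash
# Added example: manage and audit the Microsoft Entra diagnostic setting for the
# MicrosoftGraphActivityLogs category with the Azure CLI (not the page's own code).
ENTRA_RESOURCE="/providers/microsoft.aadiam"          # assumed tenant-level resource id
SETTING_NAME="${SETTING_NAME:-graph-activity-to-law}" # hypothetical setting name
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>}"  # placeholder

# Implementation: create a diagnostic setting that sends Graph activity logs to Log Analytics.
enable_graph_logs() {
  az monitor diagnostic-settings create \
    --name "$SETTING_NAME" \
    --resource "$ENTRA_RESOURCE" \
    --workspace "$WORKSPACE_ID" \
    --logs '[{"category":"MicrosoftGraphActivityLogs","enabled":true}]'
}

# Audit (offline part): given the JSON from `az monitor diagnostic-settings list`,
# return 0 if any setting has MicrosoftGraphActivityLogs enabled, 1 otherwise.
# Nested retentionPolicy objects are stripped first so their own "enabled"
# flag cannot produce a false positive. Pure shell, no jq required.
audit_settings_json() {
  printf '%s' "$1" \
    | tr -d '\n' \
    | sed 's/"retentionPolicy": *{[^}]*}//g' \
    | tr '}' '\n' \
    | grep '"category": *"MicrosoftGraphActivityLogs"' \
    | grep -q '"enabled": *true'
}

# Audit (live): fetch the tenant's diagnostic settings and evaluate them.
audit_graph_logs() {
  audit_settings_json "$(az monitor diagnostic-settings list --resource "$ENTRA_RESOURCE" -o json)"
}

# Verify Log Capture: confirm events reached the workspace in the last hour.
verify_graph_logs_flowing() {
  az monitor log-analytics query --workspace "$WORKSPACE_ID" -o table --analytics-query \
    'MicrosoftGraphActivityLogs | where TimeGenerated > ago(1h) | summarize count() by RequestMethod, ResponseStatusCode'
}

# Constructed sample output (shaped like `az monitor diagnostic-settings list`) for an offline dry run.
SAMPLE_ENABLED='[{"name":"graph-activity-to-law","logs":[{"category":"AuditLogs","enabled":false,"retentionPolicy":{"days":0,"enabled":false}},{"category":"MicrosoftGraphActivityLogs","enabled":true,"retentionPolicy":{"days":0,"enabled":false}}]}]'
SAMPLE_DISABLED='[{"name":"audit-only","logs":[{"category":"AuditLogs","enabled":true,"retentionPolicy":{"days":30,"enabled":true}},{"category":"MicrosoftGraphActivityLogs","enabled":false,"retentionPolicy":{"days":30,"enabled":true}}]}]'

if audit_settings_json "$SAMPLE_ENABLED"; then echo "sample 1: PASS, Graph activity logs enabled"; fi
if ! audit_settings_json "$SAMPLE_DISABLED"; then echo "sample 2: FAIL, no enabled Graph activity log setting"; fi
```

Run `audit_graph_logs` against a real tenant to perform the audit, and `verify_graph_logs_flowing` after a Graph API call to confirm ingestion.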
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Security Administrator permissions.
Navigate to Microsoft Entra (Azure AD):
Go to Microsoft Entra (Azure AD) in the Azure portal.
Remove or Modify the Diagnostic Setting:
In Diagnostic settings, find the diagnostic setting you created for Microsoft Graph activity logs.
You can either delete the diagnostic setting or modify it to stop sending logs to the previously configured destination.
Verify Log Collection Stopped:
After removing or modifying the diagnostic setting, verify that no more logs are being sent to the destination (Log Analytics, Event Hub, or Storage Account).
Test the Reverted Configuration:
Perform a test action (e.g., a sign-in or policy change) to ensure that no logs are being captured or sent to the destination.