Manage Azure-AD logs with Azure Monitoring

Many organizations are starting to understand the power of using Azure-AD as an IdP (identity provider) for both SaaS applications and on-prem applications. During the last year I have been involved in several projects where customers are starting to centralize their identities in Azure-AD to benefit from all of its security features.
It is simply great to be able to use features like Conditional Access, Identity Protection and Microsoft Cloud App Security to control access to data for many of your applications.
When expanding the usage of Azure-AD, it becomes even more relevant to make sure that you manage the Azure-AD logs with a security mindset.
In this blog post, we will focus on how you can export your Azure-AD logs to Azure Monitoring (Log Analytics).

Why you need to expand Log Retention

We know from several reports over the last couple of years that it often takes several months before a security breach is detected.
Therefore it is important, from several different aspects, that we export our Azure-AD logs to a more permanent location so we can achieve an extended retention of the Azure-AD logs.
In many organizations there are several other reasons why you might need to retain this kind of data for longer than 30 days, so it is often a win-win situation from both a compliance and a security perspective.

Default Azure-AD Log Retentions

The default retention times for Azure-AD logs

Report        Azure AD Free    Azure AD Premium P1    Azure AD Premium P2
Audit logs    7 days           30 days                30 days
Sign-ins      7 days           30 days                30 days

Source: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data

Perks with using Azure Monitoring

  • Long-term log storage
  • Ability to create custom alerts
  • Get awesome workbooks through the Azure AD Insights reports that will help you gain insight into Conditional Access, sign-ins from legacy authentication protocols, failed sign-ins and much more.

Prerequisites before we implement Azure Monitoring

Before we can start to integrate our Azure-AD logs with Azure Monitoring we need to make sure that we fulfil the requirements for it:

  • We need an Azure Subscription (I recommend creating a separate subscription for managing your Azure-AD logs, for GDPR and compliance reasons)
  • We need a Log Analytics workspace
  • We need an Azure-AD Premium P1 or P2 license

Create a dedicated Azure Subscription for managing Azure-AD logs

Since the Azure-AD logs contain a lot of sensitive data about our users, it is key to separate this kind of information from the administrators who manage other Azure resources in your organization. By creating a separate Azure Subscription for this purpose only, we can make sure that no one gets access to this data by mistake.

If you have a license partner through CSP, you might need to ask your provider to add a new Azure Subscription.
Since this is done in a demo environment, we will simply add a "Pay-as-you-go" subscription; this might be relevant for small organizations as well:

  1. Sign in to the Azure Portal
  2. Click on "Subscriptions"
  3. Click on + Add
  4. Select the offer Pay-As-You-Go
  5. Add your payment method and sign up for the subscription
  6. Open the newly created subscription and rename it if needed

Create a new Log Analytics Workspace

Now we need to create a Log Analytics Workspace in our subscription:

  1. Open the Azure Portal
  2. Search for Log Analytics Workspaces and open it
  3. Click on Create
  4. Select your Azure Subscription and resource group, configure a name for the new Log Analytics workspace and select a region
  5. Go through the pricing tier and tags, then create the workspace

Configure Azure-AD to send logs to Log Analytics

  1. Open Azure Active Directory
  2. Click on Diagnostic settings
  3. Add diagnostic setting
  4. Name the diagnostic setting
  5. Select the AuditLogs and the SignInLogs
  6. Select "Send to Log Analytics workspace"
  7. Select the Subscription and the Log Analytics workspace
  8. Click on Save
  9. The logs will now start to stream to the Log Analytics workspace and should be available within the next 15 minutes

Unable to save the Diagnostic settings?

If you get an error message like "Failed to update diagnostics for '/providers/microsoft.aadiam'. {"code":"Conflict","message":"The subscription 'XXXXXXX-XXXX-XXX-XXX-XXXXXXXX' is not registered to use microsoft.insights."}", then the Azure subscription is not registered for the microsoft.insights resource provider.

You can enable this easily in the Azure portal:
  1. Open your Azure Subscription
  2. Go to Resource providers
  3. Register "microsoft.insights"

If "microsoft.insights" is already registered but you are still receiving the error message, try to "re-register".

Try to add the Diagnostic settings again, and it should work just fine 😊

What about costs for Azure Monitor?

Microsoft provides the following cost estimate for Azure-AD Sign-in logs and Audit logs integrated with Azure Monitor:

Log category          Number of users   Events per day   Events per month (30 days)   Cost per month in USD (est.)
Audit and Sign-ins    100,000           16,500,000       495,000,000                  $1,093.00
Audit                 100,000           1,500,000        45,000,000                   $246.66
Sign-ins              100,000           15,000,000       450,000,000                  $847.28
Audit and Sign-ins    6,000             990,000          29,700,000                   $65.58
Audit and Sign-ins    3,000             495,000          14,850,000                   $32.79
Audit and Sign-ins    1,500             247,500          7,425,000                    $16.39

You can read more about the cost considerations here and here

Retention within Log Analytics workspace

Now we need to configure the data retention for the dedicated Log Analytics workspace we have created.
This simply sets the number of days that the Azure-AD sign-in logs and audit logs are stored within the workspace.

  1. Open the Azure Portal
  2. Search for Log Analytics Workspaces and open it
  3. Open the newly created workspace
  4. Click on Usage and estimated costs
  5. Click on Data Retention
  6. Select the number of days you need for retention
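The portal steps above (registering microsoft.insights, creating the workspace with an extended retention, sending the AuditLogs and SignInLogs categories to it, and checking that events arrive) done with the Azure CLI, as an added example that is not part of the original post. The subscription id, resource group, workspace name, region and the 365-day retention are placeholder assumptions, and it is assumed that az monitor diagnostic-settings create accepts the tenant-level resource /providers/microsoft.aadiam.

```shell
#!/bin/sh
# Added example (not from the post): the same setup done with the Azure CLI.
# All names, the subscription id and the retention value are placeholder assumptions.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aad-logs}"      # dedicated group in the log subscription
WORKSPACE_NAME="${WORKSPACE_NAME:-law-aad-logs}"
LOCATION="${LOCATION:-westeurope}"
RETENTION_DAYS="${RETENTION_DAYS:-365}"              # well beyond the 30-day default

# Log Analytics accepts 30..730 days of retention; refuse anything else before calling az.
validate_retention() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 30 ] && [ "$1" -le 730 ]
}

# The two Azure AD log categories the post enables in the portal.
diagnostic_logs_json() {
  printf '[{"category":"AuditLogs","enabled":true},{"category":"SignInLogs","enabled":true}]'
}

configure_aad_export() {
  validate_retention "$RETENTION_DAYS" || { echo "retention must be 30-730 days" >&2; return 1; }
  az account set --subscription "$SUBSCRIPTION_ID"
  # Resolves the "not registered to use microsoft.insights" conflict described in the post.
  az provider register --namespace Microsoft.Insights --wait
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  az monitor log-analytics workspace create --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE_NAME" --location "$LOCATION" \
    --retention-time "$RETENTION_DAYS" --output none
  ws_id=$(az monitor log-analytics workspace show --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE_NAME" --query id --output tsv)
  # Tenant-level diagnostic setting on the Azure AD resource provider (microsoft.aadiam).
  az monitor diagnostic-settings create --name "aad-to-law" \
    --resource "/providers/microsoft.aadiam" --workspace "$ws_id" \
    --logs "$(diagnostic_logs_json)" --output none
}

# Quick check that sign-in events have arrived (allow about 15 minutes after saving).
verify_ingest() {
  customer_id=$(az monitor log-analytics workspace show --resource-group "$RESOURCE_GROUP" \
    --workspace-name "$WORKSPACE_NAME" --query customerId --output tsv)
  az monitor log-analytics query --workspace "$customer_id" \
    --analytics-query "SigninLogs | where TimeGenerated > ago(1h) | summarize count() by ResultType"
}

# Only touch Azure when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_AZURE:-0}" = "1" ]; then configure_aad_export; verify_ingest; fi
```

Run it with RUN_AZURE=1 after az login against the dedicated log subscription; without that variable the script only defines the helper functions.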

Key takeaway

The default retention times for Azure-AD logs are in almost all cases too short; we need to make sure that we have access to those logs in case of an account breach within the platform.

Azure Monitoring is an easy and straightforward function to implement that will give you extended retention and a new level of insight at a relatively low cost.
I hope that this will help you to start your Azure Monitoring journey!
