What is Azure AD (Active Directory)?
If you've reached this page but need a quick reminder of what Azure Active Directory is and why it differs from an Active Directory you may have installed on-premises, you may want to read this brief description first: What is Azure Active Directory.
Why should you monitor Azure Active Directory?
I won't go into too much detail as to why you should monitor Azure Active Directory, but here are the top three reasons why we think everyone should monitor this service:
- Security - Proactive monitoring of sign-in logs enables quick detection of malicious activity such as brute-force attacks. Spikes or unusual patterns in the logs may indicate that your Azure AD tenant is under attack. Proactively controlling users and permissions to remove unnecessary access or dormant user accounts minimizes your organization's attack surface.
- Compliance - The auditing features built into eG Enterprise are designed to ensure traceability processes are enforced. An audit report will help you demonstrate compliance with the regulatory standards required by many industry sectors. Not only do you need to know who is accessing your cloud resources and from where, but you may also need to prove that you collect this information and capture it before the (often short) default retention window for Azure sign-in logs expires.
- End-user experience - Proactively monitoring components such as Azure AD and Azure AD Connect (which synchronizes on-premises Active Directory with Azure AD) can prevent sign-in problems for users by detecting synchronization issues early. Monitoring the expiration dates of certificates and secrets ensures that users do not run into resource expiration issues.
Which Azure Active Directory monitoring tool to use?
Unlike Active Directory, the younger Azure Active Directory is not yet supported by many monitoring tools. You have two options:
- Azure Monitor - Azure Monitor is a service that provides a single dashboard for monitoring all Azure resources. It allows you to collect data from multiple sources, including Azure Resource Manager, Azure services, and on-premises resources, and visualize that data in a unified way. Azure Monitor also provides built-in alerts and actions to take automatic corrective action when issues are detected.
- Third-party monitoring tools such as eG Enterprise, a comprehensive monitoring platform that monitors every layer of applications running in the cloud and on on-premises infrastructure. It detects, diagnoses and fixes application performance issues before end users are affected.
Both options have advantages and disadvantages, which we will discuss in the next section.
Monitor Azure Active Directory with Azure Monitor
Azure Monitor is the native Azure monitoring solution, just as CloudWatch is the native monitoring solution for AWS (Amazon Web Services). Do-it-yourself installation and configuration is quick and easy, but it can become increasingly complex and costly.
Microsoft provides extensive documentation on getting started.
Advantages of Azure Monitor Azure Active Directory monitoring
- Native tools available with your Azure subscription.
- A simple GUI suitable for beginners trying out Azure on a small scale.
- Extensive documentation and plenty of community self-help are available, such as "Getting Started" blogs and "How To" videos.
Disadvantages of Azure monitoring
- All thresholds, metrics, and alerts must be manually configured or require significant investment in custom scripts and automation tools.
- It only provides visibility into the Azure tier, so if an issue occurs outside Azure you'll need additional monitoring tools. Azure AD is commonly used alongside on-premises or legacy Active Directory via Azure AD Connect. This adds a layer of complexity, as your IT team has to switch between tools and manually correlate what Azure Monitor says with what your third-party monitoring tool says.
- You are charged alert fees for monitored metrics. This means your monthly bill may go up, or your finance team may ask you to lower your monitoring costs, leaving you with less visibility because you can't afford to monitor all the metrics you need. Azure Monitor relies on Azure Log Analytics, so storage charges also apply.
Monitor Azure Active Directory with third-party monitoring tools
At the time of writing, there are very few third-party monitoring tools available for Azure Active Directory.
Benefits of third-party monitoring tools for Azure Active Directory
- End-to-end monitoring provides visibility across your entire IT infrastructure to quickly diagnose and pinpoint the root cause of performance issues.
- Predictable costs (we cover how to estimate Azure Monitor costs in the previous article).
- Often more cost-effective, especially if you want to retain data beyond the default Azure retention period of 7/30 days.
- Pre-built dashboards, reporting and support tools. A tool with an easy-to-use graphical user interface removes the need for scripts, trawling logs and KQL (Kusto Query Language) queries, and is usable by L1/L2 service desk staff with no domain-specific knowledge of AVD (Azure Virtual Desktop).
- Comprehensive monitoring options are available, such as active testing of baseline login workflows with synthetic (robot) users.
Disadvantages of third-party monitoring tools
- YAMT (Yet Another Monitoring Tool) - Unless one tool replaces another or adds significant value, it adds budget and overhead for the management, lifecycle, patching and auditing of an additional tool.
- Integrating many third-party tools, especially open-source tools, requires considerable work and skill, such as custom scripts or configuration.
- Many third-party tools, especially open-source and free tools, come with no support contracts or commitments, unlike commercial solutions backed by Microsoft or enterprise vendors. If something goes wrong, there may be no one to receive a support ticket, and no one obligated to help or resolve the issue. The challenges of OSS (Open Source Software) and free software are discussed at the end of this article.
5 things you need to monitor in Azure Active Directory
In fact, there are literally hundreds of metrics, events and log entries that you can monitor for Azure Active Directory. The more you can track, the faster you can diagnose a root cause. However, if your budget for Azure Monitor is limited, it makes sense to prioritize which metrics you track. Indeed, AIOps (Artificial Intelligence for IT Operations) domain-analysis technologies such as eG Enterprise adjust sampling criteria and prioritize certain metrics to reduce costs and avoid excessive noise from machine learning algorithms.
Here are five areas where we believe monitoring should be prioritized. eG Enterprise does all of this for you out of the box: no manual setup is required and all thresholds (static and dynamic) are preset, so you don't have to spend time configuring everything.
1. Track and monitor users in Azure Active Directory
Identity management is a big challenge in cloud environments, especially when users can log in from anywhere. In addition, users can often sign in and access cloud-hosted resources using different types of devices. Without a central source of authentication and authorization, it's hard to manage who can log in to what and what they can do with cloud resources. In addition, there may be thousands of identical identities from different organizations trying to leverage cloud resources. Microsoft solves all of the above challenges with Azure Active Directory (Azure AD).
User accounts in Azure AD can grow rapidly depending on business and organizational requirements. Because Azure AD is in the cloud, tenants are exposed to ransomware, password spraying, brute force and more. Examples of recent Azure AD attacks and known security issues include:
- How Azure AD is vulnerable to brute force and DOS attacks
- No fix for new Azure Active Directory password brute force vulnerability
Ideally, the Azure admin needs to know (better yet, actively monitor) the following in Azure AD:
- How many users are created in Azure AD?
- How many users are synced from on-premises Active Directory, where are they synced, and when was the last sync?
- How many users use weak passwords?
- How many users have their passwords in the non-expiring state?
- Are there unlicensed users in my Azure tenant?
- Are there any disabled accounts in the Azure tenant?
- Are there user accounts that don't belong to any Azure AD groups?
- Are there any stale user accounts in my Azure tenant?
- Are there any malicious login attempts?
- Have you had any risky logins recently?
- Are any application registration client secrets or SSL (Secure Sockets Layer) certificates about to expire?
- What roles and permissions do the app registrations have?
- Has the tenant recently experienced a brute-force attack?
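As an added example (not eG Enterprise's or Microsoft's code), here are the user-hygiene questions from the list above expressed as checks over constructed records shaped like Microsoft Graph /users objects. The field names follow Graph (accountEnabled, passwordPolicies, assignedLicenses, signInActivity); memberOf is simplified to a list of group names, and every value is invented.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed sample records shaped like Microsoft Graph /users objects.
# memberOf is simplified to group names; all values are invented.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "passwordPolicies": None, "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {"lastSignInDateTime": "2023-05-30T08:12:00Z"},
     "memberOf": ["Finance"]},
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "passwordPolicies": "DisablePasswordExpiration", "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": "2022-11-02T03:00:00Z"},
     "memberOf": []},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "passwordPolicies": None, "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {"lastSignInDateTime": None},
     "memberOf": ["Sales"]},
]


def parse_time(value):
    """Parse a Graph ISO-8601 timestamp ('...Z') into an aware datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_user(user, now=NOW, stale_days=90):
    """Return the list of hygiene findings for one user record."""
    findings = []
    if not user.get("accountEnabled"):
        findings.append("disabled")
    # passwordPolicies is a comma-separated string, e.g. "DisablePasswordExpiration".
    policies = [p.strip() for p in (user.get("passwordPolicies") or "").split(",")]
    if "DisablePasswordExpiration" in policies:
        findings.append("password-never-expires")
    if not user.get("assignedLicenses"):
        findings.append("unlicensed")
    if not user.get("memberOf"):
        findings.append("no-group-membership")
    last = parse_time((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    if last is None:
        findings.append("never-signed-in")
    elif now - last > timedelta(days=stale_days):
        findings.append("stale")
    return findings


def audit_tenant(users, now=NOW, stale_days=90):
    """Map each UPN to its findings; users with an empty list are clean."""
    return {u["userPrincipalName"]: audit_user(u, now, stale_days) for u in users}


def summarize(report):
    """Count how many users carry each finding, for a dashboard-style overview."""
    counts = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_tenant(USERS)
    for upn, findings in report.items():
        print(f"{upn}: {', '.join(findings) or 'OK'}")
    print(summarize(report))
```

Against a real tenant the same functions would run over the JSON returned by a Graph `/users` query that selects these properties (signInActivity needs the AuditLog.Read.All permission).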
Figure 2: User data actively recorded and monitored by eG Enterprise. When a problem occurs, the green tick is automatically replaced with an alert and a detailed diagnostic icon (magnifying glass) appears to provide a deeper look into the details of the problematic user account.
For a detailed guide to tracking and monitoring Azure Active Directory users, see: Monitor and manage Azure Active Directory users.
2. Monitor Azure Active Directory audit logs for compliance and security
As an Azure cloud administrator, you need to know who accesses your cloud resources, how they access them, what they access, what changes when they access them, where they access them from, and more.
Azure AD (Azure Active Directory) answers these questions by storing information in two logs. The information they hold is very valuable for troubleshooting, monitoring and general security work. The logs are:
- Azure AD audit logs
- Azure AD login logs
The Azure AD audit log gives you access to the history of every task performed in your tenant, for example changes applied to the tenant such as user and group management, updates applied to tenant resources, and so on.
Figure 3: The information available to eG Enterprise includes details of failed actions.
For more detailed guidance on monitoring Azure Active Directory audit logs for compliance and security, see: How to ensure compliance and security by monitoring Azure AD audit logs.
3. Monitor sign-in logs to proactively detect attacks
Azure AD sign-in logs help identify who performed the tasks reported in the Azure AD audit logs. They are an essential tool for troubleshooting and investigating security incidents in your tenant. In addition, proactive and continuous monitoring of sign-ins can prevent breaches, alert administrators to malicious attacks and unusual usage patterns, and reduce security exposure by ensuring systems are configured to allow access only to the users and services that require it, follow the latest authentication best practices, etc.
Figure 4: eG Enterprise provides out-of-the-box dashboards that give a user-friendly overview of Azure AD sign-in log data.
Figure 5: Sharp and sudden spikes in login failures often indicate service failures that typically affect users in a specific location. Daily work patterns, such as logging in at 9 am or returning from the lunch rush at 1 pm, become crystal clear. Unusual behavior, such as a user logging in at 3am from an unusual location, should trigger a red flag.
To learn more about Azure compliance monitoring and detecting attacks by monitoring sign-in logs, refer to this article: How to monitor Azure AD login logs and proactively detect attacks.
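The two patterns Figure 5 calls out, a burst of failed sign-ins from one source and a successful sign-in at 3am from an unfamiliar location, as detection logic over constructed records shaped like Azure AD sign-in log entries. This is an added example rather than eG Enterprise's or Microsoft's code; the error codes follow Azure AD (0 = success, 50126 = invalid credentials), while the users, addresses and the "ZZ" country placeholder are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, ip, code, country):
    """Build one record shaped like an Azure AD sign-in log entry."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country}}


# Constructed sample sign-ins (errorCode 0 = success, 50126 = invalid credentials).
# Country "ZZ" stands in for an unfamiliar location; all values are invented.
SIGN_INS = [
    ev("2023-06-01T09:01:10Z", "alice@contoso.example", "198.51.100.7", 0, "GB"),
    ev("2023-06-01T13:05:00Z", "alice@contoso.example", "198.51.100.7", 0, "GB"),
    ev("2023-06-01T09:02:30Z", "bob@contoso.example", "198.51.100.9", 0, "GB"),
    ev("2023-06-01T09:03:00Z", "bob@contoso.example", "198.51.100.9", 50126, "GB"),
    # a 03:14 success from a country alice has never signed in from during the day
    ev("2023-06-01T03:14:00Z", "alice@contoso.example", "203.0.113.5", 0, "ZZ"),
]
# six failed attempts against six accounts from one address within 50 seconds
SIGN_INS += [ev(f"2023-06-01T02:10:{sec:02d}Z", f"user{i}@contoso.example",
                "203.0.113.5", 50126, "ZZ") for i, sec in enumerate(range(0, 60, 10))]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ipAddress: peak failures inside any `window`} for addresses that
    reach `threshold`, using a sliding window over sorted timestamps per source IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != 0:
            by_ip[e["ipAddress"]].append(parse_ts(e["createdDateTime"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def off_hours_anomalies(events, start_hour=0, end_hour=5):
    """Successful sign-ins between start_hour and end_hour (UTC) from a country the
    user has never used outside that window. Returns (upn, time, country) tuples."""
    baseline = defaultdict(set)
    night = []
    for e in events:
        if e["status"]["errorCode"] != 0:
            continue
        t = parse_ts(e["createdDateTime"])
        country = e["location"]["countryOrRegion"]
        if start_hour <= t.hour < end_hour:
            night.append((e["userPrincipalName"], t, country))
        else:
            baseline[e["userPrincipalName"]].add(country)
    return [(u, t.isoformat(), c) for u, t, c in night if c not in baseline[u]]


if __name__ == "__main__":
    print("failure bursts:", failure_bursts(SIGN_INS))
    print("off-hours anomalies:", off_hours_anomalies(SIGN_INS))
```

Bob's single mistyped password stays below the threshold, which is the point of counting per source within a window rather than alerting on every failure.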
4. Monitor application registrations and track client secret and certificate expiration
Azure Active Directory (Azure AD) is a cloud-based identity and access management (IAM) service and identity provider (IdP) from Microsoft. Azure AD is the foundation of authentication for Microsoft 365 and thousands of cloud-based SaaS (Software as a Service) applications.
One of the features of your organization's Azure AD is the Microsoft Identity Platform. It helps developers build apps in which users and customers sign in with their Microsoft identities or social accounts and obtain authorized access to the app's own API (Application Programming Interface) or to Microsoft APIs such as Microsoft Graph.
You must register your application with Azure AD so that it can prove its identity and programmatically access resources in Azure and Office 365. Infrastructure as Code (IaC) and DevOps pipelines likewise require your application to be registered with Azure AD for automation.
Read our full guide on monitoring Azure Active Directory client secrets and certificate expiration: Azure AD application client secret and certificate expiration monitoring and alerts.
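An added example of the expiry tracking this section describes, not eG Enterprise's or Microsoft's code: it walks constructed records shaped like Microsoft Graph /applications objects, where passwordCredentials are client secrets and keyCredentials are certificates, and grades each one by remaining lifetime. The app names, credential names and dates are invented.

```python
from datetime import datetime, timezone

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed sample records shaped like Microsoft Graph /applications objects:
# passwordCredentials are client secrets, keyCredentials are certificates.
APPS = [
    {"displayName": "payroll-sync",
     "passwordCredentials": [
         {"displayName": "ci-pipeline", "endDateTime": "2023-06-05T00:00:00Z"},
         {"displayName": "legacy-secret", "endDateTime": "2023-01-15T00:00:00Z"}],
     "keyCredentials": [
         {"displayName": "signing-cert", "endDateTime": "2023-06-20T00:00:00Z"}]},
    {"displayName": "reporting-api",
     "passwordCredentials": [
         {"displayName": "prod", "endDateTime": "2024-03-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "old-tool",
     "passwordCredentials": [
         {"displayName": "s1", "endDateTime": "2022-12-31T00:00:00Z"}],
     "keyCredentials": []},
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def severity(days_left, warn_days):
    """Map remaining lifetime to an alert level."""
    if days_left < 0:
        return "expired"
    if days_left <= 7:
        return "critical"
    if days_left <= warn_days:
        return "warning"
    return "ok"


def expiring_credentials(apps, now=NOW, warn_days=30):
    """List (app, kind, credential, days_left, severity) for every secret or
    certificate that is expired or inside the warning window, soonest first."""
    findings = []
    for app in apps:
        creds = [("secret", c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c) for c in app.get("keyCredentials", [])]
        for kind, cred in creds:
            days_left = (parse_ts(cred["endDateTime"]) - now).days
            level = severity(days_left, warn_days)
            if level != "ok":
                findings.append((app["displayName"], kind, cred["displayName"],
                                 days_left, level))
    return sorted(findings, key=lambda f: f[3])


def apps_without_valid_credential(apps, now=NOW):
    """Apps whose every secret and certificate has already expired: these fail to
    authenticate outright rather than merely needing rotation soon."""
    dead = []
    for app in apps:
        creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
        if creds and all(parse_ts(c["endDateTime"]) <= now for c in creds):
            dead.append(app["displayName"])
    return dead


if __name__ == "__main__":
    for app, kind, name, days, level in expiring_credentials(APPS):
        print(f"[{level}] {app} {kind} '{name}': {days} days left")
    print("no valid credential:", apps_without_valid_credential(APPS))
```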
5. Monitor Azure AD Connect (if using)
Azure AD Connect is a Microsoft tool designed as a bridge between on-premises Active Directory and Azure AD. It allows IT admins to federate on-premises user identities with Azure so users can use the same credentials to access on-premises apps and cloud services such as Microsoft 365.
It's included for free with your Azure subscription. It provides a variety of features including synchronization, federated integration, and health monitoring. By default, sync is one-way: from on-premises AD to Azure AD. However, you can configure writeback to synchronize changes from Azure AD back to on-premises AD. This way, for example, if a user changes their password using Azure AD self-service password management, the password will be updated in on-premises AD.
Synchronization errors and failures can cause problems accessing resources and applications. eG Enterprise includes component monitoring for Azure AD Connect and on-premises Active Directory.
Figure 6: eG Enterprise captures, reports, and alerts about the aforementioned metrics and data from Azure AD Connect.
For more information on monitoring Azure AD Connect, see "What is Azure AD Connect" in the article What is Azure Active Directory.
This is just a quick guide to monitoring Azure Active Directory. The next step is to follow this guide, Get started with Azure Monitor, or request a 30-day trial of eG Enterprise.
With eG Enterprise, you can get started in minutes with built-in metrics and thresholds!
Related information
- In-depth coverage of everything you need to know about Azure AD and the interdependent components of an Azure deployment: What is Azure Active Directory
- Microsoft Documentation: What is Azure Active Directory? – Azure Active Directory | Microsoft Docs
- Using Azure AD with Citrix technology; support based on Azure Active Directory groups is currently in preview, read more: Citrix Innovations to Support Hybrid Cloud Migration | Citrix Blog
- CloudSimple's Azure VMware Solution - Using Azure AD as a Private Cloud Identity Source | Microsoft documentation
- Reducing deployment size by identifying and rationalizing unused resources and interfaces can improve security, often with the added benefit of Azure cost savings, see: Save on Azure costs by finding unused, wasted and orphaned resources (eginnovations.com) and What is Azure Advisor? | eG Innovations
FAQs
How do I monitor Azure Active Directory?
To configure monitoring settings for Azure AD activity logs, first sign in to the Azure portal, then select Azure Active Directory. From here, you can access the diagnostic settings configuration page in two ways: Select Diagnostic settings from the Monitoring section.
How do I monitor AVD usage?
You can get the AVD Utilization Dashboard using Azure Monitor Insights. You will need to have appropriate access (Read-Only) to the Azure Subscription, Resource Group, and Host Pool to show insights into the AVD environment. Navigate to Azure Portal – Azure Virtual Desktop.
How do I create monitoring in Azure?
- In the Azure portal, click All services. In the list of resources, type Monitor. As you begin typing, the list filters based on your input. Select Monitor.
- On the Monitor navigation menu, select Log Analytics and then select a workspace.
Navigate to the Log Analytics workspace
Sign in to the Azure portal. Select Azure Active Directory, and then select Logs from the Monitoring section to open your Log Analytics workspace.
DCDiag is a powerful command line tool used to diagnose problems with domain controllers in a Microsoft Windows Active Directory environment. We use it to check the health of domain controllers, identify errors or inconsistencies, and troubleshoot replication issues.
How do I monitor changes in Active Directory?
To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events.
How do I check my telemetry data in Azure?
Under Monitoring, select Logs (Analytics), then copy the following telemetry query and paste it into the query window and select Run. This query returns the total memory usage at each sampled time.
How do I monitor Azure virtual machines?
To begin exploring Azure Monitor, go to the Overview page for your virtual machine, and then select the Monitoring tab. You can see the number of active alerts on the tab.
Can virtual machines be monitored?
VM monitoring software allows you to track and manage the performance of your virtual servers and desktops from one application or interface.
What is the monitoring tool in Azure?
Microsoft combined three unique services—Azure Monitor, Log Analytics, and Application Insights—under the umbrella of Azure Monitor to provide powerful end-to-end monitoring of your applications and the components they rely on. Log Analytics and Application Insights are now features of Azure Monitor.
How does Azure Monitor work?
Azure Monitor achieves observability by correlating data from multiple pillars and aggregating data across the entire set of monitored resources. Azure Monitor provides a common set of tools to correlate and analyze the data from multiple Azure subscriptions and tenants, in addition to data hosted for other services.
What is monitoring in Azure?
Azure Monitor.
Collects and analyzes performance metrics as well as diagnostic and activity logs from cloud environments to determine application availability and performance. Azure Monitor can also provide insight into the operation of applications, containers and VMs running in the cloud.
Sign in to the Azure portal and go to Azure AD and select Audit log from the Monitoring section. The audit activity report is available in all editions of Azure AD. If you have an Azure Active Directory P1 or P2 license, you can access the audit log through the Microsoft Graph API.
How do I monitor alerts in Azure?
- On the Select a resource pane, set the scope for your alert rule. You can filter by subscription, resource type, or resource location. Note. ...
- Select Apply.
- Select Next: Condition at the bottom of the page.
- Cygna Auditor. Auditor is an interface that helps explain device access rights and user permissions that are part of an Active Directory. ...
- Bulk Password Control. ...
- IT Environment Health Scanner. ...
- AD360. ...
- ADmanager Plus. ...
- ADAudit Plus. ...
- ADSelfService Plus. ...
- ManageEngine Free Active Directory Tools.
PRTG Active Directory Monitor is a monitoring tool used to track and analyze the performance and health of Active Directory (AD) environments. This tool helps in detecting any issues in your AD environment, including authentication, account, and group management-related problems.
How do I manage Active Directory users and computers remotely?
Remote Active Directory Management
Active Directory can be managed remotely using Microsoft's Remote Server Administration Tools (RSAT). With RSAT, IT administrators can remotely manage roles and features in Windows Server from any up-to-date PC running Professional or Enterprise editions of Windows.
- Make sure that domain controllers are in sync and that replication is ongoing. ...
- Make sure that all the dependency services are running properly. ...
- Use the Domain Controller Diagnostic tool (DCDiag) to check various aspects of a domain controller. ...
- Detect unsecure LDAP binds.
How can I tell if Active Directory is functioning properly?
Run dcdiag to check on the status of Active Directory. This tool provides 30 tests on domain controllers. You have to run it in a Command Prompt window that has been run as Administrator.
What is the difference between Application Insights and Azure Monitor?
Application Insights is an extension of Azure Monitor and provides application performance monitoring (APM) features. APM tools are useful to monitor applications from development, through test, and into production in the following ways: Proactively understand how an application is performing.
What is the difference between Azure Monitor and Log Analytics?
Azure Monitor builds on top of Azure Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about Azure Monitor vs Log Analytics is that Azure Monitor is the marketing name, whereas Azure Log Analytics is the technology that powers it.
What are the different types of telemetry in Azure?
Application Insights supports two types of metric telemetry: single measurement and preaggregated metric.
How do I monitor API performance in Azure?
In the Azure portal, navigate to your API Management instance. On the Overview page, on the Monitor tab, review key metrics for your APIs. To investigate metrics in detail, select Metrics from the left menu. From the drop-down, select metrics you're interested in.
What is Log Analytics in Azure?
Log Analytics is a tool in the Azure portal that's used to edit and run log queries against data in the Azure Monitor Logs store. You might write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze them.
What is an example of a virtual machine monitor?
The VMM kernel runs alongside the host OS, and calls for I/O are redirected to virtual drivers that call the native API of the host OS. Examples of OS-hosted VMMs are VMware Workstation, VMware Server, Parallels Workstation and Parallels Desktop for Mac.
How do I monitor uptime on an Azure VM?
Go to the menu for your virtual machine. Either click Go to Insights from the tile in the Overview page, or click on Insights from the Monitoring menu. If Azure Monitor for VMs has not yet been enabled for the virtual machine, click Enable.
Why is it important to have metrics for your Azure VMs?
VM availability metric (preview)
This metric value indicates whether a machine is currently running and available. You can use the metric to trend availability over time and to alert if the machine is stopped.
- Serverless360 (Best Overall)
- Site24x7.
- ManageEngine M365 Manager Plus.
- Application Insights.
- Azure Monitor.
- Service Bus Explorer.
- Cerebrata.
- CloudMonix.
Azure Advisor provides personalized recommendations to optimize Azure resources for performance, security, reliability, and cost-effectiveness. On the other hand, Azure Monitor provides a platform for collecting, analyzing, and acting on telemetry data generated by Azure resources and applications.
How many types of data does Azure Monitor collect?
Azure Monitor collects data from various sources. These sources include logs and metrics from the Azure platform and resources, custom applications, and agents running on virtual machines.
What is the role of Monitoring Reader in Azure AD?
Monitoring Reader
This role is appropriate for users in an organization, such as support or operations engineers, who need to: View monitoring dashboards in the Azure portal. View alert rules defined in Azure alerts. Query for metrics by using the Azure Monitor REST API, PowerShell cmdlets, or cross-platform CLI.
Log Analytics and Application Insights are the two features or services that can be integrated with Azure Monitor.
What are the two features that Azure AD provides?
Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks.
How do I check my Azure compliance?
- Sign in to the Azure portal.
- Navigate to Defender for Cloud > Regulatory compliance.
- Select Compliance offerings.
- Enter a service in the search bar to view its compliance offering.
Visit https://developer.microsoft.com/en-us/graph/graph-explorer site and login with the global admin account. In the top, select the query operator as GET and API version as beta from the dropdown as shown. Note: You can also verify the custom attributes in Azure AD by selecting the API version as beta.
How do I check permissions in Azure AD?
- Log in to your Azure Account through the Azure portal.
- Select Azure Active Directory.
- In Azure Active Directory, select User settings.
- Check the App registrations setting. ...
- Select Overview and Find a user from Quick tasks.
- Search for your account, and select it when you find it.
Retrieve metric definitions, dimension values, and metric values using the Azure Monitor API and use the data in your applications, or store in a database for analysis. You can also list alert rules and view activity logs using the Azure Monitor API.
How do I configure monitoring in Azure?
From the Monitor menu in the Azure portal, select Virtual Machines > Overview > Monitored. Select Configure using Azure Monitor agent next to any machine that you want to enable. If a machine is currently running, you must start it to enable it.
How do I monitor user activity in Azure?
Access the activity logs in the portal
Go to Azure AD and select Audit logs, Sign-in logs, or Provisioning logs. Adjust the filter according to your needs. For more information on the filter options for audit logs, see Azure AD audit log categories and activities.
How do I get data from Azure Active Directory?
- Sign in to the Azure portal in the User Administrator role for the organization.
- Search for and select Azure Active Directory from any page.
- Select Users, and then select New user.
- On the User page, enter information for this user:
- Open “Active Directory Users and Computers”.
- Go to any Organizational Unit whose permissions you want to see.
- Right-click to open the “Properties” window, and select the “Security” tab.
- Click “Advanced” to see all the permissions in detail.
What is the difference between Active Directory and Azure AD?
Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider and it can't be used for other purposes to gain backdoor access. Active Directory doesn't natively support mobile devices without third-party solutions.
What are the different types of Azure AD?
Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2. The Free edition is included with a subscription of a commercial online service, e.g. Azure, Dynamics 365, Intune and Power Platform.
- Login to ADAudit Plus.
- Select the required Domain from the dropdown list.
- Go to the Reports tab.
- Navigate to Account Management.
- Select Administrative User Actions.
- The following are some of the details you can get in this report:
Open the Control Panel from the Start menu (or press Win-X). Go to Programs > Programs and Features > Turn Windows features on or off. Go to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools. Check the AD DS Tools box and click OK.