Hybrid services have become mainstream due to products such as O365. Organizations are quickly adopting the hybrid approach with SharePoint and Exchange due to the price and reliability. Without proper management, however, hybrid services create management headaches. Regulatory compliance requirements, for example, are more difficult to satisfy with multiple points of management, and configuration mistakes can open an organization to vulnerabilities given that hybrid services rely on internet connectivity.
Microsoft offers solutions for reporting, but these can be spread across multiple portals. Cloud native reporting lacks monitoring for on-premises services. Reporting data is available for creating advanced reports for most cloud services, but most small and medium-sized businesses have limited in-house resources to develop and maintain custom reports. This is where Cygna Labs Auditor comes into play.
The Cygna Labs Auditor installation is well-documented and straightforward. In my example, two servers were deployed. The first was a Microsoft SQL 2016 server for the database. The second server was used to support the collector service and web interface. While these roles can be combined for testing, splitting them provides better performance. The Cygna Labs Auditor server required IIS with Windows Authentication and ASP.Net 4.6 Role installed, along with the ASP.NET 4.6 feature (see Figures 1 and 2).
Figure 2. Required Feature for Cygna Labs Auditor
The Cygna Labs Auditor setup process is similar to other Windows application setups. Once you install Cygna Labs Auditor, log in with the Windows account used to install the application to finish the setup. Once you are logged in, you will see three tiles labeled Configuration, Delegation, and System Status (Figure 3).
To begin setup, click the Configuration tile and then select Office 365. The Cygna service has to be assigned rights to connect to the O365 tenant and pull log information. Click the Authenticate button on the Office 365 screen to start this process. An O365 authentication window will appear. Log in there with an account that has sufficient rights to the tenant. Once the authentication is completed, Cygna Labs Auditor will have rights to read log data from O365.
Notice in the screenshot above that you can also set the polling interval for new events on this screen. In this example, it’s set to 3 minutes. The Cygna Labs Auditor service can be reauthorized from this location if required, and there is an option to verify O365 connectivity if needed for troubleshooting.
Next, configure the email server settings for reports and alerts under the Email settings tab (Figure 5). I used Papercut installed on the local server to test email delivery, hence the loopback address for the SMTP server shown in the example. Update this screen with your SMTP information. In this location, you can also update the service account under the Service tab and add a proxy address under the Proxy tab.
Clicking the License tile mentioned above displays the Active License tab (Figure 6), where you can verify your license information, the Cygna Customer Portal tab, where you can change the Cygna portal password, and the Manual License Entry tab, where you can manually add a license if needed.
Cygna Labs Auditor relies on O365 Security and Compliance logging. Some O365 tenants are deployed in a “dehydrated” state; at a high level, this means that less frequently used items in a Microsoft tenant are consolidated to save space. Before logging can be enabled, the tenant has to be “hydrated.” This is done with the Enable-OrganizationCustomization command. I ran into the “hydration” issue with my test tenant. It took about 24 hours after running the command for any logging activity to show up for Exchange and SharePoint Online. Also, be aware that if you plan to use Azure AD auditing, you will need an Azure P1 or P2 license.
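The hydration and logging prerequisites above can be checked and applied from PowerShell before pointing any auditing tool at the tenant. The following is an added example written for this article, not code from the article or from Cygna Labs; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange or Global Administrator role, and the tenant name is a placeholder.

```powershell
# Added example (not from the article or Cygna Labs): checks an Exchange Online tenant for the
# "dehydrated" state the article describes, hydrates it if needed, and confirms that unified
# audit logging is switched on. Assumes the ExchangeOnlineManagement module is installed and the
# account holds the Exchange Administrator or Global Administrator role. The UPN is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 1. Hydration check: IsDehydrated is $true on tenants that have never been customized.
$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    Write-Host 'Tenant is dehydrated; running Enable-OrganizationCustomization...'
    Enable-OrganizationCustomization
} else {
    Write-Host 'Tenant is already hydrated.'
}

# 2. Unified audit log ingestion must be on for Exchange and SharePoint activity to be recorded.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is off; enabling...'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit log ingestion is already enabled.'
}

# 3. Smoke test: look for any audit records from the last 24 hours. An empty result right after
# hydration is expected; the article observed roughly a day's delay before events appeared.
$since   = (Get-Date).AddDays(-1)
$records = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 50
if ($records) {
    $records | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize
} else {
    Write-Warning 'No audit records yet; re-check after the hydration delay.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once before installing the collector and again a day later; if step 3 still returns nothing after hydration, the problem is upstream of Cygna Labs Auditor rather than in the collector configuration.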
Azure Active Directory
I started by reviewing the capabilities of Cygna Labs Auditor and Azure AD. Once you log into the web portal, you can populate all available services using an easy-to-navigate interface.
Clicking on the Azure AD (Active Directory) tile shown above opens the Azure AD section. There you will see an option to display data “widgets” in each section. This is useful as a quick reference to visualize the data from your environment (see Figure 8). Each section has several pre-defined widget options.
Each section offers the functions shown in Figure 9.
The Search function helps you find specific items within a given context. For example, if you wanted to know who added a user to a new Azure AD Role and when, you would choose the “Add member to role” search option shown in Figure 10.
This search will return a list of users who have been assigned new roles (see Figure 11). In this instance, the report shows that user “Test2” was added to the Report Reader role.
While searching is useful for finding specific information, Cygna Labs Auditor also features an Azure AD reporting option to keep track of predetermined events. For example, if you wanted to track all failed login attempts in an environment, you could do so with the “All Failed Azure AD Logins” report. The reports can be found under the Reports tile (see Figure 9) for each service. Figure 12 shows an example output from the “Failed Logins” report. Notice that an option to export the results is available.
Cygna Labs Auditor provides many other preset reporting options along with an option to create custom reports. This is a great option if you need to specify information for different regulatory or compliance requirements. Such custom reports are created by selecting Custom Reports under the Reports tile. Figure 13 shows a custom report that lists all logins by the admin account.
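For readers who want to see what the “All Failed Azure AD Logins” report and the custom “logins by the admin account” report are built from, the following added example pulls the same sign-in data directly from Azure AD through Microsoft Graph PowerShell. It is not code from the article or from Cygna Labs; it assumes the Microsoft.Graph modules are installed, that the tenant has the Azure AD P1 or P2 license the article says is needed for sign-in auditing, and the admin UPN is a placeholder.

```powershell
# Added example (not from the article or Cygna Labs): reproduces the two Azure AD reports discussed
# above from the raw sign-in log via Microsoft Graph. Assumes the Microsoft.Graph modules are
# installed and the tenant is licensed for sign-in logs (Azure AD P1/P2). UPN is a placeholder.

Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Graph filters want an ISO 8601 UTC timestamp; look back seven days.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Report 1: failed sign-ins (status/errorCode 0 means success), summarised per account
# so that repeated failures against one user stand out.
$failed = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode ne 0" -All
$failed |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{n = 'User'; e = { $_.Name }}, Count,
                  @{n = 'SourceIPs'; e = { ($_.Group.IPAddress | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

# Report 2: every sign-in by one privileged account, the equivalent of the article's custom report,
# exported to CSV the way the tool's export button would.
$adminUpn = 'admin@contoso.example'   # placeholder
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and userPrincipalName eq '$adminUpn'" -All |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress,
                  @{n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } }} |
    Export-Csv -Path '.\admin-signins.csv' -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

The per-account grouping in the first report is the useful part for a defender: a handful of failures spread across many users is normal noise, while dozens against one account from several source addresses is worth an alert of the kind described in the next section.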
Cygna Labs Auditor provides an alerts function to notify designated recipients of audit events that need immediate attention. This feature is found under the Alerts tile. The available alert options vary depending on the service. Alerts have two parts: a condition and an action. Entering alert conditions is done in a manner similar to creating reports. In the example in Figure 14, the alert conditions were set to send an alert any time a user is added.
The next step in creating an alert is to add an action. For this action, you can choose SMS (text message) or email. The alert set in Figure 15 sends an email to the designated recipients when the event condition is met. Once you enter the desired email addresses, be sure to click the “+” sign next to the “enter email address” box before you click the Save button.
When you click Save, you will see the dialog box shown in Figure 16. Name the alert and, if desired, add a description and tag and then click Save again.
With this example alert, when a new user is added, the email alert shown in Figure 17 is triggered and sent.
Office 365
Cygna Labs Auditor is not limited to monitoring and reporting activity on Azure AD. By adding modules such as the O365 module, you can extend monitoring, reporting, and alerting to Microsoft Exchange and SharePoint. The SharePoint portal is shown in Figure 18.
The O365 module is set up in a fashion similar to the Azure AD module. As with Azure AD, a selection of widget, search, report, and alert options is available.
SharePoint Online
Cygna Labs Auditor provides many options for monitoring and reporting on SharePoint and OneDrive services. One of these that may be helpful is auditing shared OneDrive or SharePoint links. The report shown in Figure 18 presents the audit results for shared links to external users from OneDrive.
Two great advantages of Cygna Labs Auditor are the consistent interface and the consistent capabilities across the modules. These advantages extend to the Exchange module. For this example, I created a report that lists the mailboxes that were added or removed in the past week. I created the report using the same steps I used for the Azure AD “failed login” report. The information produced by reports like this is useful for ongoing monitoring and management tasks. Figure 19 shows the Exchange module report’s listing of mailboxes created and removed in the past seven days.
Hybrid services have become commonplace in most environments, and managing security and regulatory compliance requirements can be difficult when these hybrid systems span numerous environments. This management is made easier, however, with Cygna Labs’ suite of auditor products. In particular, in addition to the modules outlined above, Cygna Labs Auditor contains modules for monitoring and managing local file services and Active Directory. Overall, Cygna Labs Auditor is a full-featured tool for managing a Microsoft hybrid cloud environment.