Many of my customers want to get alerts whenever a specific user logs into Azure, like their break-glass administrator account—the account you use when everything else fails. The account does not have multi-factor authentication enabled, and there's no simple way to get these events and logs out of Azure Active Directory (Azure AD or AAD) and then into an Azure Monitor Log Analytics workspace to trigger an alert. Fortunately, now there is, and it is easy to configure.

David O´Brien

David has been a consultant for over 10 years and reinvented himself a couple of times, always staying up to date with the latest in technology around automation and the cloud. He is a multi-year Microsoft MVP for Azure, a cloud architect at XIRUS in Australia, a regular speaker at conferences, and IT trainer.


Configure Azure AD diagnostic settings

Currently this is still in preview, but in the Azure portal you can browse to the Azure AD blade and open Diagnostic settings. Just as on most other Azure resources that support this, you can now forward your AAD logs and events to an Azure Storage Account, an Azure Event Hub, Log Analytics, or any combination of these. These targets serve different use cases; for this article, we will use Log Analytics.

If you have not created a Log Analytics workspace yet, go ahead and create one via the portal or using the command line or Azure Cloud Shell:

This will create a free Log Analytics workspace in the Australia SouthEast region. The next step is to configure the actual diagnostic settings on AAD.
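As an added example (not the article's own command), the same workspace can be created with the Az PowerShell module. The resource group and workspace names are assumptions; the region and the free pricing tier mirror what the article describes.

```powershell
# Added example, not the article's command: create a Log Analytics workspace with
# the Az PowerShell module. Resource group and workspace names are placeholders.
$resourceGroup = 'rg-aad-logs'          # assumed name
$workspaceName = 'law-aad-breakglass'   # assumed name
$location      = 'australiasoutheast'   # the region used in the article

# Connect-AzAccount   # run once if you are not already signed in
New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null

# Sku 'Free' mirrors the article's free workspace; if your subscription no longer
# offers that tier, use 'PerGB2018' instead.
$workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup `
    -Name $workspaceName -Location $location -Sku 'Free'

# CustomerId (the workspace ID) is what you need later when querying the workspace
# from the command line; ResourceId identifies the workspace you pick in the AAD
# diagnostic settings dialog.
$workspace | Select-Object Name, CustomerId, ResourceId
```

Keep the returned CustomerId and ResourceId at hand: the diagnostic setting itself still has to be configured in the portal, as the next section explains.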

Diagnostic settings overview

Unfortunately, there is no straightforward way of configuring these settings for AAD from the command line, although articles exist that explain workarounds to automate this configuration. Usually, this should really be a one-time task because companies generally tend to have only one or a very small number of AADs. Not being able to automate this should therefore not be a massive deal.

Configure AAD diagnostic settings

In this dialog, select an existing Log Analytics workspace, select both log types to store in Log Analytics, and click Save.

A note in the dialog states that exporting the sign-in logs to any target requires an AAD P1 or P2 license. Check the documentation for all the other features a P1 or P2 license unlocks; it is a highly recommended option.

With these licenses, AAD will now automatically forward logs to Log Analytics, and you can consume them from there.

Querying AAD logs with Log Analytics

In the Log Analytics workspace, under Logs, you gain access to the online Kusto Query Language (KQL) query editor. In my environment, the administrator I want to alert on has a User Principal Name (UPN) of auobrien.david@outlook.com. We can run the following query to find all the login events for this user:

Kusto query to find sign-in events

Executing this query should find the most recent sign-in events by this user. If there are no results for this time span, adjust it until there is one and then select New alert rule.

Log Analytics query results

You can now configure the threshold that triggers this alert and an action group to notify when it fires. In its simplest form, an action group is an email address; it can also be a webhook to call.

Creating an Azure alert for a user login

It is important to understand that there is a delay between the moment the event occurs and the moment it is available in Log Analytics, which is what triggers the action group. This delay can be up to 30 minutes.
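The whole procedure above (query the sign-in events, create an action group, create the alert rule with its threshold) can also be scripted. The following is an added example, not the article's own code or query: it assumes the Az PowerShell module with the Az.OperationalInsights and Az.Monitor scheduled-query-rule cmdlets of the article's era (New-AzScheduledQueryRule with -Source/-Schedule/-Action), that the AAD diagnostic setting already forwards sign-in logs into the workspace, and it uses a placeholder break-glass UPN, resource group, workspace and email address. It goes slightly beyond the article by keeping failed sign-in attempts in the result as well, and by sizing the alert window to the ingestion delay described above.

```powershell
# Added example, not the article's own code. Assumes the Az module (Az.OperationalInsights
# and the Az.Monitor cmdlet set that takes -Source/-Schedule/-Action) and an AAD
# diagnostic setting already forwarding SignInLogs to the workspace.
$resourceGroup = 'rg-aad-logs'                          # assumed
$workspaceName = 'law-aad-breakglass'                   # assumed
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder UPN
$notifyEmail   = 'secops@contoso.com'                   # placeholder address

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# =~ is case-insensitive equality in KQL, so a UPN stored with different casing still
# matches. Successful and failed attempts (ResultType != 0) are both kept: an account
# that should never be used is worth a notification either way.
$query = @"
SigninLogs
| where UserPrincipalName =~ '$breakGlassUpn'
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType, ResultDescription
| order by TimeGenerated desc
"@

# Ad-hoc check over the last 24 hours, the equivalent of running the query in the
# portal editor before selecting "New alert rule".
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query $query -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table -AutoSize

# Action group with a single email receiver (the simplest form mentioned above).
$email       = New-AzActionGroupReceiver -Name 'secops-mail' -EmailReceiver -EmailAddress $notifyEmail
$actionGroup = Set-AzActionGroup -Name 'ag-breakglass' -ResourceGroupName $resourceGroup `
    -ShortName 'brkglass' -Receiver $email

# Scheduled query rule: evaluate every 5 minutes over a 60-minute window. The window is
# deliberately wider than the up-to-30-minute delay, because TimeGenerated is the time
# of the sign-in, not of ingestion; a narrow window would miss late-arriving rows.
# Threshold 0 with GreaterThan means a single matching row fires the alert.
$source   = New-AzScheduledQueryRuleSource -Query $query -DataSourceId $workspace.ResourceId -QueryType 'ResultCount'
$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 5 -TimeWindowInMinutes 60
$trigger  = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator 'GreaterThan' -Threshold 0
$azns     = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup $actionGroup.Id `
    -EmailSubject "Break-glass sign-in attempt: $breakGlassUpn"
$action   = New-AzScheduledQueryRuleAlertingAction -AznsAction $azns -Severity '1' -Trigger $trigger

New-AzScheduledQueryRule -ResourceGroupName $resourceGroup -Location $workspace.Location `
    -Name 'alert-breakglass-signin' -Description 'Any sign-in attempt by the break-glass account' `
    -Enabled $true -Source $source -Schedule $schedule -Action $action
```

Because the window is wider than the evaluation interval, one sign-in can produce several notifications while it stays inside the window; for a break-glass account that is usually acceptable, since the expected number of such sign-ins is zero and every notification should be investigated.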

In just a few minutes, you have configured an alert that triggers automatically whenever this admin account logs in.

3 Comments
  1. Swapnil Kambli 9 months ago

    Sign-in diagnostic logs many times take a considerable time to appear. For many customers, this much delay in production-environment alerting turns out to be infeasible. For a real-time Azure AD sign-in monitoring and alert solution, consider the 'EMS - Cloud App Security' policy solution. The EMS solution requires an additional license. I personally prefer using Log Analytics solutions for historical security and threat analytics.


  2. mybaplc login 9 months ago

    Hello,
    after reading your detailed article I was able to log in to my account. I just have another simple question: is it possible to log in to my account with two different passwords?
    Thanks again for sharing this great article.


    • Swapnil Kambli 9 months ago

      Azure AD supports multiple authentication methods such as password, certificate, and token, as well as the use of multiple authentication factors. However, it does not support multiple passwords for the same account.


© 4sysops 2006 - 2020