News

Microsoft Launches Preview of Azure AD Activity Logs

• By Kurt Mackie
• 07/30/2018

A preview release of Azure Active Directory Activity Logs, which show up in Azure Monitor, is now available, Microsoft announced last week.

Azure AD Activity Logs describe the operations that were performed in an Azure tenancy, as well as when they occurred and who carried them out. Two Activity Logs reports are currently supported in Azure Monitor, a service component within the Azure Portal management console. There's an "audit logs activity report," which shows the history of the tasks that were performed in the tenancy, and there's a "sign-ins activity report," which identifies who carried out the tasks.

The preview currently doesn't support business-to-consumer (B2C) activity logs reporting, according to a Microsoft Azure "Overview" article.

The Azure AD Activity Logs preview supports a few storage and analytics options. The logs generate a large amount of data. For instance, for 1,000 users in a tenancy, the audit logs deliver about 900MB of data per month, while the sign-ins logs produce 4GB of data per month, according to Microsoft's "Overview" article.

The options for using Azure AD Activity Logs in the Azure Monitor include:

• Using an Azure Storage account to archive the log data.
• Streaming the log data using the Azure Event Hubs service, while a security information and event management (SIEM) software tool is used for the analysis.
• Using the log data with custom solutions and analytics tools.

Organization need to have an Azure account to use the service. Azure Monitor supports SIEM software tools built by QRadar, Splunk and Sumologic. However, only Splunk's SIEM tool currently supports using Azure Active Directory logs, the "Overview" article explained.

Microsoft eventually plans to add the Azure AD Activity Logs capability to its Azure Log Analytics service, the announcement explained, although the timing wasn't described.

In related Azure AD news, Microsoft announced earlier this month that a public preview is available for assessing conditional access using the Azure AD sign-ins report.

"This new information will help you troubleshoot conditional access policies and understand the usage of conditional access in your organization," explained Alex Simons, director of program management at the Microsoft Identity Division, in the announcement.

The preview provides a means for viewing "all the conditional access policies" and results that were associated with each user's sign-in activities. It's also possible to pull this information into an SIEM system and analysis tools using an "Azure AD reporting API."

Microsoft is touting this preview as a means of identifying end users that aren't protected by conditional access policies. The preview also can be used as a means for "blocking legacy authentication policy," Microsoft's announcement indicated.

Conditional access is typically used to test things before granting network access, such as the compliance of a device with an organization's policies.