Today, we're turning on the public preview of Azure AD Activity Logs in Azure Monitor (Azure's platform-wide monitoring service), offering you long-term retention as well as seamless integration. These improvements and new capabilities offer you:
- Long-term retention by routing logs to your own Azure storage account.
- Seamless SIEM integration without writing or maintaining any custom scripts.
- Seamless integration with your own custom solutions, analytics tools or incident management solutions.
Many of our largest customers participated in the private preview of this feature. I'd like to thank all of them for their help and feedback. On average, they saw a 60 percent reduction in the time admins spent getting Azure AD Activity Logs. They also reported how easy the service is to use. Azure AD Activity Logs in Azure Monitor Diagnostics is simple to configure and only requires an Azure subscription. With a simple click, you can route the logs to your storage account or Event Hub. In addition, you can set this up with your SIEM tool, custom apps, or any service management systems through Event Hub integration within minutes.
Here is a quick screenshot walkthrough showing Splunk integration with a dashboard view of the Sign-ins:
Figure 1: Azure Monitor Diagnostic settings for Azure AD Logs.
Figure 2: Azure AD Logs in Splunk through Event Hub.
Figure 3: Splunk reports based on Azure AD Sign-ins.
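Beyond a ready-made SIEM, the post's third bullet covers your own custom solutions; as an added example (not code from the post or from Microsoft), here is how such a consumer might parse records exported by Azure Monitor and flag sign-in failures. The record field names and the convention that resultType "0" means success are assumptions, as is the constructed sample.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of an Azure Monitor export: one JSON object per line,
# each carrying a "records" array. Field names mirror the Azure AD sign-in
# schema as assumed here; they are not taken from the post.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"records": [
        {"time": "2018-09-10T12:00:01Z", "category": "SignInLogs", "resultType": "0",
         "properties": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5"}},
        {"time": "2018-09-10T12:00:05Z", "category": "SignInLogs", "resultType": "50126",
         "properties": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5"}},
        {"time": "2018-09-10T12:01:00Z", "category": "AuditLogs", "resultType": "Success",
         "properties": {"initiatedBy": "alice@example.com"}},
    ]}),
    json.dumps({"records": [
        {"time": "2018-09-10T12:02:00Z", "category": "SignInLogs", "resultType": "50126",
         "properties": {"userPrincipalName": u, "ipAddress": "198.51.100.7"}}
        for u in ("bob@example.com", "carol@example.com", "dave@example.com")
    ]}),
])


def parse_export(text):
    """Yield the individual records from newline-delimited export objects."""
    for line in text.splitlines():
        if line.strip():
            yield from json.loads(line).get("records", [])


def failed_signins_by_ip(records, threshold=3):
    """Map source IP -> (failure count, distinct users) for IPs at or above
    the threshold. Audit records are skipped; resultType "0" is treated as a
    successful sign-in and anything else as a failure (assumed convention).
    Many distinct users failing from one address is the shape a SIEM rule
    built on these logs would typically alert on."""
    counts, users = Counter(), defaultdict(set)
    for rec in records:
        if rec.get("category") != "SignInLogs" or str(rec.get("resultType")) == "0":
            continue
        props = rec.get("properties", {})
        ip = props.get("ipAddress", "unknown")
        counts[ip] += 1
        users[ip].add(props.get("userPrincipalName", "unknown"))
    return {ip: (n, len(users[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Prints {'198.51.100.7': (3, 3)} for the constructed sample above.
    print(failed_signins_by_ip(parse_export(SAMPLE_EXPORT)))
```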
This strategy for routing logs is consistent with other Azure resources as well. (You can find the details here about which Azure resources offer this functionality.)
To help get you started with Azure AD Activity Logs in Azure Monitor Diagnostics, we've put together some helpful resources:
- Overview of Azure AD Activity Logs in Azure Monitor Diagnostics: an in-depth look at the feature.
- Planning guide: outlines the costs involved in using this feature.
- Archive data using a storage account: support to help you configure your Azure AD logs to be routed to your Azure storage account.
- Stream data to Event Hub: support to help you configure your Azure AD logs to be routed to your Azure event hub.
- Configuration examples from our SIEM partners: learn which SIEM tools are currently supported and who supports Event Hub integration.
Based on feedback we received from our private preview customers, we will integrate the feature with Azure Log Analytics. As we work to bring this feature to general availability, we look forward to your feedback on the Azure AD Reporting forum.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
Source: EM+S Blog Feed