search

Azure AD Logs shall be collected

hashtag
Description

Azure AD logs should be a collected and periodically reviewed to detect any anomalies. Log information should be centralized in a SIEM tool, like Microsoft Sentinel, so that it can be audited and queried. Audit logs should be retained in a storage account for a minimum of 90 days.

Log events that can be collected are as follows: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, and ServicePrincipalRiskEvents.

hashtag
Policy

  • Azure AD Log data is sent to a SIEM and/or external storage

  • Log data is periodically reviewed.

  • Log data is sent to an internal or external SOC for monitoring

hashtag
Licensing Considerations

To retain Azure AD log data more than 7 days, an Azure AD P1 License is required. This license retains data for 30 days and is available to purchase standalone or as part of the following bundles:

  • Microsoft 365 Business Premium

  • EMS+ E3 or EMS + E5

  • Microsoft 365 E3

  • Microsoft 365 E5

hashtag
Set Up Instructions

Analyzing Sign-Ins Analyze sign-ins with the Azure AD sign-ins log - Microsoft Entra | Microsoft Learnarrow-up-right

Route logs to a storage account: Tutorial - Archive directory logs to a storage account - Microsoft Entra | Microsoft Learnarrow-up-right

Everything you want to know about Security and Audit logging in Office 365 Everything you wanted to know about Security and Audit Logging in Office 365 | The Cloud Technologistarrow-up-right

Sign In logs in Azure AD: Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learnarrow-up-right

Connect AD data to Microsoft Sentinel: Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learnarrow-up-right

hashtag
End-User Impact

circle-info

Level: None

There is no end user impact to review and collect Azure AD logs.

circle-info

Tips

None Currently

hashtag
PowerShell Scripts

Documenting with PowerShell: Downloading and storing the Office 365 Audit logs (With search!) (cyberdrain.com)arrow-up-right

Automating with PowerShell: Storing Office 365 audit logs longer than 90 days (cyberdrain.com)arrow-up-right

Monitoring with PowerShell: Monitoring failed logins for Office365 (cyberdrain.com)arrow-up-right

Azure AD PowerShell cmdlets for reporting - Microsoft Entra | Microsoft Learnarrow-up-right

hashtag
Videos

LogoAudit Logs and Sign in logs in AAD | A deep-dive session on Azure AD Audit Logs and Sign-in LogsYouTubechevron-right
PreviousPasswords shall not expireNextOnly Admins shall be allowed to register 3rd party applications

Last updated