Great content delivered right to your mailbox

Thank you! Check your inbox for our monthly recap!

Access control and identity management are fundamental parts of cybersecurity. Managed service providers (MSPs) must get them right every single time. Fortunately, MSPs that manage Azure environments have some powerful tools available to them right on the platform. Azure AD monitoring tools log important activity, integrate easily with third-party and homegrown security tools and analytics, and include powerful native management capabilities.

Let’s dive into how Azure AD monitoring works and how it can enhance your security and SIEM practices!

What is Azure AD?

Azure Active Directory (AD) is Microsoft’s cloud-based identity and access management service built on its Azure cloud computing platform. It helps you manage your customers’ access to resources like the Azure portal, Microsoft 365, and other Microsoft and external cloud-based applications. You can also use Azure AD to manage access to resources on your customers’ intranets and MSP cloud apps you’ve developed.

System administrators at your MSP value this level of control because it allows them to use Azure AD to:

  • Automate standardized processes, like new user provisioning.
  • Configure multi-factor authentication (MFA) for critical resources.
  • Manage identity security to meet industry standards and maintain regulatory compliance more easily.

But administrators are just some of the MSP personnel who benefit from Azure AD monitoring. Developers can also use Azure AD to build single sign-on (SSO) authentication into apps you develop in-house or for your customers. It also includes robust APIs that allow you to securely build personalized experiences for users in apps, for example, by loading different features in an intranet portal based on a user’s role in your customer’s organization. So the CEO might see one set of dashboard tools, managers in the warehouse a different set, and accountants a third.

What Can You Do with Azure AD Monitoring Data?

Azure AD monitoring enables three key workflows for MSPs: archiving data to a storage account, sending logs to Azure Monitor, and sending logs to Event Hub.

Archiving data to a storage account

Azure storage accounts are used for long-term data retention and archiving. They’re an inexpensive method for retaining data for years at a time. When you provision an Azure storage account, you can set optional retention periods, manually manage retention, or switch back and forth as needed.

Sending logs to Azure Monitor

Azure Monitor is Azure’s analytics and indexed log search platform. It is powered by the Kusto Query Language (KQL), which supports advanced queries for pivots and filtering. You can also save your most important views. In addition, Azure Monitor includes some useful prebuilt queries right out of the box, and you can create alerts to be triggered by query results.

Sending logs to Event Hubs

Azure Event Hubs is a data ingestion service that receives log data from Azure AD monitoring and various other sources. It can stream that data in near-real time to whichever connected platforms you want to use. It can “integrate with other Azure and Microsoft services, such as Stream Analytics, Power BI, and Event Grid, along with outside services like Apache Spark.” It is highly scalable and can easily process millions of events per second.

Why conduct Azure AD monitoring?

Monitoring in Azure AD provides many important benefits such as:

Enhanced security

First and foremost, monitoring Azure AD gives you better insights into the security threats you and your customers face. Thanks to Event Hubs and other integrated tools, you can often conduct these real-time security analyses. Monitoring new sign-ins, authentication logs, and user activity can reveal potential threats through logs of unauthorized access attempts and unusual behavior. When you start using Azure AD monitoring tools, you will often uncover vulnerabilities or existing breaches you might not already know about.

More efficient operations

Azure AD monitoring can also reveal important insights about the health and performance of your Azure AD service health and performance. For example, you can track service availability, authentication latency, and utilization rates across your customer base or internal to each customer’s user base. Those insights can help you manage your directory services proactively, minimizing potential downtime.

Improved incident response

Real-time monitoring allows MSPs to respond immediately to administrative and security issues revealed in Azure AD logs. You can also configure alerts to trigger on critical events.

Azure Monitor includes some dedicated alerting capabilities. Alerts help you identify and respond to incidents before users notice them. Configured alerts proactively notify you when analysis reveals there might be a problem with one of your applications or infrastructure.

Detail audit and compliance reporting

Azure AD also includes comprehensive audit logs of every event that occurs within the service. Including all changes to users, groups, applications, and licenses. You can use this log data to generate compliance reports, investigate security incidents, and audit critical workflows. You can answer such questions as:

  • How many users were changed in a given update?
  • What changes has each administrator account made to a specific directory?
  • What licenses have been assigned to a group or user?
  • What applications have been removed in a given period?
  • Who gave consent for a user to access a specific application?

Use behavior analytics

Azure AD provides insights into user behavior by tracking sign-in activity, device information, and locations. As a result, MSP administrators can catch irregularities and potential policy violations before they lead to regulatory or security breaches.

Prerequisites for Enabling Azure AD Monitoring

To enable Azure AD monitoring, you must have a Global or Security Administrator account on that Azure tenant. You’ll also need the following:

  • An Azure AD premium license to access sign-in logs.
  • For archiving, you’ll need an Azure storage account on which you have ListKeys permissions.
  • You’ll need an Azure Event Hubs namespace to integrate with third-party SIEM solutions.
  • You’ll need an Azure Log Analytics workspace to send logs to Azure Monitor logs.

Want to Learn More About Azure AD Monitoring?

You’ve come to the right place

For more information about how we can support your MSP with our cloud marketplace and value-added services Contact us to start a conversation. Sherweb experts can help your MSP business deploy and manage Azure for your clients, including Azure AD and its monitoring services.


Written by The Sherweb Team Collaborators @ Sherweb