Monitor Sign ins

Monitor Azure AD Sign-ins for more than 30 days? Here’s how!

George KavvalakisInformation Security
Spread the love

One of the common things that many ask me is that they want to know how to check Azure AD sign-ins.

There is an sign-in activity report that is available in all editions of Azure AD. In case you have P1 or P2 license then you also have access that report through the Microsoft Graph API.

The option can be found in the Monitoring section of the Azure Active Directory menu in the Azure Portal.

Open sign-in logs

A sign-ins log has a default list view that shows:

  • The sign-in date
  • The related user
  • The application the user has signed in to
  • The sign-in status
  • The status of the risk detection
  • The status of the multi-factor authentication (MFA) requirement

How long does that information is being retained?

The main question that I get at that point is that my customers want to check the retention period of that logs.

Well, the answer is straight forward.

If you are checking the sign-in logs that retention period is 30 days.

Can I keep the logs more than 30 days?

So, the question that follows is when the client wants to keep track for the sign-ins for more than 30 days.

One easy way to do this is just to export the aforementioned log and save it as CSV.

This is a manual procedure that you have to do every 30 days. Not the best case, but it is a quick solution.

Of course, there is another solution that can help you keep that information for more than just 30 days and that is through Azure Sentinel. But there are some prerequisites for that.

Monitor Azure AD Sign-ins with Microsoft 365 Defender Threat Hunting

You can also check Azure AD Sign-ins from within Microsoft 365 Defender. You can perform a sign-in investigation including conditional accesses evaluation by querying AADSignInEventsBeta table with KQL (Kusto Query Language).

The AADSignInEventsBeta table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. Customers need to have an Azure Active Directory Premium P2 license to collect and view activities for this table. All sign-in schema information will eventually move to the IdentityLogonEvents table.

Monitor Azure AD Sign-ins in Microsoft Sentinel

You can start by using Microsoft Sentinel’s built-in connector to collect data from Azure AD and stread it into Sentinel.

The connector allows you to stream the following log types:

  • Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.

The Azure AD connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:

  • Non-interactive user sign-in logs, which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user.
  • Service principal sign-in logs, which contain information about sign-ins by apps and service principals that do not involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
  • Managed Identity sign-in logs, which contain information about sign-ins by Azure resources that have secrets managed by Azure. For more information, see What are managed identities for Azure resources?
  • Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.
  • Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.

Connect to Azure Active Directory

  1. In Microsoft Sentinel, select Data connectors from the navigation menu.
  2. From the data connectors gallery, select Azure Active Directory and then select Open connector page.
  3. Mark the check boxes next to the log types you want to stream into Microsoft Sentinel (see above), and select Connect.

After the connection has been established then you will have the data appear in Logs where you can find the following tables:

  • SigninLogs
  • AuditLogs
  • AADNonInteractiveUserSignInLogs
  • AADServicePrincipalSignInLogs
  • AADManagedIdentitySignInLogs
  • AADProvisioningLogs

In our case, we are interested for the SigninLogs.

Visualizing the data

One way to visualize our data is to use the built-in workbooks that help us go deeper into the events that have been generated.

It is recommended that you install the Azure AD workbook. This workbook gives us the choice to have either or both the Azure AD sing-ins and the Azure AD audit logs.

Azure AD sign-ins workbook analyzes the sign-ins over time to see if there are anomalies. It provides failed sign-ins by applications, devices and locations. This is very helpful as you can spot anomalies at a glance.

On the other hand, Azure AD audit logs workbook analyzes admin activities like changes in users, groups etc.

Unified Audit Log in Compliance Center

This is a solution that helps keep the sing-ins log from 90 days up to 1 year, but you have to remember that this solution starts storing data after it is enabled.

Leave a Reply

Your email address will not be published. Required fields are marked *