Skip to content

SCOM & Other Geeky Stuff

A series of blog posts around Microsoft Cloud and Datacenter technologies, specifically Azure Cloud, System Center and other various Microsoft technologies.

  • About Ravi
Follow SCOM & Other Geeky Stuff on WordPress.com

Categories

  • Automation
  • Azure
  • Cloud
  • Cybersecurity
  • DSC
  • Hyper-V
  • IBM
  • Linux
  • Log Analytics
  • OMS
  • OperationsManager
  • Orchestrator
  • PowerShell
  • SCCM
  • SCOM
  • SCVMM
  • SQL Server
  • Storage
  • StorWize
  • System Center
  • Uncategorized
  • Virtualization
  • VMware
  • Windows OS
  • Windows Server

Recent Posts

  • Azure Backup Center
  • Azure MSI & Policy Governance
  • Azure AD Sign-In Logs – Managed Identities + Service Principals
  • Azure Default Service Principals vs Customer Created
  • Azure Virtual WAN – Now supports 3rd Party Network Virtual Appliances (NVA)

Recent Comments

Azure MSI & Poli… on What’s an Azure Service Princi…
Hariharan Mk on Creating a Site-to-Site (S2S)…
John on New Features in SCOM 2016…
Ravi Yadav on Forcefully Revoke Azure AD Use…
C.M.Ramos on Forcefully Revoke Azure AD Use…

Archives

  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • March 2019
  • February 2019
  • September 2018
  • August 2018
  • July 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • September 2015
  • August 2015
  • January 2015
  • November 2014
  • October 2014
  • June 2014

Meta

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.com

Azure AD Sign-In Logs – Managed Identities + Service Principals

Written by Ravi Yadav

Over the weekend, I realized Azure Active Directory (Azure AD) can now allow its Sign-In logs for both Service Principals (SP) and Managed (Service) Identities (MSI) to be collected and forwarded to Event Hubs, Log Analytics and/or a Storage Account. I would strongly advise any Azure AD environment to enable this setting as soon as possible as both MSI’s and SP’ pose a giant risk due to the lack of Conditional Access. Not having the ability to enforce Conditional Access on SPs and MSIs is a giant, giant security risk. And, as a minimum, one should enable log-in events to mediate if and when possible.

In my solution below, I have Azure AD to send its Audit and Sign-In logs to an Event Hubs namespace, which in turn is allowing a 3rd Party SIEM to collect the logs.

Sharing is Caring:

  • Twitter
  • LinkedIn
  • Facebook
  • Email

Like this:

Like Loading...

Related

August 24, 2020August 25, 2020 · Posted in Azure, Cybersecurity · Tagged Azure AD, Event Hubs, Log Analytics, Managed Service Identities, Service Principals, Sign-In Logs ·

Leave a Reply Cancel reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. ( Log Out /  Change )

Google photo

You are commenting using your Google account. ( Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. ( Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. ( Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Post navigation

« Azure Default Service Principals vs Customer Created
Azure MSI & Policy Governance »
Create a free website or blog at WordPress.com.
Cancel
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
%d bloggers like this: