Azure AD Sign-In Logs – Managed Identities + Service Principals

Written by Ravi Yadav

Over the weekend, I realized Azure Active Directory (Azure AD) can now allow its Sign-In logs for both Service Principals (SP) and Managed (Service) Identities (MSI) to be collected and forwarded to Event Hubs, Log Analytics and/or a Storage Account. I would strongly advise any Azure AD environment to enable this setting as soon as possible as both MSI’s and SP’ pose a giant risk due to the lack of Conditional Access. Not having the ability to enforce Conditional Access on SPs and MSIs is a giant, giant security risk. And, as a minimum, one should enable log-in events to mediate if and when possible.

In my solution below, I have Azure AD to send its Audit and Sign-In logs to an Event Hubs namespace, which in turn is allowing a 3rd Party SIEM to collect the logs.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:

SCOM & Other Geeky Stuff

A series of blog posts around Microsoft Cloud and Datacenter technologies, specifically Azure Cloud, System Center and other various Microsoft technologies.

Sharing is Caring:

Like this:

Related

Leave a Reply Cancel reply