How to add group filter in the Azure AD "Sign-in Analysis" Workbook

Michal Ziemba 221 Reputation points
2022-10-26T16:18:08.89+00:00

Hi,
In the Azure AD in the "Monitoring" section, there are Workbooks.
One of them called "Sign-in Analysis" is very interesting but I can filter only by users.
I was trying to add filters and use Azure AD groups but it seems not so easy.

Can you tell me if this is possible and what the query would look like?

Thank you in advance
Mike

254424-image.png

Microsoft Entra ID

2 answers

  1. Andrew Blumhardt 9,576 Reputation points Microsoft Employee
    2022-10-28T14:03:37.187+00:00

    Adding to what Givary provided:

    There are two parts here. First the drop down runs a query to get the list of groups. Selected group(s) go into a parameter. Looking at the users drop down settings will help reveal the settings. Though the query for groups will be slightly different. The query should return a list of groups (not certain where to find that at the moment).

    The next step is to use the new Groups parameter in the subsequent query tiles. Again, refer to the User dropdown parameter as a reference. You should be able to add or replace the user parameter in those tiles.

    1 person found this answer helpful.

  2. Givary-MSFT 28,486 Reputation points Microsoft Employee
    2022-10-27T07:36:59.51+00:00

    @Michal Ziemba Thank you for reaching out to us. As I understand it, you are looking to add the query functionality for Azure AD Groups within the Sign-in Analysis Workbook (Azure AD - Monitoring - Workbooks).

    I researched this requirement; there is no table present by default which has Azure AD Groups & Group membership information within the Log Analytics workspace.

    Also, if you look at the Diagnostic settings configuration (from the Azure AD blade): a diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to (Log Analytics workspace). There you would notice audit logs, which talk about audit activities related to groups, but not groups or group membership.

    I reviewed the Sign-in logs as well and couldn't find group-related information for the user.

    Referring to this screenshot, we need to write a query to fetch the group/group membership information. As mentioned above, there is no table as such by default which can provide this information; from my point of view this is not possible. However, if you help us with your exact requirement (why you need the group information within the workbook), I can check with my team whether this task is achievable or not.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

    254548-image.png

    Let me know if you have any further questions; please feel free to post back.
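
The two steps Andrew Blumhardt describes (a drop-down query that lists groups, then tiles that consume the parameter), sketched as an added example that is not code from either answer or from the built-in workbook. Because, as Givary notes, the workspace has no group membership table by default, the `GroupMembership` datatable is a constructed stand-in with hypothetical names and values; the parameter name `Groups`, its multi-select setting with quoted, comma-separated values, and the 7-day window are also assumptions.

```kusto
// Added example. GroupMembership is a constructed stand-in (hypothetical
// names and values) for membership data that some separate process would
// have to export into the workspace; no such table exists by default.

// --- Query 1: source query for a multi-select drop-down parameter "Groups" ---
let GroupMembership = datatable(GroupName:string, UserPrincipalName:string)
[
    "Finance",  "alice@contoso.example",
    "Finance",  "bob@contoso.example",
    "Helpdesk", "carol@contoso.example"
];
GroupMembership
| distinct GroupName
| order by GroupName asc

// --- Query 2: sign-in tile restricted to members of the selected group(s) ---
// {Groups} is replaced by the workbook with the selected values, e.g.
// 'Finance','Helpdesk' (assumes quote ' and delimiter , on the parameter).
// It is workbook syntax, so this query only runs inside a workbook step.
let GroupMembership = datatable(GroupName:string, UserPrincipalName:string)
[
    "Finance",  "alice@contoso.example",
    "Finance",  "bob@contoso.example",
    "Helpdesk", "carol@contoso.example"
];
let SelectedUsers =
    GroupMembership
    | where GroupName in ({Groups})
    | distinct UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(7d)
// Case-insensitive match, since UPN casing can differ between sources
| where UserPrincipalName in~ (SelectedUsers)
| summarize SignIns = count(),
            Failures = countif(ResultType != "0")   // "0" means success
          by UserPrincipalName
| order by SignIns desc
```

Membership exported this way is a snapshot, so a tile built on it reflects who was in the group at export time, not at sign-in time.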