providing team to Azure AD logs in centralized law

Wool Sock 261 Reputation points
2023-01-27T08:48:19.1366667+00:00

Hello,

I would need to give one of our teams access to Azure AD sign-in logs, which are located in our centralized law. Azure AD logs are one of the most important logs from many perspectives, so I would need to come up with a solution that could restrict access to just specific logs. Basically, the team needs access to only the SigninLogs table.

I came up with three possible solutions:

  1. Sending those Azure AD logs to a different law where I can give them access. I'm just not sure if this is even possible yet? Sending logs to an event hub or storage account is possible, but I don't think that will help me now.
  2. Creating a custom RBAC that allows access only to the SigninLogs table with something like this:

     "Actions": [
         "Microsoft.OperationalInsights/workspaces/read",
         "Microsoft.OperationalInsights/workspaces/query/read",
         "Microsoft.OperationalInsights/workspaces/query/SigninLogs/read"
     ],

  3. Export with Logic Apps, which allows me to parse JSON if needed to delete some rows, but is exporting to another law supported...?

Are there any other solutions that could also be possible here? The end place for the data does not need to be Log Analytics, but the data needs to be in a format that makes it possible to read it and create queries / dashboards / workbooks.


Accepted answer
Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-01-27T13:21:26.8466667+00:00

    Table Level RBAC should work for this (a Sentinel example, but works for Log Analytics): See link

    You will have to grant access for those that need it and exclude those that don't: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#set-table-level-read-access

    If this was helpful, please accept the answer

    1 person found this answer helpful.

1 additional answer

JimmySalian-2011 42,526 Reputation points
    2023-01-27T13:42:35.0233333+00:00

    Hi,

    I can suggest a few options you can try and explore:

    • Archive Azure AD activity logs to an Azure storage account.
    • Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools such as Splunk, QRadar, and Microsoft Sentinel.
    • Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
    • Send Azure AD activity logs to Azure Monitor to enable rich visualizations, monitoring, and alerting on the connected data.

    Check this article for good options that might assist you. Delegation is also an option that should be explored; it depends on the security rules or policies you have in your org: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
