Who did what in Azure?

RT-7199 511 Reputation points
2023-02-27T21:33:43.9866667+00:00

How to track individual user activities across the whole of Azure? Like resource creation/deletion/AAD/policy updates... Any kind of changes a user makes within Azure. Are there any logs that can be referred to?


Accepted answer
  1. TP 83,731 Reputation points
    2023-02-27T21:40:51.8666667+00:00

    Hi,

    For Azure, please see Azure Monitor activity log:

    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log

    For Azure AD, please see Azure AD audit logs:

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

    If the above was useful please click Accept Answer.

    Thanks.

    -TP


2 additional answers

  1. Thameur-BOURBITA 32,626 Reputation points
    2023-02-27T21:44:08.1666667+00:00

    Hi @R.T

    You can track activities from the Azure portal. To get more details, read the following links:

    Access the activity logs in the portal

    Account provisioning

    Please don't forget to mark the helpful answer as accepted.


  2. David Broggy 5,701 Reputation points MVP
    2023-02-27T22:35:14.3+00:00

    I see there are 2 suggestions here already but I strongly believe that using Microsoft Sentinel is the best way to track your users.

    I don't disagree with my colleagues above; using the Azure activity logs and Azure Monitor are quick and easy ways to get to your objective.

    Within Sentinel you can not only use KQL VERY simply to see all user activity "search <username>", but you can also configure any number of correlations to track specific user activity.

    In addition, you have access to hundreds of threat hunts that are designed out of the box to identify unusual user activity.

    You also have the UEBA feature which will automatically monitor unusual user activity.

    Note that tracking just the Azure logs using Azure Monitor is only giving you a piece of your user activity.

    You should be thinking about the big picture - monitoring ALL of your user activity inside Azure and out - Sentinel is built from the ground up for that purpose.

    Good luck!

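A query that combines the logs named in the answers above, as an added example that is not part of any answer on this page. It assumes the activity log and the Azure AD audit logs are already being sent to the Log Analytics workspace behind Sentinel, where they land in the `AzureActivity` and `AuditLogs` tables; the user name and the seven-day window are placeholders.

```kusto
// Added example: one timeline of a single user's changes across Azure
// resources (AzureActivity) and the directory (AuditLogs).
// Assumptions: both tables are populated in this workspace;
// targetUser is a constructed placeholder, not a value from the page.
let targetUser = "user@example.com";
let lookback = 7d;
// Resource-level operations (create, update, delete, role assignments,
// policy assignments) recorded by the Azure Monitor activity log.
let armChanges = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where Caller =~ targetUser
    | project TimeGenerated,
              Source = "AzureActivity",
              Actor = Caller,
              Operation = OperationNameValue,
              Target = _ResourceId,
              Result = ActivityStatusValue,
              SourceIp = CallerIpAddress;
// Directory changes (users, groups, applications, role membership)
// recorded by the Azure AD audit logs.
let directoryChanges = AuditLogs
    | where TimeGenerated > ago(lookback)
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | where Actor =~ targetUser
    | project TimeGenerated,
              Source = "AuditLogs",
              Actor,
              Operation = OperationName,
              Target = tostring(TargetResources[0].displayName),
              Result,
              SourceIp = tostring(InitiatedBy.user.ipAddress);
union armChanges, directoryChanges
| sort by TimeGenerated desc
```

Changes made by a service principal carry an object or application ID in `Caller` and populate `InitiatedBy.app` instead of `InitiatedBy.user`, so they need their own filter.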