question

Ag-8821 asked AnuragSingh-MSFT commented

Azure AD Sign-in logs not sending to log analytics workspace on two different tenants and subscriptions. Problem with the service?

I have been facing an issue with trying to send AAD sign-in logs to a Log Analytics workspace on two disjoined tenants and subscriptions. They are AAD P1 and P2 licensed tenants, which makes me think there is a problem with the service? What does get sent, however, are the audit logs, but all selected sign-in log types are not sent; the tables are not even created in the Log Analytics workspace. And this is after waiting multiple days.

azure-monitor, azure-ad-sign-in-logs

Hi @Nj-8821,

Welcome to Microsoft Q&A! Thanks for posting the question.

I understand that you are trying to forward sign-in logs from Azure AD to a LogAnalytics workspace and that the sign-in logs are not available in the workspace. In this regard, can you please:

1. Ensure that you are querying the correct Log Analytics workspace. To confirm the LogAnalytics workspace, please click on "Diagnostic settings" in Azure Active Directory --> select "Edit setting" on the setting created. Ensure that AuditLogs and SignInLogs are selected and confirm the LogAnalytics workspace name.

2. Are you able to view signin logs from "Sign-in logs" option of AAD?

3. In the corresponding LogAnalytics workspace, what happens when you run the query below? Some tables are not visible unless they have data in them. Does the query return an error?

SigninLogs

Please let me know if you have any questions.

Edited 04/21

0 Votes 0 ·

I do not believe that cross-tenant forwarding of AAD logs using diagnostic settings is supported. That is one of the reasons Lighthouse is used in a multi-tenant support scenario to gain visibility into multiple tenants.

You may also find this link helpful: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

0 Votes 0 ·
Ag-8821 AndrewBlumhardt-1137 ·

@AnuragSingh-MSFT, sorry but this is such a non answer that it doesn't help at all. This is not my first time setting this up.

@AndrewBlumhardt-1137 I'm not talking about cross tenant support. I'm talking about trying to forward logs and it failing on 2 different tenants

0 Votes 0 ·

@Nj-8821, thank you for the reply. Let me investigate it further and get back to you.

0 Votes 0 ·

Any updates about this issue? I'm facing the same thing: configured AAD logs (SignIn, Audit, NonInteractive ...) to be sent to a Storage Account and Log Analytics workspace. I can query Audit logs, but for SignIn ones no results were found. Is there an issue on the Microsoft side related to SignIn logs?
Btw, we have a P1 license.

Thanks in advance,
Valentino.

0 Votes 0 ·
Ag-8821 ValentinoDefelice-5847 ·

No updates, still facing the same issue and Microsoft is not helping.

0 Votes 0 ·

@Nj-8821, I wanted to check if you had a chance to review the answers below. If you have any questions, please let us know. Thank you

0 Votes 0 ·

@Ag-8821, @ValentinoDefelice-5847, @AndreasWikstrm-5324, @ColinEdwards-1496 - I apologize for the unpleasant experience you are facing because of this issue. I have posted private comments to your replies below. These private messages are independent of each other and visible only to the user to whom each is addressed. Please reply directly to the respective private comment with the requested information and I will take a look further into this issue.

Please let me know if you have any questions.


0 Votes 0 ·

I'm having the exact same problem in two different tenants (unrelated to each other). AuditLogs work fine but SigninLogs does not. I've been trying to solve the issue by re-creating the resource groups and LA-workspaces but it hasn't made any difference.

0 Votes 0 ·
Ag-8821 AndreasWikstrm-5324 ·

Please also open a Microsoft case and refer to this thread so they can see it's a general issue.

0 Votes 0 ·

I opened a case yesterday :)

0 Votes 0 ·

Update!


My issue has now been resolved and I have verified that the Signin Logs are being sent to Log Analytics for the tenant that I originally created a Support Request for.

Also! Out of curiosity I checked one of the other tenants where the same problem occurred - the issue was resolved in that one too! Not sure if MS found a misconfiguration backend that will fix the problem for everyone or if this was a coincidence. I'm waiting for a reply from MS and I will update this thread when I have more details.

0 Votes 0 ·

I have the same issue, and have had a ticket open with Microsoft for about 2 weeks with basically no progress.

My tenant stopped logging (or displaying) SignIn data on 3/24/22.

I actually first noticed a problem in the AAD Security Blade > Authentication Methods > Monitoring | Activity > Usage tab. No data being displayed there (for all of the charts, like "Sign-ins by authentication method") is what prompted me to open the ticket. Then I looked at Log Analytics and saw there was no SignIn data there, and I'm assuming it's the same root cause for the missing data in both places. I'm curious if others here have the same problem.

I do have Sign-In data in AAD Blade > Monitoring | Sign-in Logs.

0 Votes 0 ·
Ag-8821 ColinEdwards-1496 ·

I feel like Microsoft is taking no action on this at all.

0 Votes 0 ·

@Nj-8821 that's pretty much how I feel. I do know a bunch of people that manage other tenants and don't have this issue, so convincing Microsoft that there's a problem that's not being caused by the client is crucial. And to that end, I'm happy to see some other people reporting the same issue here.

The last update from MS on my ticket was a request for logs/traces from Fiddler, which makes me think that the people working my ticket think that there's something on my client (or a firewall/IPS/etc in between) that's preventing the data from being displayed. And I've asked them to confirm the data exists on the back end of the tenant, because I don't think they are approaching this problem correctly. Stuff like this really makes me miss the visibility that you get with on-prem systems. I want to see data, logs, pcaps, etc to drive towards a solution and point the vendor to where the problem exists.

0 Votes 0 ·

@Ag-8821 I magically have logs showing within the last 24 hours.
I ran a query for SigninLogs on 5/4/2022, 12:02 PM that returned 0 results.
And today, I ran a query 5/5/2022, 9:03 AM, and there are 19 results returned.

Any changes to your tenant(s)?

0 Votes 0 ·

1 Answer

AnuragSingh-MSFT answered AnuragSingh-MSFT commented

@Ag-8821, @ValentinoDefelice-5847, @AndreasWikstrm-5324, @ColinEdwards-1496,

I apologize for the inconvenience caused because of this issue. Also, thank you for your continued support to help us investigate it and improve Azure.
Based on these reported issues, our internal team investigated, and currently a long-term solution is under review/deployment to prevent it from happening again in the future. Many of the premium tenants would have already started seeing the sign-in logs in the LogAnalytics workspace after enabling the diagnostics setting in Azure AD.

Please let us know if you have any questions.


It seems like whatever Microsoft just did resolved the issue for my 3 tenants and for others that were facing the issue in this thread. Still not clear what the root cause is but I'm happy it's working now.

0 Votes 0 ·

@AnuragSingh-MSFT Can you provide any details on what was wrong and how it was fixed? There have been no updates on my ticket for 3 days (since before the tenant started logging data again). It would be helpful if customers can provide details to Microsoft if our tenants break again and we need to open a new ticket.

Thank you,
Colin

0 Votes 0 ·

@Ag-8821, @ColinEdwards-1496 apologies for the delayed response as I had been on leave. Here is additional information on the cause and mitigation of this issue.

Root cause. This issue occurred because a job that updates Azure AD tenant licensing info to ensure tenants have appropriate licenses for streaming logs to Azure Monitor was relying on a data source that failed to update license status. When the data source failed to update correctly, a subset of organizations' data was not exported to Azure Monitor, preventing those tenants from exporting logs to Azure Monitor.

Resolution. Azure AD reporting engineering team is migrating the reporting license check to a new data source that includes anomaly detection to avoid similar incidents in the future.

Thank you. Please let me know if you have any questions.

0 Votes 0 ·
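
A Log Analytics query for catching the failure mode reported in this thread (AuditLogs arriving while the sign-in tables stay empty or are never created), added here as an example and not posted by any participant. The table list and the `lookback` and `maxSilence` values are assumptions; adjust them to the categories selected in the diagnostic setting.

```kusto
// Added example: report, per expected Azure AD table, whether data is arriving.
// The table list and both thresholds are assumptions, not values from the thread.
let expected = datatable(TableName: string)
    ["AuditLogs", "SigninLogs", "AADNonInteractiveUserSignInLogs"];
let lookback = 3d;     // how far back to look for any record
let maxSilence = 6h;   // longest acceptable gap since the newest record
expected
| join kind=leftouter (
    // isfuzzy=true lets the union run even when a table has never been
    // created, which is the symptom described in the question.
    union isfuzzy=true withsource=TableName
        AuditLogs, SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | summarize Records = count(), LastRecord = max(TimeGenerated) by TableName
  ) on TableName
| extend Status = case(
    isnull(LastRecord), "NO DATA (table missing or empty)",
    LastRecord < ago(maxSilence), "STALE",
    "OK")
| project TableName, Records, LastRecord, Status
```

Run as a scheduled log alert on rows where `Status` is not "OK", this surfaces a silent stop in sign-in log export instead of leaving it to be noticed during an investigation.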