Monitor changes to federation configuration in your Azure AD
When you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD.
Due to this established trust, Azure AD honors the security token issued by the on-premises identity provider post authentication, to grant access to resources protected by Azure AD.
Therefore, it's critical that this trust (federation configuration) is monitored closely, and any unusual or suspicious activity is captured.
To monitor the trust relationship, we recommend you set up alerts to be notified when changes are made to the federation configuration.
Set up alerts to monitor the trust relationship
Follow these steps to set up alerts to monitor the trust relationship:
- Configure Azure AD audit logs to flow to an Azure Log Analytics Workspace.
- Create an alert rule that triggers based on Azure AD log query.
- Add an action group to the alert rule that gets notified when the alert condition is met.
After the environment is configured, the data flows as follows:
Azure AD Logs get populated per the activity in the tenant.
The log information flows to the Azure Log Analytics workspace.
A background job from Azure Monitor executes the log query based on the configuration of the Alert Rule in the configuration step (2) above.
AuditLogs | extend TargetResource = parse_json(TargetResources) | where ActivityDisplayName contains "Set federation settings on domain" or ActivityDisplayName contains "Set domain authentication" | project TimeGenerated, SourceSystem, TargetResource.displayName, AADTenantId, OperationName, InitiatedBy, Result, ActivityDisplayName, ActivityDateTime, Type
If the result of the query matches the alert logic (that is, the number of results is greater than or equal to 1), then the action group kicks in. Let’s assume that it kicked in, so the flow continues in step 5.
Notification is sent to the action group selected while configuring the alert.
In addition to setting up alerts, we recommend periodically reviewing the configured domains within your Azure AD tenant and removing any stale, unrecognized, or suspicious domains.