Analyze Azure AD activity logs with Azure Monitor logs
After you integrate Azure AD activity logs with Azure Monitor logs, you can use the power of Azure Monitor logs to gain insights into your environment. You can also install the Log analytics views for Azure AD activity logs to get access to pre-built reports around audit and sign-in events in your environment.
In this article, you learn how to analyze the Azure AD activity logs in your Log Analytics workspace.
This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.
To follow along, you need:
- A Log Analytics workspace in your Azure subscription. Learn how to create a Log Analytics workspace.
- First, complete the steps to route the Azure AD activity logs to your Log Analytics workspace.
- Access to the log analytics workspace
- The following roles in Azure Active Directory (if you're accessing Log Analytics through Azure Active Directory portal)
- Security Admin
- Security Reader
- Reports Reader
- Global Administrator
Navigate to the Log Analytics workspace
Sign in to the Azure portal.
Select Azure Active Directory, and then select Logs from the Monitoring section to open your Log Analytics workspace. The workspace will open with a default query.
View the schema for Azure AD activity logs
The logs are pushed to the AuditLogs and SigninLogs tables in the workspace. To view the schema for these tables:
From the default query view in the previous section, select Schema and expand the workspace.
Expand the Log Management section and then expand either AuditLogs or SigninLogs to view the log schema.
Query the Azure AD activity logs
Now that you have the logs in your workspace, you can now run queries against them. For example, to get the top applications used in the last week, replace the default query with the following and select Run
SigninLogs | where CreatedDateTime >= ago(7d) | summarize signInCount = count() by AppDisplayName | sort by signInCount desc
To get the top audit events over the last week, use the following query:
AuditLogs | where TimeGenerated >= ago(7d) | summarize auditCount = count() by OperationName | sort by auditCount desc
Alert on Azure AD activity log data
You can also set up alerts on your query. For example, to configure an alert when more than 10 applications have been used in the last week:
From the workspace, select Set alert to open the Create rule page.
Select the default alert criteria created in the alert and update the Threshold in the default metric to 10.
Enter a name and description for the alert, and choose the severity level. For our example, we could set it to Informational.
Select the Action Group that will be alerted when the signal occurs. You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps. Learn more about creating and managing alert groups in the Azure portal.
Once you've configured the alert, select Create alert to enable it.
Use pre-built workbooks for Azure AD activity logs
The workbooks provide several reports related to common scenarios involving audit, sign-in, and provisioning events. You can also alert on any of the data provided in the reports, using the steps described in the previous section.
- Provisioning analysis: This workbook shows reports related to auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users de-provisioned, and corresponding failures.
- Sign-ins Events: This workbook shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, device, and a summary view tracking the number of sign-ins over time.
- Conditional access insights: The Conditional Access insights and reporting workbook enables you to understand the effect of Conditional Access policies in your organization over time.