Azure AD - Activity Details Test
Azure Active Directory provides Audit Logs, where changes/updates to the configuration of users, groups, and applications are logged. With the audit logs in Azure AD, administrators get access to records of system activities for compliance.
Whenever critical changes are made to an Azure organization (e.g., a password is changed, an application is updated, or the license of a user is changed), administrators may want to know whether such changes were initiated by authorized services/users. This is because unauthorized changes, if permitted, can have serious, long-standing repercussions on the overall health and operations of the cloud organization. To quickly spot such changes, and to know what was changed and by whom, administrators need to review the audit logs periodically. The Azure AD - Activity Details test helps administrators in this exercise!
This test monitors the Azure AD audit logs at configured intervals, and notifies administrators every time a user-, group-, or application-related change/activity is logged in the audit log file.
Detailed diagnostics provide additional details about the change/activity, thereby enabling administrators to figure out who made the change and when. With the help of this information, administrators can quickly detect unauthorized changes, and take appropriate action.
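The following Python script is an added example, not eG Enterprise code, showing the kind of processing described above: it takes a batch of audit records, keeps only those logged since the last run (the test period), counts them per activity (the measures this test reports), and produces the per-event rows a detailed diagnosis shows (when, who, status, failure reason). The records are constructed for this example and follow the field names of Microsoft Graph's directoryAudit resource; the `build_audit_query` helper, the approved-initiator list and all names and values are assumptions, not the agent's actual query or configuration.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample audit records for this example. The field names follow the
# shape of Microsoft Graph's directoryAudit resource (auditLogs/directoryAudits);
# every value below is invented.
SAMPLE_AUDIT_JSON = """[
  {"id": "evt-1", "activityDateTime": "2024-05-01T10:00:00Z",
   "activityDisplayName": "Add user", "result": "success", "resultReason": "",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": null},
   "targetResources": [{"displayName": "new.hire@contoso.example", "type": "User"}]},
  {"id": "evt-2", "activityDateTime": "2024-05-01T10:05:00Z",
   "activityDisplayName": "Reset user password", "result": "failure",
   "resultReason": "Insufficient privileges",
   "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}, "app": null},
   "targetResources": [{"displayName": "ceo@contoso.example", "type": "User"}]},
  {"id": "evt-3", "activityDateTime": "2024-05-01T10:07:00Z",
   "activityDisplayName": "Add service principal credentials", "result": "success",
   "resultReason": "",
   "initiatedBy": {"user": null, "app": {"displayName": "Deployment Pipeline"}},
   "targetResources": [{"displayName": "billing-api", "type": "ServicePrincipal"}]},
  {"id": "evt-4", "activityDateTime": "2024-05-01T09:30:00Z",
   "activityDisplayName": "Add user", "result": "success", "resultReason": "",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": null},
   "targetResources": [{"displayName": "old.event@contoso.example", "type": "User"}]}
]"""

GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"


def parse_time(ts: str) -> datetime:
    """Parse the UTC timestamp format used in the audit records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_audit_query(since: datetime) -> str:
    """OData query asking Graph only for activity logged since the last run.
    Hypothetical helper: the agent's real query is not documented on the page."""
    stamp = since.strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = quote(f"activityDateTime ge {stamp}")
    return f"{GRAPH_AUDIT_URL}?$filter={flt}"


def load_records(raw_json: str) -> list:
    return json.loads(raw_json)


def initiator(record: dict) -> str:
    """Who made the change: a user principal name or, for automation, the app name."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def records_since(records: list, since: datetime) -> list:
    """Keep only the activity logged during the current test period."""
    return [r for r in records if parse_time(r["activityDateTime"]) >= since]


def count_activities(records: list) -> Counter:
    """One count per activity name: the measure values this test reports."""
    return Counter(r["activityDisplayName"] for r in records)


def detailed_diagnosis(records: list, activity: str) -> list:
    """The per-event rows behind a measure: when, who, target, status, failure reason."""
    rows = []
    for r in records:
        if r["activityDisplayName"] != activity:
            continue
        targets = [t.get("displayName", "") for t in r.get("targetResources", [])]
        rows.append({
            "time": r["activityDateTime"],
            "initiated_by": initiator(r),
            "targets": targets,
            "status": r["result"],
            "failure_reason": r.get("resultReason") or None,
        })
    return rows


def unexpected_initiators(records: list, approved: set) -> list:
    """Event ids whose initiator is not on the approved list: the starting point
    for the 'was this change authorized?' question the page raises."""
    return [r["id"] for r in records if initiator(r) not in approved]


if __name__ == "__main__":
    since = parse_time("2024-05-01T09:45:00Z")
    window = records_since(load_records(SAMPLE_AUDIT_JSON), since)
    print(build_audit_query(since))
    for name, n in count_activities(window).items():
        print(f"{name}: {n}")
        for row in detailed_diagnosis(window, name):
            print("   ", row)
    print("review:", unexpected_initiators(window, {"admin@contoso.example"}))
```

Note that the failed password reset still counts towards its measure: the page's measures count attempts, and a failed privileged action is often more interesting to a reviewer than a successful one, which is why the status and failure reason travel with every detailed-diagnosis row.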
Target of the Test: A Microsoft Azure Active Directory
Agent deploying the test: A remote agent
Output of the test: One set of results for the Azure AD tenant being monitored
| Parameters | Description |
|---|---|
| Test Period | How often should the test be executed. |
| Host | The host for which the test is to be configured. |
| Tenant ID | Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. |
| Client ID, Client Password, and Confirm Password | To connect to Azure AD, the eG agent requires an Access token, which it obtains using an Application ID and the client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box. |
| Proxy Host | In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy. |
| Proxy Username, Proxy Password and Confirm Password | If the proxy server requires authentication, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box. |
| Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Add user | Indicates the number of 'add user' activities performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the addition occurred, who initiated the addition, the status of the attempt (success/failure), and the reason for the failure (if any). |
| Delete user | Indicates the number of 'delete user' actions that were performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the deletion occurred, who initiated the deletion, the status of the attempt (success/failure), and the reason for the failure (if any). |
| Update user | Indicates the number of 'update user' actions that were performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the update occurred, who initiated it, the status of the update attempt (success/failure), and the reason for the failure (if any). |
| Restore user | Indicates the number of 'restore user' actions that were performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Disable user account | Indicates the number of 'disable user account' actions that were performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Change user license | Indicates the number of 'change user license' actions that were performed on Azure AD. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Change user password | Indicates the number of attempts made to change user passwords. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Reset user password | Indicates the number of attempts made to reset user passwords. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Set force change user password | Indicates the number of attempts made to force-change user passwords. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| User password registration | Indicates the number of attempts made to register user passwords. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Enable strong authentication | Indicates the number of attempts made to enable strong authentication. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Create application password for user | Indicates the number of attempts made to create an application password for users. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete application password for user | Indicates the number of attempts made to delete an application password for users. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Admin generates a temporary password | Indicates the number of attempts made by an admin to generate a temporary password. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add application | Indicates the number of 'add application' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete application | Indicates the number of 'delete application' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update application | Indicates the number of 'update application' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Restore application | Indicates the number of 'restore application' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add service principal | Indicates the number of attempts made to add service principals. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add service principal credentials | Indicates the number of attempts made to add service principal credentials. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update service principal | Indicates the number of attempts made to update service principals. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove service principal | Indicates the number of attempts made to remove service principals. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove service principal credentials | Indicates the number of attempts made to remove service principal credentials. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add group | Indicates the number of attempts made to add groups. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Create group settings | Indicates the number of attempts made to create group settings. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete group | Indicates the number of 'delete group' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete group settings | Indicates the number of attempts made to delete group settings. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update group | Indicates the number of 'update group' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update group settings | Indicates the number of attempts made to update group settings. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Restore group | Indicates the number of 'restore group' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Start applying group-based license to users | Indicates the number of times the application of group-based licenses to users was started. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Finish applying group-based license to users | Indicates the number of times the application of group-based licenses to users was completed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Set group license | Indicates the number of attempts made to set group licenses. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Trigger group license recalculation | Indicates the number of attempts made to trigger group license recalculation. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add policy | Indicates the number of 'add policy' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add policy to application | Indicates the number of attempts made to add a policy to an application. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add policy to service principal | Indicates the number of attempts made to add a policy to a service principal. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete policy | Indicates the number of 'delete policy' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update policy | Indicates the number of 'update policy' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add role definition | Indicates the number of attempts made to add role definitions. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add role assignment to role definition | Indicates the number of attempts made to add a role assignment to a role definition. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add eligible member to role | Indicates the number of attempts made to add an eligible member to a role. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add role from template | Indicates the number of attempts made to add a role from a template. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Delete role definition | Indicates the number of attempts made to delete role definitions. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove eligible member from role | Indicates the number of attempts made to remove an eligible member from a role. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove role assignment from role definition | Indicates the number of attempts made to remove a role assignment from a role definition. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove scoped member from role | Indicates the number of attempts made to remove a scoped member from a role. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update role | Indicates the number of 'update role' actions that were performed. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Update role definition | Indicates the number of attempts made to update role definitions. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add owner to policy | Indicates the number of attempts made to add an owner to a policy. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add owner to application | Indicates the number of attempts made to add an owner to an application. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add owner to group | Indicates the number of attempts made to add an owner to a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add owner to service principal | Indicates the number of attempts made to add an owner to a service principal. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove owner from group | Indicates the number of attempts made to remove an owner from a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove owner from policy | Indicates the number of attempts made to remove an owner from a policy. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove owner from application | Indicates the number of attempts made to remove an owner from an application. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove owner from service principal | Indicates the number of attempts made to remove an owner from a service principal. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove member from group | Indicates the number of attempts made to remove a member from a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove member from role | Indicates the number of attempts made to remove a member from a role. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove member from administrative unit | Indicates the number of attempts made to remove a member from an administrative unit. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add member to role | Indicates the number of attempts made to add a member to a role. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add member to group | Indicates the number of attempts made to add a member to a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add member to administrative unit | Indicates the number of attempts made to add a member to an administrative unit. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add app role assignment to service principal | Indicates the number of attempts made to add an app role assignment to a service principal. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add app role assignment to user | Indicates the number of attempts made to add an app role assignment to a user. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Add app role assignment to group | Indicates the number of attempts made to add an app role assignment to a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove app role assignment from service principal | Indicates the number of attempts made to remove an app role assignment from a service principal. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove app role assignment from user | Indicates the number of attempts made to remove an app role assignment from a user. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
| Remove app role assignment from group | Indicates the number of attempts made to remove an app role assignment from a group. | Number | Use the detailed diagnosis of this measure to know when the action occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any). |
Use the detailed diagnosis of the Add application, Update application, and Delete application measures to know when each of the corresponding actions (i.e., 'add application', 'update application', or 'delete application' action) occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any).
Figure 1 : The detailed diagnosis of the Add application measure
Figure 2 : The detailed diagnosis of the Delete application measure
Figure 3 : The detailed diagnosis of the Update application measure
Use the detailed diagnosis of the Add service principal, Update service principal, and Remove service principal measures to know when each of the corresponding actions (i.e., 'add service principal', 'update service principal', or 'remove service principal' action) occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any).
Figure 4 : The detailed diagnosis of the Add service principal measure
Figure 5 : The detailed diagnosis of the Update service principal measure
Figure 6 : The detailed diagnosis of the Remove service principal measure
Use the detailed diagnosis of the Add owner to application, Add owner to service principal, and Remove member from group measures to know when each of the corresponding actions occurred, who initiated it, the status of the action (success/failure), and the reason for the failure (if any).
Figure 7 : The detailed diagnosis of the Add owner to application measure
Figure 8 : The detailed diagnosis of the Add owner to service principal measure
Figure 9 : The detailed diagnosis of the Remove member from group measure