Azure Monitor: Route AAD Activity Logs using diagnostic settings
Today, in partnership with the Azure Active Directory (AAD) team, we are excited to announce the public preview of AAD Activity Logs using Azure Monitor diagnostic settings. Azure Monitor diagnostic settings enable you to stream log data from an Azure service to three destinations: an Azure storage account, an Event Hubs namespace, and/or a Log Analytics workspace. This allows you to easily route logs from any Azure service to a data archive, SIEM tool, or custom log processing tool. With today’s announcement, you will now be able to route your AAD audit and sign-in logs to these same destinations, centralizing all of your Azure service logs in one pipeline.
Until now, all log data handled by Azure Monitor came from an Azure resource deployed within an Azure subscription. We often describe this type of data as “resource-level log data,” and it is configured using a resource diagnostic setting. AAD log data is the first type of log data from a tenant-level service made available through Azure Monitor. Tenant-level services aren’t deployed as resources within an Azure subscription; rather, they function across an entire AAD tenant. To handle this new type of “tenant-level log data,” Azure Monitor has introduced a new type of diagnostic setting, the tenant diagnostic setting. For AAD logs, you can set up a tenant diagnostic setting by navigating to Audit Logs in the AAD area of the portal and clicking “Export Data Settings.”
This will pull up the familiar Azure Monitor diagnostic setting experience, where you can create, modify, or delete diagnostic settings.
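The portal flow above creates the same object you can create programmatically. As an added illustration (not code from this post or from the Azure Monitor team), the script below builds and validates the request body for an AAD tenant diagnostic setting and renders the `az rest` call that would submit it. It assumes the tenant setting lives under the `microsoft.aadiam` provider with API version `2017-04-01-preview`, that the log categories are `AuditLogs` and `SignInLogs`, and that `az rest` is available in your Azure CLI; all three are assumptions to verify against the current Azure Monitor documentation, and every resource ID in the usage section is a constructed placeholder.

```python
import json
from typing import Iterable, Optional

# Azure AD activity logs are tenant-level, so their diagnostic setting is attached to
# the "microsoft.aadiam" provider rather than to a resource inside a subscription.
# Path and API version are assumptions taken from Azure Monitor's tenant diagnostic
# setting REST docs; confirm them against the current documentation before use.
ARM_BASE_URL = "https://management.azure.com"
AADIAM_SETTINGS_PATH = "/providers/microsoft.aadiam/diagnosticSettings/{name}"
API_VERSION = "2017-04-01-preview"

# Log categories the AAD tenant exposes through Azure Monitor (assumed names).
AAD_LOG_CATEGORIES = ("AuditLogs", "SignInLogs")


def build_tenant_diagnostic_setting(
    categories: Iterable[str] = AAD_LOG_CATEGORIES,
    storage_account_id: Optional[str] = None,
    event_hub_authorization_rule_id: Optional[str] = None,
    event_hub_name: Optional[str] = None,
    workspace_id: Optional[str] = None,
    retention_days: int = 0,
) -> dict:
    """Build the request body for an AAD tenant diagnostic setting.

    Raises ValueError for requests that would be rejected or would silently
    export nothing: no destination, an unknown log category, an event hub
    name given without the namespace authorization rule that grants access
    to it, or a negative retention.
    """
    categories = list(categories)
    unknown = sorted(set(categories) - set(AAD_LOG_CATEGORIES))
    if unknown:
        raise ValueError(f"unknown AAD log categories: {unknown}")
    if not categories:
        raise ValueError("at least one log category must be enabled")
    if not (storage_account_id or event_hub_authorization_rule_id or workspace_id):
        raise ValueError("at least one destination is required")
    if event_hub_name and not event_hub_authorization_rule_id:
        raise ValueError("event_hub_name requires event_hub_authorization_rule_id")
    if retention_days < 0:
        raise ValueError("retention_days must be >= 0")

    # Retention policies only apply to the storage-account destination;
    # days=0 means "keep indefinitely".
    retention_policy = {
        "enabled": bool(storage_account_id) and retention_days > 0,
        "days": retention_days,
    }
    properties = {
        "logs": [
            {"category": c, "enabled": True, "retentionPolicy": dict(retention_policy)}
            for c in categories
        ]
    }
    if storage_account_id:
        properties["storageAccountId"] = storage_account_id
    if event_hub_authorization_rule_id:
        properties["eventHubAuthorizationRuleId"] = event_hub_authorization_rule_id
        if event_hub_name:
            properties["eventHubName"] = event_hub_name
    if workspace_id:
        properties["workspaceId"] = workspace_id
    return {"properties": properties}


def setting_is_valid(**kwargs) -> bool:
    """True when build_tenant_diagnostic_setting accepts the given arguments."""
    try:
        build_tenant_diagnostic_setting(**kwargs)
    except ValueError:
        return False
    return True


def az_rest_put_command(setting_name: str, body: dict) -> str:
    """Render an `az rest` PUT that creates or updates the named tenant setting."""
    path = AADIAM_SETTINGS_PATH.format(name=setting_name)
    url = f"{ARM_BASE_URL}{path}?api-version={API_VERSION}"
    return f"az rest --method put --url '{url}' --body '{json.dumps(body)}'"


if __name__ == "__main__":
    # Constructed placeholder resource IDs; substitute your own.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/logs-rg"
    body = build_tenant_diagnostic_setting(
        storage_account_id=f"{sub}/providers/Microsoft.Storage/storageAccounts/aadlogsarchive",
        event_hub_authorization_rule_id=(
            f"{sub}/providers/Microsoft.EventHub/namespaces/siem-ns"
            "/authorizationRules/RootManageSharedAccessKey"
        ),
        event_hub_name="aad-logs",
        retention_days=365,
    )
    print(json.dumps(body, indent=2))
    print(az_rest_put_command("aad-to-siem", body))
```

The validation step is where the value lies for a defender: a setting with categories enabled but no destination, or an event hub name without an authorization rule, is accepted by the portal in some states yet exports nothing, so a pipeline that depends on these logs should check its own configuration rather than assume the logs are flowing.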
To learn more about the feature and get started, check out Alex Simons’s post on the Enterprise Mobility and Security blog. Please also be aware that during the public preview AAD activity logs cannot yet be routed to Log Analytics, but we are working to enable this by October 2018. For a full list of services that expose logs through Azure Monitor, visit our documentation.