Monitor your Azure AD Break Glass Accounts with Azure Monitor

I’ve previously blogged about how important it is for all organisations to have a break glass routine in place for their Azure AD/Office 365 tenant. Break glass accounts are excluded from many important security mechanism like Conditional Access and MFA because of their purpose to help you get back in when everything turns south. Therefor, it’s important to keep an extra eye or two on these accounts. It is also a good idea to monitor sensitive group changes, Azure AD role changes and Conditional Access policy changes.

This post will help you to get started with your Azure AD monitoring design using Azure Monitor.

Important Alert Rules

This is a list of some important alert rules everyone should have in place. They will help you to get started with your own alert rules implementation. If you’ve never created Azure Monitor alert rules before, I’m explaining how to do that further down in this blog post.

But first, let’s have a look at the recommended alert rules:

Azure Monitor Alert Rule Name Azure Monitor Query Explanation
A high-risk sign-in was detected in Azure AD SigninLogs | where RiskLevelDuringSignIn == “high” Azure AD Identity Protection analyses all sign-in attempts in Azure AD. The attempts are risk evaluated and receives a risk score (low, medium, high).

This alert rule will trigger on all high-risk sign-ins.

A sensitive user account signed in SigninLogs | where ResultType == 0 and (UserPrincipalName == “admin1@TENANTNAME.onmicrosoft.com” or UserPrincipalName == “admin2@TENANTNAME.onmicrosoft.com”) Sensitive accounts, not protected by Conditonal Access and MFA, like break glass accounts and service accounts, requires extra monitoring.

This alert rule triggers on successful sign-ins from sensitive accounts.

A sensitive user account tried to sign in but failed SigninLogs | where ResultType != 0 and (UserPrincipalName == “admin1@TENANTNAME.onmicrosoft.com” or UserPrincipalName == “admin2@TENANTNAME.onmicrosoft.com”) This alert rule triggers on failed sign-ins from sensitive accounts.
A sensitive user account was updated AuditLogs | where OperationName == “Update user” and (TargetResources[0].userPrincipalName in (“admin1@ TENANTNAME.onmicrosoft.com”) or TargetResources[0].userPrincipalName in (“admin2@ TENANTNAME.onmicrosoft.com”)) | project TimeGenerated, InitiatedBy.user.userPrincipalName, TargetResources[0].userPrincipalName, TargetResources[0].modifiedProperties This alert rule triggers on account changes on sensitive accounts. This includes password changes and attribute changes.
A member was added to a sensitive security group AuditLogs | where TargetResources[1].id in (‘c6754fc8-fffe-4065-a98a-f5a9ed3c43d6’) and ActivityDisplayName == “Add member to group” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].userPrincipalName, InitiatedBy.user.userPrincipalName You probably have some sensitive security groups in Azure AD that needs extra monitoring. An example of this is the Conditional Access exclude group which you use to exclude break glass accounts from all Conditional Access policies.

This alert rule triggers when a new member is added to a sensitive security group.

Change the object ID of the group in the query.

A member was removed from a sensitive security group AuditLogs | where TargetResources[1].id in (‘c6754fc8-fffe-4065-a98a-f5a9ed3c43d6’) and ActivityDisplayName == “Remove member from group” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].userPrincipalName, InitiatedBy.user.userPrincipalName This alert rule triggers when a member is removed from a sensitive security group.
A user was added to a privileged role in Azure AD (outside of PIM) AuditLogs | where ActivityDisplayName == “Add member to role” and InitiatedBy.app.displayName != “MS-PIM” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].userPrincipalName, TargetResources[0].DisplayName, TargetResources[0].modifiedProperties[1].newValue, InitiatedBy.user.userPrincipalName It’s important to monitor changes to Azure AD admin roles. You should always use Azure AD Privileged Identity Management to manage admin accounts but this is a great complement.

This alert rule triggers when a user is added to an Azure AD role.

A Conditional Access policy was changed AuditLogs | where ActivityDisplayName == “Update policy” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].displayName, InitiatedBy.user.userPrincipalName Conditional Access is the wall between your organisations cloud services and the outside world. Ones you’ve implemented your Conditional Access design, it’s important to monitor policy changes.

This alert rule triggers on Conditional Access policy changes.

A new Conditional Access policy was created AuditLogs | where ActivityDisplayName == “Add policy” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].displayName, InitiatedBy.user.userPrincipalName This alert rule triggers when a new Conditional Access policy is created.
A Conditional Access policy was deleted AuditLogs | where ActivityDisplayName == “Delete policy” | project ActivityDateTime, ActivityDisplayName, TargetResources[0].displayName, InitiatedBy.user.userPrincipalName This alert rule triggers when a Conditional Access policy is deleted.

Export Azure AD Logs to Azure LogAnalytics

If you’ve never created alert rules in Azure Monitor before, I will now teach you the basics.

Before we can setup any alert rules, we need to setup log export in Azure AD. We will export the Sing-Ins log and the Audit log to Azure Log Analytics. Log Analytics is basically a database where we can store log data and then use Azure Monitor to query this database and trigger on certain conditions.

To create a Log Analytics workspace, go to the Azure portal and search for Log Analytics workspaces. Click Add to create a new workspace.

Alerts1

Fill in the create form something like this.

Alerts2

When the workspace has been deployed, go to Azure Active Directory and click on Diagnostic settings.

Alerts3

Fill in the create form like this and make sure to select both AuditLogs and SignInLogs. We’ll need both logs for our rules.

Alerts4

Save the settings and wait. Log entries will now be exported to your new Log Analytics workspace but it might take a couple of minutes before you see any data for the first time.

Setting Up Alert Rules in Azure Monitor

Azure Monitor builds on top of Azure Log Analytics so the easiest way to create new alerts is to first perform the query in Log Analytics.

In the Azure portal, go to your Log Analytics workspace and click on Logs to open the query editor.

Alerts5

Put in the query you would like to create an alert rule from and click on Run to try it out. This is a great place to develop and test your queries.

Alerts6

When you are happy with your query, click on New alert rule.

Alerts7

This will take you to Azure Monitor. Click on the condition to edit its settings.

Alerts8

Modify Alert logic and Evaluated based on to query Log Analytics every five minutes.

Alerts9

If you don’t already have an action group, you’ll have to create one. An action group contains actions to perform when an alert is triggered, like send email, send SMS, and so on.

Alerts10

Create the action group and add actions according to your needs.

Alerts11

Finally, add email subject, alert rule name, a description and severity. Click on Create alert rule.

Alerts12

Your alert rule is now created and enabled! Repeat for the rules you need.

Conclusion

Azure Monitor is a powerful alert engine combined with Azure AD logs and it’s relatively easy to set up. I recommend all organisations to take break glass monitoring seriously and to get inspired by this blog post to create a suiting alert strategy.

Please follow me here, on LinkedIn and on Twitter.

@DanielChronlund

2 thoughts on “Monitor your Azure AD Break Glass Accounts with Azure Monitor

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s