Azure AD Log Export Security Considerations

Please, use the log export features of Azure AD, but first, consider this…

The built-in Sign-ins and Audit logs in Azure AD are extremely valuable for troubleshooting, monitoring and general security-related work. They are a gold mine for your SOC!


Microsoft will retain the Azure AD logs for you, according to the following table:

Report       Azure AD Free   Azure AD Premium P1   Azure AD Premium P2
Audit logs   7 days          30 days               30 days
Sign-ins     7 days          30 days               30 days

Source: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention

There are many reasons why you would want to export these logs to a longer-term storage location.

  • Analysis over time
  • Compliance reasons
  • SIEM integration
  • Internal policies
  • Monitoring and alerts
  • Automation
  • And so on…

I encourage you to turn on the log exports but first, there are some things you need to consider when exporting Azure AD logs.

Personally, I prefer the Azure Log Analytics integration since it is so easy to enable and because you instantly get access to all the Azure AD insight workbooks in the Azure portal. These will help you troubleshoot or plan upcoming configuration around identity, MFA, security and Conditional Access. They will also help you get rid of legacy authentication protocols.

But when you enable the log export, the logs start to stream from Azure AD, where access is managed with Azure AD admin roles such as Global Admin, Security Admin and Security Reader, into Azure Resource Manager, where access is managed with a completely different RBAC model applied to resource groups and resources in Azure.

In a small organisation this might not be an issue, but if your Azure AD/M365 team is separated from your Azure devs and operations, remember that once you export Azure AD logs, they become available to anyone with read access to the Log Analytics workspace, which is an Azure resource in your Azure subscription.

The sign-ins and audit logs contain a lot of sensitive information about users and their activities:

  • Who logged in?
  • When and from where (work patterns, physical locations)?
  • What did they do? Apps, services, tasks.
  • What changed?
  • Tons of Personally Identifiable Information (GDPR).
  • Directory security and configuration.
  • Office 365 group information.
  • And much more.

So, when exporting Azure AD logs to Log Analytics, first review your Azure Resource Manager RBAC permissions and secure the Log Analytics workspace to the same level as the Azure AD logs themselves. You might even consider a separate Azure subscription for your Azure AD related resources. You can also use Azure AD PIM (Privileged Identity Management) for Azure Resource Manager access.
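One way to do that RBAC review, as an added example that is not from the original post: the script below takes role assignments in the shape of `az role assignment list --all` output (the records, principals, subscription id and workspace name are constructed) and lists every principal who can read the workspace through a log-reading role inherited from any scope, unless it is on the identity team's allow list. The role set and the JSON field names are assumptions.

```python
import json

# Built-in roles that can read workspace data (assumed, non-exhaustive list).
LOG_READING_ROLES = {
    "Owner", "Contributor", "Reader",
    "Log Analytics Reader", "Log Analytics Contributor",
    "Monitoring Reader", "Monitoring Contributor",
}

# Hypothetical workspace that receives the exported Azure AD logs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WORKSPACE = (SUB + "/resourceGroups/rg-identity"
             "/providers/Microsoft.OperationalInsights/workspaces/law-aad")

# Constructed sample in the shape of `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "dev-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "sec-readers", "principalType": "Group",
     "roleDefinitionName": "Log Analytics Reader", "scope": WORKSPACE},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-apps"},
    {"principalName": "sp-backup", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": WORKSPACE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-identity"},
])

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id` (subscription > resource group > resource)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def find_log_readers(assignments_json, workspace_id, allowed_principals):
    """Return (principal, role, scope) for each assignment that lets a principal outside the allow list read the workspace."""
    allowed = {p.lower() for p in allowed_principals}
    findings = []
    for a in json.loads(assignments_json):
        if a["roleDefinitionName"] not in LOG_READING_ROLES:
            continue  # role does not expose log data
        if not scope_covers(a["scope"], workspace_id):
            continue  # assignment lives elsewhere in the subscription
        if a["principalName"].lower() in allowed:
            continue  # the identity team's approved readers
        findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return sorted(findings)
```

Calling `find_log_readers(SAMPLE_ASSIGNMENTS, WORKSPACE, {"sec-readers"})` on the sample flags the subscription-wide Contributor group and the resource-group Reader, while the Reader on an unrelated resource group and the storage role on the workspace are ignored.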

Make sure you always monitor and alert on configuration changes to the workspace, and make sure you don’t leave it open to external users, such as developers, that you might have in your Azure subscriptions. The key takeaway from this blog post is that even if you export Azure AD logs within your own Microsoft tenant, different access mechanisms may apply in different locations.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund
