Let’s discuss Export Azure AD Logs to Azure Monitor | Analyse the Logs using KQL Queries. In this post, we are going to cover the type of logs, how you can export them, what the options are to export them, how to export them to Azure monitor, what are the live logs options in Azure AD, and what are the application logs option in Azure AD, where you can analyze logs using KQL Queries, etc.
Azure Active Directory (Azure AD) logs enable you to assess many aspects, including troubleshooting or forensic analysis of your Azure AD tenant. Preserving Azure Active Directory (Azure AD) logs for an extended duration is crucial for various reasons.
Organizations often adhere to specific standards or regulatory requirements mandating the retention of these logs for an extended period. Therefore, it becomes essential to maintain Azure AD logs by the applicable standards or regulations governing your organization’s operations.
Suppose you have any roles, such as Reports Reader, Security Reader, Security Administrator, Global Reader (sign-in logs only), and Global Administrator. In that case, you can check the Azure AD logs such as Sign-in-logs, Audit logs, etc. Microsoft released the details of new Azure AD Logs, such as Microsoft Graph Activity Logs and Enriched Office365 Audit Logs.
What are the Types of Azure AD Logs?
The types of Azure AD Logs include Audit logs, Anomalous active reports logs, Risk detection, and Azure AD identity protection and sign-in logs. This is just a subset of logs audit and a few logs, but Microsoft continuously adds new logs to the Azure Active Directory logs list.
What are the License and Other Requirements to Export Azure AD logs to Azure Monitor?
Azure subscription requires a log analytics workspace to export the logs. You need a minimum Azure AD premium P1 or P2 license, Global Administrator or Security Administrator access for the Azure AD tenant, and also required a Log Analytics workspace in your Azure subscription.
What is the List of Azure AD Logs Data?
Let’s check the list of Azure AD Logs categories. Different types or categories of logs are available within the Azure active directory. They are as follows.
Video – Export Azure AD Logs to Azure Monitor
Let’s discuss Export Azure AD Logs to Azure Monitor in this video. Export the Azure Ad logs analytics using diagnostic settings.
The Process to Export Azure AD Logs to Azure Monitor
Let’s see the process to export Azure AD logs to Azure monitor or log analytics workspace. First, you need to open Azure Active Directory from the Azure portal. Select Diagnostic settings from the left side of Azure Active Directory.
- Click Add Diagnostic settings from Diagnostic settings.
A diagnostic setting specifies a list of categories of platform logs and metrics you want to collect from a resource. And one or more destinations that you would stream them too. Select the log categories you need to export to the destination. The logs category includes Audit logs, SigninLogs, NoninterativeUserSignInLogs, etc.
- The destination details show the Send to Log Analytics Workspace.
- The Send to Log Analytics Workspace shows the Subscription and Log Analytics Workspace.
- Select to export Azure AD logs to Azure monitor.
- So you need to select the subscription and then log analytics workspace.
- You can create a trial subscription if you don’t have a subscription.
How to create a Trial subscription – Transfer Azure Subscription to Different Azure AD Directory. You can check the following section to know more about how to create Azure Log Analytics Workspace.
The below window shows four or five logs are basically in preview. So even if you add these logs and export these into diagnostic settings and log analytics workspace. The logs would not show these because our tenant is not in preview. It is a private preview setting, probably once it is available.
- To export Sign-in data, your organization needs Azure AD P1 or P2 license.
- Start a free trial if you don’t have a P1 or P2.
How to Create Log Analytics Workspace
Let’s search for a log analytics workspace and create a workspace. Search the log analytics workspace in the below search box and select the Log Analytics workspaces. Once you open the Log Analytics workspaces, click the Create button from the below window.
A Log Analytics workspace is the basic management unit of Azure Monitor Logs. There are specific considerations you should take when creating a new Log Analytics workspace. Select the subscription to manage deployed resources and costs. Use resource groups like folders to organize and manage all your resources.
- Select the subscription, Resource group, and Instance details, such as Name and Region. from the Basic menu.
- Create Log Analytics workspace, including the Tags and Review + Create steps. After completing all the steps, select the Create button to create the Log Analytics workspace.
The below screenshot shows that the Log Analytics workspace creation is going on. It takes one or two minutes or less than that to create a Log Analytics workspace.
|Log Analytics Workspace
The Diagnostic settings, Provide a Diagnostic settings name, select all the Logs and select the destination. You can see AED Logs, and you should choose AADLogs, the new workspace we created just now.
- Click the Save button to create this diagnostic setting
- After clicking the Save button, all the categories of logs will be sent to the new diagnostic settings log analytics workspace
Editing Existing Azure AD Diagnostics Settings
You can easily Edit the existing Azure AD Diagnostics Settings. If you want to edit the existing Log files, click Edit settings from the below window.
Suppose you need to Edit the existing log files. You can click the Edit settings and select SigninLogs and click Save. These SigninLogs will also be sent to the Device-Mgmt log analytics workspace under the Microsoft Azure sponsorship subscription.
Go to All Products, select Enterprise Mobility + security E5, and select the Service plan details. The service plan details show the Azure Active Directory Premium P1 and Azure Active Directory Premium P2 licenses are already available in this tenant.
This is the Log Analytics workspace to which we are sending the data. While selecting AADLogs, there are no Azure Active Directory Logs files because it takes some time to populate them from Azure AD to Azure monitor. On the HTMD workspace, you can see 4 LogManagement.
KQL Queries for Azure AD Logs – NonInteractiveUserSignInLogs
Select HTMD Workspace Logs and select the Logs tab on the left side of the below window. After choosing the onInteractiveUserSignInLogs, you can see a lot of data is available with the latest information, and you can see the source and all the other details.
You can easily filter on some of the columns if you want to filter on some of the columns. You can type “Where tokenIssuerType equal to and let’s put a code over there, then press Azure AD. It will filter on tokens issued by Azure AD.
- Click the Run Button; then it will only show the Azure AD filter
- You can also set the Time range option by clicking the time range dropdown arrow
AADNonInteractiveUserSignInLogs | Where TokenIssuerType == ‘Azure AD‘ and Identity == ‘Krishna‘
Check Logs from Azure AD Directly
Open the Azure active directory and link the log name such as Sign-in-logs, Audit Logs, etc. With the help of this, you will get the live information, which will send to the Diagnostic and log analytics Azure monitor. This is useful for live troubleshooting.
About Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.