Microsoft Azure Active Directory

 

The JSA DSM for Microsoft Azure Active Directory collects Audit log events, such as user creation, role assignment, and group assignment events, and Sign-in log events, which record user sign-in activity.

To integrate Microsoft Azure Active Directory with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
    • DSMCommon
    • Protocol Common RPM
    • Microsoft Azure Platform DSM RPM
    • Microsoft Azure Active Directory DSM RPM
    • Microsoft Azure Event Hubs Protocol RPM

  2. Configure your Microsoft Azure Active Directory to forward events to an Azure Event Hub by streaming events through Diagnostic Logs.
  3. Configure Microsoft Azure Event Hubs to communicate with JSA.
  4. If JSA does not automatically detect the log source, add a Microsoft Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol.

Microsoft Azure Active Directory DSM Specifications

When you configure the Microsoft Azure Active Directory DSM, understanding the specifications for the Microsoft Azure Active Directory DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.

Table 1: Microsoft Azure Active Directory DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Active Directory |
| RPM file name | DSM-MicrosoftAzureActiveDirectory-JSA-version-Build_number.noarch.rpm |
| Protocol | Microsoft Azure Event Hubs |
| Event format | JSON |
| Recorded event types | SignIn logs, Audit logs |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Azure Active Directory documentation |

Microsoft Azure Active Directory Log Source Parameters

When you add an Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol, there are specific parameters you must use.

The following table describes the parameters that require specific values to retrieve Microsoft Azure Active Directory events from Microsoft Azure Active Directory:

Table 2: Microsoft Azure Event Hubs Protocol Log Source Parameters for the Microsoft Azure Active Directory DSM

| Parameter | Value |
| --- | --- |
| Log Source type | Microsoft Azure Active Directory |
| Protocol Configuration | Microsoft Azure Event Hubs |
| Log Source Identifier | The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Active Directory log sources, you might want to identify the first log source as AzureActiveDir-1, the second log source as AzureActiveDir-2, and the third log source as AzureActiveDir-3. |

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages for the Microsoft Azure Active Directory DSM:

Note: Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Table 3: Microsoft Azure Active Directory Sample Message Supported by Microsoft Azure Active Directory

| Event name | Low level category | Sample log message |
| --- | --- | --- |
| Add member to group - success | Group Member Added | `{"time":"2019-09-03T20:01:53.7619661Z", "resourceId":"/tenants/1111a11a-111a-11a1-1111-111a1a2aa11a/providers/Microsoft.aadiam","operationName":"Add member to group","operationVersion":"1.0","category":"AuditLogs","tenantId":"1111a11a-111a-11a1-1111-111a1a2aa11a","resultSignature":"None","durationMs":0,"correlationId":"1111a11a-111a-11a1-1111-111a1a2aa11a","level":"Informational","properties":{"id":"Directory_AAA11_11111","category":"GroupManagement","correlationId":"111a11a-111a-11a1-1111-111a1a2aa11a","result":"success","resultReason":"","activityDisplayName":"Add member to group","activityDateTime":"2019-09-03T20:01:53.7619661+00:00","loggedByService":"Core Directory","operationType":"Assign","initiatedBy":{"user":{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"userPrincipalName":"username","ipAddress":null}},"targetResources":[{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"User","userPrincipalName":"username","modifiedProperties":[{"displayName":"Group.ObjectID","oldValue":null,"newValue":"\"111a11a-111a-11a1-1111-111a1a2aa11a\""},{"displayName":"Group.DisplayName","oldValue":null,"newValue":"\"AD_Roadmap\""},{"displayName":"Group.WellKnownObjectName","oldValue":null,"newValue":null}]},{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"Group","groupType":"azureAD","modifiedProperties":[]}],"additionalDetails":[]}}` |
| Sign-in activity fail | User Login Failure | `{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z","resourceId":"/tenants/g1111111-1aaa-11a1-1111-1111aa1a1111/providers/Microsoft.aadiam","operationName":"Sign-in activity","operationVersion":"1.0","category":"SignInLogs","tenantId":"h1111111-1aaa-11a1-1111-1111aa1a1111","resultType":"50074","resultSignature":"None","resultDescription":"User did not pass the MFA challenge.","durationMs":0,"callerIpAddress":"192.0.2.0","correlationId":"g1111111-1aaa-11a1-1111-1111aa1a1111","identity":"fname, lname","Level":4,"location":"NL","properties":{"id":"ia1111111-1aaa-11a1-1111-1111aa1a1111","createdDateTime":"2018-08-08T12:41:15.3163732+00:00","userDisplayName":"fname, lname","userPrincipalName":"user@example.com","userId":"j1111111-1aaa-11a1-1111-1111aa1a1111","appId":"k1111111-1aaa-11a1-1111-1111aa1a1111","appDisplayName":"Microsoft App Access Panel","ipAddress":"192.0.2.0","status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge.","additionalDetails":"MFA required in Azure AD"},"clientAppUsed":"Browser","deviceDetail":"...","location":"...","mfaDetail":{"authMethod":"Text message"},"correlationId":"l1111111-1aaa-11a1-1111-1111aa1a1111","conditionalAccessStatus":2,"conditionalAccessPolicies":"...","isRisky":false}}}` |
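The following is an added example, not part of the original documentation or of the JSA DSM: a small Python check that parses records shaped like the two samples above and pulls out the fields an analyst compares when confirming that Audit and Sign-in events arrive intact. The `summarize` function, its output keys, and the shortened sample records are constructed for illustration; the field names come from the sample messages.

```python
import json

# Constructed, shortened records modelled on the two sample messages above.
# The audit record contains a CR/LF inside a string, as pasted table text can.
AUDIT_SAMPLE = (
    '{"time":"2019-09-03T20:01:53.7619661Z","operationName":"Add member to \r\n'
    'group","category":"AuditLogs","properties":{"result":"success",'
    '"initiatedBy":{"user":{"userPrincipalName":"username","ipAddress":null}}}}'
)
SIGNIN_SAMPLE = (
    '{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z",'
    '"operationName":"Sign-in activity","category":"SignInLogs",'
    '"resultType":"50074","callerIpAddress":"192.0.2.0",'
    '"properties":{"userPrincipalName":"user@example.com",'
    '"status":{"errorCode":50074,'
    '"failureReason":"User did not pass the MFA challenge."}}}}'
)


def summarize(raw):
    """Parse one record and return the fields worth checking by eye."""
    # Per the page's note: remove CR/LF characters before parsing.
    record = json.loads(raw.replace("\r", "").replace("\n", ""))
    # Sign-in sample is wrapped in "eventHubsAzureRecord"; the audit one is not.
    record = record.get("eventHubsAzureRecord", record)
    props = record.get("properties") or {}
    category = record.get("category")
    if category == "AuditLogs":
        user = (props.get("initiatedBy") or {}).get("user") or {}
        outcome = props.get("result")
        actor, ip = user.get("userPrincipalName"), user.get("ipAddress")
        reason = props.get("resultReason") or None
    elif category == "SignInLogs":
        status = props.get("status") or {}
        code = status.get("errorCode", record.get("resultType"))
        # Azure AD reports error code 0 for a successful sign-in.
        outcome = "success" if str(code) == "0" else "failure"
        actor = props.get("userPrincipalName")
        ip = props.get("ipAddress") or record.get("callerIpAddress")
        reason = status.get("failureReason")
    else:
        raise ValueError(f"unexpected category: {category!r}")
    return {"category": category, "operation": record.get("operationName"),
            "outcome": outcome, "user": actor, "ip": ip, "reason": reason}


if __name__ == "__main__":
    for sample in (AUDIT_SAMPLE, SIGNIN_SAMPLE):
        print(summarize(sample))
```

A record whose category is neither `AuditLogs` nor `SignInLogs` raises `ValueError`, which flags a diagnostic stream that is sending log categories this DSM does not list as recorded event types.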