Microsoft Azure Active Directory

Manufacturer

Microsoft

DSM name

Microsoft Azure Active Directory

RPM file name

DSM-MicrosoftAzureActiveDirectory-JSA-version-Build_number.noarch.rpm

Protocol

Microsoft Azure Event Hubs

Event format

JSON

Recorded event types

SignIn logs, Audit logs

Automatically discovered?

Yes

Includes identity?

No

Includes custom properties?

No

More information

Azure Active Directory documentation

Log Source type

Microsoft Azure Active Directory

Protocol Configuration

Microsoft Azure Event Hubs

Log Source Identifier

The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Active Directory log sources, you might want to identify the first log source as AzureActiveDir-1, the second log source as AzureActiveDir-2, and the third log source as AzureActiveDir-3.

Add member to group - success

Group Member Added

{"time":"2019-09-03T20:01:53.7619661Z", "resourceId":"/tenants/1111a11a-111a-11a1-1111-1 11a1a2aa11a/providers/Microsoft.aadiam","operati onName":"Add member to group","operationVersion" :"1.0","category":"AuditLogs","tenantId":"1111a1 1a-111a-11a1-1111-111a1a2aa11a","resultSignature ":"None","durationMs":0,"correlationId":"1111a11 a-111a-11a1-1111-111a1a2aa11a","level":"Informat ional","properties":{"id":"Directory_AAA11_11111 ","category":"GroupManagement","correlationId":" 111a11a-111a-11a1-1111-111a1a2aa11a","result":"s uccess","resultReason":"","activityDisplayName": "Add member to group","activityDateTime":"2019-0 9-03T20:01:53.7619661+00:00","loggedByService":" Core Directory","operationType":"Assign","initia tedBy":{"user":{"id":"111a11a-111a-11a1-1111-111 a1a2aa11a","displayName":null,"userPrincipalName ":"username","ipAddress":null}},"targetResources ":[{"id":"111a11a-111a-11a1-1111-111a1a2aa11a"," displayName":null,"type":"User","userPrincipalNa me":"username","modifiedProperties":[{"displayNa me":"Group.ObjectID","oldValue":null,"newValue": "\"111a11a-111a-11a1-1111-111a1a2aa11a\""},{"dis playName":"Group.DisplayName","oldValue":null,"n ewValue":"\"AD_Roadmap\""},{"displayName":"Group .WellKnownObjectName","oldValue":null,"newValue" :null}]},{"id":"111a11a-111a-11a1-1111-111a1a2aa 11a","displayName":null,"type":"Group","groupTyp e":"azureAD","modifiedProperties":[]}],"addition alDetails":[]}}

Sign-in activity fail

User Login Failure

{"eventHubsAzureRecord":{"time":" 2018-08-08T12:41:15.3163732Z","resourceId":"/t enants/g1111111-1aaa-11a1-1111-1111aa1a1111/pr oviders/Microsoft.aadiam","operationName":"Sig n-in activity","operationVersion":"1.0","categ ory":"SignInLogs","tenantId":"h1111111-1aaa-11 a1-1111-1111aa1a1111","resultType":"50074","re sultSignature":"None","resultDescription":"Use r did not pass the MFA challenge.","durationMs ":0,"callerIpAddress":"192.0.2.0","corre lationId":"g1111111-1aaa-11a1-1111-1111aa1a1111 ","identity":"fname, lname","Level":4,"locati on":"NL","properties":{"id":"ia1111111-1aaa-11 a1-1111-1111aa1a1111","createdDateTime":"2018- 08- 08T12:41:15.3163732+00:00","userDisplayName ":"fname, lname","userPrincipalName":"user@exam ple.com","userId":"j1111111-1aaa-11a1-1111-1111 aa1a1111","appId":"k1111111-1aaa-11a1-1111-1111 aa1a1111","appDisplayName":"Microsoft App Acces s Panel","ipAddress":"192.0.2.0","status": {"error Code":50074,"failureReason":"User did not pass the MFA challenge.","additionalDetails":"MFA r equired in Azure AD"},"clientAppUsed":"Browser ","deviceDetail":"...","location":"...","mfaDe tail":{"authMethod":"Text message"},"correlati onId":"l1111111-1aaa-11a1-1111-1111aa1a1111"," conditionalAccessStatus":2,"conditionalAccessP olicies":"...","isRisky":false}}}