Microsoft Azure Active Directory
The JSA DSM for Microsoft Azure Active Directory collects Audit log events, such as user creation, role assignment, and group assignment events, and Sign-in log events, which record user sign-in activity.
To integrate Microsoft Azure Active Directory with JSA, complete the following steps:

1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
   - DSMCommon
   - Protocol Common RPM
   - Microsoft Azure Platform DSM RPM
   - Microsoft Azure Active Directory DSM RPM
   - Microsoft Azure Event Hubs Protocol RPM
2. If you do not have an existing storage account, create a storage account. For more information, see Create a storage account.

   Note: You must have a storage account to connect to an event hub.
3. If you do not have an existing event hub, create an event hub. For more information, see Quickstart: Create an event hub using Azure portal.
4. Configure your Microsoft Azure Active Directory to forward events to an Azure Event Hub by streaming events through Diagnostic Logs.
5. Configure Microsoft Azure Event Hubs to communicate with JSA.
6. If JSA does not automatically detect the log source, add a Microsoft Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol.
Microsoft Azure Active Directory DSM Specifications
When you configure the Microsoft Azure Active Directory DSM, understanding the specifications for the Microsoft Azure Active Directory DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.
| Specification | Value |
|---|---|
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Active Directory |
| RPM file name | DSM-MicrosoftAzureActiveDirectory-JSA-version-Build_number.noarch.rpm |
| Protocol | Microsoft Azure Event Hubs |
| Event format | JSON |
| Recorded event types | SignIn logs, Audit logs |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | |
Microsoft Azure Active Directory Log Source Parameters
When you add an Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol, there are specific parameters you must use.
The following table describes the parameters that require specific values to retrieve Microsoft Azure Active Directory events from Microsoft Azure Active Directory:
| Parameter | Value |
|---|---|
| Log Source type | Microsoft Azure Active Directory |
| Protocol Configuration | Microsoft Azure Event Hubs |
| Log Source Identifier | The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Active Directory log sources, you might want to identify the first log source as AzureActiveDir-1, the second log source as AzureActiveDir-2, and the third log source as AzureActiveDir-3. |
Microsoft Azure Active Directory Sample Event Messages
Use these sample event messages as a way of verifying a successful integration with JSA.
The following table provides sample event messages for the Microsoft Azure Active Directory DSM:
Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.
| Event name | Low level category | Sample log message |
|---|---|---|
| Add member to group - success | Group Member Added | `{"time":"2019-09-03T20:01:53.7619661Z","resourceId":"/tenants/1111a11a-111a-11a1-1111-111a1a2aa11a/providers/Microsoft.aadiam","operationName":"Add member to group","operationVersion":"1.0","category":"AuditLogs","tenantId":"1111a11a-111a-11a1-1111-111a1a2aa11a","resultSignature":"None","durationMs":0,"correlationId":"1111a11a-111a-11a1-1111-111a1a2aa11a","level":"Informational","properties":{"id":"Directory_AAA11_11111","category":"GroupManagement","correlationId":"111a11a-111a-11a1-1111-111a1a2aa11a","result":"success","resultReason":"","activityDisplayName":"Add member to group","activityDateTime":"2019-09-03T20:01:53.7619661+00:00","loggedByService":"Core Directory","operationType":"Assign","initiatedBy":{"user":{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"userPrincipalName":"username","ipAddress":null}},"targetResources":[{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"User","userPrincipalName":"username","modifiedProperties":[{"displayName":"Group.ObjectID","oldValue":null,"newValue":"\"111a11a-111a-11a1-1111-111a1a2aa11a\""},{"displayName":"Group.DisplayName","oldValue":null,"newValue":"\"AD_Roadmap\""},{"displayName":"Group.WellKnownObjectName","oldValue":null,"newValue":null}]},{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"Group","groupType":"azureAD","modifiedProperties":[]}],"additionalDetails":[]}}` |
| Sign-in activity fail | User Login Failure | `{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z","resourceId":"/tenants/g1111111-1aaa-11a1-1111-1111aa1a1111/providers/Microsoft.aadiam","operationName":"Sign-in activity","operationVersion":"1.0","category":"SignInLogs","tenantId":"h1111111-1aaa-11a1-1111-1111aa1a1111","resultType":"50074","resultSignature":"None","resultDescription":"User did not pass the MFA challenge.","durationMs":0,"callerIpAddress":"192.0.2.0","correlationId":"g1111111-1aaa-11a1-1111-1111aa1a1111","identity":"fname, lname","Level":4,"location":"NL","properties":{"id":"ia1111111-1aaa-11a1-1111-1111aa1a1111","createdDateTime":"2018-08-08T12:41:15.3163732+00:00","userDisplayName":"fname, lname","userPrincipalName":"user@example.com","userId":"j1111111-1aaa-11a1-1111-1111aa1a1111","appId":"k1111111-1aaa-11a1-1111-1111aa1a1111","appDisplayName":"Microsoft App Access Panel","ipAddress":"192.0.2.0","status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge.","additionalDetails":"MFA required in Azure AD"},"clientAppUsed":"Browser","deviceDetail":"...","location":"...","mfaDetail":{"authMethod":"Text message"},"correlationId":"l1111111-1aaa-11a1-1111-1111aa1a1111","conditionalAccessStatus":2,"conditionalAccessPolicies":"...","isRisky":false}}}` |
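As an added verification aid (example code written for this page, not part of the JSA documentation or the DSM itself), the following Python script shows how the two sample messages can be checked before onboarding: it strips the carriage-return and line-feed characters the note above warns about, unwraps the eventHubsAzureRecord envelope that the Sign-in sample carries and the Audit sample does not, and pulls out the actor, outcome and source address an analyst would compare against the JSA event. The sample records and the event-to-low-level-category mapping are constructed, abridged stand-ins for the table rows; the real mapping lives inside the DSM.

```python
import json
import re

# Constructed, abridged versions of the two sample records above (same field names,
# most IDs dropped), with a CR/LF break inserted to mimic a message pasted straight
# from the formatted table; the second break splits a key name, as in the page's copy.
SAMPLE_AUDIT = (
    '{"time":"2019-09-03T20:01:53.7619661Z","operationName":"Add member to group",'
    '"category":"AuditLogs","properties":{"result":"success",\r\n"initiatedBy":'
    '{"user":{"userPrincipalName":"username","ipAddress":null}},'
    '"targetResources":[{"type":"User"},{"type":"Group","groupType":"azureAD"}]}}'
)
SAMPLE_SIGNIN = (
    '{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z",'
    '"operationName":"Sign-in activity","category":"SignInLogs","resultType":"50074",'
    '"callerIp\r\nAddress":"192.0.2.0","properties":{"userPrincipalName":"user@example.com",'
    '"status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge."},'
    '"mfaDetail":{"authMethod":"Text message"}}}}'
)
# Constructed mapping for this check only; the real event-to-category mapping is inside the DSM.
LOW_LEVEL_CATEGORY = {
    ("AuditLogs", "Add member to group", "success"): "Group Member Added",
    ("SignInLogs", "Sign-in activity", "failure"): "User Login Failure",
}

def normalize(raw: str) -> dict:
    """Drop CR/LF (the note above), parse the JSON, and unwrap the optional
    "eventHubsAzureRecord" envelope that only the sign-in sample carries."""
    record = json.loads(re.sub(r"[\r\n]", "", raw))
    return record.get("eventHubsAzureRecord", record)

def summarize(record: dict) -> dict:
    """Extract the fields an analyst checks first: actor, operation, outcome, source IP."""
    props = record.get("properties", {})
    category = record.get("category")
    summary = {"category": category, "operation": record.get("operationName")}
    if category == "AuditLogs":
        actor = props.get("initiatedBy", {}).get("user") or {}
        summary.update(result=props.get("result"), actor=actor.get("userPrincipalName"),
                       source_ip=actor.get("ipAddress"),
                       target_types=[t.get("type") for t in props.get("targetResources", [])])
    elif category == "SignInLogs":
        status = props.get("status", {})
        summary.update(result="failure" if status.get("errorCode") else "success",
                       actor=props.get("userPrincipalName"), error_code=status.get("errorCode"),
                       source_ip=record.get("callerIpAddress"),
                       mfa_method=props.get("mfaDetail", {}).get("authMethod"))
    summary["low_level_category"] = LOW_LEVEL_CATEGORY.get(
        (category, summary["operation"], summary.get("result")), "Unknown")
    return summary
```

Run `summarize(normalize(SAMPLE_SIGNIN))` on a message copied from your own event hub output as well; if the envelope or the `status.errorCode` field is missing, the Event Hubs protocol or Diagnostic Logs streaming is not delivering the expected record shape.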