
Microsoft Azure Active Directory

The JSA DSM for Microsoft Azure Active Directory collects Audit log events, such as user creation, role assignment, and group assignment events, and Sign-in log events, which record user sign-in activity.

To integrate Microsoft Azure Active Directory with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • DSMCommon

    • Protocol Common RPM

    • Microsoft Azure Platform DSM RPM

    • Microsoft Azure Active Directory DSM RPM

    • Microsoft Azure Event Hubs Protocol RPM

  2. If you do not have an existing storage account, create a storage account. For more information, see Create a storage account.

    Note:

    You must have a storage account to connect to an event hub.

  3. If you do not have an existing event hub, create an event hub. For more information, see Quickstart: Create an event hub using Azure portal.

  4. Configure your Microsoft Azure Active Directory to forward events to an Azure Event Hub by streaming events through Diagnostic Logs.

  5. Configure Microsoft Azure Event Hubs to communicate with JSA.

  6. If JSA does not automatically detect the log source, add a Microsoft Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol.

Microsoft Azure Active Directory DSM Specifications

When you configure the Microsoft Azure Active Directory DSM, understanding the specifications for the Microsoft Azure Active Directory DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.

Table 1: Microsoft Azure Active Directory DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Active Directory |
| RPM file name | DSM-MicrosoftAzureActiveDirectory-JSA-version-Build_number.noarch.rpm |
| Protocol | Microsoft Azure Event Hubs |
| Event format | JSON |
| Recorded event types | SignIn logs, Audit logs |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Azure Active Directory documentation |

Microsoft Azure Active Directory Log Source Parameters

When you add an Azure Active Directory log source on the JSA Console by using the Microsoft Azure Event Hubs protocol, there are specific parameters you must use.

The following table describes the parameters that require specific values to retrieve Microsoft Azure Active Directory events from Microsoft Azure Active Directory:

Table 2: Microsoft Azure Event Hubs Protocol Log Source Parameters for the Microsoft Azure Active Directory DSM

| Parameter | Value |
|---|---|
| Log Source type | Microsoft Azure Active Directory |
| Protocol Configuration | Microsoft Azure Event Hubs |
| Log Source Identifier | The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Active Directory log sources, you might want to identify the first log source as AzureActiveDir-1, the second log source as AzureActiveDir-2, and the third log source as AzureActiveDir-3. |

Microsoft Azure Active Directory Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages for the Microsoft Azure Active Directory DSM:

Note:

Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Table 3: Microsoft Azure Active Directory Sample Message Supported by Microsoft Azure Active Directory

Event name: Add member to group - success

Low level category: Group Member Added

Sample log message:

{"time":"2019-09-03T20:01:53.7619661Z","resourceId":"/tenants/1111a11a-111a-11a1-1111-111a1a2aa11a/providers/Microsoft.aadiam","operationName":"Add member to group","operationVersion":"1.0","category":"AuditLogs","tenantId":"1111a11a-111a-11a1-1111-111a1a2aa11a","resultSignature":"None","durationMs":0,"correlationId":"1111a11a-111a-11a1-1111-111a1a2aa11a","level":"Informational","properties":{"id":"Directory_AAA11_11111","category":"GroupManagement","correlationId":"111a11a-111a-11a1-1111-111a1a2aa11a","result":"success","resultReason":"","activityDisplayName":"Add member to group","activityDateTime":"2019-09-03T20:01:53.7619661+00:00","loggedByService":"Core Directory","operationType":"Assign","initiatedBy":{"user":{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"userPrincipalName":"username","ipAddress":null}},"targetResources":[{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"User","userPrincipalName":"username","modifiedProperties":[{"displayName":"Group.ObjectID","oldValue":null,"newValue":"\"111a11a-111a-11a1-1111-111a1a2aa11a\""},{"displayName":"Group.DisplayName","oldValue":null,"newValue":"\"AD_Roadmap\""},{"displayName":"Group.WellKnownObjectName","oldValue":null,"newValue":null}]},{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"Group","groupType":"azureAD","modifiedProperties":[]}],"additionalDetails":[]}}

Event name: Sign-in activity fail

Low level category: User Login Failure

Sample log message:

{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z","resourceId":"/tenants/g1111111-1aaa-11a1-1111-1111aa1a1111/providers/Microsoft.aadiam","operationName":"Sign-in activity","operationVersion":"1.0","category":"SignInLogs","tenantId":"h1111111-1aaa-11a1-1111-1111aa1a1111","resultType":"50074","resultSignature":"None","resultDescription":"User did not pass the MFA challenge.","durationMs":0,"callerIpAddress":"192.0.2.0","correlationId":"g1111111-1aaa-11a1-1111-1111aa1a1111","identity":"fname, lname","Level":4,"location":"NL","properties":{"id":"ia1111111-1aaa-11a1-1111-1111aa1a1111","createdDateTime":"2018-08-08T12:41:15.3163732+00:00","userDisplayName":"fname, lname","userPrincipalName":"user@example.com","userId":"j1111111-1aaa-11a1-1111-1111aa1a1111","appId":"k1111111-1aaa-11a1-1111-1111aa1a1111","appDisplayName":"Microsoft App Access Panel","ipAddress":"192.0.2.0","status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge.","additionalDetails":"MFA required in Azure AD"},"clientAppUsed":"Browser","deviceDetail":"...","location":"...","mfaDetail":{"authMethod":"Text message"},"correlationId":"l1111111-1aaa-11a1-1111-1111aa1a1111","conditionalAccessStatus":2,"conditionalAccessPolicies":"...","isRisky":false}}}
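When verifying the integration, it helps to pull the same fields out of the raw message that you expect to see on the parsed event in JSA. The following Python sketch is an added example, not part of the JSA documentation or the DSM itself: the function names are illustrative, and the two inputs are trimmed copies of the Table 3 sample messages. It handles the optional `eventHubsAzureRecord` envelope seen in the sign-in sample and the JSON-inside-a-string encoding of `modifiedProperties` values seen in the audit sample.

```python
import json

# Constructed samples: trimmed copies of the two Table 3 messages (same field
# names and values, fewer fields), each already joined onto a single line.
AUDIT = (r'{"operationName":"Add member to group","category":"AuditLogs","properties":'
         r'{"result":"success","initiatedBy":{"user":{"userPrincipalName":"username","ipAddress":null}},'
         r'"targetResources":[{"type":"User","modifiedProperties":[{"displayName":"Group.DisplayName",'
         r'"oldValue":null,"newValue":"\"AD_Roadmap\""}]},{"type":"Group","modifiedProperties":[]}]}}')
SIGNIN = (r'{"eventHubsAzureRecord":{"operationName":"Sign-in activity","category":"SignInLogs",'
          r'"resultType":"50074","callerIpAddress":"192.0.2.0","properties":{"userPrincipalName":'
          r'"user@example.com","ipAddress":"192.0.2.0","status":{"errorCode":50074,'
          r'"failureReason":"User did not pass the MFA challenge."}}}}')

def unwrap(raw):
    """Parse one message and drop the eventHubsAzureRecord envelope if present."""
    rec = json.loads(raw)
    return rec.get("eventHubsAzureRecord", rec)

def decode(value):
    """modifiedProperties values are JSON text inside a JSON string."""
    try:
        return json.loads(value) if value else None
    except (ValueError, TypeError):
        return value  # not JSON after all: keep the raw text

def summarize(raw):
    """Return the fields to compare against the parsed event in the SIEM."""
    rec = unwrap(raw)
    props = rec.get("properties") or {}
    out = {"category": rec.get("category"), "operation": rec.get("operationName")}
    if out["category"] == "SignInLogs":
        status = props.get("status") or {}
        code = status.get("errorCode", rec.get("resultType"))
        # Azure AD reports a successful sign-in as error code 0.
        result = None if code is None else ("success" if int(code) == 0 else "failure")
        out.update(user=props.get("userPrincipalName"), result=result,
                   src_ip=props.get("ipAddress") or rec.get("callerIpAddress"),
                   reason=status.get("failureReason"))
    else:  # AuditLogs
        actor = (props.get("initiatedBy") or {}).get("user") or {}
        changes = {mp["displayName"]: decode(mp.get("newValue"))
                   for target in props.get("targetResources") or []
                   for mp in target.get("modifiedProperties") or []}
        out.update(user=actor.get("userPrincipalName"), result=props.get("result"),
                   src_ip=actor.get("ipAddress"), changes=changes)
    return out

if __name__ == "__main__":
    print(summarize(AUDIT), summarize(SIGNIN), sep="\n")
```
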