Script configuration of audit logs for AAD to an event hub

Ben Peters 6 Reputation points
2020-06-01T19:03:13.497+00:00

I am trying to write a script we can use company wide, across all our Azure accounts, to properly configure all the audit logging for centralized monitoring. I am struggling, however, to figure out how to script configuring Active Directory audit logs to go into an event hub.

I have been able to script this for logs related to a subscription and all associated resources, and I know how to do the AD portion via the portal, but I cannot find any way using Azure CLI or PowerShell to do this for AD logs.

Specifically, I want to be able to script configuration so that things like user and group creation are also forwarded to an event hub.


2 answers

  1. Saurabh Sharma 23,671 Reputation points Microsoft Employee
    2020-06-03T23:14:25.287+00:00

    You can directly stream Azure AD logs to an Azure event hub. You do not need to write any automation for moving the data to the Azure event hub.
    You can configure streaming of audit logs (which include changes made to any Azure AD resources like users, groups, apps, roles or policies) using the Azure portal. You need to follow the steps below:

    1. Sign in to Azure and go to the "Audit Logs" blade (Azure Active Directory > Monitoring > Audit logs).
    2. Select Export Data Settings.
      (screenshot: audit-logs-export-data-settings.png)
    3. Select Add diagnostic setting from the Diagnostic settings pane.
      (screenshot: audit-logs-diagnostic-settings.png)
    4. Select "Stream to an event hub" and provide the required details of the Event Hub.
      (screenshot: diagnostics-settings-stream-to-event-hub.png)

    You can then consume this event hub data with supported SIEM tools if required. Please refer to Tutorial: Stream Azure Active Directory logs to an Azure event hub for detailed information.

    (Please don't forget to accept helpful replies as answer)

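The portal steps in the answer above, expressed as a script so they can be handed to many account owners. This is an added example and not part of the original answer or of any Microsoft sample: the tenant-level Azure AD diagnostic setting is written through the ARM resource `/providers/microsoft.aadiam/diagnosticSettings/{name}` with `az rest`. The API version `2017-04-01-preview`, the body shape, the setting name `central-siem`, the hub name `aad-logs` and the `<...>` placeholders in the rule id are assumptions to be verified against the current documentation and replaced with the tenant's own values. The caller needs an Azure AD role allowed to manage diagnostic settings plus rights on the Event Hub authorization rule.

```shell
#!/usr/bin/env sh
# Added example: script the portal steps (Audit logs > Export Data Settings >
# Add diagnostic setting > Stream to an event hub) as an ARM PUT via `az rest`.
# Assumptions: tenant-level resource /providers/microsoft.aadiam/diagnosticSettings/{name}
# and api-version 2017-04-01-preview (check current docs before rollout).

ARM="https://management.azure.com"
API_VERSION="2017-04-01-preview"   # assumption: verify against current docs

# URL of the tenant-level diagnostic setting resource (one per setting name).
aad_diag_url() {
    printf '%s/providers/microsoft.aadiam/diagnosticSettings/%s?api-version=%s' \
        "$ARM" "$1" "$API_VERSION"
}

# Build the PUT body.
#   $1 = Event Hub authorization rule resource id
#   $2 = event hub name
#   remaining args = log categories to enable, e.g. AuditLogs SignInLogs
# Retention is left to the hub itself (retentionPolicy disabled).
build_aad_diag_body() {
    rule_id=$1; hub=$2; shift 2
    logs=""
    for category in "$@"; do
        entry=$(printf '{"category": "%s", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}}' "$category")
        logs="${logs:+$logs, }$entry"
    done
    printf '{"properties": {"eventHubAuthorizationRuleId": "%s", "eventHubName": "%s", "logs": [%s]}}' \
        "$rule_id" "$hub" "$logs"
}

# Write the setting, then read it back so the script fails loudly if the
# enabled categories do not match what was requested.
apply_aad_diag_setting() {
    name=$1; rule_id=$2; hub=$3; shift 3
    body=$(build_aad_diag_body "$rule_id" "$hub" "$@")
    az rest --method put --url "$(aad_diag_url "$name")" --body "$body" >/dev/null
    az rest --method get --url "$(aad_diag_url "$name")" \
        --query "properties.logs[?enabled].category" -o tsv
}

# Only touch the tenant when explicitly asked, so the file can be sourced or
# reviewed without side effects.
if [ "${1:-}" = "--apply" ]; then
    # Placeholder values: replace with the tenant's own Event Hub rule id and hub name.
    RULE_ID="/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/authorizationrules/RootManageSharedAccessKey"
    apply_aad_diag_setting "central-siem" "$RULE_ID" "aad-logs" AuditLogs SignInLogs
fi
```

Run it as `sh configure-aad-logs.sh --apply` after `az login` to a principal that may manage the tenant's diagnostic settings; the trailing `get` prints the categories that actually ended up enabled, which is the check worth keeping in a script that many people will run unattended.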

  2. Ben Peters 6 Reputation points
    2020-06-04T17:18:43.677+00:00

    Thank you very much for taking the time to answer, however, it doesn't really help. As I mentioned, I actually already knew how to do it via the portal, with the method you describe. I specifically need to script this if possible, as the intention is to give a single, simple script to many Azure account owners so they can easily configure logging.