Integrate Azure Active Directory audit logs

Azure Active Directory (Azure AD) audit events help you identify privileged actions that occurred in Azure Active Directory. You can see the types of events that you can track by reviewing Azure Active Directory audit report events.

Important

The Azure Log Integration feature will be deprecated by 06/15/2019. AzLog downloads were disabled on Jun 27, 2018. For guidance on what to do moving forward, review the post Use Azure Monitor to integrate with SIEM tools.

Steps to integrate Azure Active Directory audit logs

Note

Before you attempt the steps in this article, you must review the Get started article and complete the relevant steps there.

  1. Open the command prompt and run this command:

    cd c:\Program Files\Microsoft Azure Log Integration

  2. Run this command:

    azlog createazureid

    This command prompts you for your Azure login. The command then creates an Azure Active Directory service principal in the Azure AD tenants that host the Azure subscriptions in which the logged-in user is an administrator, a co-administrator, or an owner. The command will fail if the logged-in user is only a guest user in the Azure AD tenant. Authentication to Azure is done through Azure AD. Creating a service principal for Azure Log Integration creates the Azure AD identity that is given access to read from Azure subscriptions.

  3. Run the following command to provide your tenant ID. You need to be a member of the tenant admin role to run the command.

    azlog.exe authorizedirectoryreader tenantId

    Example:

    azlog.exe authorizedirectoryreader ba2c0000-d24b-4f4e-92b1-48c4469999

  4. Check the following folders to confirm that the Azure Active Directory audit log JSON files are created in them:

    • C:\Users\azlog\AzureActiveDirectoryJson
    • C:\Users\azlog\AzureActiveDirectoryJsonLD
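As an added example (not from the original article or the AzLog tool), the following PowerShell health check automates step 4: it confirms both output folders exist, counts the JSON files in each, and warns when the newest file is older than a threshold, which is the usual symptom of the AzLog service or its Azure AD authorization having stopped working. The folder paths are the ones listed above; the function name and the 24-hour staleness threshold are assumptions.

```powershell
# Added example: verify that Azure Log Integration is still writing Azure AD audit JSON files.
# Folder paths are from the article; the staleness threshold (hours) is an assumption.
function Test-AzLogAadOutput {
    param(
        [string[]] $Folders = @(
            'C:\Users\azlog\AzureActiveDirectoryJson',
            'C:\Users\azlog\AzureActiveDirectoryJsonLD'
        ),
        [int] $MaxAgeHours = 24
    )

    $now = Get-Date
    $healthy = $true

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Missing folder: $folder"
            $healthy = $false
            continue
        }

        # Only the JSON files matter; anything else in the folder is ignored.
        $files = @(Get-ChildItem -LiteralPath $folder -Filter '*.json' -File -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            Write-Warning "No JSON files in $folder yet"
            $healthy = $false
            continue
        }

        # A folder that exists but has gone quiet is the case worth alerting on.
        $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $age = ($now - $newest.LastWriteTime).TotalHours
        if ($age -gt $MaxAgeHours) {
            Write-Warning ("{0}: newest file {1} is {2:N1} h old (threshold {3} h)" -f $folder, $newest.Name, $age, $MaxAgeHours)
            $healthy = $false
        } else {
            Write-Output ("{0}: {1} file(s), newest {2} written {3:N1} h ago" -f $folder, $files.Count, $newest.Name, $age)
        }
    }

    return $healthy
}

# Exit non-zero when unhealthy so a scheduled task or monitoring job can alert on it.
if (-not (Test-AzLogAadOutput)) { exit 1 }
```

Run it from a scheduled task on the AzLog host after the initial setup has produced files, so a gap in audit-log collection is noticed before it becomes a gap in the SIEM.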

The following video demonstrates the steps covered in this article:

Note

For specific instructions on bringing the information in the JSON files into your security information and event management (SIEM) system, contact your SIEM vendor.

Community assistance is available through the Azure Log Integration MSDN Forum. This forum enables people in the Azure Log Integration community to support each other with questions, answers, tips, and tricks. In addition, the Azure Log Integration team monitors this forum and helps whenever it can.

You can also open a support request. Select Log Integration as the service for which you are requesting support.

Next steps

To learn more about Azure Log Integration, see: