Enable security audits for Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) security audits let Azure stream security events to targeted resources. These resources include Azure Storage, Azure Log Analytics workspaces, or Azure Event Hubs. After you enable security audit events, Azure AD DS sends all the audited events for the selected categories to the targeted resource.

You can archive events into Azure Storage, stream events into security information and event management (SIEM) software (or equivalent) using Azure Event Hubs, or do your own analysis using Azure Log Analytics workspaces from the Azure portal.

Important

Azure AD DS security audits are only available for Azure Resource Manager-based managed domains. For information on how to migrate, see Migrate Azure AD DS from the Classic virtual network model to Resource Manager.

Security audit destinations

You can use Azure Storage, Azure Event Hubs, or Azure Log Analytics workspaces as a target resource for Azure AD DS security audits. These destinations can be combined. For example, you could use Azure Storage for archiving security audit events, but an Azure Log Analytics workspace to analyze and report on the information in the short term.

The following table outlines scenarios for each destination resource type.

Important

You need to create the target resource before you enable Azure AD DS security audits. You can create these resources using the Azure portal, Azure PowerShell, or the Azure CLI.

Target resource: Azure Storage
Scenario: Use this target when your primary need is to store security audit events for archival purposes. Other targets can also be used for archiving, but they provide capabilities beyond that primary need. Before you enable Azure AD DS security audit events, first create an Azure Storage account.

Target resource: Azure Event Hubs
Scenario: Use this target when your primary need is to share security audit events with additional software such as data analysis software or security information and event management (SIEM) software. Before you enable Azure AD DS security audit events, create an event hub using the Azure portal.

Target resource: Azure Log Analytics workspace
Scenario: Use this target when your primary need is to analyze and review security audits directly from the Azure portal. Before you enable Azure AD DS security audit events, create a Log Analytics workspace in the Azure portal.

Enable security audit events using the Azure portal

To enable Azure AD DS security audit events using the Azure portal, complete the following steps.

Important

Azure AD DS security audits aren't retroactive. You can't retrieve or replay events from the past. Azure AD DS can only send events that occur after security audits are enabled.

  1. Sign in to the Azure portal at https://portal.azure.com.

  2. At the top of the Azure portal, search for and select Azure AD Domain Services. Choose your managed domain, such as aaddscontoso.com.

  3. In the Azure AD DS window, select Diagnostic settings on the left-hand side.

  4. No diagnostics are configured by default. To get started, select Add diagnostic setting.

    (Screenshot: Add a diagnostic setting for Azure AD Domain Services)

  5. Enter a name for the diagnostic configuration, such as aadds-auditing.

    Check the box for the security audit destination you want. You can choose from an Azure Storage account, an Azure event hub, or a Log Analytics workspace. These destination resources must already exist in your Azure subscription. You can't create the destination resources in this wizard.

    (Screenshot: Enable the required destination and type of audit events to capture)

    • Azure storage
      • Select Archive to a storage account, then choose Configure.
      • Select the Subscription and the Storage account you want to use to archive security audit events.
      • When ready, choose OK.
    • Azure event hubs
      • Select Stream to an event hub, then choose Configure.
      • Select the Subscription and the Event hub namespace. If needed, also choose an Event hub name and then Event hub policy name.
      • When ready, choose OK.
    • Azure Log Analytics workspaces
      • Select Send to Log Analytics, then choose the Subscription and Log Analytics Workspace you want to use to store security audit events.
  6. Select the log categories you want included for the particular target resource. If you send the audit events to an Azure Storage account, you can also configure a retention policy that defines the number of days to retain data. A default setting of 0 retains all data and doesn't rotate events after a period of time.

    You can select different log categories for each targeted resource within a single configuration. This ability lets you choose, for example, which log categories you want to keep in Log Analytics and which log categories you want to archive.

  7. When done, select Save to commit your changes. The target resources start to receive Azure AD DS security audit events soon after the configuration is saved.

Enable security audit events using Azure PowerShell

To enable Azure AD DS security audit events using Azure PowerShell, complete the following steps. If needed, first install the Azure PowerShell module and connect to your Azure subscription.

Important

Azure AD DS security audits aren't retroactive. You can't retrieve or replay events from the past. Azure AD DS can only send events that occur after security audits are enabled.

  1. Authenticate to your Azure subscription using the Connect-AzAccount cmdlet. When prompted, enter your account credentials.

    Connect-AzAccount
    
  2. Create the target resource for the security audit events.

  3. Get the resource ID for your Azure AD DS managed domain using the Get-AzResource cmdlet. Store the result in a variable named $aadds; its ResourceId property ($aadds.ResourceId) holds the value you need in the next step:

    $aadds = Get-AzResource -name aaddsDomainName
    
  4. Configure the Azure Diagnostic settings using the Set-AzDiagnosticSetting cmdlet to use the target resource for Azure AD Domain Services security audit events. In the following examples, the variable $aadds.ResourceId is used from the previous step.

    • Azure Storage - Replace storageAccountId with the resource ID of your storage account:

      Set-AzDiagnosticSetting `
          -ResourceId $aadds.ResourceId `
          -StorageAccountId storageAccountId `
          -Enabled $true
      
    • Azure event hubs - Replace eventHubName with the name of your event hub and eventHubRuleId with your authorization rule ID:

      Set-AzDiagnosticSetting -ResourceId $aadds.ResourceId `
          -EventHubName eventHubName `
          -EventHubAuthorizationRuleId eventHubRuleId `
          -Enabled $true
      
    • Azure Log Analytics workspaces - Replace workspaceId with the resource ID of the Log Analytics workspace (the cmdlet is the Az module's Set-AzDiagnosticSetting, the same one used for the other two targets):

      Set-AzDiagnosticSetting -ResourceId $aadds.ResourceId `
          -WorkspaceId workspaceId `
          -Enabled $true
      

Query and view security audit events using Azure Monitor

Log Analytics workspaces let you view and analyze the security audit events using Azure Monitor and the Kusto Query Language (KQL). This read-only query language offers powerful analytic capabilities with an easy-to-read syntax. For more information on getting started with Kusto, see the following articles:

The following sample queries can be used to start analyzing security audit events from Azure AD DS.

Sample query 1

View all the account lockout events for the last seven days:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"

Sample query 2

View all the account lockout events (4740) between June 3, 2020 at 9 a.m. and June 10, 2020 midnight, sorted ascending by the date and time:

AADDomainServicesAccountManagement
| where TimeGenerated >= datetime(2020-06-03 09:00) and TimeGenerated <= datetime(2020-06-10)
| where OperationName has "4740"
| sort by TimeGenerated asc

Sample query 3

View account sign-in events from the last seven days for the account named user:

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))

Sample query 4

View account sign-in events from the last seven days for the account named user that attempted to sign in using a bad password (0xC000006A):

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))
| where "0xc000006a" == tolower(extract("Error Code:\t(.+[0-9A-Fa-f])",1,tostring(ResultDescription)))

Sample query 5

View account sign-in events from the last seven days for the account named user that attempted to sign in while the account was locked out (0xC0000234):

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "user" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))
| where "0xc0000234" == tolower(extract("Error Code:\t(.+[0-9A-Fa-f])",1,tostring(ResultDescription)))

Sample query 6

View the number of account sign-in events from the last seven days for all sign-in attempts made by locked-out users:

AADDomainServicesAccountLogon
| where TimeGenerated >= ago(7d)
| where "0xc0000234" == tolower(extract("Error Code:\t(.+[0-9A-Fa-f])",1,tostring(ResultDescription)))
| summarize count()
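Sample queries 3 to 6 all depend on the two extract() regular expressions pulling the Logon Account and Error Code fields out of the tab-separated ResultDescription text, and then comparing the lower-cased values. The following Python script is an example added here, not code from the Azure documentation: it reproduces that parsing and the filters of queries 3 to 6 over a handful of constructed events laid out like a 4776 credential-validation message, and goes one step further than the page by grouping locked-out attempts per account (the equivalent of summarize count() by account). The message layout, account names, workstation names and timestamps are constructed assumptions; the script runs offline so you can check how the regexes behave on edge cases such as mixed-case account names before relying on them in a Log Analytics query.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# The two patterns are the ones used by the page's KQL extract() calls. KQL uses RE2
# syntax; for these patterns Python's re behaves identically, and "." stops at a
# newline in both engines, so each capture ends at the end of the field's line.
LOGON_ACCOUNT_RE = re.compile(r"Logon Account:\t(.+[0-9A-Za-z])")
ERROR_CODE_RE = re.compile(r"Error Code:\t(.+[0-9A-Fa-f])")

# NTSTATUS values compared by the queries, lower-cased the way tolower() does.
STATUS_WRONG_PASSWORD = "0xc000006a"
STATUS_ACCOUNT_LOCKED_OUT = "0xc0000234"


class LogonEvent(NamedTuple):
    """One row of AADDomainServicesAccountLogon, reduced to the columns the queries use."""
    TimeGenerated: datetime
    OperationName: str
    ResultDescription: str


def result_description(account: str, workstation: str, error_code: str) -> str:
    """Build a constructed ResultDescription in the tab-separated layout of event 4776 (assumed format)."""
    return (
        "The computer attempted to validate the credentials for an account.\n\n"
        "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        f"Logon Account:\t{account}\n"
        f"Source Workstation:\t{workstation}\n"
        f"Error Code:\t{error_code}"
    )


# Fixed "now" so the seven-day window is reproducible; every event below is a constructed sample.
NOW = datetime(2020, 6, 10, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    LogonEvent(NOW - timedelta(days=1), "4776", result_description("user", "WKS01", "0xC000006A")),
    LogonEvent(NOW - timedelta(days=2), "4776", result_description("user", "WKS01", "0xC000006A")),
    LogonEvent(NOW - timedelta(days=3), "4776", result_description("user", "WKS02", "0xC0000234")),
    LogonEvent(NOW - timedelta(days=10), "4776", result_description("user", "WKS01", "0xC000006A")),  # outside window
    LogonEvent(NOW - timedelta(days=1), "4776", result_description("alice", "WKS03", "0x0")),  # success
    LogonEvent(NOW - timedelta(days=4), "4776", result_description("bob", "WKS04", "0xC0000234")),
    LogonEvent(NOW - timedelta(days=5), "4776", result_description("User", "WKS01", "0xc0000234")),  # mixed case
]


def extract(pattern: "re.Pattern[str]", text: str) -> str:
    """Mimic KQL extract(regex, 1, text): the first capture group, or "" when nothing matches."""
    match = pattern.search(text)
    return match.group(1) if match else ""


def logon_account(event: LogonEvent) -> str:
    """tolower(extract("Logon Account:\\t(.+[0-9A-Za-z])", 1, tostring(ResultDescription)))"""
    return extract(LOGON_ACCOUNT_RE, event.ResultDescription).lower()


def error_code(event: LogonEvent) -> str:
    """tolower(extract("Error Code:\\t(.+[0-9A-Fa-f])", 1, tostring(ResultDescription)))"""
    return extract(ERROR_CODE_RE, event.ResultDescription).lower()


def in_window(events, days=7, now=NOW):
    """where TimeGenerated >= ago(7d)"""
    return [e for e in events if e.TimeGenerated >= now - timedelta(days=days)]


def signins_for_account(events, account, now=NOW):
    """Sample query 3: all sign-in events for one account in the window."""
    return [e for e in in_window(events, now=now) if logon_account(e) == account.lower()]


def failed_signins_for_account(events, account, status, now=NOW):
    """Sample queries 4 and 5, parameterised on the NTSTATUS code being matched."""
    return [e for e in signins_for_account(events, account, now) if error_code(e) == status]


def count_locked_out_signins(events, now=NOW) -> int:
    """Sample query 6: summarize count() over locked-out attempts for all accounts."""
    return sum(1 for e in in_window(events, now=now) if error_code(e) == STATUS_ACCOUNT_LOCKED_OUT)


def locked_out_signins_by_account(events, now=NOW) -> dict:
    """Goes beyond the page: the equivalent of 'summarize count() by account' for locked-out attempts."""
    return dict(Counter(logon_account(e) for e in in_window(events, now=now)
                        if error_code(e) == STATUS_ACCOUNT_LOCKED_OUT))


if __name__ == "__main__":
    print("query 3 (user, 7d):", len(signins_for_account(SAMPLE_EVENTS, "user")))
    print("query 4 (user, bad password):", len(failed_signins_for_account(SAMPLE_EVENTS, "user", STATUS_WRONG_PASSWORD)))
    print("query 5 (user, locked out):", len(failed_signins_for_account(SAMPLE_EVENTS, "user", STATUS_ACCOUNT_LOCKED_OUT)))
    print("query 6 (all locked out):", count_locked_out_signins(SAMPLE_EVENTS))
    print("locked out by account:", locked_out_signins_by_account(SAMPLE_EVENTS))
```

The mixed-case "User" event is included on purpose: without the tolower() on both sides of the comparison, the page's queries would miss it, which is also why the script lower-cases the account argument before comparing. The ten-day-old event shows the ago(7d) cut-off dropping history that predates the window, the same way audits enabled today will never show events from before they were enabled.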

Audit event categories

Azure AD DS security audits align with the auditing categories of traditional AD DS domain controllers. In hybrid environments, you can reuse existing audit patterns so the same logic can be used when analyzing the events. Depending on the scenario you need to troubleshoot or analyze, target the relevant audit event categories.

The following audit event categories are available:

Account Logon: Audits attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Logon and Logoff policy settings and events track attempts to access a particular computer; settings and events in this category focus on the account database that is used. This category includes the following subcategories:

Account Management: Audits changes to user and computer accounts and groups. This category includes the following subcategories:

Detail Tracking: Audits activities of individual applications and users on that computer, to understand how a computer is being used. This category includes the following subcategories:

Directory Services Access: Audits attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:

Logon-Logoff: Audits attempts to log on to a computer interactively or over a network. These events are useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:

Object Access: Audits attempts to access specific objects or types of objects on a network or computer. This category includes the following subcategories:

Policy Change: Audits changes to important security policies on a local system or network. Policies are typically established by administrators to help secure network resources. Monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:

Privilege Use: Audits the use of certain permissions on one or more systems. This category includes the following subcategories:

System: Audits system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:

Event IDs per category

Azure AD DS security audits record the following event IDs when the specific action triggers an auditable event:

Account Logon security: 4767, 4774, 4775, 4776, 4777

Account Management security: 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377

Detail Tracking security: None

DS Access security: 5136, 5137, 5138, 5139, 5141

Logon-Logoff security: 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964

Object Access security: None

Policy Change security: 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912

Privilege Use security: 4985

System security: 4612, 4621

Next steps

For specific information on Kusto, see the following articles: