Monitor Azure AD B2C with Azure Monitor

Use Azure Monitor to route Azure Active Directory B2C (Azure AD B2C) sign-in and auditing logs to different monitoring solutions. You can retain the logs for long-term use or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment.

You can route log events to a Log Analytics workspace, an Azure storage account, or an Azure event hub.

In this article, you learn how to transfer the logs to an Azure Log Analytics workspace. Then you can create a dashboard or create alerts that are based on Azure AD B2C users' activities.

Important

When you plan to transfer Azure AD B2C logs to a different monitoring solution or repository, consider the following. Azure AD B2C logs contain personal data. Such data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, using appropriate technical or organizational measures.


Deployment overview

Azure AD B2C uses Azure Active Directory monitoring. Because an Azure AD B2C tenant, unlike an Azure AD tenant, can't have an Azure subscription associated with it, some additional steps are needed to enable the integration between Azure AD B2C and Log Analytics, which is where the logs will be sent. To enable Diagnostic settings in Azure Active Directory within your Azure AD B2C tenant, you use Azure Lighthouse to delegate a resource, which allows your Azure AD B2C tenant (the service provider) to manage an Azure AD (the customer) resource.

Tip

Azure Lighthouse is typically used to manage resources for multiple customers. However, it can also be used to manage resources within an enterprise that has multiple Azure AD tenants of its own, which is what we are doing here, except that we are only delegating the management of a single resource group.

After you complete the steps in this article, you'll have created a new resource group (here called azure-ad-b2c-monitor) and have access to that same resource group that contains the Log Analytics workspace in your Azure AD B2C portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace.

During this deployment, you'll authorize a user or group in your Azure AD B2C directory to configure the Log Analytics workspace instance within the tenant that contains your Azure subscription. To create the authorization, you deploy an Azure Resource Manager template to the subscription containing the Log Analytics workspace.

The following diagram depicts the components you'll configure in your Azure AD and Azure AD B2C tenants.

Resource group projection

During this deployment, you'll configure both your Azure AD B2C tenant and Azure AD tenant where the Log Analytics workspace will be hosted. The Azure AD B2C accounts used (such as your admin account) should be assigned the Global Administrator role on the Azure AD B2C tenant. The Azure AD account used to run the deployment must be assigned the Owner role in the Azure AD subscription. It's also important to make sure you're signed in to the correct directory as you complete each step as described.

In summary, you will use Azure Lighthouse to allow a user or group in your Azure AD B2C tenant to manage a resource group in a subscription associated with a different tenant (the Azure AD tenant). After this authorization is completed, the subscription and log analytics workspace can be selected as a target in the Diagnostic settings in Azure AD B2C.

1. Create or choose resource group

First, create, or choose a resource group that contains the destination Log Analytics workspace that will receive data from Azure AD B2C. You'll specify the resource group name when you deploy the Azure Resource Manager template.

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD tenant. Select the Directories + subscriptions icon in the portal toolbar.
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD directory in the Directory name list, and then select Switch.
  4. Create a resource group or choose an existing one. This example uses a resource group named azure-ad-b2c-monitor.

2. Create a Log Analytics workspace

A Log Analytics workspace is a unique environment for Azure Monitor log data. You'll use this Log Analytics workspace to collect data from Azure AD B2C audit logs, and then visualize it with queries and workbooks, or create alerts.

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD tenant. Select the Directories + subscriptions icon in the portal toolbar.
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD directory in the Directory name list, and then select Switch.
  4. Create a Log Analytics workspace. This example uses a Log Analytics workspace named AzureAdB2C, in a resource group named azure-ad-b2c-monitor.

3. Delegate resource management

In this step, you choose your Azure AD B2C tenant as a service provider. You also define the authorizations that assign the appropriate Azure built-in roles to groups in your Azure AD B2C tenant, scoped to the resource group in your Azure AD tenant.

3.1 Get your Azure AD B2C tenant ID

First, get the Tenant ID of your Azure AD B2C directory (also known as the directory ID).

  1. Sign in to the Azure portal.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
  4. Select Azure Active Directory, select Overview.
  5. Record the Tenant ID.

3.2 Select a security group

Now select an Azure AD B2C group or user to which you want to give permission to the resource group you created earlier in the directory containing your subscription.

To make management easier, we recommend using Azure AD user groups for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. In this walkthrough, we'll add a security group.

Important

In order to add permissions for an Azure AD group, the Group type must be set to Security. This option is selected when the group is created. For more information, see Create a basic group and add members using Azure Active Directory.

  1. With Azure Active Directory still selected in your Azure AD B2C directory, select Groups, and then select a group. If you don't have an existing group, create a Security group, then add members. For more information, follow the procedure Create a basic group and add members using Azure Active Directory.
  2. Select Overview, and record the group's Object ID.

3.3 Create an Azure Resource Manager template

To create the custom authorization and delegation in Azure Lighthouse, we use an Azure Resource Manager template that grants Azure AD B2C access to the Azure AD resource group you created earlier (for example, azure-ad-b2c-monitor). Deploy the template from the GitHub sample by using the Deploy to Azure button, which opens the Azure portal and lets you configure and deploy the template directly in the portal. For these steps, make sure you're signed in to your Azure AD tenant (not the Azure AD B2C tenant).

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your Azure AD tenant. Select the Directories + subscriptions icon in the portal toolbar.

  3. On the Portal settings | Directories + subscriptions page, find your Azure AD directory in the Directory name list, and then select Switch.

  4. Use the Deploy to Azure button to open the Azure portal and deploy the template directly in the portal. For more information, see create an Azure Resource Manager template.


  5. On the Custom deployment page, enter the following information:

    Field: Definition

    Subscription: Select the Azure subscription that contains the azure-ad-b2c-monitor resource group (the portal directory selector must already be set to your Azure AD tenant).
    Region: Select the region where the resource will be deployed.
    Msp Offer Name: A name describing this definition, for example, Azure AD B2C Monitoring. This is the name that will be displayed in Azure Lighthouse.
    Msp Offer Description: A brief description of your offer, for example, Enables Azure Monitor in Azure AD B2C.
    Managed By Tenant Id: The Tenant ID of your Azure AD B2C tenant (also known as the directory ID).
    Authorizations: A JSON array of objects that include the Azure AD principalId, principalIdDisplayName, and Azure roleDefinitionId. The principalId is the Object ID of the B2C group or user that will have access to resources in this Azure subscription. For this walkthrough, specify the group's Object ID that you recorded earlier. For the roleDefinitionId, use the built-in role value for the Contributor role, b24988ac-6180-42a0-ab88-20f7382dd24c. The role applies to everything in the delegated resource group, so keep that resource group dedicated to the Log Analytics workspace.
    Rg Name: The name of the resource group you created earlier in your Azure AD tenant, for example, azure-ad-b2c-monitor.

    The following example demonstrates an Authorizations array with one security group.

    [
      {
        "principalId": "<Replace with group's OBJECT ID>",
        "principalIdDisplayName": "Azure AD B2C tenant administrators",
        "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
      }
    ]
    

After you deploy the template, it can take a few minutes (typically no more than five) for the resource projection to complete. You can verify the deployment in your Azure AD tenant and get the details of the resource projection. For more information, see View and manage service providers.
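The Authorizations array above is only one parameter of the template. The following is an added, complete subscription-scope template written for this article (it is not the GitHub sample the Deploy to Azure button uses) that wires the Custom deployment fields above (Msp Offer Name, Msp Offer Description, Managed By Tenant Id, Authorizations, Rg Name) into the two Azure Lighthouse resources a delegation needs: a registration definition at subscription scope and a registration assignment inside the resource group. The API versions, the guid()-derived resource names, and the default values are assumptions of this example; verify them against the current Azure Lighthouse schema before deploying.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "defaultValue": "Azure AD B2C Monitoring",
      "metadata": { "description": "Name displayed in Azure Lighthouse for this delegation." }
    },
    "mspOfferDescription": {
      "type": "string",
      "defaultValue": "Enables Azure Monitor in Azure AD B2C"
    },
    "managedByTenantId": {
      "type": "string",
      "metadata": { "description": "Tenant ID of the Azure AD B2C tenant (the service provider)." }
    },
    "authorizations": {
      "type": "array",
      "metadata": { "description": "Array of { principalId, principalIdDisplayName, roleDefinitionId }; principalId is the B2C group's Object ID." }
    },
    "rgName": {
      "type": "string",
      "defaultValue": "azure-ad-b2c-monitor",
      "metadata": { "description": "Existing resource group in this subscription that holds the Log Analytics workspace." }
    }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('rgName'), parameters('mspOfferName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]"
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "rgAssignment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.ManagedServices/registrationAssignments",
              "apiVersion": "2019-06-01",
              "name": "[variables('mspAssignmentName')]",
              "properties": {
                "registrationDefinitionId": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it while signed in to the Azure AD tenant with an account that holds Owner on the subscription, for example with `az deployment sub create --location <region> --template-file lighthouse.json --parameters managedByTenantId=<b2c-tenant-id> authorizations=@authorizations.json` (the parameter file holds the Authorizations array shown above). The registration definition lives at subscription scope, but it grants nothing by itself; only the registration assignment, which this template places inside the resource group, projects access, so the B2C group sees that resource group and nothing else in the subscription. Deriving the assignment name from both the resource group and the offer name lets a second B2C tenant be onboarded to the same resource group with a different Msp Offer Name without overwriting the first assignment.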

4. Select your subscription

After you've deployed the template and waited a few minutes for the resource projection to complete, follow these steps to associate your subscription with your Azure AD B2C directory.

  1. Sign out of the Azure portal if you're currently signed in (this allows your session credentials to be refreshed in the next step).
  2. Sign in to the Azure portal with your Azure AD B2C administrative account. This account must be a member of the security group you specified in the Delegate resource management step.
  3. Select the Directories + subscriptions icon in the portal toolbar.
  4. On the Portal settings | Directories + subscriptions page, in the Directory name list, find your Azure AD directory that contains the Azure subscription and the azure-ad-b2c-monitor resource group you created, and then select Switch.
  5. Verify that you've selected the correct directory and subscription.

5. Configure diagnostic settings

Diagnostic settings define where logs and metrics for a resource should be sent. Possible destinations are a Log Analytics workspace, an Azure storage account, and an Azure event hub.

In this example, we use the Log Analytics workspace to create a dashboard.

5.1 Create diagnostic settings

You're ready to create diagnostic settings in the Azure portal.

To configure monitoring settings for Azure AD B2C activity logs:

  1. Sign in to the Azure portal with your Azure AD B2C administrative account. This account must be a member of the security group you specified in the Select a security group step.

  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.

  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.

  4. Select Azure Active Directory

  5. Under Monitoring, select Diagnostic settings.

  6. If there are existing settings for the resource, you'll see a list of settings already configured. Either select Add diagnostic setting to add a new setting, or select Edit to edit an existing setting. Each setting can have no more than one of each of the destination types.

    Diagnostics settings pane in Azure portal

  7. Give your setting a name if it doesn't already have one.

  8. Under Destination details, select Send to Log Analytics workspace, and then select the subscription and the workspace you created earlier (AzureAdB2C).

  9. Under Logs, select AuditLogs and SignInLogs.

  10. Select Save.

Note

It can take up to 15 minutes after an event is emitted for it to appear in a Log Analytics workspace. Also, learn more about Active Directory reporting latencies, which can impact the staleness of data and play an important role in reporting.

If you see the error message "To set up Diagnostic settings to use Azure Monitor for your Azure AD B2C directory, you need to set up delegated resource management," make sure you sign in with a user who is a member of the security group and select your subscription.

6. Visualize your data

Now you can configure your Log Analytics workspace to visualize your data and configure alerts. These configurations can be made in both your Azure AD tenant and your Azure AD B2C tenant.

6.1 Create a Query

Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. A powerful query language allows you to join data from multiple tables, aggregate large sets of data, and perform complex operations with minimal code. Virtually any question can be answered and analysis performed as long as the supporting data has been collected, and you understand how to construct the right query. For more information, see Get started with log queries in Azure Monitor.

  1. From Log Analytics workspace, select Logs

  2. In the query editor, paste the following Kusto Query Language (KQL) query. It shows policy usage by operation over a chosen number of days; the default is the past 90 days (90d). The query is limited to operations in which a token or code is issued by a policy.

    AuditLogs
    | where TimeGenerated  > ago(90d)
    | where OperationName contains "issue"
    | extend  UserId=extractjson("$.[0].id",tostring(TargetResources))
    | extend Policy=extractjson("$.[1].value",tostring(AdditionalDetails))
    | summarize SignInCount = count() by Policy, OperationName
    | order by SignInCount desc  nulls last
    
  3. Select Run. The query results are displayed at the bottom of the screen.

  4. To save your query for later use, select Save.

    Log Analytics log editor

  5. Fill in the following details:

    • Name - Enter the name of your query.
    • Save as - Select query.
    • Category - Select Log.
  6. Select Save.

You can also change your query to visualize the data by using the render operator.

AuditLogs
| where TimeGenerated  > ago(90d)
| where OperationName contains "issue"
| extend  UserId=extractjson("$.[0].id",tostring(TargetResources))
| extend Policy=extractjson("$.[1].value",tostring(AdditionalDetails))
| summarize SignInCount = count() by Policy
| order by SignInCount desc  nulls last
| render  piechart

Log Analytics log editor pie

For more samples, see the Azure AD B2C SIEM GitHub repo.
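The queries above only read AuditLogs. The diagnostic setting also routes SignInLogs, and a common first detection to build on them is a source IP failing sign-ins across many distinct accounts, the shape of a password-spray or credential-stuffing run. The following query is an added example written for this article, not from the original page or the SIEM repo; it uses the standard SignInLogs columns (TimeGenerated, ResultType, IPAddress, UserPrincipalName, UserId, AppDisplayName), and the thresholds are assumed starting points to tune for your traffic.

```kql
// Added example: one source IP with failed sign-ins against many distinct accounts.
// Thresholds below are assumed starting values; tune them to your tenant's baseline.
let lookback = 1h;
let minDistinctAccounts = 10;
let minFailures = 20;
SignInLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                       // "0" is success; any other code is a failure
| extend Account = coalesce(UserPrincipalName, UserId)   // local B2C accounts may lack a UPN
| summarize
    Failures = count(),
    DistinctAccounts = dcount(Account),
    ErrorCodes = make_set(ResultType, 10),      // which failure codes the source is producing
    Apps = make_set(AppDisplayName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by IPAddress
| where DistinctAccounts >= minDistinctAccounts and Failures >= minFailures
| order by DistinctAccounts desc, Failures desc
```

Run it from Logs in the same workspace, and turn it into an alert rule the same way as the Create alerts section below (Number of results greater than 0). Because events can take up to 15 minutes to land in the workspace, a short lookback will miss the most recent attempts; a one-hour window with a five-minute evaluation frequency keeps the detection responsive without depending on the newest few minutes.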

6.2 Create a Workbook

Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. For more information, see Azure Monitor Workbooks.

Follow the instructions below to create a new workbook using a JSON Gallery Template. This workbook provides a User Insights and Authentication dashboard for Azure AD B2C tenant.

  1. From the Log Analytics workspace, select Workbooks.

  2. From the toolbar, select + New option to create a new workbook.

  3. On the New workbook page, select the Advanced Editor using the </> option on the toolbar.

    Gallery Template

  4. Select Gallery Template.

  5. Replace the JSON in the Gallery Template with the content of the Azure AD B2C basic workbook.

  6. Apply the template by using the Apply button.

  7. Select Done Editing button from the toolbar to finish editing the workbook.

  8. Finally, save the workbook by using the Save button from the toolbar.

  9. Provide a Title, such as Azure AD B2C Dashboard.

  10. Select Save.

    Save the workbook

The workbook will display reports in the form of a dashboard.

Workbook first dashboard

Workbook second dashboard

Workbook third dashboard

Create alerts

Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics, on certain events being created, on the absence of an event, or on a number of events being created within a particular time window. For example, an alert can notify you when the average number of sign-ins exceeds a certain threshold. For more information, see Create alerts.

Use the following instructions to create a new Azure alert that sends an email notification whenever there is a 25% drop in total requests compared with the previous period. The alert rule runs every 5 minutes and compares the last hour with the hour before it. The alert logic is written as a Kusto query. Keep the ingestion latency noted earlier in mind: the most recent hour can be undercounted for up to 15 minutes after the events occur, so leave some headroom in the threshold to avoid alerting on late-arriving data.

  1. From Log Analytics workspace, select Logs.

  2. Create a new Kusto query by using the query below.

    let start = ago(2h);
    let end = now();
    let threshold = -25; //25% decrease in total requests.
    AuditLogs
    | serialize TimeGenerated, CorrelationId, Result
    | make-series TotalRequests=dcount(CorrelationId) on TimeGenerated from start to end step 1h
    | mvexpand TimeGenerated, TotalRequests
    | serialize TotalRequests, TimeGenerated, TimeGeneratedFormatted=format_datetime(todatetime(TimeGenerated), 'yyyy-MM-dd [HH:mm:ss]')
    | project   TimeGeneratedFormatted, TotalRequests, PercentageChange= ((toreal(TotalRequests) - toreal(prev(TotalRequests,1)))/toreal(prev(TotalRequests,1)))*100
    | order by TimeGeneratedFormatted desc
    | where PercentageChange <= threshold   // Triggers the alert rule when a row matches.
    
  3. Select Run, to test the query. You should see the results if there is a drop of 25% or more in the total requests within the past hour.

  4. To create an alert rule based on the query above, use the + New alert rule option available in the toolbar.

  5. On the Create an alert rule page, select Condition name

  6. On the Configure signal logic page, set following values and then use Done button to save the changes.

    • Alert logic: Set Number of results Greater than 0.
    • Evaluation based on: Select 120 for Period (in minutes) and 5 for Frequency (in minutes)

    Create a alert rule condition

After the alert is created, go to Log Analytics workspace and select Alerts. This page displays all the alerts that have been triggered in the duration set by Time range option.

Configure action groups

Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. An action group can send a voice call, SMS, or email, or trigger various types of automated actions. Follow the guidance in Create and manage action groups in the Azure portal.

Here is an example of an alert notification email.

Email notification

Multiple tenants

To onboard multiple Azure AD B2C tenant logs to the same Log Analytics Workspace (or Azure storage account, or event hub), you'll need separate deployments with different Msp Offer Name values. Make sure your Log Analytics workspace is in the same resource group as the one you configured in Create or choose resource group.

When working with multiple Log Analytics workspaces, use Cross Workspace Query to create queries that work across multiple workspaces. For example, the following query performs a join of two Audit logs from different tenants based on the same Category (for example, Authentication):

workspace("AD-B2C-TENANT1").AuditLogs
| join  workspace("AD-B2C-TENANT2").AuditLogs
  on $left.Category== $right.Category
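A join on Category pairs every row of one tenant with every matching row of the other, which is rarely what a report wants. For counting or comparing activity across tenants, a union that labels each row with its source workspace is the usual pattern. The following is an added example, not part of the original article; the workspace names follow the placeholders used above, and the Policy extraction reuses the positional AdditionalDetails indexing from the earlier queries.

```kql
// Added example: token issuance per policy across two tenants' workspaces,
// with each row tagged by the workspace it came from.
union withsource=SourceWorkspace
    workspace("AD-B2C-TENANT1").AuditLogs,
    workspace("AD-B2C-TENANT2").AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName contains "issue"
| extend Policy = extractjson("$.[1].value", tostring(AdditionalDetails))
| summarize Tokens = count() by SourceWorkspace, Policy
| order by SourceWorkspace asc, Tokens desc
```

The same pattern works for the drop-detection alert: replace AuditLogs with the union and add SourceWorkspace to the make-series grouping so each tenant is evaluated on its own baseline rather than on the combined total.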

Change the data retention period

Azure Monitor Logs are designed to scale and support collecting, indexing, and storing massive amounts of data per day from any source in your enterprise or deployed in Azure. By default, logs are retained for 30 days, but retention duration can be increased to up to two years. Learn how to manage usage and costs with Azure Monitor Logs. After you select the pricing tier, you can Change the data retention period.
