Azure Active Directory security operations guide

Microsoft has a successful and proven approach to Zero Trust security using Defense in Depth principles that leverage identity as a control plane. As organizations continue to embrace a hybrid workload world for scale, cost savings, and security, Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.

Increasingly, organizations must embrace a mixture of on-premises and cloud applications, which users access with both on-premises and cloud-only accounts. Managing users, applications, and devices both on-premises and in the cloud poses challenging scenarios.

Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.

To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:

As you audit your current security operations or establish security operations for your Azure environment, we recommend you:

  • Read specific portions of the Microsoft security guidance to establish a baseline of knowledge about securing your cloud-based or hybrid Azure environment.

  • Audit your account and password strategy and authentication methods to help deter the most common attack vectors.

  • Create a strategy for continuous monitoring and alerting on activities that might indicate a security threat.

Audience

The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.

Scope

This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments as well as fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:

  • User accounts – Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.

  • Privileged accounts – Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks, including Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.

  • Privileged Identity Management (PIM) – guidance specific to using PIM to manage, control, and monitor access to resources.

  • Applications – Guidance specific to accounts used to provide authentication for applications.

  • Devices – Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.

  • Infrastructure – Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.

Important reference content

Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend as part of your monitoring and alerting strategy you review the following guidance that is relevant to your operating environment:

Data sources

The log files you use for investigation and monitoring are:

From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:

  • Azure Sentinel – enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

  • Azure Monitor – enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

  • Azure Event Hubs integrated with a SIEM – Azure AD logs can be integrated into other SIEMs such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

  • Microsoft Cloud App Security (MCAS) – enables you to discover and manage apps, govern across apps and resources, and check your cloud apps’ compliance.

Much of what you will monitor and alert on is the effect of your Conditional Access policies. You can use the Conditional Access insights and reporting workbook to examine the effects of one or more Conditional Access policies on your sign-ins, as well as the results of policies, including device state. This workbook enables you to view an impact summary and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.

The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
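As an added example that is not from the Microsoft article, the following PowerShell triages an Azure AD audit log export (the JSON download described above, or the same records fetched from Microsoft Graph) for directory changes a SecOps team typically alerts on. The record layout follows the Microsoft Graph directoryAudit schema; the watched activity list, the approved-admin list, and the sample records are assumptions constructed for the example.

```powershell
# Added example, not from the Microsoft article. Triage an exported Azure AD audit log (portal JSON download
# or Microsoft Graph /auditLogs/directoryAudits) for directory changes worth an alert.
# Field names follow the Graph directoryAudit schema; the watched list and sample data are assumptions.

$WatchedActivities = @(            # activity names as they appear in the audit log; extend for your tenant
    'Add member to role',
    'Add eligible member to role',  # PIM eligibility grant
    'Add user',
    'Reset password (by admin)'
)

function Find-AuditEventsToReview {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $ApprovedAdmins = @('breakglass@contoso.example')   # placeholder list of expected actors
    )
    foreach ($r in $Records) {
        if ($r.activityDisplayName -notin $WatchedActivities) { continue }
        # Audit records are initiated by either a user or an app (service principal)
        $actor = if ($r.initiatedBy.user)    { $r.initiatedBy.user.userPrincipalName }
                 elseif ($r.initiatedBy.app) { 'app:' + $r.initiatedBy.app.displayName }
                 else                        { '<unknown>' }
        # For role assignments the role name is carried in the target's modifiedProperties as a JSON string
        $role = $r.targetResources.modifiedProperties |
                Where-Object { $_.displayName -eq 'Role.DisplayName' } |
                ForEach-Object { $_.newValue -replace '"', '' }
        $targets = $r.targetResources | ForEach-Object {
            if ($_.userPrincipalName) { $_.userPrincipalName } else { $_.displayName } }
        [pscustomobject]@{
            Time     = $r.activityDateTime
            Activity = $r.activityDisplayName
            Result   = $r.result
            Actor    = $actor
            ActorIP  = $r.initiatedBy.user.ipAddress
            Target   = ($targets -join ', ')
            Role     = ($role -join ', ')
            Escalate = ($actor -notin $ApprovedAdmins)   # unexpected actor: route to the on-call analyst
        }
    }
}

# Constructed sample standing in for: Get-Content .\AuditLogs.json -Raw | ConvertFrom-Json
$sample = @'
[ { "activityDateTime": "2021-10-05T08:14:22Z", "activityDisplayName": "Add member to role", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10" } },
    "targetResources": [ { "type": "User", "userPrincipalName": "bob@contoso.example", "modifiedProperties": [
        { "displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Global Administrator\"" } ] } ] },
  { "activityDateTime": "2021-10-05T08:20:01Z", "activityDisplayName": "Update device", "result": "success",
    "initiatedBy": { "app": { "displayName": "Microsoft Intune" } }, "targetResources": [] } ]
'@ | ConvertFrom-Json

Find-AuditEventsToReview -Records $sample | Where-Object Escalate | Format-Table -AutoSize
```

The same filter can run against live data by replacing the constructed sample with the output of the Microsoft Graph reports cmdlets, or be expressed as a Sentinel analytics rule over the AuditLogs table.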

  • Identity Protection – generates three key reports that you can use to help with your investigation:

    • Risky users – contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.

    • Risky sign-ins – contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For additional information on investigating information from this report, visit How To: Investigate risk.

    • Risk detections – contains information on risk signals detected by Azure AD Identity Protection that inform sign-in and user risk. For more information, see the Azure AD security operations guide for user accounts.

Data sources for domain controller monitoring

For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity, which gives you the best detection and automation capabilities. Follow the guidance from:

If you do not plan to use Microsoft Defender for Identity, you can monitor your domain controllers either by event log messages or by running PowerShell cmdlets.
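The following PowerShell, an added example rather than code from the article, shows the event-log route: it pulls the account-management and failed-logon events a SecOps team normally baselines from a domain controller's Security log with Get-WinEvent. The event IDs are the standard Windows security auditing IDs; the DC name, lookback window, failed-logon threshold, and the assumption that advanced audit policy records these events are the example's own.

```powershell
# Added example, not from the Microsoft article: the "event log messages / PowerShell cmdlets" route for
# environments without Microsoft Defender for Identity. Pulls account-management and failed-logon events
# from a domain controller's Security log. Event IDs are the standard Windows security auditing IDs; the
# DC name, lookback window and threshold are assumptions. Advanced Audit Policy must record these events.

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string[]] $Names) {
    # EventData fields are named in the event XML; positional Properties[] indexes differ per event ID
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -in $Names } | Select-Object -First 1 -ExpandProperty '#text'
}

function Get-DcSecuritySummary {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,   # run on the DC, or name a DC reachable over RPC
        [int]    $Hours = 24,
        [int]    $FailedLogonThreshold = 20           # per account; tune to your baseline
    )
    $Watched = @{
        4720 = 'User account created'
        4726 = 'User account deleted'
        4728 = 'Member added to security-enabled global group'
        4732 = 'Member added to security-enabled local group'
        4756 = 'Member added to security-enabled universal group'
        4740 = 'Account locked out'
        4625 = 'Failed logon'
        4771 = 'Kerberos pre-authentication failed'
    }
    $failedIds = 4625, 4771
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$Watched.Keys; StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Account-management and lockout events: each one should be rare and attributable, so report all of them
    foreach ($e in ($events | Where-Object { $_.Id -notin $failedIds })) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            What    = $Watched[[int]$e.Id]
            Subject = Get-EventField $e @('SubjectUserName')              # who made the change
            Target  = Get-EventField $e @('MemberName', 'TargetUserName') # account or group member affected
        }
    }
    # Failed logons: only alert when one account crosses the threshold (password-spray / brute-force signal)
    $events | Where-Object { $_.Id -in $failedIds } |
        ForEach-Object { Get-EventField $_ @('TargetUserName') } |
        Group-Object | Where-Object { $_.Count -ge $FailedLogonThreshold } | ForEach-Object {
            [pscustomobject]@{ Time = Get-Date; Id = 'failed-logon'; What = "$($_.Count) failures in ${Hours}h"
                               Subject = ''; Target = $_.Name }
        }
}

Get-DcSecuritySummary | Format-Table -AutoSize
```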

Components of hybrid authentication

As part of an Azure hybrid environment, the following should be baselined and included in your monitoring and alerting strategy.

Components of cloud-based authentication

As part of an Azure cloud-based environment, the following should be baselined and included in your monitoring and alerting strategy.

  • Azure AD Application Proxy – This cloud service provides secure remote access to on-premises web applications. For more information, see Remote access to on-premises applications through Azure AD Application Proxy.

  • Azure AD Connect – Services used for an Azure AD Connect solution. For more information, see What is Azure AD Connect.

  • Azure AD Connect Health – Service Health provides you with a customizable dashboard which tracks the health of your Azure services in the regions where you use them. For more information, see Azure AD Connect Health.

  • Azure MFA – Azure AD Multi-Factor Authentication requires a user to provide more than one form of proof for authentication. This can provide a proactive first step to securing your environment. For more information, see How it works: Azure AD Multi-Factor Authentication.

  • Dynamic Groups – Dynamic configuration of security group membership for Azure Active Directory (Azure AD). Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see Dynamic groups and Azure Active Directory B2B collaboration.

  • Conditional Access – Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see What is Conditional Access.

  • Identity Protection – A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see What is Identity Protection?

  • Group-based licensing – Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.

  • Provisioning Service – Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see How Application Provisioning works in Azure Active Directory.

  • Graph API – The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see Overview of Microsoft Graph.

  • Domain Service – Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join and group policy. For more information, see What is Azure Active Directory Domain Services?

  • Azure Resource Manager – Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see What is Azure Resource Manager?

  • Managed Identity – Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more information, see What are managed identities for Azure resources?

  • Privileged Identity Management – Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. For more information, see What is Azure AD Privileged Identity Management.

  • Access Reviews – Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access. For more information, see What are Azure AD access reviews?

  • Entitlement Management – Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see What is Azure AD entitlement management?

  • Activity Logs – The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. For more information, see Azure Activity log.

  • Self-service Password reset service – Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. For more information, see How it works: Azure AD self-service password reset.

  • Device Services – Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see What is a device identity?

  • Self-Service Group Management – You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD). The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features are not available for mail-enabled security groups or distribution lists. For more information, see Set up self-service group management in Azure Active Directory.

  • Risk detections – contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Cloud App Security (MCAS).

Next steps

See these security operations guide articles:

Azure AD security operations overview

Security operations for user accounts

Security operations for privileged accounts

Security operations for Privileged Identity Management

Security operations for applications

Security operations for devices

Security operations for infrastructure