Integrate Azure Active Directory audit logs
Azure Active Directory (Azure AD) audit events help you identify privileged actions that occurred in Azure Active Directory. You can see the types of events that you can track by reviewing Azure Active Directory audit report events.
The Azure Log integration feature will be deprecated by 06/15/2019. AzLog downloads were disabled on Jun 27, 2018. For guidance on what to do moving forward review the post Use Azure monitor to integrate with SIEM tools
Steps to integrate Azure Active Directory audit logs
Before you attempt the steps in this article, you must review the Get started article and complete the relevant steps there.
Open the command prompt and run this command:
cd c:\Program Files\Microsoft Azure Log Integration
Run this command:
This command prompts you for your Azure login. The command then creates an Azure Active Directory service principal in the Azure AD tenants that host the Azure subscriptions in which the logged-in user is an administrator, a co-administrator, or an owner. The command will fail if the logged-in user is only a guest user in the Azure AD tenant. Authentication to Azure is done through Azure AD. Creating a service principal for Azure Log Integration creates the Azure AD identity that is given access to read from Azure subscriptions.
Run the following command to provide your tenant ID. You need to be member of the tenant admin role to run the command.
Azlog.exe authorizedirectoryreader tenantId
AZLOG.exe authorizedirectoryreader ba2c0000-d24b-4f4e-92b1-48c4469999
Check the following folders to confirm that the Azure Active Directory audit log JSON files are created in them:
The following video demonstrates the steps covered in this article:
For specific instructions on bringing the information in the JSON files into your security information and event management (SIEM) system, contact your SIEM vendor.
Community assistance is available through the Azure Log Integration MSDN Forum. This forum enables people in the Azure Log Integration community to support each other with questions, answers, tips, and tricks. In addition, the Azure Log Integration team monitors this forum and helps whenever it can.
You can also open a support request. Select Log Integration as the service for which you are requesting support.
To learn more about Azure Log Integration, see:
- Microsoft Azure Log Integration for Azure logs: This Download Center page gives details, system requirements, and installation instructions for Azure Log Integration.
- Introduction to Azure Log Integration: This article introduces you to Azure Log Integration, its key capabilities, and how it works.
- Azure Log Integration FAQ: This article answers questions about Azure Log Integration.
- New features for Azure Diagnostics and Azure audit logs: This blog post introduces you to Azure audit logs and other features that help you gain insights into the operations of your Azure resources.