Azure AD DS configuration

Microsoft allows you to stream your Azure AD DS event logs to external auditing and monitoring tools using Azure Event Hubs. Before you configure streaming, you need to create an Event Hubs namespace and an event hub.

Create an Event Hubs namespace

To create an Event Hubs namespace:

1. Login to the Azure portal using your Microsoft account.
2. Search for Event Hubs using the search bar on the top menu.
3. Select Event Hubs and click + Create on the toolbar to go to the Create Namespace page.
4. Select the Subscription in which you want to create the namespace.
5. Select an existing Resource group from the drop-down or click Create new and enter the name of the new resource group.
6. Specify the Namespace name and select a Location for the namespace.
   Note: The resource group and the location of the Event Hubs namespace should be the same as that of the Azure AD DS domain.
7. Choose a Pricing tier based on your requirements.
8. Leave the Throughput units (for standard tier) or Processing units (for premium tier) setting as it is.
9. Click Review + Create.

   

10. Review the settings, select Create, and wait for the deployment to complete.
11. Select Go to resource on the deployment page to navigate to the Event Hubs Namespace you just created.

Create an event hub

To create an event hub within the namespace:

1. Select Event Hubs from the left menu on the Event Hubs Namespace page.
2. Select + Event Hub from the tool bar to go to the Create Event Hub page.

   

3. Enter a Name for your event hub and set the values for Partition Count and Message Retention based on your tier and requirements.
4. Enable Capture Details from the Capture tab if required.
5. Click Review + create.

   

6. Review the settings, select Create and wait for the deployment to complete. On completion, you will find your Event Hub instance listed in your Event Hubs namespace.
7. Click the event hub you created, select Shared access policies on the left menu and click +Add from the toolbar.
8. In the Add SAS Policy panel, enter a suitable Policy name, check Listen and click Create.
9. Select the policy you just created and copy the Connection string–primary key to your clipboard. This key will be required when adding the Azure AD DS domain in ADAudit Plus.

   

Configure Azure AD DS to stream events to EventHub

1. In the Azure portal, go to Azure AD Domain Services and select your domain.
2. Click Diagnostic settings under Monitoring from the left menu.
3. Click + Add diagnostic setting to go to the Diagnostic setting page and specify a suitable name for the setting.

   

4. Check audit to select all the Categories under Logs.
5. Check Stream to an event hub under Destination details and verify the information about your Subscription, Event hub namespace, and Event hub name.
6. Ensure that RootManageSharedAccessKey is selected from the Event hub policy name drop-down.
7. Click Save on the toolbar.