AD FS auditing with ADAudit Plus

Monitor AD FS authentication events

Track every successful and failed AD FS sign-in including the user, client IP, timestamp, and application accessed.

Report on extranet lockout activity

Capture every account locked out via the AD FS extranet lockout policy, including the originating IP and exact lockout time.

Get real-time alerts on AD FS events

Alert profiles fire the moment a defined threshold is crossed: a spike in logon failures or an extranet lockout.

Meet compliance requirements

Maintain a full audit trail of AD FS logon activity to meet compliance requirements.

What is AD FS auditing?

AD FS extends your on-premises identity infrastructure to external applications, partners, and cloud services through claims-based authentication. Every federated sign-in and token request passes through your AD FS servers, making them a critical audit point for both security and compliance. When AD FS authentication events go unmonitored, a compromised account can give an attacker persistent, authenticated access across multiple systems without triggering a single AD lockout.

ADAudit Plus provides pre-configured reports for every AD FS event category: successful authentications, failed sign-in attempts, and extranet lockouts. Audit data is collected centrally from all AD FS servers in your environment, and correlated with on-premises AD events, so you have a complete picture of your federated identity activity from a single console. No log forwarding scripts, no manual Event Viewer sessions on individual servers.

Key details ADAudit Plus captures across AD FS

AD FS audit area             What ADAudit Plus captures
Successful authentications   Every federated sign-in: user, application, client IP, timestamp, and authentication method.
Failed authentications       All failed AD FS sign-in attempts with failure reason, source IP, and affected account.
Extranet lockouts            Accounts locked out via the AD FS extranet lockout policy, with originating IP and lockout time.

Monitor AD FS authentication activity

ADAudit Plus captures AD FS authentication events and surfaces them in pre-configured reports, so you can trace logon success and failure activity without pulling logs from individual AD FS servers.

  • The Logon Success report records every successful AD FS authentication event.
  • The Logon Failure report captures failed authentication attempts, giving you visibility into accounts that cannot complete logon.

AD FS Logon Activity report showing the who, what, when, and where behind all logon activity.

Know the who, what, when, and where behind every federation server logon.

Monitor AD FS extranet lockout events

The Extranet Lockout report surfaces accounts locked out by the AD FS extranet lockout policy, a distinct event type from standard AD account lockouts recorded in the Active Directory tab.

  • Each extranet lockout event identifies the affected account and the lockout time.
  • Because extranet lockouts are triggered by repeated failed authentication attempts from outside the network, each event warrants review as a potential external attack signal.

Extend logon and logoff auditing to hybrid and cloud environments

Many environments run a mix of on-premises AD and Microsoft Entra ID (previously known as Azure AD). Which directory authenticates a user depends on which resource they are accessing, and a complete logon audit must cover both. ADAudit Plus provides a correlated view of on-premises AD and Entra ID activity from a single console, covering hybrid logon activity in one report.

  • Entra ID sign-in events include geo-location, device information, MFA status, and Conditional Access result for every authentication attempt.
  • Legacy authentication sign-ins are captured in a dedicated report, giving visibility into the authentication methods that carry the highest cloud identity risk.
  • Risk detections from Entra ID Identity Protection are surfaced in ADAudit Plus reports: impossible travel, sign-ins from anonymized IP addresses, and sign-ins using leaked credentials.
  • Conditional Access policy changes are tracked alongside sign-in data, so a policy modification and the first sign-in affected by it are both visible in context.

Hybrid Logon Activity report displaying an overview of sign-in activity across AD and Entra ID environments.

Gain a comprehensive view of logon activity across your AD and Entra ID environments.

Get real-time alerts on critical AD FS events

Reviewing AD FS logs after the fact is rarely enough. By the time a manual review surfaces an extranet lockout spike, the window for an effective response has often closed. ADAudit Plus fires alerts the moment a defined condition is met, so your team can act on AD FS events as they happen.

  • A sudden increase in AD FS logon failures from a single account or IP surfaces as a real-time alert, letting you distinguish a misconfigured application from an active credential attack.
  • When extranet lockouts exceed the threshold you define, an alert fires immediately so your team can investigate the source IP before more accounts are affected.
  • When an alert fires, ADAudit Plus automatically creates a ticket in ServiceNow, Zendesk, Jira, Freshservice, or ManageEngine Service Desk Plus and notifies the responsible team by email or SMS, so no critical event sits in a log queue waiting to be found.

Alerts can be configured to instantly detect critical activities such as logons occurring via federation servers during non-business hours.

Receive alerts about critical activities such as logons occurring via federation servers during non-business hours.

Meet compliance requirements

AD FS authentication events fall within the scope of all seven compliance frameworks ADAudit Plus covers. The pre-configured report sets for each standard are available under the Compliance section of the Active Directory tab, and AD FS authentication data is captured within them automatically.

  • Custom report profiles let you combine specific users, audit actions, and date ranges into saved views for recurring compliance reviews or one-off audit requests.
  • Reports can be scheduled for automatic email delivery to auditors and compliance officers without requiring console access.

Why native tools fall short for AD FS auditing

AD FS audit events are written to the Windows Security event log and the AD FS operational log on each AD FS server. Reviewing them requires direct access to each server, and correlating events across multiple AD FS nodes to investigate a single incident is a manual process with no built-in tooling.

  • There's no centralized view of authentication activity. Security event logs are stored locally on each AD FS server, so getting a complete picture means manually collecting and correlating logs from every node.
  • Event Viewer has no threshold-based alerting. Detecting an extranet lockout spike requires someone to check the logs after the fact, or to write and maintain a custom PowerShell script.
  • Native AD FS logs produce raw event data, not compliance-ready output. Mapping AD FS authentication events to SOX, HIPAA, or PCI-DSS controls requires manual interpretation for every audit request.

ADAudit Plus closes all three gaps from a single console, with no scripts to maintain and no manual log collection from individual servers.
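To make the "custom PowerShell script" gap concrete, here is an added example (not ADAudit Plus code and not from the original page) of the kind of threshold check a team would otherwise have to write and maintain. It assumes AD FS auditing is enabled so that failed credential validations are written to the Security log under the "AD FS Auditing" provider as Event ID 1203 (that event ID and provider name come from my own knowledge of AD FS, not from the page; adjust them for your version), and the server names are placeholders.

```powershell
# Added example: pull failed AD FS authentications from every node, bucket them by
# time and client IP, and flag buckets that cross a threshold. Native logs live on
# each server, so the cross-node correlation only exists because this script does it.
param(
    [string[]] $AdfsServers   = @('adfs01', 'adfs02'),  # placeholder node names
    [int]      $EventId       = 1203,   # assumed: AD FS "failed to validate a new credential"
    [int]      $WindowMinutes = 60,     # how far back to look
    [int]      $BucketMinutes = 5,      # spike detection granularity
    [int]      $Threshold     = 20      # failures per bucket per IP that trigger a flag
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

$events = foreach ($server in $AdfsServers) {
    # One remote query per AD FS node; a node that is unreachable is skipped silently.
    Get-WinEvent -ComputerName $server -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'   # assumed provider name for AD FS audit events
        Id           = $EventId
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, Message
}

# Heuristic: the first IPv4-looking token in the event message is treated as the
# client IP, because the exact message layout differs between AD FS versions.
$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$rows = $events | ForEach-Object {
    $ip = if ($_.Message -match $ipPattern) { $Matches[0] } else { 'unknown' }
    # Round the timestamp down to the start of its bucket.
    $bucket = $_.TimeCreated.AddMinutes(-($_.TimeCreated.Minute % $BucketMinutes))
    [pscustomobject]@{
        Bucket = $bucket.ToString('yyyy-MM-dd HH:mm')
        Ip     = $ip
    }
}

# Any (bucket, IP) pair at or above the threshold is a candidate credential attack
# (or a misconfigured application retrying in a loop) that deserves a human look.
$rows | Group-Object Bucket, Ip |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Bucket';   e = { $_.Group[0].Bucket } },
                  @{ n = 'ClientIp'; e = { $_.Group[0].Ip } },
                  Count
```

Run it from a scheduled task with credentials that can read the Security log on each node; an empty result means no bucket crossed the threshold in the window.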

4 compelling reasons to choose ADAudit Plus

Widely recognized

ADAudit Plus has been recognized as a Gartner Peer Insights Customers' Choice for Security Information and Event Management (SIEM) for four consecutive years.

Easy deployment

Go from downloading ADAudit Plus to receiving predefined reports and alerts in under 30 minutes, without any professional help.

Competitive pricing

ADAudit Plus is licensed per server, unlike other IT auditing tools, which are licensed per user. With per-server licensing, you can keep ingesting log data at no additional cost even as your user count grows each year.

Unified visibility

ADAudit Plus consolidates auditing, security, and compliance across Active Directory, Entra ID, Windows servers, workstations, and file servers into a single pane of glass, eliminating the need to juggle multiple tools.


Frequently asked questions

A standard AD account lockout is recorded when a user exceeds the domain password policy's failed attempt threshold, typically surfaced through Event ID 4740. An AD FS extranet lockout is triggered by the AD FS extranet lockout policy, which blocks authentication attempts from outside the network before they reach the domain controller. The two are distinct event types and are reported separately in ADAudit Plus.

AD FS authentication events form part of the user access audit trail that frameworks like SOX, HIPAA, and PCI-DSS require organizations to maintain. None of these standards name AD FS specifically, but if AD FS is the authentication path to systems handling regulated data, those events are in scope.