How to audit and monitor security events in Microsoft Entra ID
It can get difficult to monitor the ever-increasing number of users and the activities they perform across the multiple applications they use. Microsoft Entra ID (formerly Azure Active Directory), a cloud-based IAM solution, offers multiple ways to manage users and track their activities in your Microsoft 365 environment. It also enables you to monitor security events, including sign-in anomalies, app permissions, and service health.
ManageEngine M365 Manager Plus—an extensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments—can also be used for the same purpose, in a more comprehensive, user-friendly way, all under a single console.
In this article, we will see how to audit and monitor security events in Microsoft Entra ID, first with the native tools and then from a single console with M365 Manager Plus.
Auditing security events in Microsoft Entra ID
You can audit the activities of your users in Microsoft Entra ID using the Identity logs and Workbooks available under Monitoring & Health. The following table lists the reports available there and what they help you gain insights on:
Settings | Description | Use cases |
---|---|---|
Sign-in Logs | Records the details of all sign-in activities by users, applications, and service accounts. | |
Audit Logs | Tracks all activities performed on users and resources in your tenant. | |
Provisioning logs | Tracks user provisioning activities like creation, modification, and deletion across Microsoft Entra ID and integrated applications. | |
Workbooks | Customizable dashboards that can represent complex logs graphically. | |
Usage & Insights | A collection of reports on the activity of applications in your tenant. | |
Bulk Operations | Records activities performed in bulk, like creation, modification, and deletion. | |
Monitoring security events in Microsoft Entra ID
You can monitor the security events in Microsoft Entra ID by utilizing the Security logs and Workbooks available under Monitoring & Health. The following table outlines the tools to monitor security events in Microsoft Entra ID and what use cases they serve.
Settings | Description | Use cases |
---|---|---|
Diagnostic Settings | A setting that you can configure to export logs to tools like Azure Monitor or just store them. | |
Log Analytics | A data storage solution that can also analyze the logs generated from solutions like Microsoft Entra ID. | |
Microsoft Sentinel (requires a subscription) | A SIEM solution that can analyze logs, send out event alerts, and automate tasks. | |
All of these tools require you to set up a Log Analytics workspace to use them. Here are the steps to create one.
- Log in to the Azure portal, and search for Log Analytics workspaces in the search box.
- Select Create. You will be redirected to the Create Log Analytics workspace page.
- Select a Subscription from the dropdown.
- You can select an existing Resource Group or create a new one by clicking Create New.
- Fill in the Name and select the Region from the dropdown.
- Click on Next: Tags to assign tags to your workspace. These will help you organize your workspaces based on the data you need. For example, Activity: Add user can be a tag to identify the workspace that you use to analyze user creation.
- Select Review + Create to check your configuration. Then, click Create to create your Log Analytics workspace.
Tracking security events in Microsoft Entra ID using M365 Manager Plus
Although Microsoft Entra ID's native solutions provide a good way to audit and monitor events in your environment, the best parts are locked behind separate subscriptions and complex configurations. Generating alerts for actions requires the use of Azure Monitor, which needs an additional license. Creating custom dashboards and audit profiles requires you to use Kusto Query Language (KQL) in workbooks. Moreover, you will have to jump between multiple admin centers to get all of these working seamlessly.
M365 Manager Plus offers alerts for crucial security events like user creation, group membership changes, and more, along with the capability to audit and monitor your Microsoft 365 environment. The generalized steps to create a profile in M365 Manager Plus are listed below.
- Log in to M365 Manager Plus, navigate to Settings > Audit Configuration and click Audit Profiles or Alert Profiles. Then, click Add Profile.
- Type in a Profile Name and Description for your profile.
- Select a Microsoft 365 Service to track, the Category of actions, and select the events you want under Actions:
Note:
- For alerts, assign a Severity level based on how crucial this alert is. In the example screenshot below, we've selected Attention.
- Configure a message using Macros to use specific variables in your alert message. For this example, we've used the following message: %OBJECT_ID% modified by %ACTOR%. Activity is %OPERATION%.
- Expand Advanced Configuration and check the "email every alert corresponding to this profile" box to receive email alerts.
- In the Filter Settings tab that appears after expanding Advanced Configuration, use the Business Hours Filter to monitor for any events outside of working hours and the Filter By Column option to format the report data you will receive.
- Click Add to finalize your changes and create a custom profile to monitor your preferred security event in Microsoft Entra ID.
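To make the logic of such an alert profile concrete, the following added example (not M365 Manager Plus code, and not from the original article) applies a watched-actions list, a business-hours filter, and the macro message shown above to audit records exported as JSON. The field names follow the Microsoft Graph directoryAudit schema; the sample records, the watched actions, and the 09:00 to 18:00 UTC weekday window are assumptions made for illustration.

```python
import json
from datetime import datetime, time

# Constructed sample records shaped like Microsoft Graph directoryAudit entries; all values are made up.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2024-05-14T10:15:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2024-05-15T02:40:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-temp@contoso.example"}]},
    {"activityDateTime": "2024-05-18T11:00:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"app": {"displayName": "Sync Service"}},
     "targetResources": [{"displayName": "Finance Admins"}]},
    {"activityDateTime": "2024-05-15T03:05:00Z", "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "dev@contoso.example"}},
     "targetResources": [{"displayName": "Payroll App"}]},
])

WATCHED = {"Add user", "Add member to group"}   # assumed selection under Actions
TEMPLATE = "%OBJECT_ID% modified by %ACTOR%. Activity is %OPERATION%."
OPEN, CLOSE = time(9, 0), time(18, 0)           # assumed business hours, UTC, Mon-Fri

def outside_business_hours(ts: datetime) -> bool:
    """True on weekends, or before OPEN / at or after CLOSE on weekdays."""
    return ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)

def actor_of(record: dict) -> str:
    """Audit events can be initiated by a user or by an app/service principal."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def alerts(export_json: str, severity: str = "Attention") -> list[dict]:
    out = []
    for rec in json.loads(export_json):
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if rec["activityDisplayName"] not in WATCHED or not outside_business_hours(ts):
            continue
        target = (rec.get("targetResources") or [{}])[0]
        obj = target.get("userPrincipalName") or target.get("displayName") or "unknown"
        msg = (TEMPLATE.replace("%OBJECT_ID%", obj).replace("%ACTOR%", actor_of(rec))
               .replace("%OPERATION%", rec["activityDisplayName"]))
        out.append({"severity": severity, "time": ts.isoformat(), "message": msg})
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_EXPORT):
        print(a["severity"], a["time"], a["message"])
```

Of the four constructed records, only the 02:40 user creation and the Saturday group change raise alerts; the daytime group change and the unwatched application update are dropped.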
Limitations of using Microsoft 365 native tools to monitor and audit security events in Microsoft Entra ID
- A Microsoft Entra ID Premium P2 license and subscriptions to Azure Monitor and Microsoft Sentinel are required to perform some of these actions.
- Administrators must be assigned the required role to access individual native admin centers and carry out tasks in them.
- Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
- Audit logs have to be filtered every time they are generated, and the filters cannot be saved, which gets tedious when you need the same filtered data frequently.
- Assigning granular permissions to execute individual tasks in a broad category is not possible.
Benefits of using M365 Manager Plus to monitor and audit security events in Microsoft Entra ID
- Keep tabs on even the most granular user activities in your Microsoft 365 environment.
- Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
- Gain a thorough understanding of your environment in Exchange Online, Microsoft Entra ID, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.
- Filter your reports just once and save them as custom reports that you can access in just a few clicks.
- Export reports generated in M365 Manager Plus in not just CSV, but also in other presentable formats such as HTML, PDF, and XLSX.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges and create custom roles with any combination of reporting, management, and auditing tasks.
- Easily manage users, groups, contacts, mailboxes, teams, and sites in bulk without PowerShell scripting.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.