How to audit and monitor security events in Microsoft Entra ID

It can get difficult monitoring the ever-increasing number of users and the activities they perform across the multiple applications they use. Microsoft Entra ID (formerly Azure Active Directory), a cloud-based IAM solution, offers multiple ways to manage users and track their activities in your Microsoft 365 environment. It also enables you to monitor security events, including sign-in anomalies, app permissions, and service health.

ManageEngine M365 Manager Plus—an extensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments—can also be used for the same purpose, in a more comprehensive, user-friendly way, all under a single console.

In this article, we will see how to audit and monitor security events in Microsoft Entra ID using multiple tools and comprehensively using M365 Manager Plus.

Auditing security events in Microsoft Entra ID

You can audit the activities of your users in Microsoft Entra ID using the Identity logs and Workbooks available under Monitoring & Health. The following table is a list of the reports available there, and what they help you get insights on:

Settings Description Use cases
Sign-in Logs Records the details of all sign-in activities by users, applications, and service accounts.
  1. Analyze sign-in patterns
  2. Detect unusual and untimely login attempts
Audit Logs Tracks all activities performed on users and resources in your tenant
  1. Track back activity to users who executed them
  2. Monitor unusual changes like privilege escalations.
Provisioning logs Tracks user provisioning activities like creation, modification, and deletion across Microsoft Entra ID and integrated applications
  1. Track users' life cycle progress across multiple applications
  2. Identify unauthorized or untimely provisioning activities
Workbooks Customizable dashboards that can represent complex logs graphically
  1. Summarize crucial metrics without reading through all entries
  2. Analyze trends and patterns of activities in your tenant
Usage & Insights A collection of reports on the activity of applications in your tenant.
  1. Track all application details like sign-ins and usage from a single point.
  2. Track which applications are used frequently.
  3. Track MFA methods used in your organization
Bulk Operations Records activities performed in bulk, like creation, modification, and deletion.
  1. Identify unsanctioned bulk modification of users

Monitoring security events in Microsoft Entra ID

You can monitor the security events in Microsoft Entra ID by utilizing the Security logs and Workbooks available under Monitoring & Health. The following table outlines the tools to monitor security events in Microsoft Entra ID and what use cases they serve

Diagnostic Settings A setting that you can configure to export logs to tools like Azure Monitor or just store them
  1. Set up event-specific alerts in Azure Monitor (requires a subscription)
  2. Store logs for further analysis or to prove compliance
Log Analytics A data storage solution that can also analyze the logs generated from solutions like Microsoft Entra ID
  1. Analyze logs for anomalies like unusual login patterns, multiple failed sign-in attempts, or logins from unexpected locations
  2. Monitor performance and other crucial metrics
Microsoft Sentinel (requires a subscription) A SIEM solution that can analyze logs, send out event alerts, and automate tasks
  1. Create automated incident responses like blocking users after multiple failed sign-ins to prevent threats at their early stages
  2. Monitor continuously and set up alerts for specific or untimely events in your environment.

All of these tools require you to set up a Log Analytics workspace to use them. Here are the steps to create one.

  1. Log in to the Azure portal, and search for Log Analytics workspaces in the search box.
  2. Select Create. You will be redirected to the Create Log Analytics workspace page.
    Microsoft Log Analytics workspaces page with the Create option in the top-left of the ribbon marked.
  3. Select a Subscription from the dropdown.
  4. You can select an existing Resource Group or create a new one by clicking Create New.
  5. Fill in the Name and select the Region from the dropdown.
  6. Click on Next: Tags to assign tags to your workspace. These will help you organize your workspaces based on the data you need. For example, Activity: Add user can be a tag to identify the workspace that you use to analyze user creation.
  7. Select Review + Create to check your configuration. Then, click Create to create your Log Analytics workspace.
    The Create Log Analytics workspace in the Azure portal

Tracking security events in Microsoft Entra ID using M365 Manager Plus

Although Microsoft Entra ID's native solutions provide a good way to audit and monitor events in your environment, the best part of it is locked behind separate subscriptions and complex configurations. Generating alerts for actions requires the use of Azure Monitor, which needs an additional license. Creating custom dashboards and audit profiles require you to use Kusto Query Language (KQL) in workbooks. Moreover, you will have to jump between multiple admin centers to get all of these working seamlessly.

M365 Manager Plus offers alerts for crucial security events like user creation, group membership changes, and more along with the capability to audit and monitor your Microsoft 365 environment. You can view the generalized steps to create a profile in M365 Manager Plus below.

  1. Log in to M365 Manager Plus, navigate to Settings > Audit Configuration and click Audit Profiles or Alert Profiles. Then, click Add Profile.
    The navigation to the Add Profile option in Alert Profiles under the Settings tab.
  2. Type in a Profile Name and Description for your profile.
  3. Select a Microsoft 365 Service to track, the Category of actions, and select the events you want under Actions:
    Some of the security events that can be audited under the Actions field

    Note:

    1. For alerts, assign a Severity level based on how crucial this alert is. In the example screenshot below, we've selected Attention.
    2. Configure a message using Macros to use specific variables in your alert message. For this example, we've used the following message: %OBJECT_ID% modified by %ACTOR%. Activity is %OPERATION%.
    3. Expand Advanced Configuration and check the email every alert corresponding to this profile box to receive email alerts
  4. In the Filter Settings tab that appears after expanding Advanced Configuration, use the Business Hours Filter to monitor for any events outside of working hours and the Filter By Column option to format the report data you will receive.
  5. Click Add to finalize your changes and create a custom profile to monitor your preferred security event in Microsoft Entra ID.
    The Audit Profile and Alert Profile configuration pages of M365 Manager Plus.

Limitations of using Microsoft 365 native tools to monitor and audit security events in Microsoft Entra ID

  • Microsoft Entra ID Premium P2 license and subscriptions to Azure Monitor and Microsoft Sentinel is required to perform some of these actions.
  • Administrators must be assigned the required role to access individual native admin centers and carry out tasks in them.
  • Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
  • Audit logs will have to be filtered every time they are generated, and the filters cannot be saved, which can get exhausting if a filter is required to generate data that you require frequently.
  • Assigning granular permissions to execute individual tasks in a broad category is not possible.

Benefits of using M365 Manager Plus to monitor and audit security events in Microsoft Entra ID

  • Keep tabs on even the most granular user activities in your Microsoft 365 environment.
  • Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
  • Gain a thorough understanding of your environment in Exchange Online, Microsoft Entra ID, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.
  • Filter your reports just once and save them as custom reports that you can access in just a few clicks.
  • Export reports generated in M365 Manager Plus in not just CSV, but also in other presentable formats such as HTML, PDF, and XLSX.
  • Delegate granular permissions to technicians without elevating their Microsoft 365 privileges and create custom roles with any combination of reporting, management, and auditing tasks.
  • Easily manage users, groups, contacts, mailboxes, teams, and sites in bulk without PowerShell scripting.
  • Monitor the health and performance of Microsoft 365 features and endpoints around the clock.

Effortlessly schedule and export reports on your Microsoft 365 environment.

Try now for free
 

Streamline your Microsoft 365 governance and administration with M365 Manager Plus

Get Your Free Trial

Related Resources

 
x
A holistic Microsoft 365 administration and security solution
 
x
 
Back to TopBack to Top