title: What is Azure Active Directory monitoring? | Microsoft Docs
description: Provides a general overview of Azure Active Directory monitoring.
services: active-directory
documentationcenter:
author: MarkusVi
manager: daveba
editor:
ms.assetid: e2b3d8ce-708a-46e4-b474-123792f35526
ms.service: active-directory
ms.devlang: na
ms.topic: overview
ms.tgt_pltfrm: na
ms.workload: identity
ms.subservice: report-monitor
ms.date: 04/18/2019
ms.author: markvi
ms.reviewer: dhanyahk
ms.collection: M365-identity-device-management

What is Azure Active Directory monitoring?

With Azure Active Directory (Azure AD) monitoring, you can now route your Azure AD activity logs to different endpoints. You can then either retain them for long-term use or integrate them with third-party Security Information and Event Management (SIEM) tools to gain insights into your environment.

Currently, you can route the logs to:

  • An Azure storage account.
  • An Azure event hub, so you can integrate with your Splunk and Sumo Logic instances.
  • An Azure Log Analytics workspace, where you can analyze the data, create dashboards, and alert on specific events.

[!VIDEO https://www.youtube.com/embed/syT-9KNfug8]


Diagnostic settings configuration

To configure monitoring settings for Azure AD activity logs, first sign in to the Azure portal, then select Azure Active Directory. From here, you can access the diagnostic settings configuration page in two ways:

  • Select Diagnostic settings from the Monitoring section.

    [Screenshot: Diagnostics settings]

  • Select Audit Logs or Sign-ins, then select Export settings.

    [Screenshot: Export settings]

Route logs to storage account

By routing logs to an Azure storage account, you can retain them for longer than the default retention period outlined in our retention policies. Learn how to route data to your storage account.

Stream logs to event hub

Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like Sumo Logic and Splunk. This integration allows you to combine Azure AD activity log data with other data managed by your SIEM, to provide richer insights into your environment. Learn how to stream logs to an event hub.
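
The following Python example is added here and is not from the original article. It shows how a consumer of the event hub stream could split one message into sign-in and audit records and flag source IPs with repeated failed sign-ins before forwarding to a SIEM. The `records` envelope and the field names (`category`, `resultType`, `callerIpAddress`, `properties.userPrincipalName`) are assumptions about the streamed schema, and the sample message is constructed.

```python
import json
from collections import defaultdict


def _signin(ip, user, result):
    """Build one constructed sign-in record (field names are assumed)."""
    return {"time": "2019-04-18T10:00:00Z", "category": "SignInLogs",
            "resultType": result, "callerIpAddress": ip,
            "properties": {"userPrincipalName": user}}


# Constructed sample: the body of one event hub message. All values are
# invented for illustration (documentation IP ranges, example domain).
SAMPLE_MESSAGE = json.dumps({"records": [
    _signin("203.0.113.7", "alice@contoso.example", "50126"),
    _signin("203.0.113.7", "bob@contoso.example", "50126"),
    _signin("203.0.113.7", "alice@contoso.example", "50126"),
    _signin("198.51.100.4", "carol@contoso.example", "0"),
    _signin("198.51.100.4", "carol@contoso.example", "50126"),
    {"time": "2019-04-18T10:05:00Z", "category": "AuditLogs",
     "operationName": "Add user"},
]})


def split_by_category(message_body):
    """Group the records of one message by their 'category' field."""
    grouped = defaultdict(list)
    for record in json.loads(message_body).get("records", []):
        grouped[record.get("category", "Unknown")].append(record)
    return grouped


def failed_signins_by_ip(records, threshold=3):
    """Map each IP with >= threshold failed sign-ins to the users targeted.

    Assumption: a resultType of "0" means success, anything else a failure.
    """
    failures = defaultdict(list)
    for rec in records:
        if str(rec.get("resultType", "0")) != "0":
            user = rec.get("properties", {}).get("userPrincipalName", "unknown")
            failures[rec.get("callerIpAddress", "unknown")].append(user)
    return {ip: sorted(set(users))
            for ip, users in failures.items() if len(users) >= threshold}


if __name__ == "__main__":
    by_category = split_by_category(SAMPLE_MESSAGE)
    print(failed_signins_by_ip(by_category["SignInLogs"]))
```
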

Send logs to Azure Monitor logs

Azure Monitor logs is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to send data to Azure Monitor logs.

You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to install and use log analytics views for Azure AD activity logs.

Next steps
