Getting Started with Azure Monitor Workbooks for Azure Active Directory


It’s time to take a look at the Azure Workbooks and get started with monitoring Azure Active Directory the new way.

In the overview of What’s New in Azure Active Directory for August 2019, Microsoft announced the deprecation of the Azure AD Power BI content packs in favor of Azure Monitor Workbooks. Microsoft also made announcements for Azure Active Directory at Microsoft Ignite 2019, indicating new and enhanced Azure Monitor Workbooks for Azure AD.

 

About the Azure AD Power BI content packs

For years, Azure AD admins could gain insights in Power BI, based on the Azure Active Directory Activity Logs content pack in Power BI on the Web.

Especially when combined with the Azure Audit Logs, Azure Backup, Azure Security Center Security Insights and Azure Security Center Policy Management, Power BI provides a great overview of the health of the organization’s cloud services.

 

About Azure Monitor workbooks

Azure Monitor Workbooks replace Power BI content packs.

For Azure Monitor workbooks, log data is stored in a Log Analytics workspace and is collected and analyzed by the Log Analytics service. Azure Monitor is then used to view the data in comprehensive reports. Compared to the Power BI content packs, this method improves speed and allows for alerts, all without the need for Power BI licenses throughout the organization.

 

Requirements

To use Azure Monitor workbooks, you need:

  • An Azure Active Directory tenant with at least one Azure AD Premium (P1 or P2) subscription license.
  • A Log Analytics workspace
  • Access to the Log Analytics workspace
  • Sign in with one of the following roles in Azure Active Directory, if you are accessing Log Analytics through the Azure Active Directory portal:
    • Security administrator
    • Security reader
    • Report reader
    • Global administrator
    • Global reader
  • Sign in with one of the following roles to gain access to the underlying Log Analytics workspace to manage the Azure Monitor Workbooks:
    • Global administrator
    • Global reader
    • Security administrator
    • Security reader
    • Report reader
    • Application administrator

 

How to get it working

Here’s how to get Azure Monitor Workbooks for your Azure AD tenant working:

 

Step 1: Set up a Log Analytics workspace

Azure Monitor Workbooks require a Log Analytics Workspace. As Azure subscriptions, by default, do not get configured with a Log Analytics workspace, the first step is to create a Log Analytics Workspace. Perform these steps:

  • Sign in to the Azure Portal with an account that has one or more of the roles mentioned in the above requirements paragraph.
  • In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
  • Click + Add.
    The Log Analytics workspace blade appears.
  • Fill in the required information to add a Log Analytics workspace.
  • Click OK on the bottom of the blade to create the Log Analytics workspace.

The pricing model for Log Analytics is per ingested GB per month. However, the first 5 GB per month is free. Data ingestion beyond 5 GB is priced at € 2,52 per GB per month. Ingesting Azure AD logs into Log Analytics will mostly result in free workspace usage, except for large, busy Azure AD tenants.

 

Step 2: Integrate Azure AD logs into Log Analytics

Perform the following steps to route audit activity logs and sign-in activity logs from Azure Active Directory to the Log Analytics Workspace:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Diagnostic settings in Azure AD’s navigation menu.
  • In the main pane, click Add diagnostic setting.
    The Diagnostic settings blade appears.
  • On the Diagnostic settings blade, provide a name for the diagnostic settings.
  • Select the Send to Log Analytics workspace check box.
  • Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
  • Do either or both of the following:
    • To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
    • To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.
  • Select Save on top of the blade to save the diagnostic settings.

Allow for ample time for the diagnostic settings to apply and the data to be streamed to the Log Analytics workspace.
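
One way to confirm that Step 2 took effect, as an added example that is not part of the original article: the script below audits an exported JSON list of the tenant's diagnostic settings and reports whether AuditLogs and SignInLogs actually reach a Log Analytics workspace. The JSON shape (properties.workspaceId, properties.logs[].category and .enabled), the setting names and the placeholder resource IDs are constructed assumptions.

```python
import json

REQUIRED = {"AuditLogs", "SignInLogs"}  # the two categories selected in Step 2

# Constructed sample. Shape assumed to follow Azure Monitor diagnostic-settings
# resources: properties.workspaceId, properties.logs[].category / .enabled.
SAMPLE = json.loads("""
{"value": [
  {"name": "aad-to-law",
   "properties": {
     "workspaceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/workspaces/<name>",
     "logs": [{"category": "AuditLogs", "enabled": true},
              {"category": "SignInLogs", "enabled": false}]}},
  {"name": "aad-archive",
   "properties": {
     "storageAccountId": "/subscriptions/<sub-id>/storageAccounts/<account>",
     "logs": [{"category": "SignInLogs", "enabled": true}]}}
]}
""")


def audit_settings(doc):
    """Return (category -> workspace id, findings) for an exported settings list."""
    covered, findings = {}, []
    for setting in doc.get("value", []):
        name = setting.get("name", "<unnamed>")
        props = setting.get("properties", {})
        workspace = props.get("workspaceId")
        for log in props.get("logs", []):
            cat = log.get("category")
            if cat not in REQUIRED:
                continue
            if not log.get("enabled"):
                # Check box present in the setting but not ticked.
                findings.append(f"{name}: {cat} is listed but not enabled")
            elif not workspace:
                # Logs go somewhere else; workbooks cannot query them.
                findings.append(f"{name}: {cat} enabled, but no workspace target")
            else:
                covered[cat] = workspace
    for cat in sorted(REQUIRED - set(covered)):
        findings.append(f"{cat} does not reach any Log Analytics workspace")
    return covered, findings


if __name__ == "__main__":
    for line in audit_settings(SAMPLE)[1]:
        print("FINDING:", line)
```

A category that never reaches the workspace leaves the matching workbooks empty, so an empty findings list is the state to aim for before moving on to Step 3.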

 

Step 3: Enjoy the Azure Monitor Workbooks

Perform the following steps to view the information in the Azure AD Workbooks:

  • While still logged on in the Azure AD Portal, click on Azure Active Directory in the left navigation menu.
  • Select Workbooks in Azure AD’s navigation menu.
    The Workbooks main page appears.

  • Make your own workbook, starting from an empty report, or choose your favorite workbook from the readily available workbooks in the categories Usage, Conditional access and Troubleshoot:
    • Sign-ins
    • Sign-ins using Legacy Authentication
    • App Consent Audit
    • Conditional Access Insights (Preview)
    • Sign-ins by Conditional Access policies
    • Sign-ins by Grant Controls
    • Sign-ins Failure Analysis

Since I was missing the default sign-ins maps, which I used the Power BI content packs for a lot, I decided to create a new report based on the Kusto Query Language (KQL).

 

Concluding

While Azure AD’s workbooks don’t yet provide the functionality of the Power BI content pack, they are a very powerful solution to get acquainted with what’s going on in the organization’s Azure AD tenant.

I believe what we’re seeing today in Azure AD’s workbooks is the start of something that answers the big questions organizations have today, and will grow into a solution that organizations with Azure AD Premium licenses love to use to keep tabs on their Azure AD tenant(s).

Further reading

Azure Monitor overview
How to use Azure Monitor workbooks for Azure Active Directory reports
Create a Log Analytics workspace in the Azure portal
