Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. User objects assigned the Global administrator role are the most privileged objects in Azure AD, and membership of that role should be monitored.
The challenge with Global Admins
Some organizations have opted for a Technical State Compliance Monitoring (TSCM) process to catch changes in Global Administrator role assignments. However, when an organization reviews the members of the role only at a regular interval, a user object may be assigned the Global administrator role and removed again between two review moments, and the organization would never know it.
Of course, the real answer to the question ‘Who are my Azure AD admins?’ is Azure AD Privileged Identity Management (PIM). PIM also addresses standing privileges by enforcing a maximum activation duration for eligible assignments, but it requires Azure AD Premium P2 subscription licenses. PIM sends a notification when the Global Administrator role is assigned outside of PIM.
The weekly PIM notification lists who was added to admin roles, both as eligible and as permanent members. When approval is required, no one can activate their eligible Global Administrator assignment without it.
For organizations without Azure AD Premium P2 subscription license, the next best thing is to get a notification when a new user object is assigned the Global administrator role.
How to get notified
To build the solution to have people notified when the Global Administrator role is assigned, we’ll use Azure Log Analytics and Azure Monitor alerts.
STEP 1: SET UP A LOG ANALYTICS WORKSPACE
Azure subscriptions do not get a Log Analytics workspace by default, so the first step is to create one. Perform these steps:
- Sign in to the Azure portal with an account that has Global administrator privileges and is assigned an Azure AD Premium license (exporting sign-in logs requires Azure AD Premium P1 or P2).
- In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
- Click + Add. The Log Analytics workspace blade appears.
- Fill in the required information to add a Log Analytics workspace.
- Click OK at the bottom of the blade to create the Log Analytics workspace.
The pricing model for Log Analytics is per ingested GB per month. The first 5 GB per month is free; data ingestion beyond 5 GB is priced at $2.328 per GB per month. Ingesting the Azure AD logs into Log Analytics will mostly stay within the free allowance, except for large, busy Azure AD tenants.
Note:
If you (expect to) hit the limits of free workspace usage, you can opt not to send sign-in logs to the Log Analytics workspace in the next step. Sign-in logs are not needed for this scenario, which relies on audit logs only.
STEP 2: INTEGRATE AZURE AD LOGS INTO LOG ANALYTICS
Perform the following steps to route the audit activity logs and sign-in activity logs from Azure Active Directory to the Log Analytics workspace:
- While still signed in to the Azure portal, click Azure Active Directory in the left navigation menu.
- Select Diagnostic settings in Azure AD’s navigation menu.
- In the main pane, click Add diagnostic setting. The Diagnostic settings blade appears.
- On the Diagnostic settings blade, provide a name for the diagnostic setting.
- Select the Send to Log Analytics workspace check box.
- Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
- Do either or both of the following:
  - To send audit logs to the Log Analytics workspace, select the AuditLogs check box. These are required for this scenario.
  - To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box. These are optional here.
- Click Save at the top of the blade to save the diagnostic setting.
Allow ample time for the diagnostic setting to apply and for the data to start streaming to the Log Analytics workspace. Before moving on, confirm in the workspace that the AuditLogs table is receiving rows; an alert rule created against an empty table will never fire.
STEP 3: CREATE THE NOTIFICATION
The last step is to act on the logs that are streamed to the Log Analytics workspace:
- While still signed in to the Azure portal, click Monitor in the left navigation menu.
- Click Alerts in Azure Monitor’s navigation menu.
- Click the + New alert rule link in the main pane.
- In the Scope area, make the following changes:
  - Click the Select resource link. The Select a resource blade appears.
  - From the Filter by subscription drop-down list, select the Azure subscription containing the previously created Log Analytics workspace.
  - From the Filter by resource type drop-down list, select Log Analytics workspaces.
  - In the Resource list, select the previously created Log Analytics workspace.
  - Click Done at the bottom of the Select a resource blade to save the settings and close the blade.
- In the Condition area, make the following changes:
  - Click the Select condition link. The Configure signal logic blade appears.
  - In the Signal name list, select Custom log search. This is the top signal in the list.
  - In the Search query field, type the following query:

AuditLogs
| where OperationName contains "Add member to role" and TargetResources contains "Company Administrator"

  - For the Alert logic, specify 0 as the Threshold value, so that the rule fires whenever the query returns more than zero rows. Set both the Period (the look-back window) and the Frequency (how often the query runs) to 5 minutes.
  - Click Done at the bottom of the Configure signal logic blade to save the settings and close the blade.
- In the Action group area, make the following changes:
  - Click the Select action group link. The Select an action group to attach to this alert rule blade appears.
  - In the list of action groups, select a previously created action group, or click + Create action group, specify a meaningful name and short name, select a subscription and resource group, and click OK at the bottom of the Add action group blade. The action group defines who is notified and how (for example, by e-mail to the security team).
- In the Alert rule details area, specify a meaningful name in the Alert rule name field.
- Click the Create alert rule button to create the alert rule and close the Create alert rule pane.
Note:
"Company Administrator" is the legacy display name under which the audit log recorded Global Administrator role assignments. If the alert never fires in your tenant, open a recent "Add member to role" entry in the Azure AD audit log, check the role display name it shows (newer entries show "Global Administrator"), and match on that name instead. Also keep in mind that contains performs a case-insensitive substring match over the whole TargetResources column, so a role name that is a substring of another role's name will also match.
When you set up the alert with the above settings, including the 5-minute period and frequency, the notification will cost your organization $1.50 per month. When speed is not of the essence in your organization (you may have other problems if this notification is what you rely on for emergency access), you can lower the cost to $0.50 per month by running the query every 15 minutes or less often.
STEP 4: TEST THE NOTIFICATION
To make sure the notification works as expected, assign the Global Administrator role to a test user object and remove it again afterwards. This should trigger the alert within 5 minutes. If it doesn’t, retrace the steps above, starting with whether the audit entry for the assignment actually appears in the AuditLogs table of the workspace.
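Before paying for the alert rule, it helps to see exactly which audit entries the Step 3 condition would and would not match. The following Python script is an added example, not code from the original post: it emulates one scheduled run of the alert (look-back period, threshold of 0) over a handful of constructed records laid out in the shape of the Log Analytics AuditLogs table (OperationName, InitiatedBy, TargetResources[].modifiedProperties with JSON-encoded oldValue/newValue). The sample records, the contoso.example addresses and the role object id placeholder are all made up. It goes a little beyond the portal query on purpose: it accepts both the legacy "Company Administrator" and the current "Global Administrator" display name, locates the role by property name instead of a fixed index, and can optionally also catch "Remove member from role", so you can see what the alert would report in each case.

```python
"""Offline emulation of the Step 3 Global Administrator alert (added example)."""
import json
from datetime import datetime, timedelta, timezone

# The audit log recorded Global Administrator under its legacy display name
# "Company Administrator" in older entries, so watch both spellings.
GLOBAL_ADMIN_NAMES = frozenset({"Global Administrator", "Company Administrator"})

# Fixed "now" so the constructed sample data below is deterministic.
NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)


def _record(minutes_ago, operation, role, target, initiator="admin@contoso.example"):
    """Build one constructed AuditLogs-shaped record (sample data, not a real tenant).
    modifiedProperties values are JSON-encoded strings, as the table stores them;
    an add carries the role in newValue, a remove carries it in oldValue."""
    adding = operation == "Add member to role"
    return {
        "TimeGenerated": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "OperationName": operation,
        "InitiatedBy": {"user": {"userPrincipalName": initiator}},
        "TargetResources": [{
            "userPrincipalName": target,
            "modifiedProperties": [
                # placeholder object id, not a real role id
                {"displayName": "Role.ObjectID", "oldValue": None, "newValue": json.dumps("role-object-id")},
                {"displayName": "Role.DisplayName",
                 "oldValue": None if adding else json.dumps(role),
                 "newValue": json.dumps(role) if adding else None},
            ],
        }],
    }


SAMPLE_AUDIT_LOGS = [  # constructed
    _record(2, "Add member to role", "Company Administrator", "backdoor@contoso.example"),
    _record(1, "Add member to role", "Global Administrator", "newadmin@contoso.example"),
    _record(3, "Add member to role", "Helpdesk Administrator", "helpdesk@contoso.example"),
    _record(4, "Remove member from role", "Global Administrator", "leaver@contoso.example"),
    _record(12, "Add member to role", "Global Administrator", "earlier@contoso.example"),
]


def _decode(raw):
    """A modifiedProperties value is a JSON string inside a string ('"Global Administrator"'),
    which is why KQL needs parse_json twice. None or "" (the oldValue of an add) -> None."""
    if raw in (None, ""):
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def role_display_name(record):
    """Return (old_role, new_role) from the first target resource, found by property
    name rather than a fixed index so a reordered payload does not silently break the rule."""
    targets = record.get("TargetResources") or []
    if not targets:
        return None, None
    for prop in targets[0].get("modifiedProperties") or []:
        if prop.get("displayName") == "Role.DisplayName":
            return _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
    return None, None


def is_role_change(record, operations=("Add member to role",), roles=GLOBAL_ADMIN_NAMES):
    """The alert condition: a watched operation against a watched role."""
    if record.get("OperationName") not in operations:
        return False
    old_role, new_role = role_display_name(record)
    return (new_role or old_role) in roles


def evaluate_alert(records, now=NOW, period_minutes=5,
                   operations=("Add member to role",), roles=GLOBAL_ADMIN_NAMES):
    """Emulate one scheduled run: keep matching records inside the look-back period and
    project what a responder needs (who did it, to whom, which role)."""
    window_start = now - timedelta(minutes=period_minutes)
    hits = []
    for rec in records:
        ts = datetime.fromisoformat(rec["TimeGenerated"])
        if not (window_start <= ts <= now) or not is_role_change(rec, operations, roles):
            continue
        old_role, new_role = role_display_name(rec)
        actor = rec.get("InitiatedBy") or {}
        initiator = ((actor.get("user") or {}).get("userPrincipalName")
                     or (actor.get("app") or {}).get("displayName"))
        hits.append({
            "TimeGenerated": rec["TimeGenerated"],
            "InitiatedBy": initiator,
            "UserPrincipalName": rec["TargetResources"][0].get("userPrincipalName"),
            "OperationName": rec["OperationName"],
            "OriginalDirectoryRole": old_role,
            "NewDirectoryRole": new_role,
        })
    return hits


def alert_fires(hits, threshold=0):
    """Alert logic from Step 3: number of results greater than the threshold (0)."""
    return len(hits) > threshold


if __name__ == "__main__":
    found = evaluate_alert(SAMPLE_AUDIT_LOGS)
    print("alert fires:", alert_fires(found))
    for h in found:
        print(h["TimeGenerated"], h["InitiatedBy"], h["OperationName"],
              h["UserPrincipalName"], "->", h["NewDirectoryRole"] or h["OriginalDirectoryRole"])
```

Run as-is, the script reports two hits (the legacy-named and the current-named Global Administrator adds), ignores the Helpdesk Administrator add, and drops the add from twelve minutes ago because it falls outside the 5-minute period; widening period_minutes to 15 picks that one up again, which is the trade-off the cost paragraph above describes. Passing operations=("Add member to role", "Remove member from role") also surfaces the removal, with the role in OriginalDirectoryRole instead of NewDirectoryRole.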
Concluding
To remediate the blind spot your organization may have on accounts with Global Administrator privileges, create a notification that alerts you the moment the role is assigned.
If it’s not the Global Administrator role that you’re after but a different role, specify that role’s display name in the Search query field instead.
Thanks, great content.
Great stuff, thanks. Very helpful.
Can the alert include what account was added?
Tried to do this and was unable to yield results. It appears that the alert syntax has changed:
AuditLogs
| where OperationName == "Add member to role" and TargetResources contains "Company Administrator"
I was looking for something similar, but need a query for when the roles expire. Could someone help?
This is what I came up with for both add and remove of Administrator roles in Entra ID:
AuditLogs
// both assignment and removal of any role whose display name contains "Administrator"
| where OperationName in ('Add member to role', 'Remove member from role') and TargetResources has "Administrator"
// who performed the change (user-initiated changes; app-initiated ones have InitiatedBy.app instead)
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// modifiedProperties[1] is Role.DisplayName; its old/new values are JSON-encoded strings, hence the double parse_json
| extend OriginalDirectoryRole = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend NewDirectoryRole = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
// the account that was added to or removed from the role
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, InitiatedBy, OriginalDirectoryRole, NewDirectoryRole, UserPrincipalName, OperationName