A prerequisite for monitoring sensitive accounts in Azure AD is to have set up a Log Analytics workspace and to have your Azure AD logs sent to it. If you want to know how that's done, have a look at the blog post "Monitor Azure AD" to see how easy it is to enable in your tenant.
To monitor sensitive accounts we first need to determine which accounts to monitor. I always recommend monitoring the break-glass administrator account so that you or your team is alerted whenever the account is used.
In the Log Analytics query below we search the "SigninLogs" table for a specific UserPrincipalName and only keep rows with ResultType 0 (ResultType 0 means a successful sign-in):

```kusto
SigninLogs
| where UserPrincipalName == "email@example.com"
| where ResultType == "0"
```
With that in mind, let's create an Alert Rule from this query so that we are notified every time "firstname.lastname@example.org" performs a successful sign-in.
When clicking the "New Alert Rule" button we are taken to a new page with several settings. Here I have changed only two things:
Operator: Greater than or equal to
Threshold value: 1
Click Next to go to “Actions”
An action group is how and who is getting notified when the alert is fired.
We create a new action group for this scenario and set up an email notification to an administrator.
Within the Actions pane of the action group you can also send a payload to an Azure Function, a webhook and more. In this scenario we only use the notification part, so let's skip to "Review + create" and create the action group.
We then give the alert an "Alert rule name" and a description. This is what appears in the email notification sent to the user or users in the action group.
Jump over to “Review + create” and create the Alert rule.
Conclusion and result
- We gained monitoring and notification by writing a query in Log Analytics.
- From the Logs pane we can easily create a new Alert rule.
- We created an Action Group where we specified who gets notified and how.
And the result looks like this when there is a sign-in from that account and the Alert rule is fired!
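The post's query, widened as an added example (not the original post's query) to watch a list of break-glass accounts and to keep failed attempts alongside successes, so the alert also surfaces someone guessing at the account; the UPNs are constructed placeholders:

```kusto
// Added example, not the original post's query. The UPNs are constructed placeholders.
let BreakGlassAccounts = dynamic([
    "breakglass1@example.com",
    "breakglass2@example.com"
]);
SigninLogs
| where TimeGenerated > ago(1h)
// Case-insensitive match against the whole list instead of a single UPN
| where UserPrincipalName in~ (BreakGlassAccounts)
// Keep failures too: repeated failed sign-ins against a break-glass account are worth seeing
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
// Fields that make the alert actionable without opening the portal
| project TimeGenerated, UserPrincipalName, Outcome, ResultDescription,
          IPAddress, Location, AppDisplayName, ClientAppUsed,
          ConditionalAccessStatus, RiskLevelDuringSignIn, CorrelationId
| order by TimeGenerated desc
```

With the same "Greater than or equal to 1" threshold from the post, an alert rule on this query fires on any activity against the listed accounts; add `| where Outcome == "Success"` if you only want successful sign-ins, as in the original rule.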