Monitoring and protecting privileged accounts is paramount because failure to do so can lead to loss or theft of sensitive information, or enable malware to compromise your network. Privileged accounts can include global administrators, Azure subscription administrators, and users who have administrator access in VMs or SaaS apps.
In Azure Active Directory (AD), auditing is enabled by default. You can check all activity in any given Azure AD environment using the Azure Portal, PowerShell cmdlets, and a security information and event management (SIEM) solution.
In Azure AD, select Roles and Administrators to see the list of all available roles and their permissions. Any changes made to the accounts in Roles and Administrators can be viewed and monitored under Audit Logs as well, as seen here in Figure 1.
Figure 1. Audit Logs display all activity happening in an Azure AD environment.
Setting up alerts in Azure AD
Azure AD Privileged Identity Management (PIM) is a service that enables you to manage and monitor access to privileged accounts in your organization. It can generate alerts when there is suspicious or unsafe activity in your environment. When an alert is triggered, it shows up on the PIM dashboard. Select Alerts (Figure 2) to see the list of alerts generated, and select a report to see the user or roles that triggered the alert.
Figure 2. Alerts that are set up to monitor Azure AD roles.
To use PIM, you must have one of the following paid or trial licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
If you want to set up alerts with the basic Azure AD plan, you will have to use PowerShell scripts. This leaves you with only two native options: PIM, which is expensive, and PowerShell scripts, which are time-consuming. The best workaround is to use a comprehensive third-party tool that is both efficient and inexpensive.
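One way to script the kind of alerting described above, as an added example rather than code from the original article or from Microsoft: it filters directory audit records for membership changes to a watch list of privileged roles. The record shape (modelled on the Microsoft Graph directoryAudit resource), the watch list, and all account names are assumptions constructed for illustration.

```powershell
# Added example: CONSTRUCTED audit records shaped like Microsoft Graph
# directoryAudit entries. All UPNs and the watch list are hypothetical.
$WatchedRoles   = @('Global Administrator', 'Privileged Role Administrator')
$RoleActivities = @('Add member to role', 'Remove member from role')

function Get-RoleChangeAlert {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,
        [string[]] $Role = $WatchedRoles
    )
    foreach ($rec in $AuditRecord) {
        if ($rec.category -ne 'RoleManagement') { continue }
        if ($rec.activityDisplayName -notin $RoleActivities) { continue }
        foreach ($target in $rec.targetResources) {
            $prop = $target.modifiedProperties |
                Where-Object { $_.displayName -eq 'Role.DisplayName' } |
                Select-Object -First 1
            if (-not $prop) { continue }
            # Role name sits in newValue on an add and oldValue on a removal,
            # stored JSON-quoted, so strip the surrounding quotes.
            $raw = if ($prop.newValue) { $prop.newValue } else { $prop.oldValue }
            $roleName = "$raw".Trim('"')
            if ($roleName -notin $Role) { continue }
            # A change can be initiated by a user or by an application.
            $actor = $rec.initiatedBy.user.userPrincipalName
            if (-not $actor) { $actor = $rec.initiatedBy.app.displayName }
            [pscustomobject]@{
                Time   = $rec.activityDateTime; Activity = $rec.activityDisplayName
                Role   = $roleName;             Target   = $target.userPrincipalName
                Actor  = $actor;                Result   = $rec.result
            }
        }
    }
}

$sample = @'
[{"activityDateTime":"2024-01-10T08:15:00Z","category":"RoleManagement","activityDisplayName":"Add member to role","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"admin1@contoso.example"}},
  "targetResources":[{"userPrincipalName":"alice@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","oldValue":null,"newValue":"\"Global Administrator\""}]}]},
 {"activityDateTime":"2024-01-10T09:02:00Z","category":"RoleManagement","activityDisplayName":"Remove member from role","result":"success",
  "initiatedBy":{"app":{"displayName":"Provisioning Service"}},
  "targetResources":[{"userPrincipalName":"bob@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","oldValue":"\"Privileged Role Administrator\"","newValue":null}]}]},
 {"activityDateTime":"2024-01-10T09:30:00Z","category":"RoleManagement","activityDisplayName":"Add member to role","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"admin1@contoso.example"}},
  "targetResources":[{"userPrincipalName":"carol@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","oldValue":null,"newValue":"\"Reports Reader\""}]}]}]
'@ | ConvertFrom-Json

# Yields two alerts (alice added, bob removed); the Reports Reader change is ignored.
Get-RoleChangeAlert -AuditRecord @($sample) | Format-Table -AutoSize
```

In a live tenant the records could instead come from `Get-MgAuditLogDirectoryAudit` in the Microsoft Graph PowerShell SDK, and the function's output could be passed to whatever mail or ticketing step your environment uses.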
Configuring alerts using ADAudit Plus
With more organizations implementing a hybrid AD environment, monitoring changes across both on-premises AD and Azure AD using native tools alone is complex and time-consuming. Be it on-premises AD or Azure AD, ADAudit Plus ensures complete change monitoring for privileged accounts. It gives you a single, correlated view of all activity happening across your hybrid AD environment.
ADAudit Plus allows you to monitor changes made to privileged accounts from anywhere with notifications delivered directly to your inbox, so you can always stay on top of all changes within your IT environment. Apart from the 200 preconfigured reports, you can also customize reports to meet your specific auditing needs and schedule them as needed.
To configure alerts in ADAudit Plus:
Step 1: Click the Configuration tab in ADAudit Plus.
Step 2: Select Create Alert Profile from the list on the left pane.
Step 3: Select the Domain and Report Profile for which you need the alert, as seen below in Figure 3.
Step 4: Under Advanced Configuration, you can set up filters for the type of activity you need alerts for. For example, in Figure 4 you see that alerts are set for adding or removing a member from the domain.
Step 5: Save the alert profile. Now you will be notified of unauthorized changes no matter where you are, so you can act fast.
Figure 3. Configuring a new alert profile in ADAudit Plus.
Figure 4. You can set up filters to monitor and create alerts for specific activities in Azure AD using ADAudit Plus.
Summary
Any changes made to the roles and administrators in Azure AD must be monitored to ensure optimum IT security. You can view these changes on the Audit Logs page of Azure AD. To generate alerts, you need to use Azure AD's PIM tool, which is expensive as it only comes with the Azure AD Premium P2 package; you can also use PowerShell scripts to generate alerts, but that's time-consuming. ADAudit Plus offers you a single, correlated view of all activity in AD as well as the ability to create custom reports to meet your specific auditing needs. Alerts are displayed on the ADAudit Plus dashboard, and can be sent to your email as well.