Azure Active Directory (AD) provides an identity and access management service. It serves as a comprehensive identity and access management solution for managing user identities, enabling secure authentication and authorization, and facilitating access to various resources and applications in the Azure ecosystem. Azure AD allows organizations to centralize and manage user accounts, their access privileges, and authentication mechanisms.

Installed Datasets

The AD app installs the following datasets:

• Tenant - a resource dataset
• Sign-In Logs - an event dataset
• Audit Logs - an event dataset
• Provisioning Logs - interval datasets

View Azure AD in Observe

The Observe AD integration includes monitoring logs for audit, provisioning, and sign-in logs which you can find on Azure/Tenant resource. This dashboard provides you with a tenants and resource ID in your Azure app.

From here, you can GraphLink to Sign-In Logs, Audit Logs, and Provisioning Logs to view detailed logs.

With those logs, you can get answers to the following questions:

• Who's signing into the app?
• How are users using your resources?
• What changes were applied to your tenant such as users and group management or who and what updates were applied to your tenant’s resources?
• What groups were created or updated or deleted from a specific app?

Sign-In Logs consist of interactive, non-interactive, and service principal sign-ins, as well as managed identities for Azure resource sign-ins.

Setup

To install AD, see the installation instructions on the Microsoft Azure page.

By default, the Observe Azure App enables the Active Directory service when installed.

If you don't see the listed datasets, perform the following steps:

• Select Applications from the left menu.
• Click Manage on the Azure app card.
• Click the Configuration tab.
• Be sure you enabled the Enable Active Directory.

Active Directory logs

To learn more about Azure Active Directory logging, see Azure Active Directory Reporting in the Microsoft documentation.