1. Log Analytics Workspace
1.1 CREATE Log Analytics Workspace
It is not necessary to create an extra LAW for each function. If an LAW already exists you can simply 'reuse' it.
Use the steps below to create a Log Analytics Workspace, if one does not already exist. If an LAW already exists it can be used (if the naming is reasonably ok).
- Create a new Resource Group (prd-weu-law-rg) or choose the existing resource group which also contains the ASR resources.OPTIONAL: Register 'microsoft.insights' to be able to use Log Analytics Workspace. Normally this happens automatically when creating an LAW, but sometimes it goes wrong.
- Subscriptions > Select your subscription > (Settings) Resource Providers
- Select insights and click on register.
- Create a new Resource (within the correct resource group) and search for Log Analytics Workspace. Click on it and then choose Create.
- Select the right subscription, the right resource group and give your workspace a name (prd-weu-law-001) Then click on Pricing Tier to go to the next step.
- Select Pay-as-you-go (Per GB 2018) as pricing tier. It is possible that you cannot choose another tier.
- Provide the necessary Tags (important for governance!)
- Click on Review + Create & then on Create To create the Log Analytics Workspace
1.2 SEND Azure AD DIAGNOSTICS TO LAW
By Default no (log) data will be sent from Azure AD to the Log Analytics Workspace - this has to be done manually.
- Go to Azure Active Directory.
- Click on (Monitoring) Diagnostic Settings and then on +Add diagnostic setting.
- Check under log all the logs. Choose at Destination details then Send to Log Analytics workspace and select the correct (recently created) LAW. Don't forget to click on Save.
Note: These logs can now also be used to monitor access to the emergency account!
2. Basic Authentication Monitoring
After activating the diagnostics settings, you will see under (Monitoring) Workbooks see different workbooks. These are by default in Azure AD and do not need to be created.
The workbook we need to monitor basic authentication is Sign-ins using Legacy Authentication.
Click on the workbook to see all the login with basic authentication. Please note: if your LAW is recently created, there will obviously not be many logs available yet.
2.2 Sign-In Logs
A second, but not so straightforward method of monitoring legacy sign-ins is through the Azure AD Sign-in Logs.
- Go to Azure Active Directory
- Click on (Monitoring) Sign-ins
- Click on +Add Filters and select Client App.
Then select all Legacy protocols.