Cloud security controls series: Azure Active Directory's Access and Usage Reports

Over the past several months I have had many, many conversations with business customers and governments about the security benefits of Microsoft’s Cloud service offerings. This video from the RSA Conference earlier this year will give you an idea of the types of topics we have been discussing with customers. These conversations have increasingly become less about whether the Cloud can be trusted, and more about the innovative security and privacy features and functionality that are being constantly introduced into Microsoft’s Cloud services. Many of the CISOs and CIOs I have talked to recently have come to the conclusion that their own datacenters will not keep pace with the level of innovation that they see happening in Microsoft’s Cloud services.

Subsequently I thought it was a great time to write a series of articles focused on some of the security features and functionality built into Microsoft's Cloud services. Since most of the conversations I have been having with customers have been about controls in Office 365 and Microsoft Azure, specifically Infrastructure as a Service (IaaS), these articles will focus on security controls in these areas.

To get an idea of the type of innovation I'm talking about, in a security context, simply peruse Azure Active Directory's access and usage reports. Figure 1 below is a screenshot of Azure Active Directory's access and usage reports in the Azure portal. To get to this place in the Azure portal simply click on "Active Directory" in the left-hand navigation bar, then click on the active directory in the list you want to get reports on, and then click on the "REPORTS" tab.

Figure 1: Azure Active Directory's access and usage reports

Typically when CISOs see this list for the first time, they get very interested in learning more about these reports. In order for you to get access to all the same reports that you see in Figure 1, you need the Premium edition of Azure Active Directory. You can get information on the different editions of Azure Active Directory here. Some of these reports are available in the free edition of Azure Active Directory, and thus available as part of every Azure subscription. Some examples of reports that are available in the free edition of Azure Active Directory include “Sign ins from unknown sources”, “Sign ins after multiple failures”, and “Sign ins from multiple geographies”. As I mentioned, some of the other reports seen in Figure 1 require the Premium edition of Azure Active Directory including “Sign ins from IP addresses with suspicious activity”, “Anomalous sign in activity”, “Sign ins from possibly infected devices”, and others. You can see the current list of reports and which edition of Azure Active Directory they are available in, here.

I have written a couple of articles that will give you more details on some of these reports and why they are potentially so valuable:

Sign ins from possibly infected devices
From the Cloud Security Alliance Congress EMEA: How IP addresses associated with malware infected devices help protect Microsoft cloud customers

Users with leaked credentials
The Risk of Leaked Credentials and How Microsoft’s Cloud Helps Protect Your Organization

The Azure Active Directory team has provided an article that documents each report including example screenshots:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-view-access-usage-reports/

Each report in Figure 1 can be downloaded in comma separated value (CSV) format for archiving or further analysis. An example of a file that has been downloaded from the Azure portal is provided in Figure 2.

Figure 2: Example audit report downloaded from the Azure Portal

There are also activity reports for users and groups available. This makes it possible for your organization's Azure administrators to review sign in activity for users; this report includes information like the application the user signed into, the type of device the user used, the device's IP address, and the location the sign in was from. Figure 3 is an example of a user activity report. To get to this report in the Azure portal simply click on "Active Directory" in the left-hand navigation bar, then click on the active directory in the list where the user account you want an activity report on resides, then click on the "USERS" tab, then click on the user in the list you'd like to review activity for, then click the "ACTIVITY" tab.

Figure 3: Example of an Azure Active Directory user activity report from the Azure Portal

Most of the CISOs I talk to tell me that they really don't want yet another console or "pane of glass" to search for useful information in. Many of them already have numerous consoles for anti-malware software, IDS/IPS solutions, patch management, and in some cases one or more Security Information and Event Managers (SIEMs). There are a couple of additional features that will help security professionals who are in this category. Email notifications are automatically sent to all of the global admins associated with your Active Directory when it encounters 10 or more anomalous sign in events within a span of 30 days or less. This email will be sent from aad-alerts-noreply@mail.windowsazure.com. This feature is enabled by default; you can see this setting by clicking "Active Directory" in the left-hand navigation bar, then clicking on the active directory in the list you want to check the setting on, and then clicking on the "CONFIGURE" tab. The setting is called "Email Notification of Anomalous Sign Ins" as seen in Figure 4.
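As an added example (not from this post and not Microsoft's own code), the Python below applies two of the checks described above to a CSV export like the one in Figure 2: the "10 or more anomalous sign ins within 30 days or less" rule behind the email notification, and sign ins from more than one geography. The CSV column names and the sample rows are constructed assumptions, not the portal's exact export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a CSV export of an anomalous sign-in report.
# The column names are an assumption, not the portal's exact export header.
SAMPLE_CSV = """Time,User,IP address,Location
2015-04-01T09:15:00Z,bob@contoso.onmicrosoft.com,198.51.100.7,Redmond US
2015-06-01T08:00:00Z,alice@contoso.onmicrosoft.com,203.0.113.10,Redmond US
2015-06-03T08:05:00Z,alice@contoso.onmicrosoft.com,203.0.113.10,Redmond US
2015-06-06T22:41:00Z,alice@contoso.onmicrosoft.com,198.51.100.23,Lagos NG
2015-06-09T08:02:00Z,bob@contoso.onmicrosoft.com,198.51.100.7,Redmond US
2015-06-12T23:10:00Z,alice@contoso.onmicrosoft.com,198.51.100.23,Lagos NG
2015-06-15T08:00:00Z,bob@contoso.onmicrosoft.com,198.51.100.7,Redmond US
2015-06-18T07:59:00Z,alice@contoso.onmicrosoft.com,203.0.113.10,Redmond US
2015-06-21T08:01:00Z,bob@contoso.onmicrosoft.com,198.51.100.7,Redmond US
2015-06-24T08:03:00Z,alice@contoso.onmicrosoft.com,203.0.113.10,Redmond US
2015-06-28T08:00:00Z,bob@contoso.onmicrosoft.com,198.51.100.7,Redmond US
"""

def load_events(csv_text):
    """Parse an export into (time, user, ip, location) tuples, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["Time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, row["User"], row["IP address"], row["Location"]))
    return sorted(events)

def exceeds_notification_threshold(events, limit=10, window_days=30):
    """True when any span of window_days or less holds at least `limit` events,
    the same rule the directory uses to email its global admins."""
    times = [e[0] for e in sorted(events)]
    window = timedelta(days=window_days)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:  # drop events older than the span
            start += 1
        if end - start + 1 >= limit:
            return True
    return False

def users_with_multiple_geographies(events):
    """Users whose sign-ins in the export come from more than one location."""
    locations = defaultdict(set)
    for _, user, _, location in events:
        locations[user].add(location)
    return sorted(u for u, seen in locations.items() if len(seen) > 1)
```

Running the same functions over a real export lets you confirm which users are behind an alert email before you open the portal.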

Figure 4: Azure Active Directory notification settings in the Azure portal

Another useful bit of functionality that will help reduce the number of consoles security staff need to monitor is the Azure AD Reporting API. This API gives you the ability to programmatically export the data in these reports so that they can be consumed by your SIEMs and other data collection and analytics software. The Azure Active Directory team has provided a sample PowerShell script that illustrates how to access data from any of the available reports in JavaScript Object Notation (JSON), Extensible Markup Language (XML) and text formats. You can get more information on the REST APIs that provide read-only access to the Azure AD access and usage reporting data from this page on MSDN. There is also a whitepaper available called Microsoft Azure Security and Audit Log Management that contains more details on generating and collecting security logs from services that are deployed in Azure.

Figure 5: Output from a PowerShell script that I used to access events in the Audit Events report in my Microsoft Azure subscription’s Azure Active Directory

One of the reasons many CISOs get excited about these reports is that they don't have similar capabilities in their on-premises environments, or they have to pay for a third party service to provide something similar. These reporting capabilities are built into the Microsoft Azure platform, so whether you are running applications based on the Azure platform (PaaS) or running your own virtual machines in Azure (IaaS) you'll have the option of using these reports to help spot potential security issues.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection
