Microsoft Entra ID (Azure AD)

About The Device

Microsoft Entra ID:
Microsoft Entra ID is a cloud-based identity and access management service that lets your employees access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps them access internal resources such as apps on your corporate intranet and any cloud apps developed for your own organization.

Microsoft Entra ID B2C: (C2C - Storage)
Entra ID B2C provides business-to-customer identity as a service. Your customers can use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. Entra ID B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It handles the scaling and safety of the authentication platform, including monitoring and automatic handling of threats such as denial-of-service, password spray, or brute-force attacks.

Device Information

Entity            Particulars
Vendor Name       Microsoft
Product Name      Entra ID (Azure AD)
Type of Device    Cloud

Collection Method

Log Type: Azure AD
  Ingestion label: AZURE_AD
  Preferred Logging Protocol - Format: API - JSON
  Log Collection Method: C2C
  Data Source: https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad

Log Type: Azure AD Directory Audit
  Ingestion label: AZURE_AD_AUDIT
  Preferred Logging Protocol - Format: API - JSON
  Log Collection Method: C2C
  Data Source: https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-audit

Log Type: Azure AD Organizational Context
  Ingestion label: AZURE_AD_CONTEXT
  Preferred Logging Protocol - Format: API - JSON
  Log Collection Method: C2C
  Data Source: https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-context

Device Configuration

For Microsoft Entra ID via 3RD Party API (Preferred):

Prerequisites:

  1. Get a Microsoft Entra ID P1 or P2 license.

  2. To get access to the reporting data through the API, you need to have one of the following roles:

    1. Security Reader

    2. Security Administrator

    3. Global Administrator

Register a Microsoft Entra application:

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.

  2. Browse to Identity > Applications > App registrations.

  3. Select New registration.

  4. On the Register an application page:

    1. Give the application a Name.

    2. For Supported account types, select Accounts in this organizational directory only.

    3. In the Redirect URI section, select Web from the list and type https://localhost.

    4. Select Register.

  5. Once the application is created, the Application (client) ID and Directory (tenant) ID are shown on the application's Overview tab. Copy these IDs for the Chronicle integration.

Grant permissions:

To access the Microsoft Entra reporting API, you must grant your app Read directory data and Read all audit log data permissions for the Microsoft Graph API.

  1. Select API permissions > Add a permission.

  2. Select Microsoft Graph, then the Application permissions option.

  3. Add AuditLog.Read.All, Directory.Read.All and SecurityEvents.Read.All, then select the Add permissions button.

  4. On the Request API Permissions page, select Grant admin consent for Default Directory.

Add a client secret:

  1. On the Certificates & secrets tab, click New client secret.

  2. Enter a description and select an expiry period for the secret, then create it.

Important: Make sure you save the value for the created secret. It is only displayed once.

Configuration of the Entra ID application is completed. Use the saved Application (client) ID, Client Secret, and Directory (tenant) ID to feed logs in Chronicle.

 

Via Azure Storage (Alternative):

Prerequisites:

An Azure subscription that you can sign in to.

An Entra ID (Azure Active Directory) tenant in Azure.

A user who is a Global Administrator or Entra ID (Azure Active Directory) Administrator.

An Azure Storage Account to store the logs.

Reference URLs

How to create a storage account:
Create a storage account - Azure Storage

Configuration Steps for Azure Active Directory:

  1. Log in to the Azure portal at https://portal.azure.com/

  2. Click Entra ID (Azure Active Directory) under Azure services.

  3. Click Audit Logs in the left pane.

  4. Click Export Data Settings.

  5. In the next window, click + Add Diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.

  6. Select AuditLogs, SignInLogs and RiskyUsers from the log categories.

  7. To store the logs in a Storage Account, select Archive to a storage account and choose an existing Subscription and Storage account.
        Note: AMxDR recommends a minimum of 1 day of log retention; the number can be defined based on the organization's policies.

  8. Click Save.

 

Entra ID (Azure Active Directory) B2C Via Azure Storage (Alternative):

Prerequisites:

An Azure subscription that you can sign in to.
An Entra ID (Azure Active Directory) tenant in Azure.
For Entra ID (Azure Active Directory) B2C: an Entra ID (Azure AD) B2C administrative account.
An Azure Storage Account to store the logs.

  1. Sign in to the Azure portal with your Entra ID B2C administrative account.

  2. Make sure you're using the directory that contains your Entra ID B2C tenant:

    1. In the Azure portal toolbar, select the Directories + subscriptions icon.

    2. On the Portal settings | Directories + subscriptions page, find your Entra ID B2C directory in the Directory name list, and then select Switch.

  3. Select Microsoft Entra ID.

  4. Under Monitoring, select Diagnostic settings, then select Add diagnostic setting.

  5. Select AuditLogs, SignInLogs and RiskyUsers from the log categories.

  6. To store the logs in a Storage Account, select Archive to a storage account and choose an existing Subscription and Storage account.
        Note: AMxDR recommends a minimum of 1 day of log retention; the number can be defined based on the organization's policies.

  7. Click Save.

  8. Use the link below to see how to get the credentials of Azure Storage.
    Get Credentials of Azure Storage

Integration Parameters

Parameters required from the customer for the integration.

For Microsoft Entra ID Via 3RD Party API (Preferred):

Property: OAUTH CLIENT ID
Default Value: N/A
Description: Specify the client ID of the Entra ID application to use for the integration.

Property: OAUTH CLIENT SECRET
Default Value: N/A
Description: Specify the client secret value (not the secret ID!) of the Entra ID app to use for the integration.

Property: TENANT ID
Default Value: N/A
Description: Specify the Entra ID tenant ID. To find it, go to the Entra ID page > App registrations > the application you configured for your integration > Directory (tenant) ID.

Property: API FULL PATH
Default Value:
  In case of AZURE_AD: graph.microsoft.com/v1.0/auditLogs/signIns
  In case of AZURE_AD_AUDIT: graph.microsoft.com/v1.0/auditLogs/directoryAudits
Description: API full path

Property: API AUTHENTICATION ENDPOINT
Default Value: login.microsoftonline.com
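To confirm that the app registration, admin consent and client secret from the Device Configuration section actually work against the endpoints in this table before the feed is created, the following Python check is added here as an example (it is not part of this guide, of Chronicle, or of Microsoft's tooling). It builds the client-credentials token request against login.microsoftonline.com, decodes the token's roles claim to report which of the three application permissions still lack admin consent, and probes the two API full paths. The endpoint, scope and claim names are Microsoft's documented ones; the function names, the placeholder credentials and the constructed sample token are this example's own.

```python
"""Added check for an Entra ID app registration used by the AZURE_AD and
AZURE_AD_AUDIT feeds. Not part of the original guide or of Chronicle.
Endpoint, scope and claim names are Microsoft's; everything else is this
example's own. <TENANT_ID>, <CLIENT_ID> and <CLIENT_SECRET> are placeholders."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

AUTH_HOST = "login.microsoftonline.com"   # API AUTHENTICATION ENDPOINT from the table
GRAPH_PATHS = {                             # API FULL PATH per log type from the table
    "AZURE_AD": "graph.microsoft.com/v1.0/auditLogs/signIns",
    "AZURE_AD_AUDIT": "graph.microsoft.com/v1.0/auditLogs/directoryAudits",
}
# Application permissions the guide says to add and admin-consent.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request (v2.0 token endpoint)."""
    url = f"https://{AUTH_HOST}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,       # the secret VALUE, not the secret ID
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_app_roles(access_token):
    """Application permissions carried in the token's 'roles' claim.

    Only the payload is decoded. The signature is deliberately not verified:
    this inspects what consent was granted, it does not accept the token."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Required permissions that admin consent has not (yet) granted."""
    return set(required) - granted_app_roles(access_token)


def sample_token(roles):
    """Constructed, unsigned token for offline demonstration; not a real token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}),
                     seg({"aud": "https://graph.microsoft.com", "roles": sorted(roles)}),
                     ""])


def fetch_token(tenant_id, client_id, client_secret):
    """Live call to the token endpoint; needs network access."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def probe(access_token, log_type, top=1):
    """GET the feed's API full path; returns (HTTP status, parsed body).
    403 with error code Authorization_RequestDenied means consent is missing."""
    url = f"https://{GRAPH_PATHS[log_type]}?$top={top}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    tok = fetch_token("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>")
    print("missing permissions:", sorted(missing_roles(tok)) or "none")
    for log_type in GRAPH_PATHS:
        print(log_type, "->", probe(tok, log_type)[0])
```

Run it once after granting consent and again whenever the client secret is rotated: the roles claim tells you immediately whether consent was granted for all three permissions, and a 403 from the probe while the roles look right usually means the token was issued before consent and needs to be requested again.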

 

For Microsoft Entra ID & Entra ID B2C Via Azure Storage (Alternative):

Property: AZURE URI
Default Value: N/A
Description: The URI pointing to an Azure Blob Storage blob or container. Container names are insights-logs-signinlogs, insights-logs-auditlogs and RiskyUsers.

Property: URI IS A
Default Value: Directory which includes subdirectories
Description: The type of object indicated by the URI. Valid values are:

  • FILES: The URI points to a single blob that will be ingested with each execution of the feed.

  • FOLDERS_RECURSIVE: The URI points to a Blob Storage container.

Property: SOURCE DELETION OPTION
Default Value: Never delete files
Description: The API endpoint to connect to retrieve logs, which include incidents or alerts.

Property: Shared Key OR SAS Token
Description: A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying a SAS Token.
OR
A Shared Access Signature authorized to access the Azure Blob Storage container.
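As an added example, not part of this guide or of Chronicle, the following Python validator checks a storage-feed parameter set against the constraints in this table before it is submitted: the AZURE URI must be an https Blob Storage URI naming one of the three containers the diagnostic settings write to, URI IS A must be FILES or FOLDERS_RECURSIVE (this example takes the "Directory which includes subdirectories" default to be FOLDERS_RECURSIVE) and must agree with how deep the URI points, and exactly one of a shared key (base64 of 512 bits) or a SAS token must be present. The dictionary key names, the validate_feed function and the two sample configurations are this example's own; the sample key is constructed, not a real credential.

```python
"""Added validator for the Azure Storage (C2C) feed parameters. Not part of
the original guide or of Chronicle. Container names, URI IS A values and the
512-bit shared-key size come from the parameter table; the dictionary keys,
function names and sample configurations are this example's own."""
import base64
import binascii
from urllib.parse import urlparse

# Containers that the diagnostic settings configured earlier write into.
KNOWN_CONTAINERS = {"insights-logs-signinlogs", "insights-logs-auditlogs", "RiskyUsers"}
URI_IS_A = {"FILES", "FOLDERS_RECURSIVE"}
SHARED_KEY_BYTES = 512 // 8   # a shared key is a 512-bit value in base64


def parse_blob_uri(uri):
    """Split https://<account>.blob.core.windows.net/<container>/<blob path> and
    return (scheme, host, container, number of path segments)."""
    parsed = urlparse(uri)
    segments = [s for s in parsed.path.split("/") if s]
    return parsed.scheme, parsed.netloc, (segments[0] if segments else None), len(segments)


def is_shared_key(value):
    """True if value is strictly valid base64 that decodes to exactly 64 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == SHARED_KEY_BYTES
    except (binascii.Error, ValueError):
        return False


def validate_feed(cfg):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    scheme, host, container, depth = parse_blob_uri(cfg.get("AZURE_URI", ""))
    if scheme != "https" or not host.endswith(".blob.core.windows.net"):
        problems.append("AZURE_URI must be an https Blob Storage URI")
    if container not in KNOWN_CONTAINERS:
        problems.append(f"AZURE_URI container {container!r} is not one the diagnostic settings write to")
    kind = cfg.get("URI_IS_A")
    if kind not in URI_IS_A:
        problems.append(f"URI_IS_A must be one of {sorted(URI_IS_A)}")
    elif kind == "FILES" and depth < 2:
        problems.append("URI_IS_A=FILES but AZURE_URI names a container, not a single blob")
    elif kind == "FOLDERS_RECURSIVE" and depth > 1:
        problems.append("URI_IS_A=FOLDERS_RECURSIVE but AZURE_URI points below the container")
    key, sas = cfg.get("SHARED_KEY"), cfg.get("SAS_TOKEN")
    if bool(key) == bool(sas):
        problems.append("provide exactly one of SHARED_KEY or SAS_TOKEN")
    elif key and not is_shared_key(key):
        problems.append("SHARED_KEY must be a base64-encoded 512-bit (64-byte) value")
    elif sas and "sig=" not in sas:
        problems.append("SAS_TOKEN has no sig= parameter, so it is not a Shared Access Signature")
    return problems


# Constructed sample inputs (not real credentials or storage accounts).
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
GOOD_FEED = {
    "AZURE_URI": "https://examplestorage.blob.core.windows.net/insights-logs-signinlogs",
    "URI_IS_A": "FOLDERS_RECURSIVE",
    "SHARED_KEY": SAMPLE_KEY,
}
BAD_FEED = {
    "AZURE_URI": "https://examplestorage.blob.core.windows.net/logs",
    "URI_IS_A": "FILES",
    "SHARED_KEY": "not-a-key",
    "SAS_TOKEN": "sv=2022-11-02&ss=b&sig=constructed",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_FEED), ("bad", BAD_FEED)):
        print(name, validate_feed(cfg) or "OK")
```

The checks are deliberately independent of each other so that one run reports every inconsistency at once; the BAD_FEED sample, for instance, produces three findings (unknown container, FILES pointing at a container, both credentials supplied).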

 

For Microsoft Azure AD Context:

Property: OAUTH CLIENT ID
Default Value: N/A
Description: Specify the client ID of the Entra ID application to use for the integration.

Property: OAUTH CLIENT SECRET
Default Value: N/A
Description: Specify the client secret value (not the secret ID!) of the Entra ID app to use for the integration.

Property: TENANT ID
Default Value: N/A
Description: Specify the Entra ID tenant ID. To find it, go to the Entra ID page > App registrations > the application you configured for your integration > Directory (tenant) ID.

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.