Microsoft Entra ID (Azure AD)
About The Device
Microsoft Entra ID:
Microsoft Entra ID is a cloud-based identity and access management service that enables your employees access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.
Microsoft Entra ID B2C: (C2C - Storage)
Entra ID B2C provides business-to-customer identity as a service. Your customers can use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. Entra ID B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Entra ID (Azure AD) |
Type of Device | Cloud |
Collection Method
Log Type | Â Ingestion label | Preferred Logging Protocol - Format | Log Collection Method | Data Source |
---|---|---|---|---|
Azure AD Â Azure AD Directory Audit Azure AD Organizational Context | Â AZURE_AD Â AZURE_AD_AUDIT AZURE_AD_CONTEXT | API - JSON | C2C | https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-audit https://cloud.google.com/chronicle/docs/reference/feed-management-api#azure-ad-context |
Device Configuration
For Microsoft Entra ID via 3RD Party API (Preferred):
Prerequisites:
Get an Microsoft Entra ID P1 or P2 license.
To get access to the reporting data through the API, you need to have one of the following roles:
Security Reader
Security Administrator
Global Administrator
Register a Microsoft Entra application:
Sign in to the Microsoft Entra admin center as at least a Security Reader.
Browse to Identity > Applications > App registrations.
Select New registration.
Â
On the Registration an Application page:
Give the application a Name.
For Supported accounts type, select Accounts in this organizational directory only.
In the Redirect URI section, select Web from the list and type
https://localhost
.Select Register.
Once Application is created, you will see Application (client) ID & Directory (tenant) ID on Overview tab of the application. Copy these IDs for integrations with Chronicle.
Grant permissions:
To access the Microsoft Entra reporting API, you must grant your app Read directory data and Read all audit log data permissions for the Microsoft Graph API.
Select API Permissions > Add a permission
Select Microsoft Graph > Application permissions.
Select the Application permissions option.
Add
AuditLog.Read.All
,Directory.Read.All
andSecurityEvents.Read.All
then select the Add permissions button.
On the Request API Permissions page, select Grant admin consent for Default Directory.
Add a client secret:
In the Certificates & Secrets tab, and click New client secret.
Select description and expiry period for the created secret and create it.
Important: Make sure you save the value for the created secret. It is only displayed once.
Configuration of the Entra ID application is completed. Use the saved Application (client) ID, Client Secret, and Directory (tenant) ID to feed logs in Chronicle.
Â
Via Azure Storage (Alternative):
Pre-requisite:
An Azure subscription that you can sign in to.
An Entra ID(Azure Active Directory) (tenant) in Azure.
A user who's a Global Administrator or Entra ID(Azure Active Directory) Administrator.
Azure Storage Account to store the logs.
Reference URLs
How to create storage account?
Create a storage account - Azure Storage
Configuration Steps for Azure Active Directory:
Log In to Azure Portal i.e https://portal.azure.com/
Click Entra ID (Azure Active Directory) from Azure services
Click Audit Logs in the left pane
Click Export Data Settings
In the next window, click + Add Diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.
Select AuditLogs, SignInLogs and RiskyUsers from log categories.
Â
You can store logs in Storage Account.
Archive to a storage account
To store logs in Storage Account, select Archive to a storage account as shown in below screenshot and Choose an existing Subscription and Storage account.
Note: AMxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies
Â
Click on Save.
Â
Entra ID (Azure Active Directory) B2C Via Azure Storage (Alternative):
Pre-requisite:
An Azure subscription that you can sign in to.
An Entra ID(Azure Active Directory) (tenant) in Azure.
For Entra ID(Azure Active Directory) B2C -Â Entra ID(Azure AD) B2C administrative account.
Azure Storage Account to store the logs.
Sign in to the Azure portal with your Entra ID B2C administrative account.
Make sure you're using the directory that contains your Entra ID B2C tenant:
In the Azure portal toolbar, select the Directories + subscriptions ( )icon.
On the Portal settings | Directories + subscriptions page, find your Entra ID B2C directory in the Directory name list, and then select Switch.
 Select Microsoft Entra ID.
Under Monitoring, select Diagnostic settings. select Add diagnostic setting.
Â
 Select AuditLogs, SignInLogs and RiskyUsers from log categories.
Â
Â
You can store logs in Storage Account.
Archive to a storage account
To store logs in Storage Account, select Archive to a storage account as shown in below screenshot and Choose an existing Subscription and Storage account.
Note: AMxDR recommends a minimum of 1 day of log retention, the number can be defined based on the organization's policies.
Click Save.
Use below link to see, how you can get credentials of Azure Storage.
Get Credentials of Azure Storage
Integration Parameters
Parameters required from customer for Integration.
For Microsoft Entra ID Via 3RD Party API (Preferred):
Property | Default Value | Description |
---|---|---|
OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app |
TENANT ID | N/A | Specify the Entra ID (tenant ID). |
API FULL PATH | In case of AZURE_AD graph.microsoft.com/v1.0/auditLogs/signIns In case of AZURE_AD_AUDIT | API full path |
API AUTHENTICATION ENDPOINT | Â |
For Microsoft Entra ID & Entra ID B2C Via Azure Storage (Alternative):
Property | Default Value | Description |
---|---|---|
AZURE URI | N/A | The URI pointing to a Azure Blob Storage blob or container. Container names are |
URI IS A | Directory which includes subdirectories | The type of object indicated by the URI. Valid values are:
|
SOURCE DELETION OPTION | Never delete files | The API endpoint to connect to retrieve logs, which include |
Shared Key OR SAS Token | A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying an SAS Token. | Â |
For Microsoft Azure AD Context:
Property | Default Value | Description |
---|---|---|
OAUTH CLIENT ID | N/A | Specify the client ID of the Entra ID application to use for the integration. |
OAUTH CLIENT SECRET | N/A | Specify the client secret value (not the secret ID!) of the Entra ID app |
TENANT ID | N/A | Specify the Entra ID (tenant ID). |
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.