Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to enable insights & Reporting for Conditional Access Policies in report only mode

by | Dec 14, 2023 | Alerts, Azure, Azure Audit Logs, Conditional Access, Log Analytics, Manuals, News, Security, Top Stories | 2 comments

Many administrators rely on the Azure AD sign-in logs alone, yet there are valuable additional features worth enabling in your tenant. One of them is Insights and reporting for Conditional Access. This feature lets administrators analyze and visualize sign-in activity and identify the trends and patterns that should inform security policy. With these insights, organizations can tailor their Conditional Access strategy to better safeguard their resources.

Prerequisites

  • Entra ID P1 or P2
  • Azure Subscription

Create a resource group and log analytics workspace

Go to the Azure Portal and create a new resource group: Resource groups – Microsoft Azure

In the created resource group, click + Create and search for Log Analytics. Select Log Analytics Workspace and click Create.

Fill in the details and click Review + create at the bottom of the page.

Within the Azure Portal, go to Azure Active Directory -> Diagnostic settings or click here. Click Add diagnostic setting.

Select the following categories:

  • AuditLogs
  • SignInLogs
  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs
  • ProvisioningLogs
  • ADFSSignInLogs (Active Directory Federation Services sign-ins)
  • RiskyUsers
  • UserRiskEvents
  • ServicePrincipalRiskEvents

Under Destination details, select Send to Log Analytics workspace and choose the newly created workspace.


Understanding Conditional Access for Enhanced Security

The Importance of Effective Conditional Access Policies

Furthermore, organizations can utilize conditional access to enforce multi-factor authentication (MFA) for specific user groups or scenarios. For example, a healthcare provider could require MFA for all personnel accessing patient records from outside the organization’s network. By implementing these types of safeguards, organizations can significantly reduce the risk of data breaches while ensuring compliance with industry regulations such as HIPAA.

Continuous monitoring of conditional access logs can also reveal abnormal patterns that may indicate potential security threats, such as repeated failed login attempts or access from unusual geographic locations. By analyzing these logs, organizations can quickly respond to potential incidents, enhancing their overall security posture.

Common Challenges in Implementing Conditional Access

Another challenge is managing the complexity of policies, especially in larger organizations with diverse user bases and varying access requirements. This complexity can lead to misconfigurations that inadvertently grant excessive access or create gaps in security. To combat this, organizations should regularly review and update their policies, ensuring they align with current business needs and security best practices.

Future Trends in Conditional Access

Additionally, as remote work becomes more prevalent, organizations will need to rethink their conditional access strategies. This includes ensuring that policies are adaptable to a hybrid workforce, where employees may access resources from various locations and devices. By leveraging cloud-based solutions, companies can create dynamic policies that respond to changing conditions, ensuring robust security without sacrificing user experience.

Conclusion: Embracing Conditional Access for Enhanced Security

Experience

Gathering the data takes some time. After 24 hours I saw the insights and reporting showing up. Go to Azure Active Directory -> Security -> Conditional Access -> Insights and reporting, or click here.

  • The first chart (left) shows the total number of Azure AD joined, Azure AD registered and unmanaged devices.
  • The second chart (middle) shows the device platforms used (Windows 10, Windows 11, iOS, etc.).
  • The third chart (right) shows the application categories (Mobile Apps and Desktops, Browser, Authenticated SMTP, etc.).
  • The fourth chart shows the total number of sign-in risks.

This was done on a demo tenant with few users, so the data is minimal.

Below is some additional geo and risk information.


This dashboard gives a comprehensive overview of the sign-ins taking place in your tenant. The raw Azure AD sign-in logs contain the same information, but they do not present it with the clarity the dashboard provides, so the dashboard is a good starting point for gauging your tenant’s sign-in activity.

The dashboard is only a foundation, though: the data shipped to the workspace can be queried directly. Custom queries let you extract more granular metrics tailored to your organization, giving a deeper understanding of user activity, potential security threats and overall usage.
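As an added example (not from the original post), the following Python reads SigninLogs-style records, the same shape the diagnostic setting ships to the workspace, and summarizes report-only Conditional Access outcomes per policy. The sample records are constructed; the policy names and user principal names are placeholders. The `result` values are the ones Entra writes into the `ConditionalAccessPolicies` column.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of SigninLogs rows exported from Log
# Analytics. ConditionalAccessPolicies is a dynamic column, so it may arrive
# either as a parsed list or as a JSON string; both are handled below.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "alice@contoso.example", "ConditionalAccessPolicies": [
        {"displayName": "Require MFA for all users", "result": "reportOnlySuccess"},
        {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
    {"UserPrincipalName": "bob@contoso.example", "ConditionalAccessPolicies": json.dumps([
        {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
        {"displayName": "Block legacy auth", "result": "reportOnlyFailure"}])},
    {"UserPrincipalName": "alice@contoso.example", "ConditionalAccessPolicies": [
        {"displayName": "Require MFA for all users", "result": "success"},
        {"displayName": "Block legacy auth", "result": "notApplied"}]},
]

# Outcomes written for policies that are in report-only mode.
REPORT_ONLY_RESULTS = {"reportOnlySuccess", "reportOnlyFailure",
                       "reportOnlyNotApplied", "reportOnlyInterrupted"}


def _policies(record):
    """Return the evaluated policies of one sign-in as a list of dicts."""
    pols = record.get("ConditionalAccessPolicies", [])
    return json.loads(pols) if isinstance(pols, str) else pols


def summarize_report_only(signins):
    """Per policy, count each report-only result (what the Insights workbook
    charts). Equivalent to KQL: mv-expand ConditionalAccessPolicies, then
    summarize count() by displayName, result."""
    counts = defaultdict(Counter)
    for rec in signins:
        for pol in _policies(rec):
            if pol.get("result") in REPORT_ONLY_RESULTS:
                counts[pol["displayName"]][pol["result"]] += 1
    return {name: dict(c) for name, c in counts.items()}


def users_failing_policy(signins):
    """Users with at least one reportOnlyFailure per policy: these sign-ins
    did not satisfy the policy and are the ones to review before switching
    the policy from report-only to On."""
    affected = defaultdict(set)
    for rec in signins:
        for pol in _policies(rec):
            if pol.get("result") == "reportOnlyFailure":
                affected[pol["displayName"]].add(rec["UserPrincipalName"])
    return {name: sorted(users) for name, users in affected.items()}
```

Run `summarize_report_only` and `users_failing_policy` over a real export to see which policies can safely be turned on.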

2 Comments

  1. Darren Heath

    Thanks for this document. I would like to implement it in our Intune environment. Outside of Azure subscription and P1/P2 licensing, does it cost extra to utilize the workspace?

    • joery

      Yes. The Log Analytics workspace does cost extra. However, this is only a few dollars/euros per month.

