Mastering Workload Identity Security in Microsoft Entra ID - An Exploratory Guide
Supporting Blog B: Configuring Extended Log Retention with Log Analytics
Microsoft Entra ID provides several important logs crucial for monitoring the security and activity of your workload identities. These include:
Service Principal Sign-in Logs (ServicePrincipalSignInLogs): Details sign-ins by service principals.
Audit Logs (AuditLogs): Records administrative actions performed in your tenant, including changes to service principals and applications.
Risky Service Principals (RiskyServicePrincipals): Identity Protection (Premium feature) flags service principals with risk detections.
Service Principal Risk Events (ServicePrincipalRiskEvents): Provides details about the specific risk events associated with service principals (Premium feature).
Provisioning Logs (AADProvisioningLogs): Tracks provisioning activities, which can involve service principals.
By default, Microsoft Entra ID retains these logs for a limited period (typically 7 to 30 days, depending on the log type and your license). You'll often need to retain these logs for much longer for effective security monitoring, incident response, and compliance. Azure Monitor Log Analytics provides a scalable solution for ingesting, storing, and analysing this data over extended periods.
Rationale:
Extended log retention is vital for:
Security Investigations: Analysing historical data to understand the scope and timeline of a security incident.
Threat Hunting: Proactively searching for indicators of compromise over longer periods.
Compliance: Meeting regulatory requirements that mandate longer data retention.
Auditing: Providing evidence of activities and changes within your Entra ID environment.
Prerequisites:
An Azure subscription.
Appropriate permissions to create a Log Analytics workspace (e.g., Log Analytics Contributor) and configure diagnostic settings in Microsoft Entra ID (e.g., Security Administrator).
Step-by-Step Guide:
Part 1: Create a Log Analytics Workspace
Sign in to the Azure Portal:
Open your browser and go to https://portal.azure.com
Sign in with your Azure credentials.
Search for Log Analytics Workspaces:
In the top search bar, type "Log Analytics workspaces" and select it from the results.
Create a New Workspace:
On the Log Analytics workspaces page, click + Create.
Subscription: Choose your Azure subscription.
Resource group: Select an existing resource group or create a new one.
Name: Provide a unique and descriptive name for your workspace (e.g., EntraID-AuditLogs-Workspace).
Region: Select the Azure region where you want to store your logs. Consider data residency requirements.
Click Review + Create, then Create. Wait for the workspace to be deployed.
Part 2: Configure Diagnostic Settings in Microsoft Entra ID
Navigate to the Microsoft Entra admin centre:
Open your web browser and go to https://entra.microsoft.com
Sign in with your administrative credentials.
Access Diagnostic Settings:
In the left-hand navigation pane, expand Identity.
Under Monitoring & health, select Diagnostic settings.
Add a Diagnostic Setting:
Click + Add diagnostic setting.
Configure the Setting:
Diagnostic setting name: Provide a descriptive name (e.g., EntraToLogAnalytics).
Logs to send: Under Categories, select all relevant logs. For workload identity monitoring, ensure you select:
AuditLogs
ServicePrincipalSignInLogs
RiskyServicePrincipals (if you have Workload Identities Premium)
ServicePrincipalRiskEvents (if you have Workload Identities Premium)
AADProvisioningLogs
You might also consider ManagedIdentitySignInLogs (managed identity sign-ins are not included in ServicePrincipalSignInLogs, so omit this and you lose visibility of most automation running on Azure compute), SignInLogs (interactive user sign-ins), NonInteractiveUserSignInLogs, and others depending on your comprehensive monitoring needs.
(Screenshot Indicator: Diagnostic setting configuration page, Logs categories section with relevant logs checked)
Destination details:
Select Send to Log Analytics workspace.
Choose the Subscription and the Log Analytics workspace you created in Part 1.
Click Save.
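Parts 1 and 2 above can be done from Azure PowerShell instead of the portal, which is easier to repeat across tenants and to keep in source control. The following is an added example, not code from the original post. It assumes the Az.Accounts and Az.OperationalInsights modules, an account holding Log Analytics Contributor on the subscription and Security Administrator in the tenant, and placeholder names for the resource group, region and workspace. Entra ID diagnostic settings live under the tenant-level microsoft.aadiam provider rather than under any resource, so the portal's "Add diagnostic setting" corresponds to a PUT against that ARM path; the block also reads the setting back and checks that every requested category is enabled.

```powershell
# Added example (not from the original post). Assumes Az.Accounts and
# Az.OperationalInsights, plus an account with Log Analytics Contributor on the
# subscription and Security Administrator in the tenant. Names are placeholders.
Connect-AzAccount | Out-Null

$rg       = 'rg-entra-logs'                 # assumed resource group name
$wsName   = 'EntraID-AuditLogs-Workspace'   # workspace name used in Part 1
$location = 'uksouth'                       # assumed region; check data residency
$dsName   = 'EntraToLogAnalytics'           # diagnostic setting name used in Part 2

# Part 1: create the workspace (reuses an existing one with the same name)
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -ErrorAction SilentlyContinue
if (-not $ws) {
    New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
            -Location $location -Sku 'PerGB2018' -RetentionInDays 90
}

# Part 2: categories to send. Drop the last two if the tenant has no
# Workload Identities Premium licence; the service rejects unlicensed categories.
$categories = @(
    'AuditLogs',
    'ServicePrincipalSignInLogs',
    'ManagedIdentitySignInLogs',      # managed identities are NOT in ServicePrincipalSignInLogs
    'AADProvisioningLogs',
    'RiskyServicePrincipals',         # Workload Identities Premium
    'ServicePrincipalRiskEvents'      # Workload Identities Premium
)
$body = @{
    properties = @{
        workspaceId = $ws.ResourceId
        logs = @($categories | ForEach-Object {
            @{ category = $_; enabled = $true; retentionPolicy = @{ enabled = $false; days = 0 } }
        })
    }
} | ConvertTo-Json -Depth 6

# Tenant-level diagnostic settings endpoint (the same one the portal calls).
$path = "/providers/microsoft.aadiam/diagnosticSettings/$dsName?api-version=2017-04-01"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) { throw "Diagnostic setting failed: $($resp.Content)" }

# Check: read the setting back and confirm every category we asked for is enabled.
$saved   = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
$enabled = $saved.properties.logs | Where-Object enabled | Select-Object -ExpandProperty category
$missing = $categories | Where-Object { $_ -notin $enabled }
if ($missing) {
    Write-Warning "Categories not enabled: $($missing -join ', ')"
} else {
    Write-Output "All workload identity categories are enabled and routed to $($ws.Name)."
}
```

The read-back check at the end is worth keeping as a scheduled job: an attacker who wants to blind your monitoring can simply disable a category in the diagnostic setting, and the AuditLogs entry recording that change is itself one of the things they would be switching off.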
Data Retention in Log Analytics:
Once logs are flowing into Log Analytics, you can set a workspace-wide default retention and override it per table.
Navigate to your Log Analytics workspace in the Azure portal.
Under Settings, select Usage and estimated costs, then click Data Retention to set the workspace default. Interactive (queryable) retention can be set from 30 to 730 days.
For a per-table setting, go to Settings, select Tables, open the context menu of a table (for example AADServicePrincipalSignInLogs) and choose Manage table. There you can set the interactive retention and a longer total retention (up to 12 years); data past the interactive window is kept at a lower storage price but must be restored or searched with a search job before it can be queried.
Note that table names differ from the diagnostic-setting category names: AuditLogs and SigninLogs keep their names, but the other Entra categories land in tables prefixed with AAD (AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, AADProvisioningLogs, AADRiskyServicePrincipals, AADServicePrincipalRiskEvents).
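The retention steps above expressed in Azure PowerShell, as an added example rather than code from the original post. It assumes Az.OperationalInsights 3.x or later (for Update-AzOperationalInsightsTable), the workspace created earlier, and placeholder day counts; the per-table call only succeeds once a table exists, so run it after the first records have arrived. It sets a workspace default, gives the workload identity tables a longer interactive window plus long-term retention, and then lists the effective values so the configuration can be confirmed and audited later.

```powershell
# Added example (not from the original post). Assumes Az.OperationalInsights 3.x+
# and the workspace from the earlier steps; names and day counts are placeholders.
$rg     = 'rg-entra-logs'
$wsName = 'EntraID-AuditLogs-Workspace'

# Workspace default: applies to every table without an override of its own.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -RetentionInDays 180 | Out-Null

# Per-table overrides. Keys are Log Analytics table names, which are NOT the
# diagnostic-setting category names (most Entra categories land in AAD* tables).
$tables = @{
    'AuditLogs'                     = 365
    'AADServicePrincipalSignInLogs' = 365
    'AADManagedIdentitySignInLogs'  = 365
    'AADProvisioningLogs'           = 180
    'AADRiskyServicePrincipals'     = 365
    'AADServicePrincipalRiskEvents' = 365
}
foreach ($t in $tables.GetEnumerator()) {
    # -RetentionInDays      : interactive (directly queryable) retention, max 730
    # -TotalRetentionInDays : interactive + long-term retention, up to 12 years;
    #                         must be >= RetentionInDays. Long-term data needs a
    #                         search job or restore before it can be queried.
    Update-AzOperationalInsightsTable -ResourceGroupName $rg -WorkspaceName $wsName `
        -TableName $t.Key -RetentionInDays $t.Value -TotalRetentionInDays 730 | Out-Null
}

# Check: show the effective retention for the tables we touched.
Get-AzOperationalInsightsTable -ResourceGroupName $rg -WorkspaceName $wsName |
    Where-Object { $_.Name -in $tables.Keys } |
    Select-Object Name, RetentionInDays, TotalRetentionInDays, Plan |
    Sort-Object Name
```

A practical split is a long interactive window for the tables you hunt in regularly (sign-ins, risk events, audit) and a shorter one for high-volume tables you only need during an investigation, with long-term retention covering the compliance period for all of them.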
Important Considerations:
Cost: Log Analytics charges per GB ingested and, beyond the included window, per GB retained. Sign-in categories are by far the largest; watch Usage and estimated costs for the first week or two before committing to multi-year retention, and use the cheaper long-term retention tier for data you only need for investigations or compliance.
Permissions: No separate service principal or managed identity is involved; Entra ID writes to the workspace directly. The account that saves the diagnostic setting needs both an Entra role that can manage diagnostic settings (Security Administrator or Global Administrator) and write access to the workspace (Log Analytics Contributor or Monitoring Contributor), and the workspace must live in a subscription associated with the same tenant. Once the logs are there, treat the workspace as sensitive: service principal sign-in logs reveal which credentials, IP addresses and resources your automation uses, so grant Log Analytics Reader sparingly and consider table-level access control for wider audiences.
Tampering: Disabling a category in the diagnostic setting is a quiet way to blind monitoring. The change is recorded in AuditLogs, so alert on it, and periodically re-read the setting to confirm every required category is still enabled.
Data Ingestion Time: After configuring diagnostic settings, it can take 15-20 minutes for logs to start appearing in Log Analytics, and the AAD-prefixed tables are only created once the first records arrive.
With logs flowing into Log Analytics, you'll be equipped to perform advanced queries, create custom alerts, and build visualisations to monitor your workload identities effectively, as we'll explore in later blogs.
The next blog in the series is: