MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Monitor sign-in and audit logs guidance #23520

Closed AlexFilipin closed 5 years ago

AlexFilipin commented 5 years ago

What's the Microsoft recommendation to achieve the alerts for the emergency access accounts? Would this be sending SignInLogs to Log Analytics and configuring an alert there? Or rather streaming to an event hub? Not sure about the time it takes for the events, but this would be time-critical.



shashishailaj commented 5 years ago

@AlexFilipin Thank you for your feedback. We will investigate and get back to you on this.

AlexFilipin commented 5 years ago

I just need to know what should be considered best practice. I will test, write a blog and send a push request to the documentation.

SaurabhSharma-MSFT commented 5 years ago

@AlexFilipin can you elaborate on your scenario, what kind of alert you are looking for, for emergency access accounts?

AlexFilipin commented 5 years ago

@shashishailaj The documentation recommends two emergency access accounts; at least one of them should have a permanent global admin role and should be excluded from conditional access policies. Most companies will not have a third-party MFA provider just for their emergency account. It's reasonable to consider that the emergency account has MFA disabled. Just remember the recent MFA outage in Nov/December, would have been super useful.

However, this makes the emergency account more vulnerable, every sign-in should be monitored. I am looking for an alert as soon as the emergency account has successfully authenticated.

I believe this was the intention behind the "Monitor sign-in and audit logs" section? If I review my sign-in logs with a week delay this might be too late.
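The detection the comment above asks for, written out as an added example (not code from the issue thread or from the Azure docs): flag every successful sign-in by a break-glass account, rate it higher when the sign-in completed without MFA, and separately count failed attempts against those accounts. The rows are constructed and only mimic the column names of the Log Analytics SigninLogs table (UserPrincipalName, ResultType, TimeGenerated, IPAddress, AuthenticationRequirement); the account names and IPs are placeholders.

```python
"""Alert on successful sign-ins by emergency access ("break glass") accounts.

Added example, not from the issue thread. Row layout imitates the
Log Analytics SigninLogs table; all sample rows below are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed rows shaped like SigninLogs. ResultType "0" is a successful
# sign-in; any other code is a failure or an interrupted attempt.
SAMPLE_SIGNIN_LOGS = """
{"TimeGenerated": "2019-01-14T08:02:11Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.10", "AuthenticationRequirement": "multiFactorAuthentication"}
{"TimeGenerated": "2019-01-14T08:05:40Z", "UserPrincipalName": "breakglass1@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.7", "AuthenticationRequirement": "singleFactorAuthentication"}
{"TimeGenerated": "2019-01-14T08:06:02Z", "UserPrincipalName": "BreakGlass1@contoso.example", "ResultType": "0", "IPAddress": "198.51.100.7", "AuthenticationRequirement": "singleFactorAuthentication"}
{"TimeGenerated": "2019-01-14T09:30:00Z", "UserPrincipalName": "breakglass2@contoso.example", "ResultType": "0", "IPAddress": "192.0.2.44", "AuthenticationRequirement": "multiFactorAuthentication"}
"""

# Placeholder UPNs for the two recommended emergency access accounts.
EMERGENCY_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}


@dataclass
class Alert:
    when: datetime
    user: str
    ip: str
    mfa_satisfied: bool
    severity: str

    def message(self) -> str:
        mfa = "with MFA" if self.mfa_satisfied else "WITHOUT MFA"
        return (f"[{self.severity.upper()}] emergency account {self.user} "
                f"signed in {mfa} from {self.ip} at {self.when.isoformat()}")


def parse_signin_logs(text: str) -> list:
    """Parse newline-delimited JSON rows, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_emergency_signins(rows: list, emergency_accounts: set) -> list:
    """Return one Alert per successful sign-in by a watched account.

    UPN comparison is case-insensitive because the directory is; a sign-in
    that completed with only a single factor is rated critical, since the
    thread assumes break-glass accounts may have MFA disabled.
    """
    watch = {u.lower() for u in emergency_accounts}
    alerts = []
    for row in rows:
        upn = row.get("UserPrincipalName", "").lower()
        if upn not in watch or row.get("ResultType") != "0":
            continue
        mfa = row.get("AuthenticationRequirement") == "multiFactorAuthentication"
        when = datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(Alert(
            when=when.replace(tzinfo=timezone.utc),
            user=upn,
            ip=row.get("IPAddress", ""),
            mfa_satisfied=mfa,
            severity="high" if mfa else "critical",
        ))
    return alerts


def failed_attempts(rows: list, emergency_accounts: set) -> dict:
    """Count non-success results per watched account.

    Repeated failures against a break-glass account are worth a separate,
    lower-severity alert: someone is guessing at an account nobody should use.
    """
    watch = {u.lower() for u in emergency_accounts}
    counts = {}
    for row in rows:
        upn = row.get("UserPrincipalName", "").lower()
        if upn in watch and row.get("ResultType") != "0":
            counts[upn] = counts.get(upn, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    for alert in detect_emergency_signins(rows, EMERGENCY_ACCOUNTS):
        print(alert.message())
    print("failed attempts:", failed_attempts(rows, EMERGENCY_ACCOUNTS))
```

In Log Analytics the same logic is a scheduled alert rule over SigninLogs restricted to the emergency UPNs and `ResultType == "0"`; the rule's evaluation frequency, plus the ingestion delay of the sign-in logs themselves, is what bounds the time-to-alert the comment is worried about, so it is worth measuring end to end with a test sign-in rather than assuming.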

SaurabhSharma-MSFT commented 5 years ago

@AlexFilipin Thanks for the feedback! I have assigned this issue to the content author to investigate and update the document as appropriate.

AlexFilipin commented 5 years ago

Of course, for most big orgs the solution will be "just speak with your security team, they should pull the sign-in logs into their SIEM". I am looking for a quick and effective way to monitor the emergency accounts for orgs that might not have a SIEM or security team.

AlexFilipin commented 5 years ago

Just saw this blog which might be another nice option but haven't looked into it yet: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-new-code-free-options-to-connect-with-Microsoft/ba-p/328730

AlexFilipin commented 5 years ago

Now we also have this: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Performing-Additional-Security-Monitoring-of-High/ba-p/430740

MicrosoftGuyJFlo commented 5 years ago

@AlexFilipin You have some good points. Right now the info that we have from the Product Group focuses on the article below. Having been an IT Pro before, this is something I do get and will keep looking into.

https://docs.microsoft.com/azure/active-directory/reports-monitoring/plan-monitoring-and-reporting

MicrosoftGuyJFlo commented 5 years ago

please-close