Configure a Log Analytics workspace in Microsoft Entra ID - Microsoft Entra ID (2024)

In this tutorial, you learn how to:

  • Configure a Log Analytics workspace for your audit and sign-in logs
  • Run queries using the Kusto Query Language (KQL)
  • Create a custom workbook using the quickstart template
  • Add a query to an existing workbook template

Prerequisites

To analyze activity logs with Log Analytics, you need the following roles and requirements:

  • Microsoft Entra monitoring and health licensing

  • A Log Analytics workspace and access to that workspace

  • The appropriate role for Azure Monitor:

    • Monitoring Reader
    • Log Analytics Reader
    • Monitoring Contributor
    • Log Analytics Contributor
  • The appropriate role for Microsoft Entra ID:

    • Reports Reader
    • Security Reader
    • Global Reader
    • Security Administrator

Familiarize yourself with these articles:

  • Tutorial: Collect and analyze resource logs from an Azure resource

  • How to integrate activity logs with Log Analytics

  • Manage emergency access account in Microsoft Entra ID

  • KQL quick reference

  • Azure Monitor Workbooks

Configure Log Analytics

Tip

Steps in this article might vary slightly based on the portal you start from.

This procedure outlines how to configure a Log Analytics workspace for your audit and sign-in logs. To configure a Log Analytics workspace, you need to create the workspace and then configure diagnostic settings that route the Microsoft Entra logs to it.

Create the workspace

  1. Sign in to the Azure portal as at least a Security Administrator and Log Analytics Contributor.

  2. Browse to Log Analytics workspaces.

  3. Select Create.

  4. On the Create Log Analytics workspace page, perform the following steps:

    1. Select your subscription.

    2. Select a resource group.

    3. Give your workspace a name.

    4. Select your region.

  5. Select Review + Create.

  6. Select Create and wait for the deployment. You might need to refresh the page to see the new workspace.

Configure diagnostic settings

To configure diagnostic settings, you need to switch to the Microsoft Entra admin center and send your identity log information to your new workspace. The diagnostic setting is created on the tenant, not on the workspace, which is why it needs a Microsoft Entra role rather than an Azure RBAC role.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Diagnostic settings.

  3. Select Add diagnostic setting.

  4. On the Diagnostic setting page, perform the following steps:

    1. Under Category details, select AuditLogs and SigninLogs.

    2. Under Destination details, select Send to Log Analytics, and then select your new log analytics workspace.

    3. Select Save.

Your logs can now be queried using the Kusto Query Language (KQL) in Log Analytics. You might need to wait around 15 minutes for the logs to populate.
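The same two steps (create the workspace, then attach the Microsoft Entra diagnostic setting) can be scripted so they are repeatable and reviewable. The following is an added example written for this article, not code from the article itself or from Microsoft. It assumes the Az.Accounts, Az.OperationalInsights and Az.Monitor modules (Az.Monitor 3.x or later for New-AzDiagnosticSetting), placeholder resource names, and that the tenant-level resource ID `/providers/microsoft.aadiam` is the one the portal writes for Identity > Monitoring & health > Diagnostic settings. Two details that are easy to get wrong are called out in comments: the diagnostic setting needs the workspace ARM resource ID, while queries need the workspace CustomerId GUID.

```powershell
# Added example (not from the Microsoft Learn article): create the workspace and the
# Microsoft Entra diagnostic setting from PowerShell instead of the portal.
# Requires Az.Accounts, Az.OperationalInsights and Az.Monitor. Names are placeholders.
$ResourceGroup = 'rg-identity-logs'
$Location      = 'eastus'
$WorkspaceName = 'law-entra-logs'
$SettingName   = 'entra-to-law'
$EntraResource = '/providers/microsoft.aadiam'   # assumption: tenant-level Entra ID resource ID

# Needs Log Analytics Contributor on the resource group and at least
# Security Administrator in Microsoft Entra ID (the roles the article lists).
Connect-AzAccount | Out-Null

if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# 1. Create the workspace (the portal's Review + Create). Retention is set explicitly:
#    the 30-day default is short for an identity investigation.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $WorkspaceName -Location $Location -Sku 'PerGB2018' -RetentionInDays 90

# 2. Diagnostic setting with the AuditLogs and SignInLogs categories the article selects.
#    Destination is the workspace ARM resource ID, not the CustomerId GUID.
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Category 'AuditLogs'  -Enabled $true
    New-AzDiagnosticSettingLogSettingsObject -Category 'SignInLogs' -Enabled $true
)
New-AzDiagnosticSetting -Name $SettingName -ResourceId $EntraResource `
    -WorkspaceId $ws.ResourceId -Log $logs | Out-Null

# 3. Read the setting back rather than trusting the call succeeded, then poll the
#    workspace until the first rows arrive (the article says to allow about 15 minutes).
$setting = Get-AzDiagnosticSetting -ResourceId $EntraResource -Name $SettingName
$enabled = ($setting.Log | Where-Object { $_.Enabled } | ForEach-Object { $_.Category }) -join ', '
Write-Host "Diagnostic setting '$SettingName' -> $($ws.Name); enabled categories: $enabled"

$deadline = (Get-Date).AddMinutes(30)
do {
    # Queries use the CustomerId GUID. Type holds the table name in Log Analytics.
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
            -Query 'union AuditLogs, SigninLogs | summarize Rows = count() by Type'
    $rows = @($r.Results)
    if ($rows.Count -gt 0) { $rows | Format-Table Type, Rows; break }
    Write-Host 'No rows yet, waiting 60 s...'
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
```

If the polling loop times out, check the setting's enabled categories in the output first; an empty list means the setting was created but routes nothing, which is the most common cause of an empty workspace.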

Run queries in Log Analytics

This procedure shows how to run queries using the Kusto Query Language (KQL).

Run a query

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.

  2. Browse to Identity > Monitoring & health > Log Analytics.

  3. In the Search textbox, type your query, and select Run.

KQL query examples

Take 10 random entries from the input data:

  • SigninLogs | take 10

Look at the sign-ins where Conditional Access evaluated to success:

  • SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus

Count the number of successes:

  • SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus | count

Aggregate count of successful sign-ins by user by day:

  • SigninLogs | where ConditionalAccessStatus == "success" | summarize SuccessfulSignins = count() by UserDisplayName, bin(TimeGenerated, 1d)

View how many times a user performs a certain operation in a specific time period:

  • AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | summarize count() by OperationName, Identity

Pivot the results on operation name:

  • AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | project OperationName, Identity | evaluate pivot(OperationName)

Merge the audit and sign-in logs with an inner join to find each newly created user's first sign-in (the audit event's timestamp is renamed before the join so it is not confused with the sign-in timestamp):

  • AuditLogs | where OperationName contains "Add user" | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName) | project CreatedDate = TimeGenerated, UserPrincipalName | join kind = inner (SigninLogs | project UserPrincipalName, SigninDate = TimeGenerated) on UserPrincipalName | summarize arg_min(SigninDate, *) by UserPrincipalName

View the number of sign-ins by client app type:

  • SigninLogs | summarize count() by ClientAppUsed

Count the sign-ins by day:

  • SigninLogs | summarize NumberOfEntries=count() by bin(TimeGenerated, 1d)

Take five random entries and project the columns you wish to see in the results:

  • SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Take the five most recent entries (top, ordered by time descending) and project the columns you wish to see:

  • SigninLogs | top 5 by TimeGenerated desc | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated

Create a new column by combining the values of two other columns:

  • SigninLogs | limit 10 | extend RiskUser = strcat(RiskDetail, "-", Identity) | project RiskUser, ClientAppUsed
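Two of the queries above become useful checks once they are run on a schedule and their results are interpreted. The following is an added example written for this article, not code from the article or from Microsoft. It assumes Az.Accounts and Az.OperationalInsights, a placeholder workspace CustomerId, and builds on the "sign-ins by client app type" and "Add member to role" queries. The classification it applies is a property of the sign-in log itself: only the Browser and Mobile Apps and Desktop clients values of ClientAppUsed are modern authentication; every other value (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients, and so on) is a legacy protocol that cannot satisfy an MFA requirement and that Conditional Access can only block outright.

```powershell
# Added example (not from the Microsoft Learn article): run the article's KQL from
# PowerShell and turn two of the queries into checks. $WorkspaceId is a placeholder
# for the workspace CustomerId GUID. Requires Az.Accounts and Az.OperationalInsights.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'
Connect-AzAccount | Out-Null

function Invoke-EntraQuery {
    param([string]$Query, [TimeSpan]$Timespan = [TimeSpan]::FromDays(30))
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan $Timespan
    return @($r.Results)
}

# Check 1: successful sign-ins by client app, flagging legacy authentication.
# ResultType is a string column in SigninLogs; "0" is success.
$modern   = @('Browser', 'Mobile Apps and Desktop clients')
$byClient = Invoke-EntraQuery -Query @'
SigninLogs
| where ResultType == "0"
| summarize SignIns = count() by ClientAppUsed
| order by SignIns desc
'@
$legacy = $byClient | Where-Object { $_.ClientAppUsed -notin $modern }
if ($legacy) {
    $summary = ($legacy | ForEach-Object { "$($_.ClientAppUsed)=$($_.SignIns)" }) -join ', '
    Write-Warning "Successful legacy-auth sign-ins in the last 30 days: $summary"
} else {
    Write-Host 'No successful legacy-authentication sign-ins in the last 30 days.'
}

# Check 2: role membership changes, with the exact operation name instead of a
# substring match and the actor, target and role name pulled out of the event.
# The role name lives in modifiedProperties under displayName "Role.DisplayName";
# its newValue is a JSON-encoded string, hence the trim of the surrounding quotes.
$roleAdds = Invoke-EntraQuery -Query @'
AuditLogs
| where OperationName == "Add member to role"
| extend Actor  = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                           tostring(InitiatedBy.app.displayName)),
         Target = tostring(TargetResources[0].userPrincipalName)
| mv-expand p = TargetResources[0].modifiedProperties
| where tostring(p.displayName) == "Role.DisplayName"
| extend Role = trim('"', tostring(p.newValue))
| project TimeGenerated, Actor, Target, Role, Result
| order by TimeGenerated desc
'@
$roleAdds | Format-Table TimeGenerated, Actor, Target, Role, Result -AutoSize
```

Running the role query with `==` rather than `contains` matters for an alerting use: `contains` is a case-insensitive substring match and would also return any future operation whose name merely includes that phrase, so the result set would change without the query changing.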

Create a custom workbook

This procedure shows how to create a new workbook using the quickstart template.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Workbooks.

  3. In the Quickstart section, select Empty.

  4. From the Add menu, select Add text.

  5. In the textbox, enter # Client apps used in the past week and select Done Editing.

  6. Below the text window, open the Add menu and select Add query.

  7. In the query textbox, enter: SigninLogs | where TimeGenerated > ago(7d) | project TimeGenerated, UserDisplayName, ClientAppUsed | summarize count() by ClientAppUsed

  8. Select Run Query.

  9. In the toolbar, from the Visualization menu select Pie chart.

  10. Select Done Editing at the top of the page.

  11. Select the Save icon to save your workbook.

  12. In the dialog box that appears, enter a title, select a Resource group, and select Apply.

Add a query to a workbook template

This procedure shows how to add a query to an existing workbook template. The example is based on a query that shows the distribution of Conditional Access successes and failures over time.

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.

  2. Browse to Identity > Monitoring & health > Workbooks.

  3. In the Conditional Access section, select Conditional Access Insights and Reporting.

  4. In the toolbar, select Edit.

  5. In the toolbar, select the three dots next to the Edit button, then Add, and then Add query.

  6. In the query textbox, enter: SigninLogs | where TimeGenerated > ago(20d) | where array_length(ConditionalAccessPolicies) > 0 | summarize dcount(UserDisplayName) by bin(TimeGenerated, 1d), ConditionalAccessStatus

    The array_length filter keeps only sign-ins that at least one Conditional Access policy evaluated; ConditionalAccessPolicies is a dynamic array, so it should be tested for emptiness with array_length rather than compared with a string.

  7. Select Run Query.

  8. From the Time Range menu, select Set in query.

  9. From the Visualization menu, select Bar chart.

  10. Open the Advanced Settings.

  11. In the Chart title field, enter Conditional Access status over the last 20 days and select Done Editing.

Your Conditional Access success and failure chart displays a color-coded snapshot of your tenant.

Next step

Stream logs to an event hub