Currently we a spending most of our time doing Azure Gonvernance projects for customers.
This includes
- DevOps
- Pipelines
- Templates
- and more
- Management/Resource Group Structure
- Policies
- Monitoring
If you need anything in aboveareas, don’t hesistate to contact us!
We can help you get into azure from nothing to production, or help you get control of your azure spending and structure.
One of the things we setup is Diagnostics logging in Azure Log Analytics from various resources.
This is super easy to setup on all Azure Resources, but it is actually also possible to enable on Azure ADs.
Azure AD forwards these logs:
- AuditLogs
- SignInLogs
The challenge is that Azure AD is Not a normal Azure resource, so we cannot use the standard PowerShell commands to set it up.
Therefore I create my own script to use the REST API to setup the diagnostics logging.
To access the REST API we need to use a access token, but using Azure modules, we can get he token easily.
This great script on TechNet shows how: https://gallery.technet.microsoft.com/scriptcenter/Easily-obtain-AccessToken-3ba6e593
param(
$workspaceName = "runbookguru",
$ruleName = "Log Analytics ($workspaceName)"
)
Import-Module Az
Login-AzAccount
# Find the ResourceId for the Log Analytics workspace
$workspaceResource = Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name $workspaceName
$workspaceId = $workspaceResource.ResourceId
function Get-AzCachedAccessToken()
{
$ErrorActionPreference = 'Stop'
$azureRmProfileModuleVersion = (Get-Module Az.Profile).Version
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
if(-not $azureRmProfile.Accounts.Count) {
Write-Error "Ensure you have logged in before calling this function."
}
$currentAzureContext = Get-AzContext
$profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
Write-Debug ("Getting access token for tenant" + $currentAzureContext.Tenant.TenantId)
$token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
$token.AccessToken
}
$token = Get-AzCachedAccessToken
#setup diag settings
$uri = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{0}?api-version=2017-04-01-preview" -f $ruleName
$body = @"
{
"id": "providers/microsoft.aadiam/diagnosticSettings/$ruleName",
"type": null,
"name": "Log Analytics",
"location": null,
"kind": null,
"tags": null,
"properties": {
"storageAccountId": null,
"serviceBusRuleId": null,
"workspaceId": "$workspaceId",
"eventHubAuthorizationRuleId": null,
"eventHubName": null,
"metrics": [],
"logs": [
{
"category": "AuditLogs",
"enabled": true,
"retentionPolicy": { "enabled": false, "days": 0 }
},
{
"category": "SignInLogs",
"enabled": true,
"retentionPolicy": { "enabled": false, "days": 0 }
}
]
},
"identity": null
}
"@
$headers = @{
"Authorization" = "Bearer $token"
"Content-Type" = "application/json"
}
$response = Invoke-WebRequest -Method Put -Uri $uri -Body $body -Headers $headers
if ($response.StatusCode -ne 200) {
throw "an error occured: $($response | out-string)"
}
This has been a pain when setting up governance on Azure Subs/Tenants. Great article
[…] Configure AAD to deliver to Audit and Signing logs to sentinel […]
Thank you very much for the article.
I used it to delete a diagnostic settings that was undeleteable from portal because the related subscription was deleted!!!