Collect Microsoft Azure AD logs

This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.

Azure Active Directory (AZURE_AD) is now called Microsoft Entra ID. Azure AD audit logs (AZURE_AD_AUDIT) are now Microsoft Entra ID audit logs.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the following ingestion labels: AZURE_AD_AUDIT, AZURE_AD_CONTEXT, and AZURE_AD.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An Azure subscription that you can sign in to.
  • A global administrator or Azure AD administrator role.
  • An Azure AD (tenant) in Azure.

Configure Azure AD

  1. Sign in to the Azure portal.
  2. Go to Home > App registration and select a registered application, or register an application if you haven't created one yet.
  3. To register an application, in the App registration section, click New registration.
  4. In the Name field, provide the display name for your application.
  5. In the Supported account types section, select the required option to specify who can use the application or access the API.
  6. Click Registration.
  7. Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
  8. To configure the user impersonation scope for the registered Azure app, do the following:

    1. Go to Settings > Manage.
    2. Click Expose an API.
    3. Click Add a scope.
    4. Specify the required details.
  9. Click API permissions.
  10. Click Add a permission, and then select Microsoft Graph in the new pane.
  11. Click Application permissions.
  12. Select the AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.All permissions. Ensure that the permissions are Application permissions and not Delegated permissions.
  13. Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
  14. Go to Settings > Manage.
  15. Click Certificates and secrets.
  16. Click New client secret. The client secret appears in the Value field.
  17. Copy the client secret value. The value is displayed only at the time of creation, and it is required for the Azure app registration and to configure the Google Security Operations feed.
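Before entering the client ID, client secret and tenant ID into the feed, it is worth confirming that the app registration from the steps above really holds the three Application permissions with admin consent. The following Python check is an added example, not part of this page or of Google Security Operations tooling; it assumes the Microsoft identity platform v2.0 token endpoint with the client-credentials grant, the Microsoft Graph v1.0 directoryAudits endpoint, and the environment variable names AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions the page says to grant (Application, not Delegated).
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"}
# Assumed endpoints: identity platform v2.0 token endpoint and Graph v1.0 directoryAudits.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=1"

def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload without verifying the signature (local claim inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(payload: dict) -> set:
    """Required Graph application roles absent from the token's 'roles' claim."""
    # Delegated permissions surface under 'scp', not 'roles', so an app given
    # Delegated instead of Application permissions reports all three as missing.
    return REQUIRED_ROLES - set(payload.get("roles", []))

def fetch_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Obtain a Graph access token with the client-credentials grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=body) as resp:
        return json.load(resp)["access_token"]

def main() -> int:
    # Assumed variable names; the values are the ones copied from the Azure portal steps.
    tenant, cid, secret = (os.environ[k] for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET"))
    token = fetch_token(tenant, cid, secret)
    missing = missing_roles(decode_jwt_payload(token))
    if missing:
        print("missing Application permissions, or admin consent not granted:", sorted(missing))
        return 1
    req = urllib.request.Request(GRAPH_AUDIT_URL, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        print("directoryAudits reachable; records returned:", len(json.load(resp)["value"]))
    return 0

if __name__ == "__main__":
    raise SystemExit(main())
```

A non-zero exit with a list of missing roles usually means admin consent was not granted or the permissions were added as Delegated; a 403 from the directoryAudits call with all roles present points at the tenant rather than the app registration.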

Configure a feed in Google Security Operations to ingest Azure AD logs

  1. From the Google Security Operations menu, select Settings.
  2. Click Feeds.
  3. Click Add new.
  4. Select Third party API as the Source type.
  5. To create a feed for Azure AD, select AZURE_AD as the Log type.
  6. Click Next.
  7. Configure the following input parameters:
    • OAUTH client ID: specify the client ID that you obtained previously.
    • OAUTH client secret: specify the client secret that you obtained previously.
    • Tenant ID: specify the tenant ID that you obtained previously.
  8. Click Next and then click Submit.
  9. After you complete the steps to create a feed for Azure AD, repeat the steps to create a separate feed for each of the following log types: AZURE_AD_AUDIT and AZURE_AD_CONTEXT.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
