Enable reporting on User Activity and Last Logins

Raise a ticket if you need help.

Overview

CloudMonitor has the ability to monitor Azure AD User Activity, which allows it to produce useful security/governance recommendations and reports.

In the screenshot below we can see who has created Azure resources and when they last logged in to Active Directory. The Last Login date allows us to do things like:

  • Show me Users that had Owner/Admin RBAC roles that have not been active for X months
  • Ensure Users who have left the company are off-boarded correctly and their Ownership is assigned elsewhere
  • etc.
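The kind of report the bullets above describe, written out as an added example (this is not CloudMonitor's own code). The two inputs are constructed samples shaped like the data involved: users as returned by Microsoft Graph's users endpoint with the signInActivity property selected, and Azure RBAC role assignments reduced to (principal id, role name) pairs. The set of roles treated as "Owner/Admin" and the 30-day month are assumptions. A user with no signInActivity is reported as unknown rather than silently treated as active, which is the case that surfaces as "Unknown" in a report.

```python
"""Stale privileged-account report built on Azure AD last sign-in data (added example)."""
from datetime import datetime, timedelta, timezone

# Assumption: these Azure RBAC roles are what the report counts as Owner/Admin.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample shaped like GET /users?$select=id,userPrincipalName,accountEnabled,signInActivity.
# signInActivity is absent for a user who has never signed in, or when the reporting
# principal lacks AuditLog.Read.All; both cases must be reported as "unknown".
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-28T02:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-09-01T17:45:00Z"}},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-01-15T09:00:00Z"}},
    {"id": "u4", "userPrincipalName": "svc-build@contoso.example", "accountEnabled": True},
]

# Constructed sample: (principalId, roleDefinition name) pairs from Azure RBAC role assignments.
SAMPLE_ROLE_ASSIGNMENTS = [
    ("u1", "Owner"), ("u2", "Owner"), ("u2", "Reader"), ("u3", "Owner"),
    ("u4", "Owner"), ("u1", "Contributor"),
]


def parse_graph_time(value):
    # Graph emits ISO-8601 UTC timestamps with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_activity(user):
    """Most recent of interactive and non-interactive sign-in, or None if neither is known."""
    activity = user.get("signInActivity") or {}
    stamps = [activity.get("lastSignInDateTime"), activity.get("lastNonInteractiveSignInDateTime")]
    known = [parse_graph_time(s) for s in stamps if s]
    return max(known) if known else None


def privileged_account_report(users, role_assignments, months, now):
    """Classify privileged users: disabled but still holding roles (off-boarding gap),
    inactive for `months` or more (stale), or last sign-in unknown."""
    cutoff = now - timedelta(days=30 * months)  # assumption: 30-day months are fine for governance
    privileged = {}
    for principal_id, role in role_assignments:
        if role in PRIVILEGED_ROLES:
            privileged.setdefault(principal_id, set()).add(role)

    report = {"disabled_with_roles": [], "stale": [], "unknown": []}
    for user in users:
        roles = privileged.get(user["id"])
        if not roles:
            continue
        upn = user["userPrincipalName"]
        if not user.get("accountEnabled", True):
            # Account is disabled but ownership was never reassigned: off-boarding gap.
            report["disabled_with_roles"].append((upn, sorted(roles)))
            continue
        last = last_activity(user)
        if last is None:
            report["unknown"].append(upn)
        elif last < cutoff:
            report["stale"].append((upn, sorted(roles), last.date().isoformat()))
    return report


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for section, rows in privileged_account_report(SAMPLE_USERS, SAMPLE_ROLE_ASSIGNMENTS, 3, now).items():
        print(section, rows)
```

With the sample data and a three-month window as of 1 June 2024, alice is active (her non-interactive sign-in is the most recent), bob is stale, carol is a disabled account that still holds Owner, and the service account has no sign-in data and is listed as unknown instead of being assumed active.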

If your CloudMonitor reports show “Unknown” for these values, this article explains how to fix it.

Note: This step is optional if you do not wish to use the Last Login and User Activity Recommendations and Security Reports.

Monitoring User Last Login Time

Accessing the User’s details requires additional permissions on the monitoring Service Principal that CloudMonitor uses, because it queries the Azure Active Directory API.

The first step is to go to your Azure Active Directory and find the CloudMonitor Service Principal that you created when you installed the CloudMonitor Analytics Engine. In the example screenshot below our Service Principal is called “CloudMonitor-SP”. Click on “API permissions” in the left hand menu.

Active Directory User API Permissions

You will see that your Service Principal has a single permission by default: “User.Read”:

AD API Permissions Default

We need to add the following additional permissions to allow CloudMonitor to read the details of Users who are creating and owning resources in Azure:

  • AuditLog.Read.All
  • Directory.Read.All
  • User.Read.All

Click on “+ Add a permission” and then click on “Microsoft Graph” under Microsoft APIs.

CloudMonitor runs as a background service, so click on “Application permissions”. Then type “user” into the search box and expand the User permissions. Tick the checkbox for “User.Read.All”. Now do the same for “auditlog” and “directory” so that you end up with the 3 permissions above checked.

Azure AD Application Permissions

Click “Add permissions” to save and your screen should now look like this. Click on “Grant admin consent for ….” and confirm to give the API access to read the AD Activity Log and User Last Login dates.

Grant Admin Consent for AD Users

Your screen should now look like this. The next time the User Logins are synchronised (this does not happen frequently) the User’s Last Login activity will be updated.

AD Grant API Permissions
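A check for the step above, added here as an example (not CloudMonitor's own code): adding a permission and granting admin consent are recorded separately in Azure AD, so a permission can appear on the “API permissions” page and still not be usable. The function compares what the app registration requests (requiredResourceAccess) with what has actually been consented (the Service Principal's appRoleAssignments against the Microsoft Graph Service Principal). The three records are constructed samples shaped like the corresponding Graph responses; every GUID except the well-known Microsoft Graph application id is a placeholder, and real role ids must be read from the Graph Service Principal's appRoles.

```python
"""Verify that the monitoring Service Principal holds the Graph application
permissions needed for Last Login reporting (added example)."""

REQUIRED_PERMISSIONS = {"AuditLog.Read.All", "Directory.Read.All", "User.Read.All"}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph application id

# Constructed sample shaped like the Microsoft Graph service principal (id and appRoles).
# The role ids below are placeholders; real ones come from this object in your tenant.
GRAPH_SP = {
    "id": "placeholder-graph-sp-object-id",
    "appRoles": [
        {"id": "placeholder-role-user-read-all", "value": "User.Read.All",
         "allowedMemberTypes": ["Application"]},
        {"id": "placeholder-role-directory-read-all", "value": "Directory.Read.All",
         "allowedMemberTypes": ["Application"]},
        {"id": "placeholder-role-auditlog-read-all", "value": "AuditLog.Read.All",
         "allowedMemberTypes": ["Application"]},
        {"id": "placeholder-scope-user-read", "value": "User.Read",
         "allowedMemberTypes": ["User"]},  # delegated scope, not usable by a background service
    ],
}

# Constructed sample: what "Add permissions" writes to the app registration.
APP_REGISTRATION = {
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "placeholder-role-user-read-all", "type": "Role"},
            {"id": "placeholder-role-directory-read-all", "type": "Role"},
            {"id": "placeholder-role-auditlog-read-all", "type": "Role"},
        ],
    }]
}

# Constructed sample: what "Grant admin consent" writes, here with one grant still missing.
SP_ASSIGNMENTS = [
    {"appRoleId": "placeholder-role-user-read-all", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "placeholder-role-directory-read-all", "resourceId": GRAPH_SP["id"]},
]


def permission_status(graph_sp, app_registration, assignments, required=REQUIRED_PERMISSIONS):
    """Split the required permissions into not requested, requested but not consented, and effective."""
    # Only application roles count: a delegated scope is never usable by a background service.
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]
                  if "Application" in r["allowedMemberTypes"]}

    requested = set()
    for resource in app_registration.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in resource["resourceAccess"]:
            if access["type"] == "Role" and access["id"] in role_names:
                requested.add(role_names[access["id"]])

    consented = {role_names[a["appRoleId"]] for a in assignments
                 if a["resourceId"] == graph_sp["id"] and a["appRoleId"] in role_names}

    return {
        "not_requested": sorted(required - requested),
        "awaiting_consent": sorted((required & requested) - consented),
        "effective": sorted(required & consented),
    }


if __name__ == "__main__":
    print(permission_status(GRAPH_SP, APP_REGISTRATION, SP_ASSIGNMENTS))
```

In the sample, AuditLog.Read.All has been added but not consented. That is the permission Graph needs before it will return a user's signInActivity, so this state produces exactly the “Unknown” Last Login values the article describes even though the permission is visible on the portal page.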