CloudMonitor can monitor Azure AD user activity, which lets it produce security and governance recommendations and reports.
In the screenshot below we can see who has created Azure resources and when they last signed in to Azure Active Directory. The Last Login date allows us to do things like:
- Show users holding Owner or Administrator RBAC roles who have not signed in for X months
- Ensure Users who have left the company are off-boarded correctly and their Ownership is assigned elsewhere
If the Last Login column in your CloudMonitor reports shows “Unknown”, this article shows you how to fix it.
Note: This step is optional if you do not wish to use the Last Login and User Activity Recommendations and Security Reports.
Reading the user details requires additional API permissions on the monitoring Service Principal that CloudMonitor uses, because this data comes from Azure Active Directory via the Microsoft Graph API.
The first step is to go to your Azure Active Directory and find the CloudMonitor Service Principal that you created when you installed the CloudMonitor Analytics Engine. In the example screenshot below our Service Principal is called “CloudMonitor-SP”. Click on “API permissions” in the left-hand menu.
You will see that your Service Principal has a single permission by default, the delegated permission “User.Read”:
We need to add three additional Microsoft Graph application permissions so that CloudMonitor can read the details of users who are creating and owning resources in Azure:
Click on “+ Add a permission” and then click on “Microsoft Graph” under Microsoft APIs.
CloudMonitor runs as a background service with no signed-in user, so click on “Application permissions” (not “Delegated permissions”). Type “user” into the search box, expand the User permissions and check the checkbox for “User.Read.All”. Now search for “auditlog” and then “directory” and check the corresponding Read.All application permission under each, so that you end up with three application permissions checked.
Click “Add permissions” to save and your screen should now look like this. Application permissions always require admin consent and show a status of “Not granted” until it is given, so click on “Grant admin consent for ….” and confirm to allow CloudMonitor to read the Azure AD sign-in activity and user Last Login dates. Note that these are tenant-wide read permissions over your whole directory, so the Service Principal’s client secret or certificate should be protected accordingly.
Your screen should now look like this. The Last Login values will be updated the next time CloudMonitor synchronises user sign-ins, which does not happen frequently, so do not expect the “Unknown” values to disappear immediately.
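The same change can be scripted instead of clicked through the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original article or of CloudMonitor. It assumes the Service Principal is named “CloudMonitor-SP” as in the screenshot, and it assumes the two permissions matched by the “auditlog” and “directory” searches are the standard Graph application permissions AuditLog.Read.All and Directory.Read.All. It must be run by an administrator who is allowed to grant tenant-wide consent (for example a Global Administrator).

```powershell
# Added example (not CloudMonitor's own code): grant and consent to the Microsoft Graph
# application permissions that CloudMonitor needs, then list what the SP ended up with.
# Requires the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).

# Scopes needed by the admin running this script: read app registrations/SPs and
# create app role assignments (which is what "Grant admin consent" creates for
# application permissions).
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$spName   = "CloudMonitor-SP"   # name taken from the article's screenshot
# ASSUMPTION: AuditLog.Read.All and Directory.Read.All are the permissions the
# article means by "do the same for auditlog and directory".
$required = @("User.Read.All", "AuditLog.Read.All", "Directory.Read.All")

# Microsoft Graph's own service principal; its appRoles are the application permissions.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sp      = Get-MgServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) { throw "Service principal '$spName' not found in this tenant" }

# Existing grants, so the script is safe to re-run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

foreach ($permission in $required) {
    # Only match roles that may be held by an application, i.e. application permissions.
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { throw "Microsoft Graph has no application permission named '$permission'" }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) {
        Write-Host "$permission is already granted"
        continue
    }

    # Creating the app role assignment is the consent step; there is no separate "consent" call.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $permission"
}

# Verification: print the Graph application permissions now consented for the SP.
Write-Host "Graph application permissions held by ${spName}:"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```

The verification step at the end is the check to run after either the portal or the scripted route: the three permissions should be listed. Because the script creates the app role assignments directly on the Service Principal rather than editing the app registration’s requested permissions, the portal’s “API permissions” blade may show them under “Other permissions granted” rather than in the configured list; the effective access for CloudMonitor is the same.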