Chatee ahora con Soporte
Chat con el soporte

Change Auditor 7.3 - Office 365 and Azure Active Directory User Guide

Office 365 and Azure Active Directory Auditing Overview Configuring Office 365 and Azure Active Directory auditing Reports and Searches

Delete a template

* 
NOTE: When you delete a template, the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal.
To delete a template
1
On the Azure Active Directory Auditing page, select the template to delete and choose Delete | Delete Template.
2
Click Yes to confirm.

Considerations
If you have a synchronized environment, you may be auditing high volume synchronization events which have low value. To improve performance and reduce the number of events stored in the database, consider excluding some events with an excluded account template that targets the synchronization account and high volume Azure Active Directory events. Alternatively, you can select to purge the events after a specified number of days. If you set up a purge job for these events, ensure to configure the purge settings to delete the events before they are subject to any archival settings.
Ensure that the appropriate Change Auditor licenses have been applied on all coordinators. See License requirements for license requirements.
Ensure that the appropriate Azure Active Directory license has been applied:
To audit sign-in events, an Azure Premium P1 license is required.
To audit risk events, an Azure Premium P2 license is required.
Ensure that the following permissions have been applied on the Azure web application that is associated with your template.
Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information
Office 365 Management APIs application permissions:
ActivityFeed.Read – Application - Read activity data for your organization
Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.
Because Change Auditor collects Microsoft's audit logs, the events and details reported are limited to what these logs provide. If an event appears to be missing in Change Auditor, log onto the respective portal and review the audit logs to see if the event is listed.
For Azure Active Directory activity check the Audit Logs under Monitoring | Audit logs or go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit.
For Azure Active Directory Sign-ins check the Sign-ins under Monitoring | Sign-ins or go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns
For Azure Active Directory Risky sign-ins check the Risky sign-ins under Manage | Security | Risky sign-ins or go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskySignIns.
For Office 365 activity check the Audit Log under Search | Audit log search or go to https://protection.office.com/unifiedauditlog.
See if the following internal events, which are in place to monitor the status of Azure Active Directory and Office 365 auditing, have been generated. Persistent suspension of the auditing where auditing does not resume may lead to delayed event processing that requires administrator attention.
Azure Active Directory auditing has suspended
Event generated when auditing is active, and then client or server HTTP error codes (4xx or 5xx *) are returned by the Azure Active Directory auditing service.
Azure Active Directory auditing has resumed
Event generated when auditing was in a suspended state, and then a successful HTTP code is returned by the Azure Active Directory auditing service.
Office 365 auditing has suspended
Event generated when auditing is active, and then client or server HTTP error codes (4xx or 5xx *) are returned by the Office 365 auditing service.
Office 365 auditing has resumed
Event generated when Office 365 auditing was in a suspended state, and then a successful HTTP code is returned by the Office 365 auditing service.

Azure Active Directory Auditing Wizard

To audit Azure Active Directory you must create an auditing template and select an agent.

The following table provides details on how to create a template and the required web application so you can beginto audit the Azure Active Directory activity and how to edit the audited activities in an existing template.

* 
NOTE: You can only create one Azure Active Directory template per tenant.
Table 5. Azure Auditing Template Wizard
Page
Description

Credentials, audit activity, and agent selection page

During template creation, use this page to provide the credentials for the accounts that register Change Auditor in the tenant, the activities to audit, and specify the agent.

 

NOTE: A Change Auditor for Active Directory license is required to monitor the audit logs. A Change Auditor for Logon Activity User license is required to monitor sign-in and sign-in risk event activity.
NOTE: To select a new agent, you must create a new template or use the Set-CAAzureADTemplate command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)
To create a template:
1
Enter the name of the Azure Active Directory.
2
Under Authentication Configuration, select to Create a new web application or Use existing web application.
If you select to create a new Azure web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
a
Select an account with the Global Administrator role.
b
Enter the required password, and select Sign in.
c
Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page. (Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.)
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
To apply the consent for just the current signed-in user simply click Accept.
If you select to use an existing Azure web application, enter the Azure directory, application ID, and application key. See the Microsoft documentation for details on integrating applications with Azure Active Directory and creating a web application.
Note: In the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant for each of them.
Ensure the following permissions are assigned to the Azure web application:
Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information
Office 365 Management APIs application Permissions:
ActivityFeed.Read – Application - Read activity data for your organization
3
Select the activity to audit:
Audit Logs: Audits Azure Active Directory user, group, application, and directory activity.
Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity.

 
4
Click Select agent to view available agents and whether they are assigned to an Azure Active Directory auditing template.
You cannot use an agent that is already assigned for auditing.
The Azure Active Directory cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. See the Change Auditor Release Notes for ports that need to be opened on the agent server.
5
Click Finish to create the template. After the template is created, Change Auditor starts collecting events that are available on your tenant.
To edit a template:
1
Under Authentication Configuration, select to Create a new web application or Use existing web application.
If you select to create a new Azure web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
The Azure Active Directory sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
a
Select an account with the Global Administrator role.
b
Enter the required password, and select Sign in.
c
Review the required permissions for the Change Auditor Configuration Assistant on the Azure consent page. (Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.)
To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.
To apply the consent for just the current signed-in user simply click Accept.
If you select to use an existing Azure web application, enter the Azure directory, application ID, and application key. See the Microsoft documentation for details on integrating applications with Azure Active Directory and creating a web application.
Note: In the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant for each of them.
Ensure the following permissions are assigned to the Azure web application:
Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information

 
Office 365 Management APIs application Permissions:
ActivityFeed.Read – Application - Read activity data for your organization
Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.
2
Add and remove the activity to audit as required.
Audit Logs audits Azure Active Directory user, group, application, and directory activity.
Sign-ins: Audits Azure Active Directory user sign-in and sign-in risk event activity.
4
Click Finish to apply the updates.

Reports and Searches
Introduction to Office 365 and Azure Active Directory reporting
Office 365 built-in reports
Custom searches
Additional information for synchronized environments
Working with generic Office 365 and Azure Active Directory events
Additional Office 365 and Azure Active Directory event details
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación