Most enterprises sync their on-prem AD up to Azure AD to facilitate a single identity experience for users accessing resources on-prem and in the cloud, and that’s good but it’s important not to view Azure AD as a read-only extension of on-prem AD. There’s a lot of important identity and access activity going on in Azure AD, independent from on-prem and it is a growing blind spot in security monitoring. Azure AD is just as vulnerable to privileged insider abuse as on-prem AD.
Likewise, data in the cloud is just as vulnerable to malicious insiders as that on your on-prem network. Here’s a few things that could happen which you’ll only know about if you are monitoring Azure AD and O365:
- Changes to privileged roles and designated admins
- Changes to groups that only live in Azure AD including security, distribution and O365/Teams groups
- Configuration of Azure AD B2B
- Configuration of SaaS applications that integrate with Azure AD for authentication
- Creation of non-synchronized users, roles and other resources
- Users sharing data in SharePoint, OneDrive and other O365 resources with external users
- Privileged and end-user access to mailboxes and leakage of mail through forwarding rules
These events are logged in the Office 365 Unified Log, and I will show examples of what these events look like and how to find them.
Office 365 only keeps these audit events for 90 days though. And the web interface and PowerShell commands for searching and exporting the unified audit log have their limitations, which I will explain.
Quest Software is our sponsor and Matthew Vinton will briefly show how their new On Demand Audit is an Azure-hosted SaaS that tracks everything that happens in the cloud and on-prem, and keeps it around for up to 10 years.
This will be a technical webinar, where we will dive down into the raw events of O365 / AAD audit.
Join us for this real-training-for-free session.