Posted by Mike Racine
Monitoring emergency account usage in Azure AD
Do you have an emergency Azure Admin account set up? Wouldn't it be wonderful if you had a way for Azure to notify you when that account has been used? Good news! In this episode of #KnowOps, Dana shares with us how to harness the power of Azure Log Analytics, Monitoring and Event Hubs to do just that.
If you want to learn how to set up the emergency account Dana mentions, check out that episode here:
So I saw this comment on YouTube the other day.
"Can someone explain how to set up monitoring for that emergency account? Other users/admins should be notified when the account is used. I only know that you can notify, when you're using PIM, that someone has activated or been assigned a role. Please help."
I've got your back Sebastian. Let's get to it.
Dana Epp here, welcome to the channel that helps aspiring Azure administrators like you and me to KnowOps and well, master the Microsoft Cloud. I'm glad you're here. If you haven't yet, smash the subscribe button so that you can be notified when I release new videos each week.
So one of the very first episodes I did for KnowOps was how not to lock yourself out of Azure when using MFA. One of my recommendations is to enforce Multi-Factor Authentication on all admin accounts, except for one break glass account that should only be used in emergencies. This lets you get into your tenant and bypass MFA if the need ever arises. This account should almost never be used, and it is vital that you monitor it if it ever is, since you don't get the security benefits of the stronger authentication that MFA offers. I saw a comment on YouTube from Sebastian asking how to monitor emergency accounts. So let's jump right in and I'll show you how.
So the first thing you'll need is an Azure AD Premium license. The free Azure AD SKU does not offer sign-in logs, which is what you're going to need here. With that enabled, you now have access to the sign-ins blade in the Azure AD portal. If you cannot see the sign-in events there, then you have to get that going before you can continue on. I know, I know, it seems stupid that something as simple as your sign-in logs isn't available to you for free. I've made my opinion known to the Azure AD team at Microsoft, for years, on this. They are coming around, but just haven't given that to us yet. But don't worry, I'll keep on them. If you have Microsoft 365, this is probably already bundled in for you. If not, sign up for a free 30-day trial and see if it works for you.
Once you've got Azure AD Premium enabled in your tenant, enable audit logging in the diagnostic settings and send events to a Log Analytics workspace. Make sure you select both AuditLogs and SigninLogs. When you first do this, it can take eight or up to 24 hours before logs will even show up in Log Analytics, so be patient the first time you set this up. Once you've enabled Azure AD to send events to Log Analytics, there will be a new SigninLogs table that you'll be able to take advantage of. Let's do a little bit of KQL magic and build a custom search that'll allow us to look for that emergency break glass account: query the SigninLogs table, where OperationName equals "Sign-in activity" and where UserPrincipalName equals that emergency account. Once you have that, save it off. Name it "Emergency Account used" and put it under a new category called "Account Monitoring".
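The saved search described above, written out as an added KQL example (not taken from the video); the break glass UPN is an assumed placeholder you replace with your own, and the projected columns are standard SigninLogs fields that make the alert email useful on its own:

```kql
// Emergency (break glass) account sign-ins, for the "Emergency Account used" saved search.
// Assumed placeholder UPN: replace with your tenant's break glass account(s).
let EmergencyAccounts = dynamic(["breakglass@contoso.onmicrosoft.com"]);
SigninLogs
| where OperationName == "Sign-in activity"
// in~ is case-insensitive, so a differently-cased UPN in the log still matches.
| where UserPrincipalName in~ (EmergencyAccounts)
// Keep the fields a responder needs: who, from where, to what, and whether it succeeded.
// ResultType "0" is a successful sign-in; anything else is a failure, which you still want
// to see, because repeated failures against this account are worth investigating too.
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          ClientAppUsed, ConditionalAccessStatus, ResultType, ResultDescription
| order by TimeGenerated desc
```

Because the query does not filter on ResultType, the alert rule's "number of results greater than 0" condition fires on failed attempts as well as successful sign-ins.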
Once you have the custom search built, you can go over into your Monitor alerts and create a new alert rule. Under the condition, for the signal type, look for that new "Emergency Account used" search. You'll have the option to determine what the alert logic should be: set it to fire when the number of results is greater than zero, in other words, when there was any sign-in activity for this emergency account. Once that's done, send it off to an action group. You can create a new one, or reuse any existing ones you have.
What I like to do is use an existing one I have, like "Notify all Cloud Admins". What this does is send an email as well as push a notification to the Azure mobile app on your phone, to let you know what's going on. In this case, I'll set an email subject line for the alert details, set the severity to SEV-1 and create the alert rule. You'll now get alerted whenever an emergency account is used. So using Azure Monitor with Log Analytics makes it easy to fire alerts when things get found in your logs, things like your Azure AD sign-ins. But there is a limitation. Azure AD can't get those events ingested into Log Analytics immediately. In fact, it can usually take anywhere between 15 to 30 minutes for them to show up in Log Analytics.
What if you wanna take action sooner?
This is where Azure Event Hubs comes in. Event Hubs is designed for high-throughput event messaging. In fact, it's a core piece of the plumbing behind the entire Azure platform. And it so happens that you can configure Azure AD to send events to an Event Hub for you. The benefit here is that Azure batch processes this every two to five minutes, which means you can get alerted to any emergency account being used much faster. If that's important to you, let me show you how to set it up. Go back to the diagnostic settings for Azure AD. Edit your settings, select "Stream to an event hub" and then configure your event hub. Hit save and voila, you now have your sign-in events firing to an event hub.
Now you can do pretty cool things with these events, like hooking into a custom Logic App and firing tickets into your ITSM tool, triggering a custom Azure Function to execute special PowerShell, or even firing it to an external webhook for any sort of external processing you like. From here, you're only limited by your imagination. Turn your Philips Hue bulbs red or have the Star Trek red alert sound ring through the office, post your resume on a favorite job board because an account's been breached; who knows. Have fun with it, or not.
A message into a Teams channel or an email to Outlook is just as good. I really hope you never need to rely on an emergency account like this, but given its sensitive nature, and the fact that you aren't using MFA with it, it is vitally important that you put this sort of monitoring in place to make sure everyone knows when it's used.
Sebastian, I hope this helps you get it set up. How 'bout the rest of you? Was this helpful? Let me know by hitting the like button, it really does help. And if you haven't yet, smash the subscribe button so that you can be notified when I publish new content each week. Until then, thanks for watching. We'll see you in the next episode.