Entra ID Logon Security

Overview

The Entra ID Logon Security Event Monitor monitors and alerts about users' successful and/or failed login attempts.

This event monitor can be configured to alert about both successful and failed login attempts. It can also be set to include or exclude certain users, applications, and resources from all checks performed by the monitor.

Note: After you configure this event monitor, it can take between five and ten minutes before it can run for the first time. This is because Azure has a lag of about that long before it generates the log.

Use Cases

  • Receiving alerts about failed login attempts
  • Keeping a record of all logins

Monitoring Options

This event monitor provides the following options:

  • Alert with [Warning/Error/Critical] if Azure cannot be contacted: This option will alert you at the level of your choosing if Azure can't be contacted.

  • Alert with [Warning/Error/Critical] if more than one failed login attempt is found: Enable this option to receive an alert if a login fails twice or more.

  • Alert with [Warning/Error/Critical] for successful logins: This option will notify you of every successful login with an alert of your choice.

  • Only check the selected users: This option lets you specify a list of users that the event monitor will check exclusively.

  • Exclude these users from all checks: Enter a comma-separated list of users that will be excluded from all checks.

  • Include these applications in all checks: The applications you list here will be included in all checks.

  • Exclude these applications from all checks: The applications you list here will be excluded from all checks.

  • Include these resources in all checks: The resources you list here will be included in all checks.

  • Exclude these resources from all checks: The resources you list here will be excluded from all checks.
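
How the options above combine, shown as an added Python example (this is not the product's own code). The record fields `userPrincipalName`, `appDisplayName`, `resourceDisplayName` and `status.errorCode` are those of Microsoft Graph sign-in records. Assumptions: the `MonitorOptions` names are hypothetical, an empty include list means "check everything", and failed logins are counted across all in-scope users.

```python
from dataclasses import dataclass, field

@dataclass
class MonitorOptions:
    # Hypothetical field names, one per monitoring option listed above.
    only_users: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=set)
    exclude_apps: set = field(default_factory=set)
    include_resources: set = field(default_factory=set)
    exclude_resources: set = field(default_factory=set)
    failed_level: str = "Error"   # level used when more than one login failed
    success_level: str = ""       # empty string: no alert for successful logins

def in_scope(value, include, exclude):
    # Assumption: an empty include list means "check everything"; matching ignores case.
    value = (value or "").lower()
    include, exclude = ({v.lower() for v in s} for s in (include, exclude))
    return (not include or value in include) and value not in exclude

def evaluate(records, opts):
    """Apply the filters, then return both data points and any alerts."""
    failed = succeeded = 0
    for r in records:
        if not (in_scope(r.get("userPrincipalName"), opts.only_users, opts.exclude_users)
                and in_scope(r.get("appDisplayName"), opts.include_apps, opts.exclude_apps)
                and in_scope(r.get("resourceDisplayName"), opts.include_resources, opts.exclude_resources)):
            continue
        if r["status"]["errorCode"] == 0:  # Graph signIn: errorCode 0 means success
            succeeded += 1
        else:
            failed += 1
    alerts = []
    if failed > 1:  # "more than one failed login attempt"
        alerts.append((opts.failed_level, f"{failed} failed logins"))
    if opts.success_level and succeeded:
        alerts.append((opts.success_level, f"{succeeded} successful logins"))
    return {"Failed Logins": failed, "Successful Logins": succeeded, "alerts": alerts}

def rec(user, app, resource, code):
    return {"userPrincipalName": user, "appDisplayName": app,
            "resourceDisplayName": resource, "status": {"errorCode": code}}
# Constructed sample records, not real log data.
SAMPLE = [
    rec("alice@example.com", "Azure Portal", "Microsoft Graph", 50126),
    rec("alice@example.com", "Azure Portal", "Microsoft Graph", 50126),
    rec("bob@example.com", "Office 365 Exchange Online", "Office 365 Exchange Online", 0),
    rec("svc-backup@example.com", "Backup Tool", "Microsoft Graph", 50126),
]
```

Excluding a noisy service account changes both the failed-login count and whether the threshold alert fires, so review exclusion lists with the same care as the alert levels.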

Authentication and Security

First, you'll need to create an app registration to add to your event monitor's authentication profile. Information on how to do this can be found in our "Creating an Azure Authentication Profile" article.

The app registration must be granted the Microsoft Graph AuditLog.Read.All permission. Your Azure subscription must be for a Premium P1 or P2 account. Microsoft does not support login monitoring with non-premium accounts.

Protocols

Data Points

This event monitor generates the following data points:

  • Same as configured in the monitoring options.

| Data Point | Description |
| --- | --- |
| Failed Logins | The number of failed logins. |
| Successful Logins | The number of successful logins. |

Sample Output