Configure Azure Active Directory (AAD) Logga
To enable the AAD Logga, you must have completed the preparation for Office 365 integration in the Azure Portal.
The AAD Logga uses Azure audit log search functionalities. In some cases the Azure audit log search has to be enabled. Please also keep in mind that Microsoft states that it may take up to 24 hours until events are available to the audit log search.
How to enable the audit log search and more information regarding the Azure audit log can be found in the article Search the audit log in the Security & Compliance Center (© 2020 Microsoft, https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide, obtained an April 1, 2020).
Start the ARM configuration application and click "Scans".
Select "Logga - Active Directory" (same as for AD on-premise).
No entry required - can be ignored.
Select the placeholder "Microsoft Azure AD".
- Select a collector server. Note, that the collector server needs internet access to pull AAD events.
- Click Apply.
- Newly added resources are always at the bottom.
- You have created a AAD Logga configuration.
- The warning indicates that not all required settings are made.
- Click one of the links.
- Enter the tenant, for example "mycompany.com".
- Enter the application ID.
- Enter the client secret.
The application ID and the client secret were created during the preparation for Microsoft 365 integration.
- Determine the interval for pulling events from AAD to the collector server. Default value: 60 Seconds.
- You must enter a comment.
- Click "Apply".
- Optional: Give the AAD Logga configuration a new name.
- Specify the interval at which the Logga data is written from the collector to the ARM database. Default value: 10 minutes.
- You can reduce the amount of data being collected by setting filters. Please see also: Filter AD Logga events.
- Turn on the Logga.