Diagnostic Settings and Log Analytics Configuration
Diagnostic Settings and Log Analytics Configuration are critical components in Microsoft Identity and Access Administration, particularly within the scope of planning and automating identity governance. These tools enable organizations to monitor, analyze, and retain identity-related logs for security, compliance, and operational insights.

**Diagnostic Settings** in Azure Active Directory (now Microsoft Entra ID) allow administrators to route identity-related logs to various destinations. These logs include sign-in logs, audit logs, provisioning logs, and risk event logs. Through diagnostic settings, administrators configure where these logs are sent: Azure Log Analytics workspaces, Azure Storage accounts, Azure Event Hubs, or partner solutions. This ensures that critical identity data is preserved beyond the default retention period and can be analyzed comprehensively. To configure diagnostic settings, administrators navigate to Microsoft Entra ID > Diagnostic settings > Add diagnostic setting, where they select the log categories to export and choose one or more destinations. This requires appropriate permissions, typically the Global Administrator or Security Administrator role.

**Log Analytics Configuration** involves setting up an Azure Log Analytics workspace to receive and analyze identity logs. Once connected via diagnostic settings, administrators can use Kusto Query Language (KQL) to query sign-in patterns, detect anomalies, track provisioning activities, and monitor governance workflows like access reviews and entitlement management.
Key benefits include:
- **Extended Retention**: Storing logs beyond the default 30-day retention period
- **Advanced Querying**: Using KQL for complex analysis of identity events
- **Automated Alerts**: Creating alert rules based on specific identity events or thresholds
- **Workbook Visualization**: Building dashboards using Azure Workbooks for identity governance reporting
- **Integration with SIEM**: Forwarding data to security information and event management solutions

For identity governance automation, these configurations enable organizations to monitor access review completions, track entitlement management package assignments, audit lifecycle workflow executions, and ensure compliance with regulatory requirements through comprehensive logging and reporting capabilities.
Diagnostic Settings & Log Analytics Configuration for Identity Governance (SC-300)
Understanding Diagnostic Settings and Log Analytics Configuration
Why Is This Important?
In any modern identity governance strategy, visibility into what is happening within your Azure Active Directory (now Microsoft Entra ID) environment is absolutely critical. Diagnostic Settings and Log Analytics provide the foundation for monitoring, auditing, and automating identity governance decisions. Without proper logging and analytics:
- You cannot detect suspicious sign-in activities or risky user behaviors
- You lose the ability to audit access reviews, entitlement management changes, and privileged identity management (PIM) operations
- Compliance requirements (such as GDPR, HIPAA, SOX) cannot be met because you lack an audit trail
- Automation of governance workflows becomes impossible without data to trigger actions
- Incident response is severely hampered without historical log data
For the SC-300 exam, Microsoft expects you to understand how to configure and leverage these tools as part of a comprehensive identity governance and monitoring strategy.
What Are Diagnostic Settings?
Diagnostic Settings in Azure AD (Microsoft Entra ID) allow you to route identity-related logs to one or more destinations for storage, analysis, and alerting. The key log categories available include:
- Sign-in Logs: Records of all user sign-in activities, including interactive, non-interactive, service principal, and managed identity sign-ins
- Audit Logs: Changes made within Azure AD, such as user creation, group modifications, application registrations, role assignments, and policy changes
- Provisioning Logs: Records of user provisioning activities to and from applications
- Risky Users Logs: Information about users flagged by Identity Protection as risky
- Risk Detections Logs: Specific risk events detected by Identity Protection
- Non-Interactive User Sign-in Logs: Sign-ins performed on behalf of a user by a client app or OS component
- Service Principal Sign-in Logs: Sign-ins by apps and service principals
- Managed Identity Sign-in Logs: Sign-ins by Azure managed identities
- AD FS Sign-in Logs: Federated sign-in activities (if applicable)
- Enriched Office 365 Audit Logs: Detailed Office 365 activity data
- Microsoft Graph Activity Logs: API call activity through Microsoft Graph
Destination Options for Diagnostic Settings:
1. Log Analytics Workspace (Azure Monitor): The most powerful option for querying, alerting, and building dashboards using Kusto Query Language (KQL)
2. Azure Storage Account: Best for long-term archival and compliance retention requirements
3. Azure Event Hub: Best for streaming logs to third-party SIEM solutions (such as Splunk, QRadar, or other external systems)
4. Partner Solutions: Direct integration with certain partner monitoring solutions
What Is Log Analytics?
Log Analytics is a tool within Azure Monitor that allows you to collect, analyze, and act on telemetry data from your Azure AD and other Azure resources. A Log Analytics workspace serves as the central repository where your diagnostic data is stored and queried.
Key capabilities include:
- Writing KQL (Kusto Query Language) queries to search and analyze log data
- Creating custom alerts based on specific conditions (e.g., alert when a Global Admin role is assigned)
- Building Azure Monitor Workbooks for visual dashboards
- Integrating with Microsoft Sentinel for advanced SIEM and SOAR capabilities
- Setting data retention policies (default 30 days, configurable up to 730 days)
How It Works – Step by Step
Step 1: Prerequisites
- You need an Azure subscription
- You need a Log Analytics workspace created in Azure Monitor
- You must have the Security Administrator or Global Administrator role in Azure AD
- Azure AD Premium P1 or P2 license is required for sign-in logs (P2 for risk-related logs)
Step 2: Configure Diagnostic Settings
1. Navigate to Microsoft Entra admin center → Identity → Monitoring & health → Diagnostic settings
2. Click + Add diagnostic setting
3. Provide a name for the diagnostic setting
4. Select the log categories you want to route (e.g., AuditLogs, SignInLogs, RiskyUsers, etc.)
5. Select your destination(s): Log Analytics workspace, Storage account, Event Hub, or Partner solution
6. If selecting Log Analytics, choose the appropriate subscription and workspace
7. Click Save
Step 3: Verify Data Ingestion
- Navigate to your Log Analytics workspace
- Go to Logs and run a simple KQL query such as:
SigninLogs | take 10
or
AuditLogs | take 10
- Note: It can take 15-30 minutes for logs to start appearing after initial configuration
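The following query is an added example (not part of the original guide) that goes a step beyond `take 10`: it checks every Entra ID table in one pass, so a category that was not ticked in the diagnostic setting shows up as missing, and reports how far behind ingestion is running. It assumes the standard table names listed later in this guide.

```kql
// Added example: per-table ingestion check for an Entra ID diagnostic setting.
// isfuzzy=true lets the union run even if some tables do not exist yet
// (a table is only created once its first record arrives).
// A table absent from the result was either not enabled in the diagnostic
// setting or has not started flowing; allow 15-30 minutes after saving.
union isfuzzy=true withsource=TableName
    SigninLogs,
    AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs,
    AADManagedIdentitySignInLogs,
    AuditLogs,
    AADProvisioningLogs,
    AADRiskyUsers,
    AADUserRiskEvents
| where TimeGenerated > ago(24h)
// ingestion_time() is when the record landed in the workspace;
// TimeGenerated is when the event happened in Entra ID.
| extend IngestDelay = ingestion_time() - TimeGenerated
| summarize
    Records        = count(),
    NewestEvent    = max(TimeGenerated),
    MedianDelayMin = percentile(IngestDelay, 50) / 1m
  by TableName
| order by TableName asc
```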
Step 4: Query and Analyze
Common KQL queries for identity governance:
// Find all failed sign-ins in the last 24 hours
SigninLogs | where TimeGenerated > ago(24h) | where ResultType != 0 | summarize count() by UserDisplayName, ResultDescription
// Find all role assignment changes
AuditLogs | where Category == "RoleManagement" | where ActivityDisplayName has "Add member to role"
// Find risky sign-ins
SigninLogs | where RiskLevelDuringSignIn != "none" | project TimeGenerated, UserDisplayName, RiskLevelDuringSignIn, Location
Step 5: Create Alerts and Automation
- Use Azure Monitor Alert Rules based on KQL queries to trigger notifications
- Integrate with Logic Apps or Azure Automation for automated responses
- Use Microsoft Sentinel playbooks for advanced SOAR scenarios
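As an added example for Step 5 (not code from the original guide), this is the query behind the alert scenario "notify when a user is assigned the Global Administrator role" discussed later under exam question patterns. It assumes the AuditLogs layout in which the target user entry of `TargetResources` carries a `Role.DisplayName` modified property whose `newValue` is a JSON-quoted string; the role name filter is the part to change for other privileged roles.

```kql
// Added example: log alert query for a Global Administrator role assignment.
// Role assignment events land in AuditLogs under Category "RoleManagement";
// the role and the affected user sit inside the dynamic TargetResources array.
AuditLogs
| where TimeGenerated > ago(1h)              // match the alert rule's evaluation window
| where Category == "RoleManagement"
| where ActivityDisplayName has "Add member to role"   // also matches PIM variants
| where Result == "success"
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// newValue is stored as a quoted JSON string, e.g. "\"Global Administrator\""
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName == "Global Administrator"       // assumed filter; adjust as needed
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName))
| extend AssignedUser = tostring(Target.userPrincipalName)
| project TimeGenerated, Actor, AssignedUser, RoleName, ActivityDisplayName, CorrelationId
```

Attach it to an Azure Monitor log alert rule with the condition "number of results greater than 0" and an evaluation frequency that matches the `ago(1h)` lookback, so each assignment is raised once rather than on every run.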
How This Relates to Identity Governance
Diagnostic Settings and Log Analytics are foundational to several identity governance pillars:
- Access Reviews: Monitor and audit access review completion rates and outcomes
- Entitlement Management: Track access package assignments, approvals, and expirations
- Privileged Identity Management (PIM): Monitor role activations, assignments, and alert on suspicious privilege escalation
- Conditional Access: Analyze policy hits, failures, and gaps in coverage
- Identity Protection: Correlate risk detections with sign-in patterns and automate remediation
- Lifecycle Workflows: Monitor automated joiner, mover, and leaver processes
Key Tables in Log Analytics for Azure AD:
- SigninLogs – Interactive user sign-ins
- AADNonInteractiveUserSignInLogs – Non-interactive sign-ins
- AADServicePrincipalSignInLogs – Service principal sign-ins
- AADManagedIdentitySignInLogs – Managed identity sign-ins
- AuditLogs – All Azure AD audit events
- AADProvisioningLogs – Provisioning activities
- AADRiskyUsers – Risky user data
- AADUserRiskEvents – Risk detection events
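To tie the governance pillars above to the tables, here is an added example query (not from the original guide) that summarizes access review, entitlement management, PIM, and lifecycle workflow activity from AuditLogs. The `LoggedByService` values are assumed from common tenant data; run `AuditLogs | distinct LoggedByService` first to confirm the exact strings in your workspace.

```kql
// Added example: daily identity governance activity summary from AuditLogs.
// LoggedByService identifies which Entra service wrote the audit record;
// the filter terms below are assumptions, verify them in your own tenant.
AuditLogs
| where TimeGenerated > ago(7d)
| where LoggedByService has_any ("Access Reviews", "Entitlement Management", "PIM", "Lifecycle Workflows")
// Governance actions can be taken by a user, an app, or the service itself.
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName),
      "system")
| summarize
    Events   = count(),
    Failures = countif(Result == "failure"),   // failed workflow or approval steps
    Actors   = dcount(Actor)
  by Day = bin(TimeGenerated, 1d), LoggedByService, OperationName
| order by Day desc, Events desc
```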
Exam Tips: Answering Questions on Diagnostic Settings and Log Analytics Configuration
Tip 1: Know the License Requirements
The exam frequently tests whether you know what license is needed. Remember:
- Azure AD Premium P1 is required to access sign-in logs via diagnostic settings
- Azure AD Premium P2 is required for risky users and risk detection logs (Identity Protection)
- Audit logs are available with all Azure AD editions but require P1/P2 for diagnostic settings routing
- A question asking about monitoring risky sign-ins always implies P2 licensing
Tip 2: Know the Role Requirements
- Configuring diagnostic settings requires Global Administrator or Security Administrator at minimum
- Some questions may try to trick you with roles like Security Reader (read-only, cannot configure)
- For Log Analytics workspace access, you also need appropriate Azure RBAC permissions (e.g., Log Analytics Contributor)
Tip 3: Match the Destination to the Scenario
This is one of the most commonly tested concepts:
- "Need to query and analyze logs" → Log Analytics workspace
- "Long-term retention for compliance" or "archive for 1 year" → Azure Storage Account
- "Stream to a third-party SIEM" → Azure Event Hub
- "Advanced threat detection and automated response" → Microsoft Sentinel (which uses a Log Analytics workspace)
- If the question mentions both querying AND long-term storage, you may need to configure multiple destinations in a single diagnostic setting
Tip 4: Understand the Data Flow
- Azure AD generates logs → Diagnostic Settings routes them → Destination stores/processes them
- There is a latency of approximately 15-30 minutes for logs to appear in Log Analytics
- You can have multiple diagnostic settings, each routing different log categories to different destinations
Tip 5: Know KQL Basics
While the SC-300 exam won't ask you to write complex KQL, you should understand basic query structure:
- TableName | where Condition | project Columns | summarize count() by Column
- Know which table corresponds to which type of data (e.g., SigninLogs for sign-ins, AuditLogs for changes)
- If a question asks about finding failed sign-ins, think SigninLogs with ResultType != 0
Tip 6: Retention Periods
- Azure AD portal retains sign-in logs for 30 days (P1/P2)
- Azure AD portal retains audit logs for 30 days (all editions)
- Log Analytics workspace default retention is 30 days, configurable up to 730 days (2 years)
- Azure Storage Account can retain logs indefinitely
- If a question mentions needing logs beyond 30 days, you MUST configure diagnostic settings to an external destination
Tip 7: Integration with Microsoft Sentinel
- Microsoft Sentinel uses a Log Analytics workspace as its data store
- The Azure AD data connector in Sentinel enables ingestion of Azure AD logs
- If a question mentions SIEM, SOAR, or automated incident response within the Microsoft ecosystem, Sentinel is the answer
- Sentinel requires its own connector configuration in addition to (or instead of) diagnostic settings
Tip 8: Watch for Trick Scenarios
- If a question says "minimize administrative effort," look for the solution that configures everything in one diagnostic setting rather than multiple
- If a question says "minimize cost," remember that Log Analytics charges per GB ingested — be selective about which log categories you enable
- A question asking about monitoring provisioning to SaaS applications specifically needs Provisioning Logs enabled
- Questions about monitoring Conditional Access policy effectiveness require Sign-in Logs (not Audit Logs)
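For the "minimize cost" point, an added example (not from the original guide) that measures what each enabled category actually costs before you trim the diagnostic setting. It reads the workspace's built-in `Usage` table, where `Quantity` is recorded in MB, and assumes the Entra ID table naming used in this guide.

```kql
// Added example: billable ingestion per Entra ID table over the last 30 days.
// Usage is a system table present in every Log Analytics workspace.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| where DataType startswith "AAD" or DataType in ("SigninLogs", "AuditLogs")
| summarize
    IngestedGB  = round(sum(Quantity) / 1024, 2),        // Quantity is in MB
    DailyAvgGB  = round(sum(Quantity) / 1024 / 30, 3)
  by DataType
| order by IngestedGB desc
```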
Tip 9: Azure Monitor Workbooks vs. Power BI
- Azure Monitor Workbooks are the built-in visualization tool that works directly with Log Analytics data
- Microsoft provides pre-built workbooks for Azure AD (sign-in analysis, Conditional Access insights, etc.)
- If the question mentions built-in dashboards or Azure-native visualization, Workbooks is the answer
- Power BI can also connect to Log Analytics but is typically not the first choice for identity monitoring scenarios in the exam
Tip 10: Common Exam Question Patterns
- "You need to ensure sign-in logs are available for 90 days..." → Configure diagnostic settings to send to Log Analytics with 90-day retention OR to a Storage Account
- "You need to alert when a user is assigned the Global Administrator role..." → Send AuditLogs to Log Analytics → Create an alert rule with a KQL query
- "You need to export logs to Splunk..." → Configure diagnostic settings with Event Hub as the destination
- "You need to investigate risky sign-ins over the past 60 days..." → You need P2 license + diagnostic settings to Log Analytics (since portal only retains 30 days)
- "You need to automate a response when a risky user is detected..." → Microsoft Sentinel with a playbook, or Azure Monitor alert with Logic App action
Summary Checklist for Exam Readiness:
✓ Understand all log categories available in Azure AD diagnostic settings
✓ Know the four destination types and when to use each
✓ Remember license and role requirements
✓ Understand retention periods across different storage options
✓ Know the key Log Analytics table names for Azure AD
✓ Understand how diagnostic settings support identity governance automation
✓ Be familiar with the relationship between Log Analytics, Azure Monitor, and Microsoft Sentinel
✓ Practice identifying the correct solution based on scenario keywords (query, archive, stream, alert, automate)