Azure AD Domain Services Security Audit Events?

Hrishikesh Tak 26 Reputation points
2019-11-14T06:13:11.157+00:00

How can I get the security audit events like Account Logon (Audit Kerberos Authentication Service) in Azure AD Domain Services?

I am new to Azure and my requirement is to get Network Information and Account Information from the computers connected to Azure AD Domain Controller (event-4768).

I enable the security audits for Azure Active Directory Domain Services (security-audit-events) which stream security events to targeted resources. I configured the target resource as Azure Log Analytics Workspace but still unable to get the Kerberos Authentication Audit events from the connected computers in the Log Analytics workspace.

I configured the Azure AD domain services and Join a couple of Windows Server virtual machine to a managed domain and then configured security audit policy settings in windows server VM to generate audit events. (advanced-security-audit-policy-settings)

As Azure AD DS is a domain managed by Microsoft so we do not have full control of the domain controller. Please let me know how can I get security audit events from Azure AD DS

Thanks and Regards,

Hrishikesh

Microsoft Entra
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 37,046 Reputation points Microsoft Employee
    2019-11-16T00:34:45.617+00:00

    I am not sure if event-4768 is supported as it's not listed as one of the audit events in the documentation for ADDS.

    1 person found this answer helpful.

  2. Manoj Reddy 406 Reputation points Microsoft Employee
    2019-11-20T12:25:17.153+00:00

    Hi, I can confirm that event 4768 is not supported as of now. Our Product group is planning to add more events related to Kerberos and NTLM in the near future.

    I would recommend others looking for similar events to vote for the feature request created by @Hrishikesh Tak here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39076378-support-for-kerberos-authentication-security-event

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.