How to monitor the actions of all AD users across many subscriptions and resource groups

Taylor Turner 1 Reputation point
2020-06-16T01:19:43.03+00:00

Hello,

I'd like to be able to see the access log or usage of all AD users (or a single user as needed) whether it's azure-cli or actions taken from the console. We have 10 or so subscriptions and hundreds of resource groups altogether.

Essentially, I'm looking for the equivalent to AWS CloudTrail. The log that's produced typically looks something like this:

06/15/20 14:34 - user:bob - successfully logged in
06/15/20 14:35 - user:bob - terminated instance i-098fd8
06/15/20 14:38 - user:alice - started instance i-0jk7878

I've explored Azure Log Analytics but that seems limited to a resource group.

Thanks in advance!

-Taylor Turner


1 answer

  1. T. Kujala 8,741 Reputation points
    2020-06-16T03:11:47.573+00:00

    Hi @TaylorTurner-0219,

    Have you read the following article?

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor

    For example, you can route activity logs to several endpoints.

    • Archive Azure AD activity logs to an Azure storage account, to retain the data for a long time.
    • Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.
    • Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
    • Send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
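Added example (not part of the original question or answer, and not Microsoft's code): once Azure AD activity logs are archived or streamed as the answer describes, a short script can flatten the exported records into the one-line "who did what" trail the question asks for. It assumes one JSON record per line and the field names shown for the SignInLogs and AuditLogs categories; the sample records are constructed, so check the names against your own export.

```python
import json
from datetime import datetime

# Constructed sample records (not real tenant data). Field names are assumed to
# follow the diagnostic-settings export shape for the SignInLogs and AuditLogs
# categories; verify against your own exported data.
SAMPLE_EXPORT = """\
{"time": "2020-06-15T14:38:02Z", "category": "AuditLogs", "operationName": "Add member to group", "properties": {"result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}}
{"time": "2020-06-15T14:34:10Z", "category": "SignInLogs", "operationName": "Sign-in activity", "resultType": "0", "properties": {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal"}}
{"time": "2020-06-15T14:35:44Z", "category": "SignInLogs", "operationName": "Sign-in activity", "resultType": "50126", "properties": {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI"}}
{"time": "2020-06-15T14:40:00Z", "category": "AuditLogs", "operationName": "Update application", "properties": {"result": "success", "initiatedBy": {"app": {"displayName": "provisioning-svc"}}}}
"""

def actor_and_action(rec):
    """Return (actor, action) for one exported record, or None if unsupported."""
    props = rec.get("properties", {})
    if rec.get("category") == "SignInLogs":
        ok = str(rec.get("resultType")) == "0"  # assumed: "0" means success
        app = props.get("appDisplayName", "unknown app")
        outcome = "successfully logged in" if ok else f"sign-in failed (code {rec.get('resultType')})"
        return props.get("userPrincipalName", "unknown"), f"{outcome} via {app}"
    if rec.get("category") == "AuditLogs":
        # Audit events can be initiated by a user or by an application.
        by = props.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        return actor, f"{rec.get('operationName')} ({props.get('result', 'unknown')})"
    return None

def render_trail(export_text, user=None):
    """Turn JSON-lines export text into time-ordered 'who did what' lines."""
    rows = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        parsed = actor_and_action(rec)
        if parsed is None or (user and parsed[0].lower() != user.lower()):
            continue
        when = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((when, parsed[0], parsed[1]))
    rows.sort(key=lambda r: r[0])
    return [f"{w:%m/%d/%y %H:%M} - user:{a} - {act}" for w, a, act in rows]

if __name__ == "__main__":
    print("\n".join(render_trail(SAMPLE_EXPORT)))
```

Passing `user="bob@contoso.example"` to `render_trail` restricts the output to a single account, matching the "or a single user as needed" part of the question.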
