AZURE AD Certificate Based Authentication - azure-active-directory

Is there a way to know, using Advanced Hunting queries (KQL), whether a user logged in using certificate-based authentication?
Do we see this kind of data in AADSignInEventsBeta?

Please follow the below steps to get the certificate-based authentication logs in Azure AD with KQL:
Create a Log Analytics workspace, like below.
Go to Azure Portal > Log Analytics workspaces > Create Log Analytics workspace.
Once the Log Analytics workspace is created, send all Azure AD sign-in logs to it, like below.
Go to **Azure Portal > Azure Active Directory > Diagnostic settings > Add diagnostic setting.**
Check the Azure AD sign-in logs, like below.
Open your Log Analytics workspace > Logs.
Run the below KQL query to get the Azure AD sign-in logs.
```kusto
SigninLogs
| where Category == "AuthenticationLogs"
| where Method == "Certificate"
```
Reference:
Analyze activity logs using Azure Monitor logs - Microsoft Entra | Microsoft Learn

Related

Azure SQLMI with AAD - Universal with MFA - sign in logs

We are authenticating SQL MI users with AAD - Universal with MFA and would like to see a log of all sign ins.
Would this be under the AAD/Users/Audit Logs/Sign ins?
We'd like to see a few months worth of data.
Thanks
In Azure AD, only 30 days of sign-in logs for users, managed identities or even service principals are available. After 30 days, all the logs, whether audit, activity or sign-in, are flushed out on Azure's end, unless you store the logs every month or every seven days in an Azure storage account or send them to a Log Analytics workspace.
For Azure AD Free edition, sign-in logs are retained only for 7 days. If you upgrade to Azure AD Premium P1 or Azure AD Premium P2, then the sign-in logs of the past 30 days are available.
I created one SQL Server, enabled an Azure AD user and tried signing in with Azure AD Universal MFA via SSMS and a managed identity, like below:
Assigned VMs managed identity access to SQL server:-
SignInLogs of SQL server:-
For managed identity logs, you can visit here:
After clicking on "Try it out", the new Sign-in logs page will appear and you can select Managed identity to verify that your managed identity has successfully logged into the Azure SQL server:
As sign-in logs are only available for 30 days in Azure AD, you can save the logs in a storage account every month by following the steps below:
Click on Export Data Settings above the Sign-in logs page, or Diagnostic settings > Add diagnostic setting > select the required logs > Archive to a storage account > select your storage account from the Azure AD page, like below:
OR
Now all your sign-in and managed identity logs will be stored and populated in your storage account, like below:
Reference:
How long does Azure AD store reporting data? - Microsoft Entra | Microsoft Learn
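As an added example that is not part of either answer above: a short Python script that scans archived sign-in log records (the JSON lines written by "Archive to a storage account", as described in the second answer) and flags the sign-ins that used certificate-based authentication, which is what the first question asks about. The record layout (`properties.authenticationDetails[].authenticationMethod`) and the method label `"X.509 Certificate"` are assumptions about the export schema, and the three records are constructed.

```python
"""Find certificate-based sign-ins in archived Azure AD sign-in log records.

Added example, not from the original thread. Record shape and the method
label "X.509 Certificate" are assumptions about the SigninLogs export schema.
"""
import json
from collections import Counter

# Method labels treated as certificate-based authentication (assumed value).
CERT_METHODS = {"X.509 Certificate"}

# Constructed sample: three exported sign-in records in JSON-lines form.
# errorCode 0 is success; the nonzero code below is a made-up failure value.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"time": "2023-03-01T10:00:00Z", "category": "SignInLogs",
     "properties": {"userPrincipalName": "alice@contoso.example",
                    "status": {"errorCode": 0},
                    "authenticationDetails": [
                        {"authenticationMethod": "X.509 Certificate", "succeeded": True}]}},
    {"time": "2023-03-01T10:05:00Z", "category": "SignInLogs",
     "properties": {"userPrincipalName": "bob@contoso.example",
                    "status": {"errorCode": 0},
                    "authenticationDetails": [
                        {"authenticationMethod": "Password", "succeeded": True},
                        {"authenticationMethod": "Mobile app notification", "succeeded": True}]}},
    {"time": "2023-03-01T10:07:00Z", "category": "SignInLogs",
     "properties": {"userPrincipalName": "alice@contoso.example",
                    "status": {"errorCode": 999999},
                    "authenticationDetails": [
                        {"authenticationMethod": "X.509 Certificate", "succeeded": False}]}},
])


def used_certificate(record):
    """True when any authentication step in the record used a certificate."""
    steps = record.get("properties", {}).get("authenticationDetails") or []
    return any(step.get("authenticationMethod") in CERT_METHODS for step in steps)


def certificate_signins(jsonl_text):
    """Yield (time, upn, succeeded) for every certificate-based sign-in record."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the archive file
        rec = json.loads(line)
        if rec.get("category") != "SignInLogs" or not used_certificate(rec):
            continue
        props = rec["properties"]
        ok = props.get("status", {}).get("errorCode", 0) == 0
        yield rec["time"], props.get("userPrincipalName", "?"), ok


def summarize(jsonl_text):
    """Count certificate sign-ins per user, split into success and failure."""
    counts = Counter()
    for _, upn, ok in certificate_signins(jsonl_text):
        counts[(upn, "success" if ok else "failure")] += 1
    return dict(counts)


if __name__ == "__main__":
    for when, upn, ok in certificate_signins(SAMPLE_RECORDS):
        print(when, upn, "OK" if ok else "FAILED")
    print(summarize(SAMPLE_RECORDS))
```

Point the script at the blob files the diagnostic setting writes to keep a certificate-authentication view past the 30-day portal retention window.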

How to configure Azure AD SSO to allow guest logins

I have a PHP application that I want Active Directory users to be able to log in to using Azure SSO. Getting this working with SimpleSAMLphp was really easy.
Now I am trying to allow non-organization users to be able to log in as guests.
I updated Azure AD to allow external identities, and then created a user flow allowing AD users, microsoft.com accounts and one-time passcode. I have enabled "guest self-service sign-up" and I have associated this user flow with my Azure application; however, the authentication flow hasn't changed at all. There isn't any option for guests to log in. Am I missing something? I am using the Azure AD federation metadata document XML in the SimpleSAMLphp metadata converter and using the output of that for my metadata provider in SimpleSAMLphp.
Here is the screen a user gets when trying to sign in to azure:

az ad app permission add - Insufficient privileges to complete the operation

I'm getting `ERROR: Insufficient privileges to complete the operation.` when running `az ad app permission add`.
What permission do I need to grant my service principal for this to work?
I gave it the AppRoleAssignment.ReadWrite.All permission which says:
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
Update: I also gave it Application.ReadWrite.All, but still getting the error.
The Application.ReadWrite.All application permission is enough. I suppose you gave the Application.ReadWrite.All permission in Microsoft Graph; it will not work. You need to use Application.ReadWrite.All in Azure AD Graph, then it will work.
After giving the permission, wait for a while, run the command, it returns a warning, refresh the portal, you will find the API permission was added.
Since the Microsoft Graph API is not working with the Azure CLI AD app permissions and the Azure AD Graph API is deprecated from April 2020, this can be achieved by giving Application Administrator permissions to the AD app.
From Azure AD go to Roles and administrator > Application administrator.
Then Add assignment, find your client app and add it to the application administrator.
az cli is getting updated to use MS Graph API according to: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Presumably this update will occur before AAD Graph API is retired on 6/30/2022: https://github.com/azure-deprecation/dashboard/issues/178
Once az cli gets updated then Application.ReadWrite.All permission on MS Graph API should work.
There is a deprecation warning for the Azure AD Graph API as below.
This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources
Also it seems the Microsoft Graph API is not working even though the relevant permissions are not provided.

How should I secure an Azure Web App Excel Add In

We have an Azure Web App published that includes pages with Excel Add-in integration using the Office.js library. We've secured the Web App using Azure AD authorization and it is working well as long as the user is logged into Office/Excel with the same domain credentials. How can we allow our customers who are logged into Office with their company's credentials to get access to our Add-in site using credentials within our domain? Federating the two domains would work but isn't an option in most cases.
You could use Azure B2B to invite your customers as guest users in your AAD.
You could invite the user by using the Azure portal as an Azure AD administrator.
Azure Active Directory > Users > All users > add New guest user
For the details, you could read here.
Or you could use PowerShell:
```powershell
New-AzureADMSInvitation -InvitedUserDisplayName "Sanda" -InvitedUserEmailAddress sanda@fabrikam.com -InviteRedirectURL https://myapps.azure.com -SendInvitationMessage $true
```
For the details, please refer to this docs.
If you want to bulk invite users, you could create a CSV file and then use PowerShell to import it. For the details, you could read bulk invite B2B.

On prem Active directory synced to Azure AD to allow on prem credentials to login to the portal

We have synced our on-prem Active Directory to our Azure instance Active Directory using Azure AD Connect (express install). We can see the users in Azure from our on-prem AD. The sync shows as successful.
Now we would like to use the domain name that we have synced to Azure for user authentication into the Azure portal. The documentation that we have read says this is possible, but we can't get it to work.
When we try to use an existing AD user we get the message "We don't recognize this user ID or password", but if we create a new user in Azure and assign it to our synced AD we can use it to log in to the Azure portal.
We have searched for a detailed document on on-prem AD synced to Azure AD for portal login and found some documents that we followed, but they did not help.
Can we use our on-prem AD user name and password to allow users to log in to the Azure portal?
Thanks for your help
John
Yes, you can use users in Azure AD with the tag "Sourced from: Local Active Directory" to log in to the Azure portal.
The custom domain should be verified.
Password synchronization should be enabled.
Also, assign co-admin rights for at least one subscription to log in to the Management Portal.
