I am looking for a mechanism to identify the users who are added in a specific group and trigger an action based on user addition event. Looks like people are still waiting for it to be available from Azure. The details could be found here
The solution I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.
Is there any other better method?
You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, then alert on Azure AD activity log data. The query could be something like this (just a sample, I have not tested it; because there is some delay, the log will not be sent to the workspace immediately when it happens):
AuditLogs
| where TimeGenerated >= ago(1h)
| where OperationName == "Add member to group"
Sample:
You could set the alert logic depending on your own requirements, e.g. "Whenever the count of results in the custom log search query for the last 1 hour is greater than 0, evaluated every 10 minutes", and configure the action group, selecting the action type you want, such as Email or Webhook.
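The same detection the KQL above performs, carried out offline over exported AuditLogs records, as an added example that is not code from the original thread. It assumes the record shape Log Analytics exports for Azure AD AuditLogs (TimeGenerated, OperationName, Result, InitiatedBy, TargetResources with modifiedProperties) and the sample records below are constructed; it also shows what the alert query alone does not, namely pulling out who added which user to which group, and restricting the alert to a watched set of groups.

```python
"""Detect "Add member to group" events in exported Azure AD AuditLogs records.

Added example, not code from the original thread. The record shape (TimeGenerated,
OperationName, Result, InitiatedBy, TargetResources[].modifiedProperties) is assumed
from the AuditLogs schema; SAMPLE_AUDIT_LOGS and SAMPLE_NOW are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" for the constructed sample so the time-window check is deterministic.
SAMPLE_NOW = datetime(2023, 5, 1, 11, 0, 0, tzinfo=timezone.utc)

# Constructed sample records (not real tenant data). Azure AD emits modifiedProperties
# values as JSON-encoded strings, so the group name Finance arrives as "\"Finance\"".
SAMPLE_AUDIT_LOGS = [
    {   # admin adds alice to Global Admins 58 minutes before SAMPLE_NOW: inside a 1h window
        "TimeGenerated": "2023-05-01T10:02:11Z",
        "OperationName": "Add member to group",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "userPrincipalName": "alice@contoso.example",
            "modifiedProperties": [
                {"displayName": "Group.ObjectID", "oldValue": None,
                 "newValue": "\"0f4b2c6e-0000-4000-8000-000000000001\""},
                {"displayName": "Group.DisplayName", "oldValue": None,
                 "newValue": "\"Global Admins\""},
            ],
        }],
    },
    {   # a removal in the same window: not the operation the alert is about
        "TimeGenerated": "2023-05-01T10:30:00Z",
        "OperationName": "Remove member from group",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "userPrincipalName": "bob@contoso.example",
            "modifiedProperties": [
                {"displayName": "Group.DisplayName", "oldValue": "\"Finance\"", "newValue": None},
            ],
        }],
    },
    {   # an add almost three hours before SAMPLE_NOW: outside a 1h window
        "TimeGenerated": "2023-05-01T08:15:00Z",
        "OperationName": "Add member to group",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "userPrincipalName": "carol@contoso.example",
            "modifiedProperties": [
                {"displayName": "Group.DisplayName", "oldValue": None,
                 "newValue": "\"Global Admins\""},
            ],
        }],
    },
    {   # an add performed by an application (service principal) rather than a user
        "TimeGenerated": "2023-05-01T10:45:00Z",
        "OperationName": "Add member to group",
        "Result": "success",
        "InitiatedBy": {"app": {"displayName": "HR Sync"}},
        "TargetResources": [{
            "type": "User", "userPrincipalName": "dave@contoso.example",
            "modifiedProperties": [
                {"displayName": "Group.DisplayName", "oldValue": None,
                 "newValue": "\"Finance\""},
            ],
        }],
    },
]


def _parse_time(value):
    # Log Analytics exports ISO-8601 UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _unquote(value):
    # modifiedProperties values are JSON-encoded strings; decode them to plain text.
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def _initiator(record):
    # InitiatedBy is either {"user": {...}} or {"app": {...}} for a service principal.
    who = record.get("InitiatedBy") or {}
    if "user" in who:
        return who["user"].get("userPrincipalName", "<unknown user>")
    if "app" in who:
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def group_membership_adds(records, now, window_minutes=60, watched_groups=None):
    """Return one hit per successful "Add member to group" event inside the window.

    Equivalent to the KQL filter on TimeGenerated and OperationName, plus extraction
    of actor, target user and group. watched_groups=None means every group counts.
    """
    cutoff = now - timedelta(minutes=window_minutes)
    hits = []
    for rec in records:
        if rec.get("OperationName") != "Add member to group":
            continue
        if rec.get("Result", "success") != "success":
            continue
        when = _parse_time(rec["TimeGenerated"])
        if when < cutoff:
            continue
        for target in rec.get("TargetResources", []):
            if target.get("type") != "User":
                continue
            props = {p["displayName"]: _unquote(p.get("newValue"))
                     for p in target.get("modifiedProperties", [])}
            group = props.get("Group.DisplayName")
            if watched_groups is not None and group not in watched_groups:
                continue
            hits.append({"time": when, "actor": _initiator(rec),
                         "user": target.get("userPrincipalName"),
                         "group": group, "group_id": props.get("Group.ObjectID")})
    return hits


def alert_fires(records, now, **kwargs):
    # The alert logic from the answer: count of results in the window greater than 0.
    return len(group_membership_adds(records, now, **kwargs)) > 0


if __name__ == "__main__":
    for hit in group_membership_adds(SAMPLE_AUDIT_LOGS, SAMPLE_NOW, watched_groups={"Global Admins"}):
        print(f"{hit['time']:%H:%M} {hit['actor']} added {hit['user']} to {hit['group']}")
```

Because the alert rule is evaluated every 10 minutes over a one-hour window, the same event is seen by up to six evaluations; de-duplicating on the record's correlation id (or keying the webhook payload on user plus group plus time) is what stops the downstream action from running repeatedly.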
A better way would be to trigger an automation runbook based on an alert based on a condition specific to that audit event. But I'm not sure adding a user is an audit event on the Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.
So you'd have to basically parse the events and figure out where you stopped last time based on time or something like that.
We are connecting our Keycloak server to AD and it’s configured so changes in AD get stored in Keycloak’s Database. The final goal is to have our Application’s DB synchronised and we are succeeding so far, except for the User Group Memberships.
Here is what we have tried so far:
A Group Mapper has been created, connecting it to AD. We have tried with the 3 available modes: LDAP_ONLY, READ_ONLY and IMPORT with no success in any case.
When we add or remove a Group from a user in AD (with no other change) and in User Federation we sync for “changed users”, Group changes are not detected at all (Sync of users finished successfully.0 users added, 0 users updated, 0 users removed, 0 users failed.).
We have created a custom Event Listener. When syncing, no normal Event is dispatched. An Admin Event is dispatched, but no info about the User nor about the Group comes with the Event (only info about the Realm).
A custom implementation of LDAPStorageMapper has been done. None of the methods are executed when syncing and only Group changes were done in AD (I would expect at least syncDataFromFederationProviderToKeycloak to be executed).
Keycloak Tables USER_GROUP_MEMBERSHIP and FED_USER_GROUP_MEMBERSHIP are empty. Even after trying with the aforementioned Modes LDAP_ONLY, READ_ONLY and IMPORT.
When going to User Details in Keycloak, tab Groups:
With mode LDAP_ONLY no need for sync. The Groups show up there updated before synching.
With mode IMPORT. No Group is shown, neither before nor after synching.
With mode READ_ONLY. Groups are shown, but for them to be updated a "changed users" sync needs to be done.
When getting the user from Keycloak's REST API attribute modifyTimestamp stays unchanged, even after trying all previous steps.
All we need is to find out which users were changed since last sync so we can update their Groups. Any tip on that? Am I missing any table, event, configuration… for that?
Any help is greatly appreciated.
I have a simple azure logic app as follows.
Now I add a new action after the first one.
Select an email action.
Look for send email action
Now no matter what I do, I get this error:
Please check your account info and/or permissions and try again. Details: REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server. clientRequestId: 9295041e-4d27-4d7f-8ac7-9f90f1cc65ff serviceRequestId: 17c7df3b-7f07-6d27-4f7b-68a4475e9b55 More diagnostic information: x-ms-client-request-id is '51B43F16-6D7C-4BE7-9AE2-7B4A6B73BA49'.
I click Change Connection above and I see these increasing number of connection, and I find no way to delete them. See the last image at the bottom.
And when I click Save, I get this message.
Save logic app failed. Failed to save logic app vivek-logic-app. Some of the connections are not authorized yet. If you just created a workflow from a template, please add the authorized connections to your workflow before saving.
And finally when I click Api Connections, I find no connections to delete.
So two questions.
How to authorize a Hotmail account to be used by Azure Logic App
How to delete the unnecessary connections
Ok, here it is after a good 3 hour PIA.
For the connections to manage (or delete), look at the resource group and not the Logic app.
And next for the send email action, choose Outlook.Com connection and not Office 365 Outlook. Found the answer here. Mine is personal account and not for work or for school.
Once you setup this action successfully, you can take a look at this page for managing the connection access.
I've set up Zoom and DocuSign with SSO and Automatic provisioning in Azure AD Enterprise Applications. Just in Time provisioning works as expected after ensuring roles are correctly mapped. Automatic provisioning however only appears to add users the first time it runs. If I add an application user, change a user's Application Role, or Remove the user from the application nothing happens on the next provisioning run. I would expect the user to be added, the user's permissions to be updated at Zoom or DocuSign, or for the user to be disabled.
Documentation seems to show that updates and deletes should be handled through provisioning. What am I missing?
Second question is whether the timing of how often provisioning job runs can be changed. It is time consuming to test when I have to wait 40 minutes between tests.
Updates and deletes are handled if they are configured to be. https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal#configuring-automatic-user-account-provisioning
In the screenshot, you'll see there are actions that it can target: create, update, delete. As a test, you should make sure the target actions are all selected and try to change a different attribute, say add some characters to a name or something. It should trigger an update to the provider.
I believe changes to the user itself will trigger the provisioning changes.
The issue here is likely that app roles are specific to applications; they are not user or group attributes, so nothing has actually changed on that user object and it wouldn't detect any changes.
As per: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles
it will "Query the source system for any users and groups that were updated since the last watermark was stored."
If I take that literally, then changing the app role isn't a change to a user or a group, so it won't trigger a delta sync change.
Deletes however should occur, if you unassign the user from the application. as per here: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#de-provisioning
As for your second question, I don't believe you can change the interval for the incremental schedules.
We have several external systems that work off the Display Name value in Active Directory. When a new account in AD is created, corresponding accounts in other applications are automatically created. When someone changes the display name of an existing user, the login for that user is no longer valid in other systems.
Is there a way to get an email notification or similar whenever the display name for an existing record is changed in AD?
If you have access to your domain controllers
Active Directory has certain "audit policies" that describes what it generates events for (in the Windows Event Viewer on each domain controller). Each can be turned on or off. The "Account Management" audit policy would generate events for changes to accounts. I believe the event contains the attributes changed. You can read more about those policies here.
If that policy is enabled in your environment, and you have access to the domain controllers, you could setup scheduled tasks on each domain controller with event-based triggers that fires when event ID 4738 happens (event IDs are listed here).
The scheduled task can then run a script that can do whatever you want it to. There are instructions here on how to run a PowerShell script on an event and to get the event that triggered it in the script.
If you don't have access to your DCs
Otherwise, you would need to keep a separate database mapping a unique identifier of each account (like the objectGuid) to the display name, and have a scheduled job that updates that and notices changes. You can read here about how to search AD for accounts changed after a certain date, which you can use to only find accounts that have been changed since the last time the job ran.
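Both branches of the answer above, as an added example that is not code from the original answer: the script a scheduled task would run on a 4738 event, deciding from the event's own data whether the display name was among the changed attributes, and the snapshot comparison for the case without DC access. It assumes the event XML shape that EventLogRecord.ToXml() returns for "A user account was changed" (where "-" marks an attribute that did not change); the events and snapshots below are constructed.

```python
"""Notify on Active Directory display-name changes: from event 4738 when the DCs are
reachable, or from periodic objectGuid snapshots when they are not.

Added example, not code from the original answer. Event 4738 lists each changed
attribute in EventData and uses "-" for attributes that did not change; the XML below
is constructed in the shape EventLogRecord.ToXml() returns, and both snapshots are
constructed too.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, when, subject, target, display_name, sam="-"):
    # Helper that builds a constructed Security-log event for the sample data.
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SamAccountName">{sam}</Data>
    <Data Name="DisplayName">{display_name}</Data>
    <Data Name="UserPrincipalName">-</Data>
  </EventData>
</Event>"""


# Constructed events: a 4738 that changed DisplayName, a 4738 that changed only
# SamAccountName, and a 4720 (account created) that carries a DisplayName but is
# not a change to an existing account, so it must not notify.
SAMPLE_EVENTS = [
    _event(4738, "2023-05-01T10:02:11.000Z", "jdoe", "asmith", "Alice Smith-Jones"),
    _event(4738, "2023-05-01T10:05:00.000Z", "jdoe", "bbrown", "-", sam="bbrown2"),
    _event(4720, "2023-05-01T10:07:00.000Z", "jdoe", "ccarter", "Carol Carter"),
]

# Constructed snapshots keyed by objectGuid (stable even if sAMAccountName changes).
PREVIOUS_SNAPSHOT = {
    "11111111-1111-1111-1111-111111111111": {"sam": "asmith", "displayName": "Alice Smith"},
    "22222222-2222-2222-2222-222222222222": {"sam": "bbrown", "displayName": "Bob Brown"},
}
CURRENT_SNAPSHOT = {
    "11111111-1111-1111-1111-111111111111": {"sam": "asmith", "displayName": "Alice Smith-Jones"},
    "22222222-2222-2222-2222-222222222222": {"sam": "bbrown2", "displayName": "Bob Brown"},
    "33333333-3333-3333-3333-333333333333": {"sam": "ccarter", "displayName": "Carol Carter"},
}


def display_name_changes(event_xml_strings):
    """Return the 4738 events in which DisplayName was actually among the changed attributes."""
    changes = []
    for raw in event_xml_strings:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4738":
            continue  # creations, password resets etc. are different event IDs
        data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
        new_name = data.get("DisplayName", "-")
        if new_name == "-":
            continue  # some other attribute changed; display name untouched
        changes.append({
            "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": root.findtext("e:System/e:Computer", namespaces=NS),
            "changed_by": data.get("SubjectUserName"),
            "account": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
            "new_display_name": new_name,
        })
    return changes


def snapshot_changes(previous, current):
    """Compare two objectGuid-keyed snapshots and report display-name changes on existing accounts."""
    changed = []
    for guid, now in current.items():
        before = previous.get(guid)
        if before is None:
            continue  # new account, not a rename of an existing one
        if before["displayName"] != now["displayName"]:
            changed.append({"objectGuid": guid, "sam": now["sam"],
                            "old": before["displayName"], "new": now["displayName"]})
    return changed


if __name__ == "__main__":
    for c in display_name_changes(SAMPLE_EVENTS):
        print(f"{c['time']} {c['changed_by']} renamed {c['account']} to {c['new_display_name']!r} on {c['dc']}")
    for c in snapshot_changes(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"{c['sam']}: {c['old']!r} -> {c['new']!r}")
```

Event 4738 records only the new value of each changed attribute, so a notification built from the event alone cannot say what the display name was before; the snapshot approach can, which is a reason to keep the objectGuid mapping even when the event trigger is available.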
On a Windows Active Directory server, we can perform several actions on the accounts like add account, enable, disable, reset account, reset password etc.
Is there anyway that I can get an event log of any such actions that were performed on the accounts?
E.g.: one of my computers/systems, say comp1, has an account listed on my AD server. If I log into my AD server and I do a "Reset Account" for my computer/system comp1 which is listed on there, is this event logged anywhere, so that if I search in the event log I see that a "Reset Account" action was performed for comp1? How and where can I get those event logs?
Thank you in advance for any help.
You can enable logging via Group Policy; the link below will give you step-by-step details on activating this, or at least I think it will be a good place to start. https://blogs.msdn.microsoft.com/servergeeks/2014/07/16/auditing-active-directory/