View Azure portal AAD sign-in logs and activity audit logs in 1 single view for multiple subscriptions - azure-active-directory

When having multiple Azure subscriptions, can we view Azure portal AAD sign-in logs and activity audit logs in 1 single view, instead of per Azure subscription? If yes, how? Thanks a lot!

Both the sign-ins and audit-logs require the limited user roles to access them, and the sign-ins requires the Azure AD License that must have an Azure AD Premium license. But all of them have no requirements to display their activities with the Azure Subscriptions. For this, you could directly see from the columns in the audit-logs and sign-ins.

Related

How to configuring Azure AD sso to allow guest logins

I have a php application that I want active directory users to be able to login to using azure sso. Getting this working with simplesamlphp was really easy.
Now I am trying to allow non organization users to be able to login as guests.
I updated azure AD to allow external entities, and then created a workflow allowing AD users, microsoft.com accounts and one time password. I have enabled "guest self-service signup" and I have associated this user flow with my azure application however the authentication flow hasn't changed at all. There isn't any option for guests to login. Am I missing something? I am using the azure ad federation metadata document xml in the simplesaml metadata converter and using the output of that for my metadata provider in simplesaml.
Here is the screen a user gets when trying to sign in to azure:

Custom Azure AD role for full access to Microsoft Cloud App Security

As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal.
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security
However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?
Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.
Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.
The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.
You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.
Recently Microsoft has came up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access other Azure AD configurations. Didn't find any documentation, but it is visible in Azure AD portal.

Terraform provider Azure - how to manage Identity and Access Management (Azure AD)?

Is it possible to manage users and groups using Terraform?
Operations such as MFA, user-types, Authentication methods, Registration, notification, User settings, group settings, and Device settings.
Is it possible to manage users and groups using Terraform?
Yes, you can use Terraform to integrate with Azure AD and manage users and groups in Azure AD. At the same time, Terraform supports a number of different methods for authenticating to Azure AD.
Please see:here.

Users from on-prem AD aren't synced to Azure AD as Guest

I have a setup where I have installed the Azure AD on-prem cloud provisioning agent on a Domain joined server. The setup was successful. I followed the documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-prerequisites
After configuring the agent in Azure AD, Users can only be synced as Member.
Is there a way to sync users as Guest using the provisioning agent?
Also, is there a Microsoft Graph API to validate the agent and do the configuration?
On-prem AD isn't synced to Azure AD as Guest and those synced users cannot be a Guest user and it's as per design.
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. Any user sync via AD connect will not be a guest user.

Azure AD Premium to Basic

We currently signed up for Azure AD Premium subscription specifically for allowing self service password management for our O365 users. Upon evaluation it appears AD Basic subscription may be better suited for our needs. Does anyone have information about converting the subscription from Premium to Basic?
Thanks,
-Tony V
You should be able to simply add the subscription to AAD Basic, re-license your users (e.g. using AAD PowerShell), and then cancel the AAD Premium subscription.

Resources