Three considerations for monitoring changes to Azure Active Directory

by in Security

Azure Active Directory (AD), Microsoft’s cloud-based identity and access management service, is quickly becoming an essential system for any organization running Microsoft cloud solutions such as Office 365. The adoption of Azure AD is being driven out of both necessity and by choice. That being said, there are many advantages to running Active Directory in the cloud versus on-premises.  Some of those advantages are:

  • Reports for management and administrators
  • Self-service capabilities
  • High availability
  • Easier access to both cloud and on-premises applications

Change monitoring can be a real challenge

Three considerations for monitoring changes to Azure Active Directory.pngMaking the transition to either a cloud-only or hybrid AD model isn’t without some challenges. Some IT administrators find it difficult to extend the same security and compliance controls that they have in place in their on-premises Active Directory to Azure AD. One of the best examples of this is change monitoring, which has been established as vital to security and compliance for enterprises worldwide. However, some IT administrators feel that, since they have implemented Azure AD, they don’t need to worry about the Azure component being monitored. They may view Azure AD as simply a mirror copy (normally read-only) of the on-premises AD environment.  That can be true, but that is just one way that Azure AD can be configured. 

 Azure AD can, and is becoming more common all the time, be used as the only AD environment for an enterprise; for both on-premises and cloud.  Or, there may be a hybrid implementation, whereas some objects are maintained on-premises and others in the cloud.

Here are the most three important considerations when setting up your change monitoring strategy and selecting a tool:

Consideration #1 – Be sure to address the five Ws

Regardless of how Azure AD is being used, it is imperative that all changes to your AD objects be accounted for. And, just from a pure maintenance and hygiene standpoint, making sure that duplicate objects between on-premises and cloud are properly cared for is important.

Collect and report on the following:

  • Who made the change (user ID, IP address)?
  • When was it made?
  • What object was changed?
  • What type of change was it (add, delete, change, etc)?
  • What were the before and after values of the change?


You should also have the ability to link the user ID that made the change to your identity vault; whatever that may be.  In other words, view a user ID details. It is even more interesting and helpful to be able to see the details of that user, such as their department, their manager, and additional user IDs.

Consideration #2 – Ensure you are monitoring to meet your needs

Make sure that the monitoring capabilities themselves meet the needs of your business. The tool should be able to collect changes on the most common Azure AD objects that are used. There are many of them; but some of the common ones are: Roles, Users, and Groups. There are many others that are not as commonly used. 

Also, be sure that your monitoring is timely.  We’ll talk a little more about real-time monitoring in a second.  But, even if you only want change events for compliance reasons (and thus, possibly not for security alerting), it is important that the system be collected and stored as close to the time of the change as possible. It doesn’t help much to have a change event timestamped at 10:38 am, when the actual change took place at 5:52am. For auditing and compliance purposes, this causes confusion and raises suspicions. And, for security alerting, it does little or no good by the time the security team is alerted concerning the change.

Consideration #3 – Implement a comprehensive alert strategy

Lastly, if you need real-time monitoring there are other aspects to consider. The monitoring tool should be able to alert in ways that you need.  Perhaps you don’t really need real-time alerting, and that’s fine.  Maybe you only need the information for periodic audits. However, many users need to know when something changed in their AD environment as soon as possible. You likely do not want to get alerted on every change.  So, the ability to configure the product to only signal when something that you deem as being “out-of-bounds” or even just unusual is important. 

Then, when you decide it should alert you, make sure it can alert you in a way that works in your environment.  This may be by opening a trouble ticket, signaling a SIEM environment, sending an email, or some other method. Remember that the tool should conform to the way you and your enterprise works, not the other way around.

Effective change monitoring can make your life easier

Azure AD can be somewhat overwhelming.  If you are a traditional Active Directory administrator or just getting familiar with the world of Azure, one thing that you will come to find out is that there are settings and configurations in Azure AD that do not exist in Active Directory. Normally, when I attempt to enter a new environment that I’m not totally familiar with and, especially, one that deals with user rights and how they are administered, I make sure that I have a monitoring and auditing solution in place to help keep me from going off the road.

Micro Focus does have a tool to help you monitor changes to key parts of your infrastructure. I invite you to learn more about how our change monitoring product can provide the security intelligence you need to rapidly identify and respond to unplanned or unauthorized changes to Azure AD. Learn more on the Change Guardian web page or download a free trial.


Identity & Access Mgmt