I got a question from a community friend asking about enabling an alert on his tenant whenever a global administrator ‘s sign-in occurs, or at least someone being granted global administrator role performs sign-in.
You may end up thinking about writing Azure AD Sign-in log into Log Analytics workspace and create an alert. That would be acceptable if the role is not Global Administrator. Global Administrator is the highest-privileged role and is given the power to read and modify every administrative role in Azure AD.
For Azure AD (AAD) specifically, the latency falls into 5-15 minutes for a report to be shown up in Azure Portal. And it may take longer to ingest data to the Log Analytics workspace where you are based on to construct your alert. And I believe this latency never satisfy Info Sec guys. Nevertheless below is the simple query you could query to get the sign-in activity of global admin signed from non-managed locations:
SigninLogs
| extend location = LocationDetails.countryOrRegion
| where location !in ("US","IN","PL","CA") //Whitelist your trusted location
| where UserPrincipalName == "az_sec_ga@az-sec.com"
| project UserPrincipalName, location, TimeGenerated
This is not a silver-bullet though as smart one may create a virtual machine in the managed location to bypass location unfamiliarity detection. This is also so-called identity fidelity bypass.
From the alert perspective, if you’d like to achieve better alert and response you should look into log telemetry streaming. Azure AD Sign-in log can be exported to an Event Hub namespace and is readable in near/real-time. This approach requires an advanced message-queue pattern such as reading Event Hub’s message and constructing alert. Otherwise there are some enterprise SIEMs like ArcSight, Qradar and Spunk which provide you out-of-the-box features to integrate with Event Hub to correlate your activity and sign-in log.
From the sign-in risk detection perspective, it’s worth looking into Identity Protection feature with Sign-in risk policy in which you have the ability to specify risk level to protect your global admin identity. To learn more on how Risk level is classified, read here https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#risk-level
In a nutshell, there are a couple of approaches to protecting global admin/high-privileged account:
- Detection:
- Log Analytics workspace with Kusto query based alert. Latency is a big cons while out-of-the-box and easy-to-setup is a pros.
- Event Hub: near/real-time is a huge advantage for security detection but time and effort would beat your mind. (or if your value at risk is greater than the breach?)
- Protection & Prevention:
- Conditional Access: to handle access (actually the issuance of access token) to target group/user.
- Identity Protection: come with bundle of sign-in risk policy.
Worth investing or not? The only you have the answer.