Monitoring users in Windows Azure AD
Published: July 8, 2013
Updated: November 21, 2013
Applies To: Windows Azure
The goal of monitoring users is to provide admins with on-demand status about the integrity and security of their organization’s Windows Azure AD tenant. With this information, a tenant admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks.
The following reports are available for free in Windows Azure for monitoring tenant-wide user sign ins to Windows Azure AD:
Sign ins from unknown sources – Use this report when you want to determine if any users have successfully signed in to your tenant while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users who want to hide their computer’s IP address, and they may be used with malicious intent; hackers sometimes use them.
Results from this report will show the number of times a user successfully signed in to your tenant from that address and the proxy’s IP address.
Recommendation: You may want to investigate these sign in attempts.
Sign ins after multiple failures – Use this report when you want to determine if any users have successfully signed in after multiple failed sign in attempts. This may indicate that a hacker has been trying to guess the password of a user and finally succeeded in doing so.
Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.
Recommendation: You may want to contact the user to investigate the sign in attempts, or block the account by changing the password.
Sign ins from multiple geographies – Use this report when you want to view all successful sign in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries. This may indicate that a hacker has signed in to the account of a user from a different country.
Results from this report will show you the successful sign in events, together with the time between the sign ins, the countries where the sign ins appeared to originate from and the estimated travel time between those countries.
Recommendation: You may want to contact the user to investigate the sign ins from multiple geographies event.
Note: The travel time shown is only an estimate and may be different from the actual travel time between the locations. Also, no events are generated for sign ins between neighboring countries.
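The check behind the "Sign ins from multiple geographies" report can be reproduced over your own sign in records. The following is an added example, not Microsoft's implementation: the travel speed, the country centroids, the neighbor table and the event tuple layout are all assumptions made for the sketch, and the sample events are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed values for this sketch (not published by Microsoft).
TRAVEL_SPEED_KMH = 900.0  # roughly a commercial flight
# Constructed country centroids (lat, lon) and neighbor pairs, sample only.
CENTROIDS = {"US": (39.8, -98.6), "JP": (36.2, 138.3),
             "DE": (51.2, 10.4), "FR": (46.2, 2.2)}
NEIGHBORS = {frozenset(("DE", "FR"))}

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """events: (user, ISO timestamp, country, succeeded) tuples.
    Returns (user, from, to, hours_between, estimated_travel_hours)."""
    findings, last = [], {}
    ok = [e for e in events if e[3]]  # the report covers successful sign ins only
    for user, ts, country, _ in sorted(ok, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        prev = last.get(user)
        last[user] = (when, country)
        if prev is None or prev[1] == country:
            continue
        if frozenset((prev[1], country)) in NEIGHBORS:
            continue  # no events are generated for neighboring countries
        gap_h = (when - prev[0]).total_seconds() / 3600
        est_h = distance_km(CENTROIDS[prev[1]], CENTROIDS[country]) / TRAVEL_SPEED_KMH
        if gap_h < est_h:  # second sign in came sooner than travel allows
            findings.append((user, prev[1], country, round(gap_h, 2), round(est_h, 1)))
    return findings

# Constructed sample sign in events.
SAMPLE = [
    ("alice", "2013-11-20T08:00:00", "US", True),
    ("alice", "2013-11-20T09:30:00", "JP", True),   # 1.5 h after a US sign in
    ("bob",   "2013-11-20T08:00:00", "DE", True),
    ("bob",   "2013-11-20T08:20:00", "FR", True),   # neighboring countries
    ("carol", "2013-11-20T08:00:00", "US", True),
    ("carol", "2013-11-20T08:05:00", "JP", False),  # failed attempt, ignored
    ("carol", "2013-11-21T10:00:00", "DE", True),   # 26 h later, feasible
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))
```

Only the alice pair is flagged; the centroid-based distance is a coarse estimate, which is the same reason the report labels its travel time as approximate.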
The following report is also free for monitoring user provisioning to SaaS applications:
Account provisioning errors – Use this report to monitor errors that occur during the synchronization of accounts.
Additional security reports are a preview feature that is only available when you enable Windows Azure Active Directory Premium. For more information, see Windows Azure Active Directory Premium.
Additional security reports are described below:
Sign ins from IP addresses with suspicious activity – Use this report when you want to see sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address.
Results from this report will show you sign in attempts that originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.
Recommendation: You may want to contact the user to investigate the sign in attempts, or secure the account by changing the password.
Irregular sign in activity – Use this report when you want to see sign in attempts that have been marked as “irregular”. Reasons for marking a sign in attempt as irregular include an unexpected sign in location, an unexpected time of day, or a combination of these. This may indicate that a hacker has been trying to sign in using this account.
Results from this report will show you sign in attempts that were marked as irregular, together with the location and a timestamp associated with the sign in.
Recommendation: You may want to contact the user to investigate the sign in attempts, or secure the account by changing the password.
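One signal named for the "Sign ins from IP addresses with suspicious activity" report, many failed sign in attempts from the same IP address over a short period of time, can be approximated with a sliding window. This is an added example and not the service's own logic: the threshold, the window length and the event tuple layout are assumptions, and the sample events (using documentation IP ranges) are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the page does not state the values the service uses.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

def suspicious_ips(events):
    """Return IPs with at least MAX_FAILURES failed sign ins inside WINDOW.
    events: (ISO timestamp, ip, user, succeeded) tuples."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        when = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            flagged.add(ip)
    return flagged

def report(events):
    """Every sign in attempt, successful or not, made from a flagged IP."""
    bad = suspicious_ips(events)
    return [e for e in sorted(events) if e[1] in bad]

# Constructed sample: a burst of failures from one IP followed by a success,
# and a second IP whose failures are spread over several hours.
SAMPLE = (
    [(f"2013-11-20T10:0{i}:00", "203.0.113.7", f"user{i}", False) for i in range(5)]
    + [("2013-11-20T10:06:00", "203.0.113.7", "dave", True)]
    + [(f"2013-11-20T1{i}:30:00", "198.51.100.20", "erin", False) for i in range(5)]
    + [("2013-11-20T16:00:00", "198.51.100.20", "erin", True)]
)

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The successful sign in by dave from the flagged address is the row that warrants the follow-up described in the recommendation above.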
Use the following procedure to view and/or download the most applicable report for your specific needs.
In the Windows Azure Management Portal, click Active Directory, click on the name of your organization’s directory, and then click Reports.
On the Reports page, click on the report you want to view and/or download.
Note: If this is the first time you have used the reporting feature of Windows Azure AD, you will see a message to Opt In. If you agree, click the check mark icon to continue.
Click the drop-down menu next to Show, and then select one of the reports in the list that you want to view:
Click the drop-down menu next to Interval, and then select one of the following time ranges that should be used when generating this report:
Last 24 hours
Last 7 days
Last 30 days
Click the check mark icon to run the report.
If applicable, click Download to download the report to a compressed file in Comma Separated Values (CSV) format for offline viewing or archiving purposes.
If you suspect that a user account may be compromised, or you see any kind of suspicious user activity that may lead to a security breach of your directory data in the cloud, you may want to consider one or more of the following actions: