Azure Monitor Alert for Microsoft Entra ID App Creation

Introduction:

Azure Monitor is a centralized solution that collects and aggregates data from every layer and component of the systems or services across multiple Azure and non-Azure subscriptions and tenants. In this article, we will learn how to leverage Azure Monitor to create an alert whenever a new Microsoft Entra ID application is created. This audit alert plays a crucial role in enterprise security, because application registrations are a common way to obtain persistent, non-interactive access to a tenant.

Configure Diagnostic settings for Entra ID

  • Log in to the Azure portal
  • Navigate to the Microsoft Entra ID service
  • Select Audit Logs -> Export data settings -> Add diagnostic setting -> send the audit logs to a Log Analytics workspace, as shown in the figure below.

Kusto Query

The Kusto query below fetches all Entra ID applications created within the last 7 days.

AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName == "Add application"     // application creation events only
| where TimeGenerated >= ago(7d)                      // 7-day lookback window
| extend userParse = parse_json(InitiatedBy)          // who performed the action (a user or an app)
| extend TargetResources = parse_json(TargetResources)
| extend ApplicationName = tostring(TargetResources[0].displayName)     // the created application
| extend CreatedBy = tostring(userParse.user.userPrincipalName)         // empty when an app initiated the action
| extend servicePrincipalId = tostring(userParse.app.servicePrincipalId) // set when an app initiated the action
| project
    TimeGenerated,
    InitiatedBy,
    ActivityDisplayName,
    CreatedBy,
    Category,
    servicePrincipalId,
    ApplicationName


The main parameters, CreatedBy and ApplicationName, are extracted from the InitiatedBy and TargetResources fields, respectively. Note that CreatedBy is empty when the application was created by a service principal (for example, an automation account) rather than a user; in that case the servicePrincipalId column identifies the initiator.
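To check the same field extraction offline before wiring the query into an alert, here is an added Python example (not part of the original article) that applies the query's filters and projections to a few constructed AuditLogs rows; it assumes rows shaped like an exported query result, with InitiatedBy and TargetResources as JSON strings, and includes the service-principal-initiated case described above.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed AuditLogs rows shaped like an exported query result; not real tenant data.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-08T09:15:00Z", "Category": "ApplicationManagement",
     "ActivityDisplayName": "Add application",
     "InitiatedBy": json.dumps({"user": {"userPrincipalName": "alice@contoso.example"}}),
     "TargetResources": json.dumps([{"displayName": "payroll-connector", "type": "Application"}])},
    {"TimeGenerated": "2024-05-09T22:00:00Z", "Category": "ApplicationManagement",
     "ActivityDisplayName": "Add application",  # created by a service principal, not a user
     "InitiatedBy": json.dumps({"app": {"servicePrincipalId": "sp-0001", "displayName": "deploy-bot"}}),
     "TargetResources": json.dumps([{"displayName": "ci-uploader", "type": "Application"}])},
    {"TimeGenerated": "2024-04-20T10:00:00Z", "Category": "ApplicationManagement",
     "ActivityDisplayName": "Add application",  # older than 7 days: must be filtered out
     "InitiatedBy": json.dumps({"user": {"userPrincipalName": "bob@contoso.example"}}),
     "TargetResources": json.dumps([{"displayName": "old-app"}])},
    {"TimeGenerated": "2024-05-09T10:00:00Z", "Category": "ApplicationManagement",
     "ActivityDisplayName": "Update application",  # not a creation: must be filtered out
     "InitiatedBy": json.dumps({"user": {"userPrincipalName": "bob@contoso.example"}}),
     "TargetResources": json.dumps([{"displayName": "payroll-connector"}])},
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed reference time standing in for now()

def parse_time(value):
    # AuditLogs timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def new_app_creations(rows, now=NOW, window=timedelta(days=7)):
    """Apply the article's KQL filters and projections to plain dict rows."""
    cutoff = now - window  # TimeGenerated >= ago(7d)
    results = []
    for row in rows:
        if (row.get("Category") != "ApplicationManagement"
                or row.get("ActivityDisplayName") != "Add application"
                or parse_time(row["TimeGenerated"]) < cutoff):
            continue
        initiated_by = json.loads(row["InitiatedBy"])    # parse_json(InitiatedBy)
        targets = json.loads(row["TargetResources"])      # parse_json(TargetResources)
        user = initiated_by.get("user") or {}
        app = initiated_by.get("app") or {}
        # tostring() renders a missing property as "", so a creation done by a
        # service principal shows an empty CreatedBy and a populated servicePrincipalId
        results.append({
            "TimeGenerated": row["TimeGenerated"],
            "ApplicationName": str(targets[0].get("displayName", "")) if targets else "",
            "CreatedBy": user.get("userPrincipalName") or "",
            "servicePrincipalId": app.get("servicePrincipalId") or "",
        })
    return results
```

Running `new_app_creations(SAMPLE_ROWS)` returns two rows: the user-created payroll-connector and the service-principal-created ci-uploader with an empty CreatedBy, while the stale and non-creation rows are dropped.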

Create an Alert with the Azure Monitor

  • Navigate to Azure Monitor -> Alerts -> Create Alert
  • Select the Scope, apply the subscription, and select the right resource, as shown in the figure below. In my case, it is a Log Analytics workspace.
[Figure: Scope]
  • Condition
    • Custom log search: paste the custom query above into the search query field
    • Define the Measurement; I just went for a 1-day Aggregation granularity
    • Dimensions -> Use the dimensions to include more metadata in your alert, which will also be included in the email body. I used the ApplicationName and CreatedBy fields
[Figure: Action measurement]
  • Alert logic -> Here, I set the threshold to 1 and the frequency of evaluation to 1 day, which means the logic runs once a day and fires whenever at least one Entra ID app has been created
[Figure: Alert logic]

Actions: Under Action group, select an existing action group or create a new one.

The email alert received is shown below.

Summary:

We have seen how to use a Kusto query to retrieve newly created Entra ID applications and connect it to an Azure Monitor alert that notifies us daily when a new application has been created.

Gowtham K

Gowtham K has been awarded Microsoft MVP (Most Valuable Professional) 9 times for his exceptional contributions to Microsoft technologies under the category "Developer Technologies & Security". He has more than 12 years of experience with Microsoft technologies such as C#, ASP.NET MVC, ASP.NET Web API, ASP.NET Core, MS SQL Server, Azure, Microsoft Entra ID and Azure AD B2C, and other technologies such as JavaScript, jQuery, HTML and CSS. He is also a blogger and author of articles on various technologies, and a speaker who has delivered talks on ASP.NET MVC, Azure and Azure DevOps at public events.
