3
votes

I am preparing a script that enables Diagnostics logs, sending them to a Storage Account.

# $storageid holds the resource ID of the target storage account (set earlier in the script)
Get-AzureRmResource | foreach {  
    #For now adding all registered resources to Diagnostics Logs. Should narrow to specific resource types?
    #Categories "Execution", "Request" only, the "AllMetrics" category intended to log all categories fails. Can add specific categories to each resource type.
    # $( ) is required to expand a property inside a double-quoted string
    Write-Output "Adding resource $($_.ResourceId) to the storage"
    Set-AzureRmDiagnosticSetting -ResourceId $_.ResourceId -StorageAccountId $storageid -Enabled $true -RetentionEnabled $true -RetentionInDays 90 -Categories "Execution","Request"
}

This PowerShell command enables the Diagnostics Logs for the resources created within the Subscription.

What about enabling the Diagnostics Logs in Azure Active Directory? Do they include Audit and Sign-In logs?

Can someone please advise?

Many thanks!

Sergio

Update:
I am required to automate the following with PowerShell:
1. Go to Azure Portal
2. On the left blade, select Azure Active Directory
3. Select Audit Logs or Sign-In logs
4. On the top menu, select Export Data Settings
5. Click Add diagnostic setting
6. Check Archive to Storage Account and set Retention days.
Process described in this video:
The video discussing Azure AD reports shows how to enable the logs; I am required to automate enabling the logs, not getting the report.


2 Answers

1
votes

MSOL offers these log / audit resources.

Collect and consume log data from your Azure resources

Azure Monitor diagnostic logs are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. Azure Monitor makes available two types of diagnostic logs:

• Tenant logs - these logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory logs.

• Resource logs - these logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.

https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs

Azure Active Directory Audit logs

Audit events currently provided from the management portal are also downloadable per documentation at Azure Active Directory Audit Report Events. It is now convenient for an admin of an organization to gather critical changes that are happening in their Azure Active Directory tenant.

https://blogs.msdn.microsoft.com/azuresecurity/2015/06/11/azure-active-directory-audit-logs

What other logs are you trying to enable beyond the above?

What are you after?

Note: AAD is not ADDS from a diagnostics approach perspective.

Update for OP

Audit Logs for Azure Events
https://blogs.msdn.microsoft.com/cloud_solution_architect/2015/03/10/audit-logs-for-azure-events/

Retrieving Resource Metrics and Creating Alert Rules via Azure PowerShell

Metric Definitions

The Get-AzureRmMetricDefinition cmdlet downloads the definitions of an Azure Insights metric. For example, the following retrieves the definitions for a VM named myVM in a resource group named myRG:

$resourceId = '/subscriptions/SUBSCRIPTION_guid/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM'

Get-AzureRmMetricDefinition -ResourceId $resourceId `
 -DetailedOutput

https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/02/26/retrieving-resource-metrics-and-creating-alert-rules-via-azure-powershell

Example 4: Get all resources with a given name

PS C:\> Get-AzureRmResource -Name testVM | fl

Name              : testVM
ResourceGroupName : testRG
ResourceType      : Microsoft.Compute/virtualMachines
Location          : westus
ResourceId        : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM


Example 7: Get a resource by resource id

PS C:\> Get-AzureRmResource -ResourceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM

Name              : testVM
ResourceGroupName : testRG
ResourceType      : Microsoft.Compute/virtualMachines
Location          : westus
ResourceId        : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM

https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermresource?view=azurermps-6.7.0

1
votes

Currently, it seems that there is no PowerShell command to get the Azure AD Audit and Sign-In logs directly.

If the Microsoft Graph REST API is acceptable, you could use the following Microsoft Graph REST API calls to do that.

GET tenant user activities  https://graph.microsoft.com/beta/auditLogs/directoryAudits 

GET tenant user sign-ins    https://graph.microsoft.com/beta/auditLogs/signIns

We could also get the demo code from this link. If we want to run the code, we need to complete the prerequisites to access the Azure Active Directory reporting API; for more information please refer to this document.

# $PastPeriod is the start of the reporting window as an ISO 8601 timestamp (the Graph $filter expects that format),
# $Tenantdomain is the tenant name, and GetReport is the helper function defined in the linked demo script.
$URIfilter = "?`$filter=activityDateTime gt $PastPeriod"  
$url = "https://graph.microsoft.com/beta/auditLogs/directoryAudits" + $URIfilter 
GetReport $url "DirectoryAudits" $Tenantdomain

For more information about Azure AD report, please refer to this tutorial

Update:

We could use the following REST API to enable/update the Azure AD Audit logs or Sign-In logs.

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

Body

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
  }
}

I tested it with Postman.

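The same PUT from PowerShell, as an added example that is not part of the question or either answer: it acquires an Azure Resource Manager token with a service principal (client-credentials flow), writes the tenant-level microsoft.aadiam diagnostic setting with AuditLogs and SignInLogs enabled and a retention period set (the question asked for retention days, which the Postman body leaves disabled), then reads the setting back and fails if a category is not enabled. The service principal, the setting name `aad-archive`, the 90-day default and the assumption that the identity has a directory role allowed to configure Azure AD diagnostic settings and that the storage account already exists are all assumptions for the example.

```powershell
# Added example (not from the original post): enable Azure AD AuditLogs + SignInLogs
# archiving to a storage account through the ARM REST API, with retention.
# Assumptions: a service principal with permission to write microsoft.aadiam
# diagnostic settings, and an existing storage account whose resource ID is passed in.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $StorageAccountId,   # /subscriptions/.../Microsoft.Storage/storageAccounts/<name>
    [string] $SettingName   = 'aad-archive',             # hypothetical name for the diagnostic setting
    [int]    $RetentionDays = 90                         # 0 disables the retention policy
)

$ErrorActionPreference = 'Stop'
$apiVersion = '2017-04-01-preview'
$base       = 'https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings'
$settingUri = "$base/${SettingName}?api-version=$apiVersion"

# 1. Token for Azure Resource Manager via OAuth2 client credentials.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://management.azure.com/'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Request body: both log categories enabled, retention applied to the storage archive.
$logs = 'AuditLogs', 'SignInLogs' | ForEach-Object {
    @{
        category        = $_
        enabled         = $true
        retentionPolicy = @{ enabled = ($RetentionDays -gt 0); days = $RetentionDays }
    }
}
$body = @{
    properties = @{
        logs             = @($logs)
        metrics          = @()
        storageAccountId = $StorageAccountId
    }
} | ConvertTo-Json -Depth 6

# 3. PUT creates the setting or updates it in place, so the script is safe to re-run.
Invoke-RestMethod -Method Put -Uri $settingUri -Headers $headers `
    -ContentType 'application/json' -Body $body | Out-Null

# 4. Verify: read the setting back and fail loudly if any category did not end up enabled.
$current = Invoke-RestMethod -Method Get -Uri $settingUri -Headers $headers
foreach ($log in $current.properties.logs) {
    if (-not $log.enabled) {
        throw "Category $($log.category) is not enabled on diagnostic setting $SettingName"
    }
    Write-Output ("{0}: enabled, retention {1} days" -f $log.category, $log.retentionPolicy.days)
}
```

Run it as `.\Enable-AadDiagnostics.ps1 -TenantId <guid> -ClientId <guid> -ClientSecret <secret> -StorageAccountId <id>`. The verification step matters in automation: the PUT returns success even if a category is silently left disabled, so checking the GET response is what tells you the archive is actually collecting.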