Microsoft Azure Active Directory (Azure AD) is a cloud based directory and identity management service. Change Guardian allows you to monitor Azure AD along with on-premises Active Directory.
The Azure AD monitoring capability in Change Guardian is built in with Microsoft Graph API.
Change Guardian monitors the following in Azure AD:
Administrative units
Applications
Devices
Directories
Groups
Policies
User accounts
This section provides the following information:
Complete the following tasks to start monitoring Azure AD audit events:
Task | See
---|---
Complete the prerequisites |
Add the license key |
Configure Change Guardian for monitoring |
Triage events |
The following illustration explains the workflow of various components with Azure AD:
Figure 6-1 Azure AD Monitoring using Change Guardian
The deployment diagram illustrates the following:
Change Guardian Agent for Windows collects events from Azure AD
Change Guardian Agent for Windows sends the event details to the Change Guardian server
Ensure that you have completed the following:
Change Guardian has defined the default values for the Windows registry keys. To modify the registry key values, see the following sections:
NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
Change Guardian fetches events at a fixed time interval, and each fetch covers a look-back window of that length. The default interval is 120 minutes: if the agent starts at 10 a.m., event fetching starts 120 minutes before the current system time, that is, it covers 8 a.m. to 10 a.m.
WARNING: If the time interval is set to more than 1440 minutes, the system automatically resets it to 1440 minutes, because that is the maximum permitted value. If the latency from Microsoft is more than this value, there might be data loss.
If you observe a different latency time in your environment, you can change this value to the observed interval.
While processing Azure AD events, Change Guardian removes duplicate events. For more information, see Azure Active Directory reporting latencies.
To modify the time interval:
In Registry Editor, navigate to the Change Guardian Agent key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent
Right click the AzureADEventFetchInterval key.
Under Base, select Decimal.
(Conditional) If you observe a higher latency in your environment, set the value to the observed interval. The valid range is 120 to 1440 minutes.
Go to Services > NetIQ Change Guardian Agent.
Select the Change Guardian Agent for Windows application, and click Restart.
The access token refresh interval is the interval at which Change Guardian renews the access token it uses to connect to Azure AD. By default, Change Guardian refreshes the access token every 30 minutes; the maximum interval is 50 minutes. If you configure this value below 15 minutes or above 50 minutes, the system automatically resets it to 15 or 50 minutes respectively.
To modify the time interval:
In Registry Editor, navigate to the Change Guardian Agent key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent
Right click the AzureADTokenRefreshInterval key.
Select Decimal under Base.
Specify the required time interval, between 15 and 50 minutes.
Go to Services > NetIQ Change Guardian Agent.
Select the Change Guardian Agent for Windows application, then click Restart.
By default, Change Guardian fetches event logs every 10 minutes from Azure AD and processes them based on applied AD policies.
You can configure the event collection interval to any duration between 5 minutes and 30 minutes. If you configure a duration below 5 minutes or above 30 minutes, the system automatically resets it to 15 or 30 minutes respectively. A fetch interval of 10 minutes is a reasonable choice.
To modify this time interval:
In Registry Editor, navigate to the Change Guardian Agent key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent
Right click the AzureADEventCollectionInterval key.
Select Decimal under Base.
Specify the required time interval, between 5 and 30 minutes.
Go to Services > NetIQ Change Guardian Agent.
Select the Change Guardian Agent for Windows application, then click Restart.
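The three registry procedures above follow the same pattern: set a DWORD value under the agent key, keep it inside the documented range, and restart the agent so the new value is read. The following PowerShell script is an added example, not Change Guardian's own tooling; it assumes the registry path and value names given in this section, and it assumes the agent's service display name is "NetIQ Change Guardian Agent" (confirm it in the Services console before use). It refuses out-of-range values instead of relying on the agent's silent reset, so the value stored in the registry always matches what the operator intended.

```powershell
# Added example (not Change Guardian's own code).
# Assumes the registry key and value names documented for the agent, and that the
# service display name is "NetIQ Change Guardian Agent" (an assumption; verify it).
$AgentKey           = 'HKLM:\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent'
$ServiceDisplayName = 'NetIQ Change Guardian Agent'

# Documented ranges and defaults, in minutes, for the three Azure AD interval values.
$Intervals = @{
    AzureADEventFetchInterval      = @{ Min = 120; Max = 1440; Default = 120 }
    AzureADTokenRefreshInterval    = @{ Min = 15;  Max = 50;   Default = 30 }
    AzureADEventCollectionInterval = @{ Min = 5;   Max = 30;   Default = 10 }
}

function Get-AzureADIntervals {
    # Report the current value of each interval, or the documented default when
    # the value has not been created yet.
    foreach ($name in $Intervals.Keys) {
        $current = (Get-ItemProperty -Path $AgentKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name    = $name
            Current = if ($null -eq $current) { "(not set, default $($Intervals[$name].Default))" } else { $current }
            Min     = $Intervals[$name].Min
            Max     = $Intervals[$name].Max
        }
    }
}

function Set-AzureADInterval {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AzureADEventFetchInterval', 'AzureADTokenRefreshInterval', 'AzureADEventCollectionInterval')]
        [string]$Name,
        [Parameter(Mandatory)][int]$Minutes,
        [switch]$RestartAgent
    )
    $range = $Intervals[$Name]
    # Reject values outside the documented range rather than letting the agent
    # reset them, so the registry never holds a value the operator did not choose.
    if ($Minutes -lt $range.Min -or $Minutes -gt $range.Max) {
        throw "$Name must be between $($range.Min) and $($range.Max) minutes (requested $Minutes)."
    }
    # -Type DWord stores a 32-bit value; "Decimal" under Base in Registry Editor
    # only controls how the number is typed in, the stored type is the same.
    Set-ItemProperty -Path $AgentKey -Name $Name -Value $Minutes -Type DWord
    if ($RestartAgent) {
        # The agent reads the interval values at start-up, so restart it.
        Get-Service -DisplayName $ServiceDisplayName | Restart-Service
    }
}

# Usage, from an elevated PowerShell session on the agent host:
# Get-AzureADIntervals
# Set-AzureADInterval -Name AzureADEventFetchInterval -Minutes 240 -RestartAgent
```

Run Get-AzureADIntervals first to record the current settings; a reviewer comparing the output with the documented defaults can spot drift (for example a fetch window that was widened and never reverted) without opening Registry Editor.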
Complete the following tasks on Change Guardian server to monitor Azure AD events:
Reconfigure the Change Guardian Agent for Windows to enable Azure AD monitoring.
Ensure that you have added Azure AD assets in Agent Manager.
To reconfigure:
In Agent Manager, select the asset and click Manage Installations > Reconfigure Agents.
On the Reconfigure Agents page, select Enable Azure AD Monitoring under Edit Agent Configuration.
In Azure AD, a tenant represents an organization. You have to configure a tenant and its credentials, such as Domain Name, Authentication Key, and Application ID, to make it available to Change Guardian. Change Guardian connects to Azure AD using the Microsoft Graph API. It supports a single tenant.
To configure the Azure AD tenant:
Log in to Policy Editor.
Under Azure AD, open Azure Tenant Configuration.
Specify values for the following fields:
Domain Name: Specify the name of the Azure AD domain.
Application ID: Enter the Application ID that was displayed in the Azure portal during configuration.
Authentication Key: Enter the Authentication Key that was displayed in the Azure portal during configuration.
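The three tenant fields above are the inputs of a Microsoft Graph client-credentials sign-in: the Application ID and Authentication Key identify the app registration, and the Domain Name selects the tenant. The following PowerShell script is an added example, not Change Guardian's own code; it performs that sign-in directly and reads the directory audit log over the same 120-minute look-back window the fetch interval section describes, so you can confirm before configuring Change Guardian that the registration works and that audit events for the monitored object types are visible. It assumes the app registration holds the Graph application permission AuditLog.Read.All (the page does not list permissions) and that the audit query goes to the v1.0 auditLogs/directoryAudits endpoint.

```powershell
# Added example (not Change Guardian's own code). Assumes the tenant fields from
# Azure Tenant Configuration (Domain Name, Application ID, Authentication Key) and
# that the app registration holds the Graph permission AuditLog.Read.All.
param(
    [Parameter(Mandatory)][string]$DomainName,            # e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)][string]$ApplicationId,         # Application ID from the Azure portal
    [Parameter(Mandatory)][securestring]$AuthenticationKey, # Authentication Key (client secret)
    [int]$FetchIntervalMinutes = 120                        # same look-back as AzureADEventFetchInterval
)

# 1. Client-credentials sign-in, the same grant an unattended agent uses.
$tokenUri = "https://login.microsoftonline.com/$DomainName/oauth2/v2.0/token"
$body = @{
    client_id     = $ApplicationId
    # The secret is kept as a SecureString until the moment it is sent.
    client_secret = [System.Net.NetworkCredential]::new('', $AuthenticationKey).Password
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
    -ContentType 'application/x-www-form-urlencoded'

# expires_in is in seconds. The agent's AzureADTokenRefreshInterval (15 to 50 minutes)
# must stay below this lifetime, otherwise Graph calls fail until the next refresh.
"Token lifetime: $([int]($token.expires_in / 60)) minutes"

# 2. Same look-back window as the agent: from (now - interval) to now, in UTC.
$since = (Get-Date).ToUniversalTime().AddMinutes(-$FetchIntervalMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')
$auditUri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $since&`$top=50"
$headers  = @{ Authorization = "Bearer $($token.access_token)" }
$page = Invoke-RestMethod -Method Get -Uri $auditUri -Headers $headers

# 3. Graph labels each audit record with a category (for example GroupManagement or
#    UserManagement). Counting them per category shows which of the monitored object
#    types produced events inside the window; an empty result does not mean the
#    registration is wrong, it may just be a quiet window.
"Audit events in the last $FetchIntervalMinutes minutes, by category:"
$page.value | Group-Object category | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Usage: .\Test-AzureADAuditAccess.ps1 -DomainName contoso.onmicrosoft.com `
#            -ApplicationId <Application ID> -AuthenticationKey (Read-Host -AsSecureString 'Key')
```

A 401 from the token endpoint points at the Application ID or Authentication Key; a 403 from the audit endpoint points at a missing or unconsented permission on the registration. Both are cheaper to diagnose here than after the agent has been reconfigured.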
Administrative Unit: Policies about adding, deleting, and updating administrative units, and modifying administrative unit attributes
Applications: Policies about adding, deleting, and updating applications and application owners
Devices: Policies about adding, deleting, and updating devices, and modifying device attributes
Directories: Policies about adding verified and unverified domains, and modifying directory attributes
Groups: Policies about adding, deleting, updating, and restoring groups, adding and removing group owner and group member, and so on
Policy: Policies about adding, deleting, and updating policies, and modifying policy attributes
User Accounts: Policies about adding, deleting, restoring, and updating user accounts, disabling and enabling accounts, and changing user license and user password, and so on
For information about creating Azure AD policies, see Creating a Policy for Azure AD Groups. For information about creating policies in Change Guardian, see Creating Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.
NOTE: You cannot assign Azure AD policies by using Asset Groups.
To create a policy:
In Policy Editor, select Azure AD > Azure AD Policies.
Select Groups and specify the information in the Groups Policy window.
NOTE: You must provide the specific group event type from the event list.