Entra ID Logon Security Event Monitor Reference Guide

Entra ID Logon Security Event Monitor

Monitors and alerts about users' successful and/or failed login attempts.

Overview

This event monitor can be configured to alert about both successful and failed login attempts. It can also be set to include or exclude certain users, applications, and resources from all checks performed by the monitor.

Note: After you configure this event monitor, it can take between five and ten minutes before it can run for the first time. This is because Azure has a lag of about that long before it generates the log.

Use Cases

  • Receiving alerts about failed login attempts
  • Keeping a record of all logins

Monitoring Options

This event monitor provides the following options:

Alert with [Warning/Error/Critical] if Azure cannot be contacted

This option will alert you at the level of your choosing if Azure can't be contacted.

Alert with [Warning/Error/Critical] if more than one failed login attempts are found

Enable this option to receive an alert if a login fails twice or more.

Alert with [Warning/Error/Critical] for successful logins

This option will notify you of every successful login at the alert level of your choice.

Only check the selected users

This option lets you specify a list of users. The event monitor will check only those users.

Exclude these users from all checks

Enter a comma-separated list of users that will be excluded from all checks.

Include these applications in all checks

The applications you list here will be included in all checks.

Exclude these applications from all checks

The applications you list here will be excluded from all checks.

Include these resources in all checks

The resources you list here will be included in all checks.

Exclude these resources from all checks

The resources you list here will be excluded from all checks.

Authentication and Security

First, you'll need to create an app registration to add to your event monitor's authentication profile. Information on how to do this can be found in our "Creating an Azure Authentication Profile" article.

The app registration must be granted the MSGraph AuditLog.Read.All permission. Your Azure subscription must be for a Premium P1 or P2 account. Microsoft does not support login monitoring with non-premium accounts.

Protocols

Data Points

This event monitor generates the following data points:

Data Point | Description
Failed Logins | The number of failed logins.
Successful Logins | The number of successful logins.
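The following added example (not the event monitor's own code) shows how the include/exclude options and the failed-login alert could combine to produce the two data points above. It assumes sign-in records shaped like the Microsoft Graph signIn resource, that exclusions take precedence over inclusions, that an empty include list means "check everything", and that failures are counted across all checked sign-ins. The function names and sample records are constructed.

```python
# Added illustration; not the event monitor's own code.
# Keys follow the Microsoft Graph signIn resource. All records are constructed.
def _rec(user, app, resource, error_code):
    return {"userPrincipalName": user, "appDisplayName": app,
            "resourceDisplayName": resource, "status": {"errorCode": error_code}}

SAMPLE_SIGNINS = [
    _rec("alice@example.com", "Azure Portal", "Windows Azure Service Management API", 0),
    _rec("bob@example.com", "Azure Portal", "Windows Azure Service Management API", 50126),
    _rec("bob@example.com", "Azure Portal", "Windows Azure Service Management API", 50126),
    _rec("svc-backup@example.com", "Backup Agent", "Microsoft Graph", 50053),
    _rec("carol@example.com", "Microsoft Teams", "Microsoft Graph", 0),
]

def parse_list(text):
    """Split a comma-separated option value into a set of lowercase names."""
    return {item.strip().lower() for item in text.split(",") if item.strip()}

def _selected(value, include, exclude):
    # Assumption: exclusions win, and an empty include list means "check everything".
    value = value.lower()
    if value in exclude:
        return False
    return not include or value in include

def evaluate(signins, only_users="", exclude_users="", include_apps="",
             exclude_apps="", include_resources="", exclude_resources=""):
    """Return the two data points plus the failed-login alert decision."""
    users = (parse_list(only_users), parse_list(exclude_users))
    apps = (parse_list(include_apps), parse_list(exclude_apps))
    resources = (parse_list(include_resources), parse_list(exclude_resources))
    failed = successful = 0
    for s in signins:
        if not (_selected(s["userPrincipalName"], *users)
                and _selected(s["appDisplayName"], *apps)
                and _selected(s["resourceDisplayName"], *resources)):
            continue
        if s["status"]["errorCode"] == 0:   # errorCode 0 means the sign-in succeeded
            successful += 1
        else:
            failed += 1
    # Assumption: the alert counts failures across all checked sign-ins, not per user.
    return {"Failed Logins": failed, "Successful Logins": successful,
            "alert_on_failures": failed > 1}

if __name__ == "__main__":
    print(evaluate(SAMPLE_SIGNINS))
    print(evaluate(SAMPLE_SIGNINS, exclude_users="bob@example.com"))
```

Excluding a noisy account can drop the failure count below the alert threshold, so review exclusion lists with the same care as the alert levels.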

Sample Output

Tutorial

To view the tutorial for this event monitor, click here.
