Blind spot fixed! Azure AD new sign-in logs improvement


In a previous blog post on Securing Azure Service Bus, I highlighted the blind spot of not being able to audit sign-in events when using Azure AD for Service Bus authentication. This is because the authentication is non-interactive: the sender or receiver of the brokered message has to authenticate with either a service principal or a managed identity.

As the Azure AD sign-in logs only surface interactive sign-ins, an admin misses out on this useful information.

REFERENCE: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Well, I noticed the following some time ago while doing some Azure Sentinel tests, and I tweeted about it then – https://twitter.com/asegunlolu/status/1282820324980137984:

Non-interactive user sign-ins, service principal sign-ins and managed identity sign-ins are now supported (in preview)! This is amazing, as it has been a long-standing feature request since 2017 – https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31991029-make-spn-non-interactive-login-events-logged-and

This has all kinds of security benefits, as interactions of services with Azure AD can now be subjected to the same analysis and investigation as user interactions. I looked around (including on https://azure.microsoft.com/updates) to see if this was announced somewhere, but I could not find anything, unlike when I found the new option to restrict public blobs in a storage account. Maybe I'm missing where to look for these types of updates.

To test this, I created a key vault, added some secrets to it, created a Linux box with a system-assigned managed identity and then used the identity to retrieve items from the Vault. Here’s what that looks like:

Again this is super amazing! Thanks Microsoft 🙂

NOTE: In order to export Sign-in data, your organization needs Azure AD P1 or P2 license.
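What you can do with those records once they are exported, as an added example that is not from the original post: a small Python script that baselines which identity reaches which resource from which source IPs, then flags failed non-interactive sign-ins, an identity reaching a service it never touched before (the managed identity from the Key Vault test suddenly talking to Storage), and a known identity/resource pair coming from an unfamiliar IP. The records and their field names are constructed for illustration (an assumption, loosely modelled on the sign-in log columns), so map them to your own export.

```python
import json
from collections import defaultdict
# Constructed sample records (not real exports). Field names are an assumption,
# loosely modelled on an Azure AD non-interactive sign-in export; adjust to yours.
BASELINE_LOG = """
{"TimeGenerated": "2020-07-13T09:00:01Z", "Category": "ManagedIdentitySignInLogs", "ServicePrincipalName": "vm-linux-test", "ResourceDisplayName": "Azure Key Vault", "ResultType": "0", "IPAddress": "10.0.0.4"}
{"TimeGenerated": "2020-07-13T15:00:01Z", "Category": "ManagedIdentitySignInLogs", "ServicePrincipalName": "vm-linux-test", "ResourceDisplayName": "Azure Key Vault", "ResultType": "0", "IPAddress": "10.0.0.4"}
{"TimeGenerated": "2020-07-13T15:05:00Z", "Category": "ServicePrincipalSignInLogs", "ServicePrincipalName": "sb-sender-app", "ResourceDisplayName": "Azure Service Bus", "ResultType": "0", "IPAddress": "10.0.1.9"}
"""
RECENT_LOG = """
{"TimeGenerated": "2020-07-14T09:00:01Z", "Category": "ManagedIdentitySignInLogs", "ServicePrincipalName": "vm-linux-test", "ResourceDisplayName": "Azure Key Vault", "ResultType": "0", "IPAddress": "10.0.0.4"}
{"TimeGenerated": "2020-07-14T09:02:11Z", "Category": "ManagedIdentitySignInLogs", "ServicePrincipalName": "vm-linux-test", "ResourceDisplayName": "Azure Key Vault", "ResultType": "0", "IPAddress": "203.0.113.7"}
{"TimeGenerated": "2020-07-14T09:03:40Z", "Category": "ManagedIdentitySignInLogs", "ServicePrincipalName": "vm-linux-test", "ResourceDisplayName": "Azure Storage", "ResultType": "0", "IPAddress": "10.0.0.4"}
{"TimeGenerated": "2020-07-14T09:10:00Z", "Category": "ServicePrincipalSignInLogs", "ServicePrincipalName": "sb-sender-app", "ResourceDisplayName": "Azure Service Bus", "ResultType": "7000215", "IPAddress": "10.0.1.9"}
"""

def load_signins(text):
    """Parse one JSON record per line (the shape of a line-delimited export)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(records):
    """(identity, resource) -> set of source IPs seen on successful sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["ResultType"] == "0":  # "0" is success; anything else is an AADSTS error code
            seen[(r["ServicePrincipalName"], r["ResourceDisplayName"])].add(r["IPAddress"])
    return seen

def detect(records, baseline):
    """Return (reason, identity, resource, ip) tuples for records worth a look."""
    alerts = []
    for r in records:
        key = (r["ServicePrincipalName"], r["ResourceDisplayName"])
        ip = r["IPAddress"]
        if r["ResultType"] != "0":
            reason = "failed_signin"              # e.g. 7000215: invalid client secret
        elif key not in baseline:
            reason = "new_resource_for_identity"  # identity never reached this service before
        elif ip not in baseline[key]:
            reason = "new_source_ip"              # known pair, unfamiliar network location
        else:
            continue
        alerts.append((reason, key[0], key[1], ip))
    return alerts

if __name__ == "__main__":
    base = build_baseline(load_signins(BASELINE_LOG))
    for alert in detect(load_signins(RECENT_LOG), base):
        print(alert)
```

Running it on the constructed data prints three alerts: the unfamiliar source IP for the Key Vault access, the identity's first sign-in to Storage, and the failed service principal sign-in.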

DO.
