Blind spot fixed! Azure AD new sign-in logs improvement


In a previous blog post on Securing Azure Service Bus, I highlighted the blind spot of not being able to audit sign-in events when using Azure AD for Service Bus authentication. This is because the authentication is non-interactive and requires the sender or receiver of the brokered message to use either a service principal or a managed identity to authenticate.

As the Azure AD sign-in logs only surface interactive sign-ins, an admin misses out on this useful information.


Well, I noticed the following some time ago while doing some Azure Sentinel tests, and I tweeted about it then –

Non-interactive user sign-ins, service principal sign-ins and managed identity sign-ins are now supported (in preview)! This is amazing, as it has been a long-standing feature request since 2017 –

This has all kinds of security benefits, as interactions of services with Azure AD can now be subjected to the same analysis and investigation as user interactions. I looked around (including on to see if this was announced somewhere, but I could not find it anywhere, similar to when I found the new option to restrict public blobs in a storage account). Maybe I’m missing where to look for these types of updates.

To test this, I created a key vault, added some secrets to it, created a Linux box with a system-assigned managed identity and then used the identity to retrieve items from the Vault. Here’s what that looks like:

Again, this is super amazing! Thanks Microsoft 🙂
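As an added example (not a query from the original post), here is the kind of analysis the new logs make possible for the Key Vault test above: it lists managed identities that reached Key Vault in the last day from an IP address they had not used in the previous two weeks, with their failure counts. It assumes the preview managed identity sign-ins are exported to the Log Analytics workspace behind Azure Sentinel as the AADManagedIdentitySignInLogs table and that Key Vault appears in ResourceDisplayName as "Azure Key Vault" (check both against your own workspace).

```kql
// Added example, not the post's own query.
// Assumptions: the preview managed identity sign-in logs are exported to the
// Log Analytics workspace as AADManagedIdentitySignInLogs, and Key Vault
// appears in ResourceDisplayName as "Azure Key Vault".
let baseline_window = 14d;   // history used to learn "known" identity/IP pairs
let recent_window   = 1d;    // window being reviewed
let kv_signins = AADManagedIdentitySignInLogs
    | where ResourceDisplayName == "Azure Key Vault";
// Identity/IP pairs seen during the baseline window (excluding the recent window)
let known_pairs = kv_signins
    | where TimeGenerated between (ago(baseline_window + recent_window) .. ago(recent_window))
    | summarize by ServicePrincipalId, IPAddress;
// Recent Key Vault sign-ins whose identity/IP pair never appeared in the baseline
kv_signins
| where TimeGenerated > ago(recent_window)
| join kind=leftanti known_pairs on ServicePrincipalId, IPAddress
| summarize SignIns   = count(),
            Failures  = countif(ResultType != "0"),   // ResultType "0" is success
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by ServicePrincipalId, ServicePrincipalName, IPAddress
| order by FirstSeen asc
```

A freshly created VM identity (like the one in the test above) will naturally show up on its first day; the rows worth a second look are established identities that suddenly appear from a new address or with a high failure count.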

NOTE: In order to export sign-in data, your organization needs an Azure AD P1 or P2 license.

