In a previous blog post on Securing Azure Service Bus, I highlighted the blind spot of not being able to audit sign-in events when using Azure AD for Service Bus authentication. This is because the authentication is non-interactive and requires the sender or receiver of the brokered message to use either a service principal or a managed identity to authenticate.

As Azure AD sign-in logs only surface interactive sign-ins, an admin misses out on this useful information.

REFERENCE: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Well, I noticed the following some time ago while doing some Azure Sentinel tests and I tweeted about it then – https://twitter.com/asegunlolu/status/1282820324980137984:

Non-interactive user sign-in, service principal sign-in and managed identity sign-in are now supported (in preview)! This is amazing as it has been a long-standing feature request since 2017 – https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31991029-make-spn-non-interactive-login-events-logged-and

This has all kinds of security benefits, as interactions of services with Azure AD can now be subjected to the same analysis and investigations as user interactions. I looked around (including on https://azure.microsoft.com/updates) to see if this was announced somewhere, but I could not find anything, unlike when I found the new option to restrict public blobs in a storage account. Maybe I’m missing where to look for these types of updates.

To test this, I created a key vault, added some secrets to it, created a Linux box with a system-assigned managed identity and then used the identity to retrieve items from the Vault. Here’s what that looks like:

Again this is super amazing! Thanks Microsoft 🙂

NOTE: In order to export Sign-in data, your organization needs Azure AD P1 or P2 license.
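Once the managed identity sign-ins are exported, they can be baselined like user sign-ins. The following is an added example (not code from the post) that runs simple baseline checks over constructed sign-in records; the record shape is an assumed subset of the AADManagedIdentitySignInLogs columns (ServicePrincipalName, ResourceDisplayName, IPAddress, ResultType), and the identity name, addresses and failure code are constructed values.

```python
"""Baseline checks over exported Azure AD managed identity sign-in records."""
# Assumed record shape: a subset of the AADManagedIdentitySignInLogs columns
# (ServicePrincipalName, ResourceDisplayName, IPAddress, ResultType). This is
# an assumption made for the example, not something taken from the blog post.

# Constructed sample export: a VM identity reading Key Vault, plus deviations.
SAMPLE_SIGNINS = [
    {"ServicePrincipalName": "kv-test-vm", "ResourceDisplayName": "Azure Key Vault",
     "IPAddress": "40.1.1.10", "ResultType": "0"},
    {"ServicePrincipalName": "kv-test-vm", "ResourceDisplayName": "Azure Key Vault",
     "IPAddress": "40.1.1.10", "ResultType": "0"},
    {"ServicePrincipalName": "kv-test-vm", "ResourceDisplayName": "Azure Key Vault",
     "IPAddress": "198.51.100.7", "ResultType": "0"},       # unexpected source address
    {"ServicePrincipalName": "kv-test-vm", "ResourceDisplayName": "Azure Storage",
     "IPAddress": "40.1.1.10", "ResultType": "0"},          # unexpected resource
    {"ServicePrincipalName": "kv-test-vm", "ResourceDisplayName": "Azure Key Vault",
     "IPAddress": "40.1.1.10", "ResultType": "500011"},     # failed sign-in (constructed code)
    {"ServicePrincipalName": "unknown-app", "ResourceDisplayName": "Azure Key Vault",
     "IPAddress": "40.1.1.10", "ResultType": "0"},          # identity not in the baseline
]

# Expected behaviour per identity: resources it may request tokens for and
# the source addresses it should be seen from (constructed values).
BASELINE = {"kv-test-vm": {"resources": {"Azure Key Vault"}, "ips": {"40.1.1.10"}}}


def review_signins(records, baseline):
    """Return (reason, identity, detail) alerts for sign-ins outside the baseline.

    Reasons: unknown-identity, unexpected-resource, unexpected-ip, failed-signin.
    ResultType "0" is a successful sign-in; anything else is treated as a failure.
    """
    alerts = []
    for r in records:
        ident = r["ServicePrincipalName"]
        expected = baseline.get(ident)
        if expected is None:
            alerts.append(("unknown-identity", ident, r["ResourceDisplayName"]))
            continue
        if r["ResourceDisplayName"] not in expected["resources"]:
            alerts.append(("unexpected-resource", ident, r["ResourceDisplayName"]))
        if r["IPAddress"] not in expected["ips"]:
            alerts.append(("unexpected-ip", ident, r["IPAddress"]))
        if r["ResultType"] != "0":
            alerts.append(("failed-signin", ident, r["ResultType"]))
    return alerts


if __name__ == "__main__":
    for alert in review_signins(SAMPLE_SIGNINS, BASELINE):
        print(alert)
```

The same four conditions map directly onto a Sentinel query over the exported table once the diagnostic setting is in place.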
