Blind spot fixed! Azure AD new sign-in logs improvement


In a previous blog post on Securing Azure Service Bus, I highlighted the blind spot of not being able to audit sign in events when using Azure AD for Service Bus authentication. This is because the authentication is non-interactive and requires the sender or receiver of the brokered message to use either a service principal or a managed identity to authenticate.

As Azure AD sign-in logs only surface interactive sign-ins, an admin misses out on this useful information.


Well, I noticed the following some time ago while doing some Azure Sentinel tests, and I tweeted about it then –

Non-interactive user sign-in, service principal sign-in and managed identity sign-in are now supported (in preview)! This is amazing, as it has been a long-standing feature request since 2017 –

This has all kinds of security benefits, as interactions of services with Azure AD can now be subjected to the same analysis and investigations as user interactions. I looked around (including on ) to see if this was announced somewhere, but I could not find anything, unlike when I found the new option to restrict public blobs in a storage account. Maybe I’m missing where to look for these types of updates.

To test this, I created a key vault, added some secrets to it, created a Linux box with a system-assigned managed identity and then used the identity to retrieve items from the Vault. Here’s what that looks like:

Again this is super amazing! Thanks Microsoft 🙂

NOTE: In order to export sign-in data, your organization needs an Azure AD P1 or P2 license.
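Once the new managed identity and service principal sign-in categories are exported, the same kind of analysis an admin already does for user sign-ins becomes possible. The following is an added example (not from the original post or from Microsoft) that baselines which resources and source IPs each identity has successfully used and flags later deviations and failures; the records are constructed samples, and the field names (ServicePrincipalName, ResourceDisplayName, IPAddress, ResultType) are an assumption modelled on the sign-in log export, so adjust them to your own schema.

```python
from collections import defaultdict

def rec(cat, sp, res, ip, result="0"):
    """Build a constructed sign-in record with the assumed field names."""
    return {"Category": cat, "ServicePrincipalName": sp,
            "ResourceDisplayName": res, "IPAddress": ip, "ResultType": result}

# Constructed sample export: first three records are the learning window
# (the Linux box's managed identity reading Key Vault, a Service Bus sender
# app signing in), the last two are what we want an analyst to notice.
SAMPLE_SIGNINS = [
    rec("ManagedIdentitySignInLogs", "linux-box-01", "Azure Key Vault", "10.0.0.4"),
    rec("ManagedIdentitySignInLogs", "linux-box-01", "Azure Key Vault", "10.0.0.4"),
    rec("ServicePrincipalSignInLogs", "sb-sender-app", "Azure Service Bus", "10.0.1.9"),
    # the VM identity now reaches a resource it has never used before
    rec("ManagedIdentitySignInLogs", "linux-box-01", "Azure Storage", "10.0.0.4"),
    # the Service Bus sender fails from an address not seen before
    rec("ServicePrincipalSignInLogs", "sb-sender-app", "Azure Service Bus",
        "198.51.100.7", result="7000215"),
]

def build_baseline(records):
    """Map each identity to the resources and IPs it has successfully used."""
    base = defaultdict(lambda: {"resources": set(), "ips": set()})
    for r in records:
        if r["ResultType"] == "0":  # "0" is a successful sign-in
            base[r["ServicePrincipalName"]]["resources"].add(r["ResourceDisplayName"])
            base[r["ServicePrincipalName"]]["ips"].add(r["IPAddress"])
    return base

def find_deviations(baseline, records):
    """Return (identity, reason) pairs for failures and out-of-baseline activity."""
    findings = []
    for r in records:
        who, known = r["ServicePrincipalName"], baseline.get(r["ServicePrincipalName"])
        if r["ResultType"] != "0":
            findings.append((who, "failed sign-in " + r["ResultType"]))
        if known is None:
            findings.append((who, "never seen before"))
            continue
        if r["ResourceDisplayName"] not in known["resources"]:
            findings.append((who, "new resource " + r["ResourceDisplayName"]))
        if r["IPAddress"] not in known["ips"]:
            findings.append((who, "new source IP " + r["IPAddress"]))
    return findings

def triage(records, learn=3):
    """Learn from the first `learn` records, then review the rest."""
    return find_deviations(build_baseline(records[:learn]), records[learn:])

if __name__ == "__main__":
    for identity, reason in triage(SAMPLE_SIGNINS):
        print(identity, "->", reason)
```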

