Did you know that, like all other Azure services, Azure AD has workbooks too? The good thing about this is that there are a lot of good workbooks ready to be opened, with no need to write your KQL queries again. If you fancy your KQL, you can start a new Workbook as well.
However, insights are the name of the game, and you can easily run these workbooks to understand the activities in your tenant.
CA Gap Analyzer Workbook
Currently most organizations are using Azure AD Conditional Access Policies to strengthen their Zero-Trust posture and to protect identities and workloads from bad actors. You may have added all the relevant CA Policies, or you think you have added them all. However, how do you validate that thought? How do you find out which policies you may have missed, skipped or not properly set up?
This is a hidden gem in the portal that you can start using today, provided you have the prerequisites that I will be talking about later.
CA Gap Analyzer Workbook at a glance can provide insights about,
- Legacy Authentication
- Unprotected Applications
- Compromised User Sign-ins
- Unprotected Locations
- Unprotected Named Locations
Each section comes with the Microsoft recommendation for that area.
Creating the Log Analytics Workspace
You will be charged for Log Analytics depending on the volume of logs you are streaming from other services.
Go to the Azure Portal on portal.azure.com, search for Log Analytics Workspace and create one in a Resource Group.
Linking the Log Analytics Workspace with Azure AD
Go to Entra Portal on entra.microsoft.com > Azure Active Directory > Monitoring & Health > Diagnostic settings
Select Add diagnostic setting and provide a name.
Select the Logs you need to stream to Log Analytics Workspace.
Select the Azure subscription and the Log Analytics Workspace for the Destination details
It will be completed as below
Once added, leave it for 15 – 30 mins to initialize and get the logs to start streaming to the workspace.
Azure AD Workbooks
Now that you have added the Log Analytics Workspace, the Azure AD Workbooks will be visible under entra.microsoft.com > Azure Active Directory > Monitoring & Health > Workbooks
As you can see there are a lot of pre-made workbooks that you can start using, or you can create your own workbook with graphs, tables and so on.
You can find the Gap Analyzer workbook under the section for Conditional Access.
What’s in the Workbook?
Update the time range to see more CA Insights
Legacy Authentication
Microsoft recommends blocking sign-ins using legacy authentication
Unprotected Applications – Number of Users Signing In to Applications with Conditional Access Policies Not Applied
Microsoft recommends that each sign-in to an application has a Conditional Access Policy applied to it.
And more insights into the affected users.
Compromised User Sign-ins
Microsoft recommends blocking all high risk sign-in events, including sign-ins where the user account is known to be compromised.
Unprotected Locations – Users With No Conditional Access Coverage by Location
Unprotected Named Locations – Named Locations With No Conditional Access Coverage (Preview)
When configuring Conditional Access policies, organizations can choose to include or exclude locations as a condition. Microsoft recommends that each Named location is associated with a Conditional Access Policy.
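If you would rather build your own workbook, as the post mentions at the start, the insights above can be reproduced with KQL over the SigninLogs table. The queries below are an added example, not the original post's content or the queries inside Microsoft's workbook; they assume the diagnostic setting above streams SignInLogs to the workspace, and they treat any ClientAppUsed other than "Browser" or "Mobile Apps and Desktop clients" as legacy authentication.

```kql
// Legacy Authentication: successful sign-ins from clients that cannot satisfy
// Conditional Access controls such as MFA. Assumption: anything that is not
// "Browser" or "Mobile Apps and Desktop clients" is a legacy protocol.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"                      // successful sign-ins only
| where ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| summarize SignIns = count(), Users = dcount(UserPrincipalName)
            by ClientAppUsed, AppDisplayName
| order by SignIns desc

// Unprotected Applications: successful sign-ins where no Conditional Access
// policy was evaluated at all (ConditionalAccessStatus == "notApplied").
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| where ConditionalAccessStatus == "notApplied"
| summarize Users = dcount(UserPrincipalName), SignIns = count()
            by AppDisplayName
| order by Users desc

// Compromised User Sign-ins: high-risk or confirmed-compromised sign-ins that
// still succeeded, i.e. the ones a risk-based CA policy should have blocked.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| where RiskLevelDuringSignIn == "high" or RiskState == "confirmedCompromised"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          RiskLevelDuringSignIn, RiskState, ConditionalAccessStatus
| order by TimeGenerated desc
```

In a workbook each query goes in its own query step, and the fixed ago(30d) filter can be replaced by the workbook's time range parameter so the picker at the top drives all three.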
Wrapping Up
This is a tool that you can add to your toolbox with very low effort, and since the workbook is pre-made, it's all ready to go. It is ideal for checking insights every once in a while, so you don't miss out on important CA policies that need to be enabled, and you stay on top of your Zero-Trust game.