
I have started working as sysadmin at a company that uses Microsoft 365. Before I started, a few generically named accounts with the Global Administrator role were being used by multiple people to do most day-to-day admin. No documentation.

I'm trying to tidy this up so we no longer have as many GA accounts and can have accounts with specific needs allocated more granular roles. The team are no longer using these generic accounts to do things, but some service accounts with the Global Admin role must have been set up to do scheduled tasks, as they are still showing up in the SigninLogs.

I've followed Microsoft guidance to audit when they sign in in Azure Log Analytics, using this query:

SigninLogs
| where UserPrincipalName == "admin@domain.com"   // filter first, then project, so the filter runs on the full rows
| project UserPrincipalName

which tells me how frequently a particular account is used, but I'm not sure how to figure out what it is doing. What queries will help me track all the activities down?

dunxd
  • 9,874


To be able to tell what the identity is doing, you probably need to look into the Azure Activity Logs or, for M365, the Unified Audit Logging (needs to be enabled). And for the M365 logs I would recommend Microsoft Sentinel, which has data connectors to pull in the M365 logs.

This Microsoft Sentinel workbook might help in showing what a user is doing in an Azure tenant, using the Azure Activity Logs: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/AzureActivity.json

For Microsoft 365, this one: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/Office365.json

Microsoft Sentinel also has something called UEBA. As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organization’s entities (such as users, hosts, IP addresses, and applications) across time and peer group horizon. Using a variety of techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”).

Turdie
  • 2,945
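As an added example (not part of the question or the answer above), the following KQL ties the two posts together: it extends the asker's SigninLogs query so the sign-in rows themselves show which application, resource and client the account authenticates with (often enough to identify a scheduled task even before audit logging is switched on), and it joins that with the tables the answer points at, AuditLogs (Entra ID directory changes), AzureActivity (Azure Resource Manager operations) and OfficeActivity (the Unified Audit Log as ingested by the Sentinel Office 365 connector), into one per-account activity timeline. The UPN svc-admin@domain.com is a placeholder; the query assumes the Azure Activity and Office 365 data connectors are enabled, and a table with no data for the account simply contributes no rows.

```kusto
// Added example, not from the original posts. Standard Log Analytics / Microsoft Sentinel tables.
let target = "svc-admin@domain.com";   // placeholder: the Global Admin account under review
let window = 30d;                       // look-back period
// Sign-ins: which app and resource were authenticated to, with which client, from where, and the outcome
// (ResultType "0" is a successful sign-in)
let signins = SigninLogs
    | where TimeGenerated > ago(window) and UserPrincipalName =~ target
    | project TimeGenerated, Source = "SigninLogs",
              Activity = strcat("Sign-in to ", AppDisplayName),
              Detail = strcat(ResourceDisplayName, " | ", ClientAppUsed, " | ", IPAddress, " | result ", ResultType);
// Entra ID directory changes (users, groups, role assignments, app registrations) initiated by the account
let directory = AuditLogs
    | where TimeGenerated > ago(window)
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | where Actor =~ target
    | project TimeGenerated, Source = "AuditLogs", Activity = OperationName,
              Detail = strcat(Category, " | ", Result, " | ", tostring(TargetResources[0].displayName));
// Azure Resource Manager operations (requires the Azure Activity data connector)
let azure = AzureActivity
    | where TimeGenerated > ago(window) and Caller =~ target
    | project TimeGenerated, Source = "AzureActivity", Activity = OperationNameValue,
              Detail = strcat(ResourceGroup, " | ", ActivityStatusValue);
// Microsoft 365 workload actions (requires Unified Audit Logging and the Office 365 data connector)
let office = OfficeActivity
    | where TimeGenerated > ago(window) and UserId =~ target
    | project TimeGenerated, Source = "OfficeActivity", Activity = Operation,
              Detail = strcat(OfficeWorkload, " | ", ResultStatus);
// One normalized timeline across all four sources, collapsed to distinct activities with counts and time range
union signins, directory, azure, office
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Source, Activity, Detail
| order by Source asc, Count desc
```

Run it once per account as a single query (the `let` statements and the final `union` form one statement). Reading the result: a regular cadence in FirstSeen/LastSeen together with a single AppDisplayName and ClientAppUsed is the signature of an unattended scheduled task, and the AuditLogs and OfficeActivity rows tell you which operations that task actually performs, which is the input needed for replacing the Global Administrator role with a narrower one. One caveat: if the task authenticates as an app registration rather than with the user account, its sign-ins are not in SigninLogs but in AADServicePrincipalSignInLogs, and its directory changes appear under `InitiatedBy.app` instead of `InitiatedBy.user`.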