Checking Suspicious Activities

If the Azure AD administrator has a Premium license, several reporting options are available for reporting unusual or undesirable service usage. The reports are published in three categories and are available under Reports . The reports for atypical logins to the directory are particularly interesting. Azure AD generates an audit event if users log in to unknown devices or via untraceable connections.

All alarm bells should ring for simultaneous logins from different regions: An alert is generated if Azure AD discovers that a user is logging in from different regions, and the time between logins is not sufficient to travel from one region to another. A user cannot, for example, log in from Munich and then three hours later from New York. The travel time is significantly greater than the time between the logins and would, in this case, mean that an account is compromised or that a user account is being used by multiple individuals.

The Sign ins from possibly infected devices report compares the IP addresses of the users' devices with conspicuous IP addresses from the Internet. If users log in from computers that the Microsoft Security Research Center has recognized as infected through observations from the Internet, this will be listed in the report. Azure AD therefore incorporates information from various sources within these reports. Of course, actual, desired logins that were mistakenly marked as suspicious can also be behind these detected anomalies.

You can focus reports on different time periods and then, depending on the report, look more closely at the previous 30 days. Or, you can define a specific time period to compare – for example, July and December. All reports have a Download button in the bottom menu that lets you download the recorded activities as a .csv file. Microsoft promises to continue providing further reports in the future.

Conclusions

Azure AD is more than just Active Directory in the cloud. It is gradually becoming the central directory for authentication on many other SaaS offerings, well beyond the boundaries of Microsoft. Office 365 is far from the end of the line.

If you were careful when configuring the examples shown here, you will have seen the option for integrating self-created applications. This is where Microsoft sees the next big investment: Newly developed applications will not run permanently on an ordinary infrastructure but will instead be increasingly developed for and in the cloud. Interfaces and options for integrating with Azure AD are also available for this. Azure AD offers advantages over a local AD: It scales much better and is accessible from everywhere. In this article, I laid the foundations for further functions and defined a flexible approach for other potential scenarios.