DEMO: Azure AD Reporting and Monitoring
Start course
1h 41m

This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to better the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course is comprised of 24 lectures, including demos, and expertly instructed by one of our MS Azure subject matter experts.

Learning Objectives

  • Study and understand what Azure AD Domain Services do and what they can offer
  • Learn to create and manage hybrid identities via Azure AD Connect 
  • Understand the principles of Azure MFA and SSO, and how to enable them
  • Recognize and deploy the key principles of Azure AD B2B and B2C 
  • Learn and utilize Privileged Identity Management

Intended Audience

This course is intended for:

  • IT professionals who are interested in getting certified with MS Azure
  • Those looking to become Azure architects and/or tasked with designing identity management solutions


  • A mid-range knowledge of MS Azure is recommended before starting this course
  • An understanding of identity management concepts

Related Training Content

For more courses related to MS Azure, visit our dedicated Content Training Library.





Hello and welcome back. In this brief demonstration here, what I wanna do is give you a tour, so to speak, of some of the Azure Active Directory Reporting and Monitoring options that are available.

Now, on the screen here, you can see I'm logged in to my Azure Portal, and I'm at the Overview page for my Azure Active Directory. We are working in the directory. Now, the Azure Active Directory Reports that are available provide you with a view of the different activities that are going on in your environment.

You can use reports to determine how applications and services are utilized by your users, and you can detect potential risks that affect the health of your environments. You can use reports to also troubleshoot issues.

With Azure Active Directory Monitoring, you can route your Azure AD activity logs to different endpoints. You can then view this data to see what's going on within your Active Directory.

Let's take a look at some audit logs and some sign-in activities. Now, to take a look at the audit log for Azure Active Directory, what you do here is scroll down in the left pane from the Overview page of your directory and you select Audit logs under Monitoring. Now, what this Audit Log Report does is provide you with a record of the different system activities that have occurred.

For example, we can take a look and see who had access to an admin group and who gave them that access. We can also see information regarding password resets and the like. Now, in this dashboard here for our audit logs, we can see a few different activities that have occurred. We've seen some Add user activities. We've seen some Add member activities. We've also seen some activities revolving around roles.

If we select an activity here, so for example, we'll choose this Add owner to group, what this tells us is what happened, when it happened, and what the status was. It also tells us who performed this action. Selecting the target gives us more information about the activity that occurred. And if we select Modified Properties, we can see what properties were actually modified.

So when you need to look at information for compliance, for example, the Audit logs report would be the report to go to. Now, if we click over to Sign-ins, we can see what was going on regarding sign-ins to our Azure Active Directory. Typically, you'd use the Sign-ins Report to find the sign-in pattern of specific users, or to see how many users have logged in in the last week, or what the sign-in status is.

On the screen here, we can actually see two different sign-ins that occurred. One was interrupted and one was successful. If we select the one here that was interrupted, we can see information about that specific sign-in. We can see when it happened, what happened, what the error code was, and what the failure reason was for the interrupted sign-in. We can see which user generated the alert and even the application where the sign-in occurred.

Along this top tab, we have lots of other different information we can look at. We can look at the location where this occurred. The Device Info. We can see that this failed login occurred on a Windows 10 machine from the Chrome browser. If we look at the Authentication Details, we can see that was a CloudOnlyPassword and that it was false. We can see any Conditional Access information that applied here.

In this case, there were no policies applied. And any Additional Details. Now, to configure monitoring for Azure Active Directory, what you can do is go into Diagnostic settings here below Monitoring, and we can see we have no diagnostic settings configured yet. So what we'll do is add a diagnostic setting.

So we'll go ahead and call this MyDiags. Now, what we can do here is we can collect audit logs or sign-in logs. And then when we do that, we can send them to either Log Analytics or to a storage account, or we can stream them to an event hub. For this demonstration here, what we'll do is we'll gather our audit logs and send them to a storage account.

Now, if we leave Retention here set to zero, if you look down here, you can see that setting it to zero does not apply a retention policy. This means the data that you collect is retained forever. I'll just retain this for one day for this demonstration.

Now, when we select our storage account, we need to choose what storage account we want to archive to. So I already have a test9878 storage account here, so that's what's selected here. But I could change this to a different storage account if I wanted to. So what we're doing here is collecting our audit logs with a retention of one day and sending them to our storage account, and then we'll go ahead and save this.

Now, what we could also do here is instead of sending to a storage account, we can send to Log Analytics. Now, to send to Log Analytics, you'll need to have a Log Analytics workspace already created. We have a default workspace here. We actually have a couple. So what we'll do here is we'll send to Log Analytics, and we'll save it, and we can see we get the success here.

Now, to take a look at our logs, what we can do is go back out to our directory and then go into Logs here under Monitoring. Now, from the Log Analytics page here, what I can do is run different queries to track down the information I'm looking for as it relates to my Azure Active Directory. So that will call it a wrap.

Just keep in mind that you can run reports to track down specific information that's reported in the Sign-ins Report and in the Audit logs report. And you can use Monitoring to send your information through logs into the Azure Monitor and/or Log Analytics workspace.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.