Azure AD Domain Services Security Audit Events?

  • Question

  • How can I get the security audit events like Account Logon (Audit Kerberos Authentication Service) in Azure AD Domain Services?

    I am new to Azure and my requirement is to get Network Information and Account Information from the computers connected to Azure AD Domain Controller (Doc: 4768(S, F): A Kerberos authentication ticket (TGT) was requested).

    I enabled the security audits for Azure Active Directory Domain Services (Doc: Enable security audits for Azure Active Directory Domain Services), which streams security events to targeted resources. I configured the target resource as an Azure Log Analytics workspace, but I am still unable to get the Kerberos Authentication Audit events from the connected computers in the Log Analytics workspace.

    I configured Azure AD Domain Services, joined a couple of Windows Server virtual machines to a managed domain, and then configured security audit policy settings in the Windows Server VMs to generate audit events. (Doc: Advanced security audit policy settings)

    As Azure AD DS is a domain managed by Microsoft, we do not have full control of the domain controller. Please let me know how I can get security audit events from Azure AD DS.

    P.S.: Unable to attach links as account is not verified.

    Thanks and Regards,

    Hrishikesh

    Tuesday, November 12, 2019 6:28 AM

Answers

  • Hi Hrishikesh, 

    Our product team confirmed that event ID 4768 is currently not available. They have plans to incrementally make more events available. Kerberos and NTLM events are their priority as of now. 

    Currently, the recommendation is to submit a feature request here including the event IDs you are looking for. This will help them prioritize the events accordingly.

    Hope this helps. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, November 20, 2019 7:54 AM
    Moderator

All replies

  • Hi Hrishikesh, 

    In the document, which lists audit events available from Azure ADDS, event 4768 is not included.

    If you are receiving other events in the workspace (other than 4768) then this is by design. Can you confirm if you are receiving any events at all from Azure ADDS?


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Tuesday, November 12, 2019 8:48 AM
    Moderator
  • Hi Manoj,

    Thanks for your fast reply. I am receiving events from the categories AccountLogon (only 4776) and LogonLogoff (4634, 4672) in the workspace, as I enabled only the LogonLogoff and AccountLogon categories in Diagnostic Settings.

    Please let me know how I can get Event 4768 or any relevant Kerberos authentication event.

    Is there any other way, like an API, so I can get Kerberos authentication events from the Azure AD DS domain controller?


    Tuesday, November 12, 2019 9:10 AM
  • Hi Manoj,

    As per the document, it is mentioned that "Audit Kerberos Authentication Service" events are available under the "Account Logon" category, but in the "Event IDs per category" section, I cannot see any Kerberos authentication event ID mentioned under the "Account Logon security" category.

    The event IDs available are: 4767, 4774, 4775, 4776, 4777, which are used for credential validation.

    Tuesday, November 12, 2019 9:58 AM
  • Hi Hrishikesh, 

    I am discussing this internally with the product team and will provide an update as soon as I hear from them.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, November 14, 2019 9:49 AM
    Moderator
  • Hi Manoj, 

    Thanks for the update, I am waiting for your response.


    Thanks & Regards, Hrishikesh

    Thursday, November 14, 2019 12:48 PM
  • Thanks for the update Manoj.

    FYI I submitted the feature request.

    Thanks & Regards,

    Hrishikesh


    Wednesday, November 20, 2019 11:13 AM