eG Monitoring

Measures reported by AzrMngdIdntyTest

The sign-in logs provided by the Azure Active Directory (Azure AD) portal are a treasure chest of information about sign-ins to the Azure organization and about how signed-in users use the organization's resources.

One of the four types of sign-in logs offered by Azure AD is the Managed Identity for Azure Resources sign-in log. Managed identities provide an automatically managed identity in Azure AD for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.

If managed identity sign-ins fail, then applications will not be able to obtain Azure AD tokens to access critical Azure resources. This can stall application functions and degrade overall application performance. To avoid this, administrators should monitor sign-in attempts made using managed identities, quickly identify those attempts that failed, investigate the reasons for the failure, and fix them, so that the Azure sign-in experience is not impacted.

Administrators should also be capable of detecting and investigating spurious sign-in attempts - for instance, frequent sign-in failures from specific IP addresses/locations, or an unusually large number of sign-in failures experienced by specific applications/resources/service principals. As this is how attackers work, capturing such attempts early lets administrators prevent malicious attacks and potential resource abuse. The AzrMngdIdntyTest helps administrators achieve all of the above!

This test monitors Azure managed identity sign-in logs for failed sign-ins and reports their count and details. With the help of these details, administrators can effectively troubleshoot the failures. These insights also help administrators closely scrutinize the failed sign-ins to isolate patterns: Are sign-in attempts from specific IP addresses/locations failing often? Are specific applications/service principals seeing more sign-in failures than others? This way, the test sheds light on sign-in attempts that are 'suspect', so their authenticity can be verified and any potential security risks pre-empted.

Outputs of the test: One set of results for the Azure Active Directory tenant being monitored

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Total_sign_in | Indicates the total number of managed identity sign-ins attempted. | Number | |
| Success_sign_in | Indicates the number of sign-in attempts that were successful. | Number | Use the detailed diagnosis of this measure to know which sign-in attempts succeeded. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Failure_sign_in | Indicates the number of sign-in attempts that failed. | Number | Ideally, the value of this measure should be 0. Use the detailed diagnosis of this measure to know which sign-in attempts failed. |
| Unique_ip_address | Indicates the number of IP addresses from which successful sign-in attempts were made. | Number | Use the detailed diagnosis of this measure to know from which IP addresses successful sign-in attempts were made. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_location | Indicates the number of locations from which successful sign-in attempts were made. | Number | Use the detailed diagnosis of this measure to know from which locations successful sign-in attempts were made. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_app_id | Indicates the number of applications that successfully used managed identities to sign into Azure. | Number | Use the detailed diagnosis of this measure to know which applications signed into Azure successfully. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_srvc_prncpl | Indicates the number of service principals that successfully used managed identities to sign into Azure. | Number | Use the detailed diagnosis of this measure to know which service principals signed into Azure successfully. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_resrc_name | Indicates the number of services that were used in successful sign-ins. | Number | Use the detailed diagnosis of this measure to know which services were used in successful sign-ins. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Failed_percent | Indicates the percentage of sign-in attempts that failed. | Percent | Ideally, the value of this measure should be low. |
| Failure_ip_address | Indicates the number of IP addresses from which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know from which IP addresses the maximum number of failed sign-in attempts were made. |
| Failure_location | Indicates the number of locations from which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know from which locations sign-in attempts failed. |
| Failure_app_id | Indicates the number of applications that were unable to sign into Azure using managed identities. | Number | Use the detailed diagnosis of this measure to know which applications failed to sign into Azure using managed identities. |
| Failure_srvc_prncpl | Indicates the number of service principals that could not sign into Azure using managed identities. | Number | Use the detailed diagnosis of this measure to know which service principals failed to sign into Azure. |
| Failure_resrc_name | Indicates the number of services that were used in failed sign-ins. | Number | Use the detailed diagnosis of this measure to know which services were used in failed sign-ins. |
| Not_applied_cndtnl_acc | Indicates the number of sign-ins during which no conditional access policy applied to the user and application. | Number | Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it. |
| Success_cndtnl_acc | Indicates the number of sign-ins during which one or more conditional access policies applied to the user and application. | Number | |
| Failed_cndtnl_acc | Indicates the number of sign-ins that satisfied the user and application condition of at least one Conditional Access policy but whose grant controls were either not satisfied or set to block access. | Number | Use the detailed diagnosis of this measure to know which conditional access policies failed. |
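The following is an added example, not eG's own code, showing how the measures in the table above (and the failure-pattern analysis described earlier on this page) can be computed from managed identity sign-in records. The record shape is modelled on the Microsoft Graph signIn resource (ipAddress, location, appId, servicePrincipalId, resourceDisplayName, status.errorCode, conditionalAccessStatus); the sample records, the error code values, the failure reason text and the hotspot threshold are all constructed for the example and are not real log data.

```python
from collections import Counter


def make_record(ip, city, country, app_id, sp_id, resource, error_code, ca_status, reason=""):
    """Build one sign-in record in the Graph signIn shape (constructed sample data)."""
    return {
        "ipAddress": ip,
        "location": {"city": city, "countryOrRegion": country},
        "appId": app_id,
        "servicePrincipalId": sp_id,
        "resourceDisplayName": resource,
        # errorCode 0 marks a successful sign-in; any other code is a failure.
        "status": {"errorCode": error_code, "failureReason": reason},
        # One of notApplied / success / failure, as in the Graph API.
        "conditionalAccessStatus": ca_status,
    }


# Constructed sample log: three successes and four failures, three of the
# failures coming from the same IP address (the pattern the test should surface).
SAMPLE_SIGNINS = [
    make_record("203.0.113.10", "Dublin", "IE", "app-a", "sp-a", "Azure Key Vault", 0, "notApplied"),
    make_record("203.0.113.11", "Dublin", "IE", "app-b", "sp-b", "Azure Storage", 0, "success"),
    make_record("198.51.100.7", "Amsterdam", "NL", "app-a", "sp-a", "Azure Key Vault", 0, "notApplied"),
    make_record("192.0.2.55", "Frankfurt", "DE", "app-c", "sp-c", "Azure Key Vault", 50105, "failure", "sample failure reason"),
    make_record("192.0.2.55", "Frankfurt", "DE", "app-c", "sp-c", "Azure SQL", 50105, "notApplied", "sample failure reason"),
    make_record("192.0.2.55", "Frankfurt", "DE", "app-d", "sp-d", "Azure Key Vault", 50105, "notApplied", "sample failure reason"),
    make_record("198.51.100.7", "Amsterdam", "NL", "app-a", "sp-a", "Azure Storage", 50105, "notApplied", "sample failure reason"),
]


def is_success(rec):
    return rec["status"]["errorCode"] == 0


def location_of(rec):
    """Render the location sub-object as 'City, Country'; missing parts become '?'."""
    loc = rec.get("location") or {}
    return f"{loc.get('city') or '?'}, {loc.get('countryOrRegion') or '?'}"


# Attribute extractors shared by the Unique_* (successes) and Failure_* (failures) measures.
FIELDS = {
    "ip_address": lambda r: r["ipAddress"],
    "location": location_of,
    "app_id": lambda r: r["appId"],
    "srvc_prncpl": lambda r: r["servicePrincipalId"],
    "resrc_name": lambda r: r["resourceDisplayName"],
}


def compute_measures(records):
    """Return the AzrMngdIdntyTest measures as a dict keyed by measure name."""
    ok = [r for r in records if is_success(r)]
    bad = [r for r in records if not is_success(r)]
    total = len(records)
    ca = Counter(r.get("conditionalAccessStatus") for r in records)

    measures = {
        "Total_sign_in": total,
        "Success_sign_in": len(ok),
        "Failure_sign_in": len(bad),
        # Guard the empty-log case so an idle interval does not divide by zero.
        "Failed_percent": round(100.0 * len(bad) / total, 2) if total else 0.0,
        "Not_applied_cndtnl_acc": ca["notApplied"],
        "Success_cndtnl_acc": ca["success"],
        "Failed_cndtnl_acc": ca["failure"],
    }
    for name, key in FIELDS.items():
        measures[f"Unique_{name}"] = len({key(r) for r in ok})
        measures[f"Failure_{name}"] = len({key(r) for r in bad})
    return measures


def failure_diagnosis(records, top=5):
    """Detailed diagnosis for the Failure_* measures: which IPs, locations, apps,
    service principals, resources and reasons account for the most failures."""
    bad = [r for r in records if not is_success(r)]
    diag = {name: Counter(key(r) for r in bad).most_common(top) for name, key in FIELDS.items()}
    diag["reasons"] = Counter(r["status"]["failureReason"] for r in bad).most_common(top)
    return diag


def flag_hotspots(records, failure_threshold=3):
    """IPs whose failure count reaches the threshold (threshold is an assumption
    for the example): the 'frequent failures from a specific IP' pattern."""
    return [ip for ip, n in failure_diagnosis(records, top=None)["ip_address"] if n >= failure_threshold]


if __name__ == "__main__":
    for name, value in compute_measures(SAMPLE_SIGNINS).items():
        print(f"{name:24} {value}")
    print("failure diagnosis:", failure_diagnosis(SAMPLE_SIGNINS))
    print("hotspot IPs:", flag_hotspots(SAMPLE_SIGNINS))
```

On the sample data this reports 7 total sign-ins, 4 failures (57.14%), and a single hotspot IP with three failures; in practice the records would be pulled from the managed identity sign-in log rather than constructed inline, and the threshold tuned to the tenant's normal failure rate.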