Measures reported by AzrSrvcPrncplTest
The Sign-in logs provided by the Azure Active Directory (AD) portal are a treasure chest of information about user sign-ins to the Azure organization and about how signed-in users use the organization's resources.
One of the four types of sign-in logs offered by Azure AD is the Service Principal sign-in log. Service principal sign-ins do not involve a user. Instead, they are sign-ins by any non-user account, such as apps or service principals (except managed identity sign-ins, which are included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret, to authenticate or access resources.
If sign-in attempts of applications/service principals frequently fail, then your apps/services may be unable to access critical resources for prolonged periods. This in turn will adversely impact app/service operations and performance. To assure your apps/services of uninterrupted access to resources and to ensure their peak performance at all times, administrators should be able to instantly detect service principal sign-in failures, investigate the reason for the failures, diagnose the root cause, and rapidly fix it.
Sometimes, sign-in failures may not be random incidents; they could follow a definite pattern. For instance, sign-in attempts from specific IP addresses or locations may repeatedly fail. Similarly, some applications/service principals/resources may encounter more failures during sign-in than others. Administrators should be able to detect these patterns and investigate them, as they could be hacking attempts that have to be averted in order to protect critical Azure resources. Using the AzrSrvcPrncplTest, all of the above can be achieved!
This test periodically scans the messages logged in the Service Principal sign-in logs for failed sign-ins, and reports the count and details of such sign-in attempts. The granular failure metrics that the test pulls from the logs help administrators accurately identify those service principals, applications, IP addresses, locations, and resources that are seeing more sign-in failures than the rest. This way, the test sheds light on sign-in attempts that are ‘suspect’, so their authenticity can be verified, and any potential security risks pre-empted.
Outputs of the test: One set of results for the Azure Active Directory tenant being monitored
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Total_sign_in | Indicates the number of sign-in attempts made by apps/service principals. | Number | |
| Success_sign_in | Indicates the number of sign-in attempts made by apps/service principals that were successful. | Number | Use the detailed diagnosis of this measure to know which sign-in attempts succeeded. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Failure_sign_in | Indicates the number of sign-in attempts made by apps/service principals that failed. | Number | Ideally, the value of this measure should be 0. Use the detailed diagnosis of this measure to know which sign-in attempts failed. |
| Unique_ip_address | Indicates the number of IP addresses from which successful sign-in attempts were made. | Number | Use the detailed diagnosis of this measure to know from which IP addresses successful sign-in attempts were made. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_location | Indicates the number of locations from which successful sign-in attempts were made. | Number | Use the detailed diagnosis of this measure to know from which locations successful sign-in attempts were made. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_app_id | Indicates the number of applications for which sign-in attempts succeeded. | Number | Use the detailed diagnosis of this measure to know which applications signed into Azure successfully. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_resrc_name | Indicates the number of services that were used in successful sign-ins. | Number | Use the detailed diagnosis of this measure to know which services were used in successful sign-ins. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Unique_srvc_prncpl | Indicates the number of service principals for which sign-in attempts succeeded. | Number | Use the detailed diagnosis of this measure to know which service principals signed into Azure successfully. Note that this measure will report detailed diagnostics only if the Successful Signin DD parameter of this test is set to Yes. |
| Failed_percent | Indicates the percentage of sign-in attempts made by apps/service principals that failed. | Number | Ideally, the value of this measure should be low. |
| Failure_ip_address | Indicates the number of IP addresses from which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know from which IP addresses failed sign-in attempts were made. |
| Failure_location | Indicates the number of locations from which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know from which locations sign-in attempts failed. |
| Failure_app_id | Indicates the number of applications for which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know which applications failed to sign into Azure. |
| Failure_resrc_name | Indicates the number of service principals for which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know which services were used in the maximum number of failed sign-ins. You may want to investigate these attempts to figure out if they were genuine attempts or malicious attacks. |
| Failure_srvc_prncpl | Indicates the number of service principals for which sign-in attempts failed. | Number | Use the detailed diagnosis of this measure to know which service principals failed to sign into Azure. |
| Not_applied_cndtnl_acc | Indicates the number of sign-ins during which no conditional access policy applied to the user and application. | Number | Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it. |
| Success_cndtnl_acc | Indicates the number of sign-ins during which one or more conditional access policies applied to the user and application. | Number | |
| Failed_cndtnl_acc | Indicates the number of sign-ins that satisfied the user and application conditions of at least one Conditional Access policy but whose grant controls were either not satisfied or set to block access. | Number | Use the detailed diagnosis of this measure to know which conditional access policies failed. |
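As an added illustration of how the counts in the table above can be derived from raw service principal sign-in records, the script below aggregates a handful of constructed log lines into the same measure names and produces the kind of per-IP and per-resource failure breakdown that the detailed diagnosis is meant to surface. This is example code written for this page, not eG Enterprise's implementation of the test. The record fields (ResultType, ServicePrincipalId, AppId, ResourceDisplayName, IPAddress, Location, ConditionalAccessStatus) are assumed to follow the Log Analytics AADServicePrincipalSignInLogs schema, with ResultType "0" taken as a successful sign-in; the sample records and the repeat-failure threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample records (not real tenant data), one JSON object per line,
# modelled on the AADServicePrincipalSignInLogs table in Log Analytics. The
# field names and the convention ResultType == "0" for success are assumptions
# about that schema; the non-zero codes are AADSTS error codes used for realism.
SAMPLE_LOG = """
{"ServicePrincipalName": "billing-sync", "ServicePrincipalId": "sp-1", "AppId": "app-1", "ResourceDisplayName": "Microsoft Graph", "IPAddress": "203.0.113.10", "Location": "US", "ResultType": "0", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "billing-sync", "ServicePrincipalId": "sp-1", "AppId": "app-1", "ResourceDisplayName": "Azure Key Vault", "IPAddress": "203.0.113.10", "Location": "US", "ResultType": "0", "ConditionalAccessStatus": "success"}
{"ServicePrincipalName": "report-gen", "ServicePrincipalId": "sp-2", "AppId": "app-2", "ResourceDisplayName": "Microsoft Graph", "IPAddress": "198.51.100.7", "Location": "DE", "ResultType": "0", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "report-gen", "ServicePrincipalId": "sp-2", "AppId": "app-2", "ResourceDisplayName": "Microsoft Graph", "IPAddress": "198.51.100.7", "Location": "DE", "ResultType": "7000215", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "legacy-etl", "ServicePrincipalId": "sp-3", "AppId": "app-3", "ResourceDisplayName": "Azure Storage", "IPAddress": "192.0.2.55", "Location": "BR", "ResultType": "7000222", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "legacy-etl", "ServicePrincipalId": "sp-3", "AppId": "app-3", "ResourceDisplayName": "Azure Storage", "IPAddress": "192.0.2.55", "Location": "BR", "ResultType": "7000222", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "legacy-etl", "ServicePrincipalId": "sp-3", "AppId": "app-3", "ResourceDisplayName": "Azure Storage", "IPAddress": "192.0.2.55", "Location": "BR", "ResultType": "7000222", "ConditionalAccessStatus": "notApplied"}
{"ServicePrincipalName": "billing-sync", "ServicePrincipalId": "sp-1", "AppId": "app-1", "ResourceDisplayName": "Azure Key Vault", "IPAddress": "192.0.2.99", "Location": "BR", "ResultType": "53003", "ConditionalAccessStatus": "failure"}
"""

SUCCESS = "0"  # assumed: ResultType "0" marks a successful sign-in


def parse_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _distinct(records, field):
    """Number of distinct values of `field` across `records`."""
    return len({r[field] for r in records})


def compute_measures(records):
    """Aggregate raw sign-in records into the measure names used by the test."""
    ok = [r for r in records if r["ResultType"] == SUCCESS]
    bad = [r for r in records if r["ResultType"] != SUCCESS]
    total = len(records)
    ca = Counter(r["ConditionalAccessStatus"] for r in records)
    return {
        "Total_sign_in": total,
        "Success_sign_in": len(ok),
        "Failure_sign_in": len(bad),
        # Unique_* measures are computed over successful sign-ins only
        "Unique_ip_address": _distinct(ok, "IPAddress"),
        "Unique_location": _distinct(ok, "Location"),
        "Unique_app_id": _distinct(ok, "AppId"),
        "Unique_resrc_name": _distinct(ok, "ResourceDisplayName"),
        "Unique_srvc_prncpl": _distinct(ok, "ServicePrincipalId"),
        "Failed_percent": round(100.0 * len(bad) / total, 2) if total else 0.0,
        # Failure_* measures are computed over failed sign-ins only
        "Failure_ip_address": _distinct(bad, "IPAddress"),
        "Failure_location": _distinct(bad, "Location"),
        "Failure_app_id": _distinct(bad, "AppId"),
        "Failure_resrc_name": _distinct(bad, "ResourceDisplayName"),
        "Failure_srvc_prncpl": _distinct(bad, "ServicePrincipalId"),
        "Not_applied_cndtnl_acc": ca["notApplied"],
        "Success_cndtnl_acc": ca["success"],
        "Failed_cndtnl_acc": ca["failure"],
    }


def failure_breakdown(records, field):
    """Detailed diagnosis: failed sign-ins grouped by `field`, most frequent first."""
    return Counter(r[field] for r in records if r["ResultType"] != SUCCESS).most_common()


def repeat_failure_sources(records, threshold=3):
    """IP addresses whose failure count reaches `threshold` (the threshold is an assumed tunable)."""
    return sorted(ip for ip, n in failure_breakdown(records, "IPAddress") if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, value in compute_measures(recs).items():
        print(f"{name:24} {value}")
    print("Failed sign-ins by resource:", failure_breakdown(recs, "ResourceDisplayName"))
    print("Sources with repeated failures:", repeat_failure_sources(recs))
```

The Unique_* and Failure_* groups are deliberately computed over disjoint subsets (successful and failed records respectively), which is what makes a source that appears only in the failure breakdown stand out; in a real deployment the same aggregation would be run per collection interval over records fetched from the sign-in log rather than over an embedded sample.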