Windows Azure Active Directory Reports

26 Aug 2014 by Emma Robinson

Microsoft Windows Azure Active Directory (WAAD), Microsoft's cloud-based identity management suite, is what Office 365 uses to manage user accounts, licences and authentication.
WAAD contains a series of security and usage reports that administrators should review regularly to make sure that their cloud infrastructure remains secure. We are planning to integrate some of these reports into our own Office 365 Reporting application as well.
To access these reports, you need to sign in to the Azure Management Portal as an administrator.
Select Active Directory from the left-hand menu and click on the directory whose reports you wish to view.

Azure AD Management

Select the Reports tab at the top.
Azure AD Reports

This Microsoft article does a great job of explaining what each of the reports does and we have mirrored the information below.
Please note that some of these reports are only available in Azure Active Directory Premium.
 

Report Description Report Location

Category: Anomaly Reports

Sign ins from unknown sources

This report indicates users who have successfully signed in to your tenant while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users that want to hide their computer’s IP address, and may be used for malicious intent – sometimes hackers use these proxies.

Results from this report will show the number of times a user successfully signed in to your tenant from that address and the proxy’s IP address.

Found under the Directory > Reports tab

Sign ins after multiple failures

This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include:

  • User had forgotten their password
  • User is the victim of a successful password guessing brute force attack

Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.

Report Settings:  You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins.

Found under the Directory > Reports tab

Sign ins from multiple geographies

This report includes successful sign in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries. Possible causes include:

  • User is sharing their password
  • User is using a remote desktop to launch a web browser for sign in
  • A hacker has signed in to the account of a user from a different country.

Results from this report will show you the successful sign in events, together with the time between the sign ins, the countries where the sign ins appeared to originate from and the estimated travel time between those countries.

Found under the Directory > Reports tab

Sign ins from IP addresses with suspicious activity

This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address.

Results from this report will show you sign in attempts that were originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.

Found under the Directory > Reports tab

Irregular sign in activity

This report includes sign ins that have been identified as “irregular” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “irregular” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach.

Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in.

Found under the Directory > Reports tab

Sign ins from possibly infected devices

Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server.

Recommendation:  Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user’s device to be certain.

For more information about how to address malware infections, see the Malware Protection Center.

Found under the Directory > Reports tab

Users with anomalous sign in activity

Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event.

Found under the Directory > Reports tab

Category: User-specific Reports

Devices

Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure AD.

Found under the Directory > User > Devices tab

Activity

Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account.

Found under the Directory > User > Activity tab
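
The logic behind two of the anomaly reports above, "Sign ins after multiple failures" (with its configurable minimum) and "Sign ins from multiple geographies", run over constructed sign-in events. This is an added example, not Microsoft's implementation and not code from the original article; the event tuples, country centroids, the 900 km/h speed ceiling and all function names are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (user, ISO timestamp, country, success)
EVENTS = [
    ("alice", "2014-08-26T08:00:00", "GB", False),
    ("alice", "2014-08-26T08:00:20", "GB", False),
    ("alice", "2014-08-26T08:00:40", "GB", False),
    ("alice", "2014-08-26T08:01:00", "GB", True),
    ("bob",   "2014-08-26T09:00:00", "GB", True),
    ("bob",   "2014-08-26T10:00:00", "US", True),
    ("carol", "2014-08-26T09:00:00", "GB", False),
    ("carol", "2014-08-26T09:05:00", "GB", True),
    ("carol", "2014-08-27T09:05:00", "FR", True),
]
# Assumptions: rough country centroids (lat, lon) and a speed ceiling in km/h
CENTROIDS = {"GB": (54.0, -2.0), "US": (39.8, -98.6), "FR": (46.2, 2.2)}
MAX_KMH = 900.0

def after_multiple_failures(events, min_failures=3):
    """Successes preceded by >= min_failures consecutive failures, per user."""
    streak, hits = {}, []
    for user, ts, _country, ok in sorted(events, key=lambda e: e[1]):
        if not ok:
            streak[user] = streak.get(user, 0) + 1
            continue
        failures = streak.pop(user, 0)  # any success resets the streak
        if failures >= min_failures:
            hits.append((user, failures, ts))
    return hits

def km_between(a, b):  # great-circle (haversine) distance between centroids
    lat1, lon1, lat2, lon2 = map(radians, (*CENTROIDS[a], *CENTROIDS[b]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """Successive successes from different countries, closer in time than travel allows."""
    last, hits = {}, []
    for user, ts, country, _ok in sorted((e for e in events if e[3]), key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        if user in last and last[user][1] != country:
            prev_time, prev_country = last[user]
            gap_h = (now - prev_time).total_seconds() / 3600
            need_h = km_between(prev_country, country) / MAX_KMH
            if gap_h < need_h:
                hits.append((user, prev_country, country, round(gap_h, 2), round(need_h, 2)))
        last[user] = (now, country)
    return hits
```

Lowering `min_failures` surfaces more accounts (here it adds carol's single mistyped password), which is the trade-off the report's setting controls.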