You may already know that you can have Azure AD Diagnostic logs; but do you know you can now send these logs to Log Analytics for consolidation and better analysis?

To do so, just logon to your Azure AD administration portal (https://aad.portal.azure.com) or Azure portal (https://portal.azure.com) and reach out the Azure AD configuration blade.

From there, scroll down to reach the Monitoring section and click on the Diagnostic settings – if you did not already had it enabled, you will be requested to enable it

image

Then just choose the option Send to Log Analytics

image

Select (or create a new one) the Log Analytics workspace to save the log

image

Enable the log options you want to enabled – off course the recommendation is to enable both Audit and SignIn

image

Once completed, you have to wait a little (about 15 min) before you will start seeing Azure AD logs in your Log Analytics workspace

image

You can use the the predefined views (.omsview file) Azure AD Log Analytics available from https://aka.ms/AADLogAnalyticsviews

image

Then import these views (one by one) by going to the View Designer and then import and save

imageimage