Monitoring and protecting privileged accounts is paramount because failure to do so can lead to loss or theft of sensitive information, or enable malware to compromise your network. Privileged accounts can include global administrators, Azure subscription administrators, and users who have administrator access in VMs or SaaS apps.
In Azure Active Directory (AD), auditing is enabled by default. You can check all activity in any given Azure AD environment using the Azure Portal, PowerShell cmdlets, and a security information and event management (SIEM) solution.
In Azure AD, select Roles and Administrators to see the list of all available roles and their permissions. Any changes made to the accounts in Roles and Administrators can be viewed and monitored under Audit Logs as well, as seen here in Figure 1.
Figure 1. Audit Logs display all activity happening in an Azure AD environment.
Azure AD Privileged Identity Management (PIM) is a service that enables you to manage and monitor access to privileged accounts in your organization. It can generate alerts when there is suspicious or unsafe activity in your environment. When an alert is triggered, it shows up on the PIM dashboard. Select Alerts (Figure 2) to see the list of alerts generated, and select a report to see the user or roles that triggered the alert.
Figure 2. Alerts that are set up to monitor Azure AD roles.
To use PIM, you must have one of the following paid or trial licenses:
If you want to set up alerts with the basic Azure AD plan, you will have to use PowerShell scripts. This leaves you with only two options: write and maintain your own PowerShell scripts, which is time-consuming, or pay for a PIM license, which is expensive. The best workaround is to use a comprehensive third-party tool that is both efficient and inexpensive.
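As an added example (not code from the original article), here is what the PowerShell route looks like in practice: a script that pulls role-membership changes from the Azure AD audit log with the Microsoft Graph PowerShell SDK and flags any that touch a high-privilege role, which is the same data the Audit Logs blade in Figure 1 shows. The Microsoft.Graph.Reports module, the Graph permissions listed, the one-hour lookback and the $WatchedRoles list are this example's assumptions.

```powershell
# Added example: poll the Azure AD audit log for privileged-role membership
# changes and report each one. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports) is installed and the signed-in account holds
# AuditLog.Read.All and Directory.Read.All. The watched-role list and the
# lookback window are choices made for this example, not Microsoft defaults.

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" | Out-Null

# Roles whose membership changes should always be reviewed (edit to taste).
$WatchedRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator"
)

# Look back one hour; run the script on a schedule shorter than that window
# so no event is missed between runs.
$Since = (Get-Date).ToUniversalTime().AddHours(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Audit activities that change role membership. 'Add member to role' is a
# permanent assignment; 'Add eligible member to role' is a PIM-eligible one.
$Filter = "activityDateTime ge $Since and (" +
          "activityDisplayName eq 'Add member to role' or " +
          "activityDisplayName eq 'Add eligible member to role' or " +
          "activityDisplayName eq 'Remove member from role')"

$Events = Get-MgAuditLogDirectoryAudit -Filter $Filter -All

foreach ($Event in $Events) {
    # TargetResources carries the affected user; the role name travels in that
    # entry's ModifiedProperties as Role.DisplayName (a JSON-quoted string).
    $Target   = $Event.TargetResources | Where-Object { $_.Type -eq "User" } | Select-Object -First 1
    $RoleProp = $Event.TargetResources.ModifiedProperties |
                Where-Object { $_.DisplayName -eq "Role.DisplayName" } | Select-Object -First 1
    $RoleName = if ($RoleProp) { $RoleProp.NewValue.Trim('"') } else { "<unknown>" }

    if ($WatchedRoles -contains $RoleName) {
        [pscustomobject]@{
            Time     = $Event.ActivityDateTime
            Activity = $Event.ActivityDisplayName
            Role     = $RoleName
            Target   = $Target.UserPrincipalName
            Actor    = $Event.InitiatedBy.User.UserPrincipalName   # empty when an app did it
            Result   = $Event.Result
        } | Format-List
        # Forward to e-mail, a webhook or your SIEM here instead of Format-List.
    }
}
```

Actor is blank when the change was made by a service principal rather than a user; treat those entries as worth a look too, since an app with role-assignment rights is itself a privileged account.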